AW: Simplistic serial number roll back

2023-02-20 Thread Klaus Darilion via bind-users
Yes it does. I guess all name servers offer a command to force a transfer of the zone without checking the serial. The ones I use support that: Bind: rndc retransfer NSD: nsd-control force_transfer PowerDNS: pdns_control retrieve Knot: knotc zone-retransfer regards Klaus > -Ursprünglich

AW: DNS DDoS protection

2023-02-27 Thread Klaus Darilion via bind-users
> -Original Message- > From: bind-users On Behalf Of Bob > Harold > Sent: Friday, 24 February 2023 19:26 > To: bind-users > Subject: DNS DDoS protection > > Before answering this question, can you tell me the proper place where I > should be asking this question? > > "We ar

Correlation between NOTIFY-Source and AXFR-Source

2023-03-09 Thread Klaus Darilion via bind-users
Hello! I always was quite sure that Bind will request XFR from the Primary that sent the NOTIFY. config: masters { X.X.X.4; X.X.X.20; }; Bind Version 9.11.5.P4+dfsg-5.1+deb10u8 But I just saw this in the logs that the first NOTIFY is received from .20, but AXFR is perf

AW: Correlation between NOTIFY-Source and AXFR-Source

2023-03-09 Thread Klaus Darilion via bind-users
> -Original Message- > From: bind-users On Behalf Of Mark > Andrews > Sent: Thursday, 9 March 2023 21:04 > To: Jan-Piet Mens > Cc: bind-users@lists.isc.org > Subject: Re: Correlation between NOTIFY-Source and AXFR-Source > > Named just uses the notify to trigger an early re

Bind not sending notifies for some time

2023-03-24 Thread Klaus Darilion via bind-users
Hi! root@cc-tld-sbg1:/var/log/tld-acct-by-customer# dpkg -l|grep bind9 ii bind9 1:9.18.6-1+ubuntu22.04.1+isc+1 amd64 Internet Domain Name Server Please help me debugging this issue: We have a TLD zone with ~3mio delegations and updates every f

RE: Bind not sending notifies for some time

2023-03-24 Thread Klaus Darilion via bind-users
> > https://bind9.readthedocs.io/en/stable/reference.html#namedconf-statement-notify-rate Will that feature throttle Notifys or stop them completely for some minutes? Thanks Klaus

AW: Bind not sending notifies for some time

2023-03-27 Thread Klaus Darilion via bind-users
> > On 24. 3. 2023, at 14:36, Klaus Darilion via bind-users us...@lists.isc.org> wrote: > > > > Is there some rate limiting in Bind? > > https://bind9.readthedocs.io/en/stable/reference.html#namedconf-statement-notify-rate For the records: Increasing the n

AW: Tools to mesure performance and benchmarking of a DNS

2023-06-21 Thread Klaus Darilion via bind-users
There are several tools with different features and behavior. I would take a look at dnsperf, kxdpgun and flamethrower regards > -Original Message- > From: bind-users On Behalf Of > sami.ra...@sofrecom.com > Sent: Wednesday, 21 June 2023 17:59 > To: bind-users@lists.isc.org >

Why are XFRs to Secondaries equally fast?

2023-07-27 Thread Klaus Darilion via bind-users
Hello! Yesterday I made some tests transferring a zone with 50mio RRs to 35 Secondaries. I measured the time between: - Primary logs "zone test/IN: sending notifies" - Primary logs "client : transfer of 'test/IN': AXFR-style IXFR ended" What makes me wonder is that for

AW: Why are XFRs to Secondaries equally fast?

2023-07-27 Thread Klaus Darilion via bind-users
Hi Petr! > > For example, there are 8 secondaries (Mumbai, LosAngeles, Melbourne, > > Atlante, SaoPaulo...) to which the XFR took 2361 seconds. > > > > Are there some mechanisms in Bind that put multiple XFRs together into > a > > common stream? Or do you have any other ideas how it come that seve

AW: migration from auto-dnssec to dnssec-policy deletes keys immediately

2024-01-08 Thread Klaus Darilion via bind-users
Hi all! I also know a colleague who was hit by the same issue, causing problems to their zone. Migrating from auto-dnssec to dnssec-policy can lead to operational issues. For example that problem with different algos should be mentioned in https://kb.isc.org/docs/dnssec-key-and-signing-p

AW: Problem upgrading to 9.18 - important feature being removed

2024-02-27 Thread Klaus Darilion via bind-users
> -Original Message- > From: bind-users On Behalf Of Carsten ... > It would be nice to have a "dry-run" mode in BIND 9, where BIND 9 would > report steps it would do because of "dnssec-policy", but will not execute the > changes. If this Bind9 is only a hidden primary, disable all

AW: Crafting a NOTIFY message from the command line?

2024-03-21 Thread Klaus Darilion via bind-users
> -Original Message- > From: bind-users On Behalf Of Arsen > STASIC > Sent: Thursday, 21 March 2024 08:47 > To: Petr Špaček > Cc: bind-users@lists.isc.org > Subject: Re: Crafting a NOTIFY message from the command line? > > * Petr Špaček [2024-03-20 09:32 (+0100)]: > > On 1

AW: [OFF-TOPIC] Question about ClouDNS (and others') ALIAS records

2024-03-26 Thread Klaus Darilion via bind-users
> -Original Message- > From: bind-users On Behalf Of Jan > Schaumann via bind-users > Sent: Tuesday, 26 March 2024 14:44 > To: bind-users@lists.isc.org > Subject: Re: [OFF-TOPIC] Question about ClouDNS (and others') ALIAS records > > Karl Auer wrote: > > I'm puzzled by the C

Sporadic Timeouts after upgrading to bind9.20

2024-09-04 Thread Klaus Darilion via bind-users
Hello! On our production name servers we have check every 30s if bind is alive by sending a SOA query to bind. Today I upgraded a few nodes from 9.18.x (x between 17 and 27) to 9.20.1 (Ubuntu 24.04 with packages from ISC ppa). Since that, we have sporadic timeouts (3s). On the nodes with more q

RE: Sporadic Timeouts after upgrading to bind9.20

2024-09-04 Thread Klaus Darilion via bind-users
4. 9. 2024, at 19:06, Klaus Darilion via bind-users <bind-users@lists.isc.org> wrote: Hello! On our production name servers we have check every 30s if bind is alive by sending a SOA query to bind. Today I upgraded a few nodes from 9.18.x (x between 17 and 27) to 9.20.1 (Ubuntu

RE: Sporadic Timeouts after upgrading to bind9.20

2024-09-06 Thread Klaus Darilion via bind-users
snapshotting the call stack with eu-stack and save the one when the timeout happens. Ondrej -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. On 4. 9. 2024, at 19:06, Klaus Darilion via

RE: Sporadic Timeouts after upgrading to bind9.20

2024-09-06 Thread Klaus Darilion via bind-users
It just happened again. I have not yet installed the debug symbols. I query the SOA every second with 1 second timeout. Here are the traces. It happened a few times in a row. Below are the traces. I noticed the timeout happened during Bind9 starting an inbound IXFR: Sep 06 07:20:55 named[1605200]

RE: Sporadic Timeouts after upgrading to bind9.20

2024-09-06 Thread Klaus Darilion via bind-users
As there just was another IXFR, for the records, here is another trace with debug symbols installed. Thanks Klaus PID 1605200 - process TID 1605200: #0 0x7b8ceb529ee0 epoll_pwait - /usr/lib/x86_64-linux-gnu/libc.so.6 #1 0x7b8cec52c9fa - 1 - /usr/lib/x86_64-linux-gnu/libuv.so.1.0.0 #

RE: Sporadic Timeouts after upgrading to bind9.20

2024-09-06 Thread Klaus Darilion via bind-users
From: Ondřej Surý Sent: Friday, September 6, 2024 4:10 PM To: Klaus Darilion Cc: Klaus Darilion via bind-users Subject: Re: Sporadic Timeouts after upgrading to bind9.20 Hmm, what is the churn in the zones? How often there’s IXFR and how large those changes are? Every 30 minutes. See logs

RE: Sporadic Timeouts after upgrading to bind9.20

2024-09-06 Thread Klaus Darilion via bind-users
From: Ondřej Surý Sent: Friday, September 6, 2024 4:08 PM To: Klaus Darilion Cc: Petr Špaček ; bind-users@lists.isc.org; Klaus Darilion via bind-users Subject: Re: Sporadic Timeouts after upgrading to bind9.20 Are you running with options { reuseport no; }; ? You might want to try that

RE: Sporadic Timeouts after upgrading to bind9.20

2024-09-06 Thread Klaus Darilion via bind-users
Correcting myself: even with { reuseport no; }; and UV_THREADPOOL_SIZE=12 still timeouts happen, but the situation improved a lot. Regards Klaus From: bind-users On Behalf Of Klaus Darilion via bind-users Sent: Saturday, September 7, 2024 12:21 AM To: Ondřej Surý Cc: Klaus Darilion via bind

RE: Sporadic Timeouts after upgrading to bind9.20

2024-09-09 Thread Klaus Darilion via bind-users
Klaus Darilion via bind-users Sent: Saturday, September 7, 2024 12:21 AM To: Ondřej Surý <ond...@isc.org> Cc: Klaus Darilion via bind-users <bind-users@lists.isc.org> Subject: RE: Sporadic Timeouts after upgrading to bind9.20 From: Ondřej Surý <ond...@isc.org> S

AW: New BIND releases are available: 9.11.32, 9.16.16, and 9.17.13

2021-05-20 Thread Klaus Darilion via bind-users
Nevertheless I think there is a bug. IIR the previous default was 100% (switch to AXFR if IXFR would be greater than AXFR) and we also saw plenty of AXFR although the IXFR difference was very small and far away from 100% regards Klaus > -Original Message- > Von: bind-users Im Auf

failed trust-anchor-telemetry queries

2021-07-27 Thread Klaus Darilion via bind-users
Hello! Bind version: 9.16.19-1+ubuntu18.04.1+isc+1 Recently I discovered these logs: 09:13:12 named[3234]: _default: sending trust-anchor-telemetry query '_ta-/NULL' 09:13:12 named[3234]: validating ./NSEC: no valid signature found 09:13:12 named[3234]: validating ./SOA: no valid signatu

AW: Does BIND supports ANAME RR

2021-08-09 Thread Klaus Darilion via bind-users
> -Original Message- > From: bind-users On Behalf Of Evan > Hunt > Sent: Saturday, 7 August 2021 20:21 > To: Gaurav Kansal > Cc: bind-users@lists.isc.org > Subject: Re: Does BIND supports ANAME RR > > On Sat, Aug 07, 2021 at 11:05:51PM +0530, Gaurav Kansal wrote: > > I need t

AW: Does BIND supports ANAME RR

2021-08-09 Thread Klaus Darilion via bind-users
> On 09.08.21 13:55, Klaus Darilion via bind-users wrote: > >But honestly SVCB will not solve the ANAME problem. It will take years > > until all resolvers/client would support SVCB whereas ANAME would be > > implemented in the authoritative name server > > resolving on

AW: Does BIND supports ANAME RR

2021-08-09 Thread Klaus Darilion via bind-users
red to be able to return these records. It > just makes it easier. > > Just about all the other DNS vendors also have code that can read and > display presentation format. > > ANAME is dead. > -- > Mark Andrews > > > On 9 Aug 2021, at 21:53, Klaus Darilion via bin

AW: Does BIND supports ANAME RR

2021-08-09 Thread Klaus Darilion via bind-users
gated to reply outside your normal working hours. > > > On 9. 8. 2021, at 17:23, Klaus Darilion via bind-users us...@lists.isc.org> wrote: > > > > Does every application that uses gethostbyname have a benefit of > HTTPS/SVCB? That is what I meant. > > re

AW: Deprecating auto-dnssec and inline-signing in 9.18+

2021-08-10 Thread Klaus Darilion via bind-users
Hi Matthijs! > We would like to encourage you to change your configurations to > 'dnssec-policy'. See this KB article for migration help: > > https://kb.isc.org/docs/dnssec-key-and-signing-policy Some comments to this KB article and dnssec-policy: - The article should mention how to retrie

AW: AW: Deprecating auto-dnssec and inline-signing in 9.18+

2021-08-10 Thread Klaus Darilion via bind-users
> On 10-08-2021 13:38, Klaus Darilion wrote: > > Hi Matthijs! > > > >> We would like to encourage you to change your configurations to > >> 'dnssec-policy'. See this KB article for migration help: > >> > >> https://kb.isc.org/docs/dnssec-key-and-signing-policy > > > > Some comments to this KB artic

AW: Bind 9, dnssec, and .key .private files physical deletion after the key id becomes deleted from zone (the key becomes outdated)

2022-01-24 Thread Klaus Darilion via bind-users
IIRC, Bind needs the key as long as there are signatures in the zone generated by this key. After key deactivation I waited the RRSIG lifetime before deleting them. regards Klaus From: bind-users On Behalf Of egoitz--- via bind-users Sent: Monday, 24 January 2022 13:00 To: bind-users@lis

AW: all resource record types and examples

2022-04-13 Thread Klaus Darilion via bind-users
As I have such a zone I will paste it here. But for sure it is not complete as it was created some time ago. regards Klaus $ cat types.test $TTL 60 ; 1 minute @ IN SOA sec1.rcode0.net. rcodezero.ipcom.at. ( 36 ; serial

AW: Why did my DNS bill go up?

2022-04-14 Thread Klaus Darilion via bind-users
Hi Andrew! DNSSEC is more costly: more Resource Records to hold on disk, to hold in memory and more queries and more IP traffic. If the DNSSEC signing is also done by the DNS provider there would be additional resources for the signing service and risks when doing something wrong. For a sing

AW: High memory consumption in bind 9.18.2

2022-05-17 Thread Klaus Darilion via bind-users
I remember we had similar issues with 9.18 (isc ppa packages) and hence went back to 9.16. But I can not remember the details. regards Klaus > -Original Message- > From: bind-users On Behalf Of Ondrej > Surý > Sent: Wednesday, 18 May 2022 08:37 > To: Raman kumar > Cc: bind

AW: AW: High memory consumption in bind 9.18.2

2022-05-18 Thread Klaus Darilion via bind-users
> differences are not small, for some configurations it can be even 2x or > 3x more on 9.16 than it is on 9.18. > > If you encounter it again please get back to us so we can diagnose it. > > Thank you! > Petr Špaček > > > On 18. 05. 22 8:56, Klaus Darilion via bind-u

AW: High memory consumption in bind 9.18.2

2022-05-19 Thread Klaus Darilion via bind-users
ent of the JSON stats endpoint (if you are on Linux). > > I hope it helps. > Petr Špaček > > > > > > > Ondrej > > -- > > Ondřej Surý — ISC (He/Him) > > > > My working hours and your working hours may be different. Please do not > feel ob

AW: BIND 9.18.6 disables RSASHA1 at runtime?

2022-09-13 Thread Klaus Darilion via bind-users
> Can you propose log line? > > Should it be one line per algorithm? Or one line with all disabled? Or > one one with all enabled? What log level? Log category? Is it okay it > will be almost always logging GOST? ... I am not using Red Hat, but when debugging DNSSEC issues it would be helpful to

Is there an rndc command to get the list of configured zones?

2022-09-20 Thread Klaus Darilion via bind-users
I checked all options of rndc to get the list of zones configured/served by bind - but I can't find any. Is it really not possible to get this list from a running Bind process? Thanks Klaus -- Klaus Darilion, Head of Operations nic.at GmbH, Jakob-Haringer-Straße 8/V 5020 Salzburg, Austria

Re: sporadic timeouts querying bind9

2018-04-23 Thread Klaus Darilion via bind-users
Hi all! Upgrading to Ubuntu 16.04 with Bind 9.10.3 did not solve the problem. I enabled debug log (trace 2) and query logging. Unless my monitoring traffic (~20 Queries every second) the server is idle. The server is a xen domU (on an idle hypervisor) with 4 vCPUs and 20G RAM. Here the logs fro

Re: Operational Notification: Extremely large zone transfers can result in corrupted journal files or server process termination

2018-07-16 Thread Klaus Darilion via bind-users
On 14.07.2018 at 00:38, Matthew Pounsett wrote: > On 13 July 2018 at 06:04, Michał Kępień wrote: > >> Hopefully this will shed some light on the matter: >> >> https://gitlab.isc.org/isc-projects/bind9/issues/339#note_12805 >> >> That is helpful, thanks. That comment says the issue require

AW: AW: Specifying NSEC3 salt with dnssec-policy

2024-10-01 Thread Klaus Darilion via bind-users
> > I always had the impression that dnssec-signzone is a stand-alone > > utility and signing is done either with dnssec-signzone or with > > Bind's dnssec-policy. Does it really work to use dnssec-signzone on a > > zone and journal that is managed by named? > > No, it doesn't work like that. You

Specifying NSEC3 salt with dnssec-policy

2024-09-30 Thread Klaus Darilion via bind-users
Hello! With "auto-dnssec maintain;" I was used to specify the NSEC3 salt with 'rndc signing -nsec3param'. Today I used the "dnssec-policy" and I failed to specify the salt manually. Are there any tricks/workarounds to manually specify the NSEC3 salt? I know that actually the salt should be "-"

AW: AW: AW: Specifying NSEC3 salt with dnssec-policy

2024-10-01 Thread Klaus Darilion via bind-users
Hi Petr! > It can be said that the interface pushes people to follow RFC 9276, i.e. > no salt and no extra iterations. > > It is a pointless exercise which only makes servers easier to DoS for > no benefit. I understand your decision to push people towards RFC 9276. > Why do you need extra sal

AW: Specifying NSEC3 salt with dnssec-policy

2024-10-01 Thread Klaus Darilion via bind-users
salt with dnssec-policy > > Hi Klaus, > > With dnssec-policy you can specify the salt length, not a specific salt. > > You can still use dnssec-signzone -3 to manually set a salt. > > Best regards, > > Matthijs > > On 9/30/24 22:38, Klaus Darilion via bind

RE: Bind is not using the first master for freshness checks

2024-11-25 Thread Klaus Darilion via bind-users
noted > and a > new > refresh cycle is started when the current refresh cycle / transfer completes. > > Note named is NOT logging every refresh attempt. It is logging refresh > attempt FAILURES > so you know what to fix. > > Mark > > > On 21 Nov 2024, at 00:27, K

Inconsistent Logging of zone name

2024-11-25 Thread Klaus Darilion via bind-users
Hi! Sometimes it is hard to grep the logs for a certain zone, as sometimes the zone name is within single quotation marks, sometimes not. For example: zone at/IN: Transfer started. transfer of 'at/IN' from ... zone at/IN: transferred ... transfer of 'at/IN' from ... transfer of 'at/IN' from ... z

Bind is not using the first master for freshness checks

2024-11-20 Thread Klaus Darilion via bind-users
Hello! Version: 9.18.30-1+ubuntu24.04.1+deb.sury.org+1 masters { AA.BB.4.13 key rcodezero; 2xxx:xxx:9c:2031::4 key rcodezero; AA.BB.6.13 key rcodezero; 2xxx:xxx:40:2031::4 key rcodezero; }; For some reason, t

RE: Sporadic Timeouts after upgrading to bind9.20

2024-12-05 Thread Klaus Darilion via bind-users
Hi Ondřej! I can test also the development branch. I prefer deb packages (do you have nightly builds?), but I can fallback to make&&make install Regards Klaus From: Ondřej Surý Sent: Thursday, December 5, 2024 8:36 PM To: Klaus Darilion Cc: Klaus Darilion via bind-users Sub

blocking rndc retrieve

2024-12-10 Thread Klaus Darilion via bind-users
Hello! Sometimes (serial quirks) it is necessary to force an AXFR. The "rndc retrieve" only queues the request, so I have to "tail -f" the log file to see if the AXFR was performed, which requires manual inspection. I would like to have a possibility, to trigger the AXFR, and wait until the AX

RE: Sporadic Timeouts after upgrading to bind9.20

2024-12-10 Thread Klaus Darilion via bind-users
o you need fix on top of 9.20? Ondrej -- Ondřej Surý (He/Him) ond...@isc.org My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. On 9. 9. 2024, at 10:39, Klaus Darilion via bind-users