Re: CARP+Pfsync+Bind

2005-10-07 Thread Lars Hansson
On Thu, 6 Oct 2005 22:15:25 +0100 ed [EMAIL PROTECTED] wrote: Works fine on the 2 domains where it's been implemented, of which I handled the conversion from BIND style to djbdns. No problems on UDP lookups alone, including some deep CNAMEs, which are just not required, but I'll deal

Re: CARP+Pfsync+Bind

2005-10-07 Thread Vladimir Potapov
Quoting ed [EMAIL PROTECTED]: Zone transfers are on tcp/53, DNS lookups are 53/udp, so: pass in on $ext_if proto udp from any to $DNS port 53 keep state and if required: pass in on $ext_if proto tcp from $ext_net to $DNS port 53 keep state I use TinyDNS here, so we don't really need to

Re: CARP+Pfsync+Bind

2005-10-07 Thread ed
On Thu, 6 Oct 2005 19:52:31 -0400 Dave Anderson [EMAIL PROTECTED] wrote: Responses long enough so that required information is truncated should be rare, so perhaps you've been lucky and not encountered any yet. I understand fully what you are saying, but I just don't want to serve DNS via TCP.

Re: CARP+Pfsync+Bind

2005-10-07 Thread Léo Goehrs
Then, you can forget about DNSSEC for example ... Léo -Original message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of ed Sent: Friday 7 October 2005 19:25 Cc: misc@openbsd.org Subject: Re: CARP+Pfsync+Bind On Thu, 6 Oct 2005 19:52:31 -0400 Dave Anderson [EMAIL

Re: CARP+Pfsync+Bind

2005-10-06 Thread ed
On Thu, 6 Oct 2005 16:55:05 +0400 Vladimir Potapov [EMAIL PROTECTED] wrote: We have 1 server on which running firewall and DNS master service. And we planned to install another server for load balancing and redundancy. 2 servers (each running PF and BIND) will balance load (or one will

Re: CARP+Pfsync+Bind

2005-10-06 Thread Dave Anderson
** Reply to message from ed [EMAIL PROTECTED] on Thu, 6 Oct 2005 14:04:20 +0100 Zone transfers are on tcp/53, DNS lookups are 53/udp, so: That's not quite the whole story: 53/tcp is also used when the response to a query is too big for a single UDP packet (the resolver sends a UDP query and gets

Re: CARP+Pfsync+Bind

2005-10-06 Thread eric
On Thu, 2005-10-06 at 14:04:20 +0100, ed proclaimed... I use TinyDNS here, so we don't really need to transfer zones as it's handled with a single data file. CARP can be good with DNS. 53/tcp *is* required to answer normal queries. Since you're drinking djb's koolaid, see

Re: CARP+Pfsync+Bind

2005-10-06 Thread ed
On Thu, 6 Oct 2005 15:49:02 -0400 Dave Anderson [EMAIL PROTECTED] wrote: That's not quite the whole story: 53/tcp is also used when the response to a query is too big for a single UDP packet (the resolver sends a UDP query and gets a 'truncated' UDP reply, so the resolver retries the query

Re: CARP+Pfsync+Bind

2005-10-06 Thread Dave Anderson
** Reply to message from ed [EMAIL PROTECTED] on Thu, 6 Oct 2005 22:15:25 +0100 On Thu, 6 Oct 2005 15:49:02 -0400 Dave Anderson [EMAIL PROTECTED] wrote: That's not quite the whole story: 53/tcp is also used when the response to a query is too big for a single UDP packet (the resolver sends a

Re: CARP+Pfsync+Bind

2005-10-06 Thread ed
On Thu, 6 Oct 2005 15:07:23 -0500 eric [EMAIL PROTECTED] wrote: On Thu, 2005-10-06 at 14:04:20 +0100, ed proclaimed... I use TinyDNS here, so we don't really need to transfer zones as it's handled with a single data file. CARP can be good with DNS. 53/tcp *is* required to answer normal

Re: CARP+Pfsync+Bind

2005-10-06 Thread eric
On Thu, 2005-10-06 at 22:15:52 +0100, ed proclaimed... TCP for DNS lookups is probably going to incur latency. I'd rather just block that off and ensure that the DNS being provided does not leak in excess of 512 bytes. This might cause some problems with huge round robin lists, but we can all