Dear Partner ! I think this problem of me, need have version new of Bind. I think resolver of Bind.9.9.5 have problem when response for customer. If recusive client of My DNS increase to 4000 then resolver response servfail.
Thanks./. ============%%- Nguyễn Xuân Hùng 0084-966581518 P.ISP– TT CNTT – VTNet. -----Original Message----- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of bind-users-requ...@lists.isc.org Sent: Friday, August 01, 2014 2:51 AM To: bind-users@lists.isc.org Subject: bind-users Digest, Vol 1902, Issue 2 Send bind-users mailing list submissions to bind-users@lists.isc.org To subscribe or unsubscribe via the World Wide Web, visit https://lists.isc.org/mailman/listinfo/bind-users or, via email, send a message with subject or body 'help' to bind-users-requ...@lists.isc.org You can reach the person managing the list at bind-users-ow...@lists.isc.org When replying, please edit your Subject line so it is more specific than "Re: Contents of bind-users digest..." Today's Topics: 1. rndc (was: Re: Reload BIND ...) (/dev/rob0) 2. Re: rndc (Reindl Harald) 3. Re: rndc (Kevin Darcy) 4. Re: rndc (/dev/rob0) 5. Re: rndc (Reindl Harald) 6. Re: rndc (and now nsupdate too) (/dev/rob0) 7. Re: rndc (and now nsupdate too) (Reindl Harald) 8. Re: rndc (and now nsupdate too) (Kevin Darcy) ---------------------------------------------------------------------- Message: 1 Date: Thu, 31 Jul 2014 10:41:30 -0500 From: /dev/rob0 <r...@gmx.co.uk> To: bind-users@lists.isc.org Subject: rndc (was: Re: Reload BIND ...) Message-ID: <20140731154130.gg23...@harrier.slackbuilds.org> Content-Type: text/plain; charset=us-ascii On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote: > i am doing reloads of named with "killall -HUP named" just because i > disabled rndc completly for security reasons and configurations are > generated with own software only needs named to reload Hmm, rndc is securable. You don't have to open it to the Internet; typically you'd just bind it on 127.0.0.1. Then your rndc key will further secure it against system users. Your OS can probably give extra protective layers by firewalling it, such as this Linux example: iptables -vA OUTPUT -p tcp --dport 953 -m owner \ \! --gid-owner wheel -j REJECT (This forces root and other wheel members to "chgrp wheel" before they can use rndc, as an extra inconvenience.) Another option is to use a UNIX domain socket, which, of course avoids the network altogether.[1] You're losing a lot of new features without rndc. This is a "throwing out the baby with the bathwater" sort of solution. Sure, this is what you are familiar with and what works for you, but to disable rndc isn't good advice for readers of this list. ISC is moving on. See Bv9ARM.ch06.html#controls_statement_definition_and_usage and rndc-confgen(8). [1] Unfortunately it is not clear to me how to access the socket with rndc. The one time I tried it, I gave up and stuck with that with which I am familiar. ISC moved on, but if the documentation did, I don't see it. :) -- http://rob0.nodns4.us/ Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: ------------------------------ Message: 2 Date: Thu, 31 Jul 2014 17:56:08 +0200 From: Reindl Harald <h.rei...@thelounge.net> To: bind-users@lists.isc.org Subject: Re: rndc Message-ID: <53da6718.30...@thelounge.net> Content-Type: text/plain; charset="windows-1252" Am 31.07.2014 um 17:41 schrieb /dev/rob0: > On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote: >> i am doing reloads of named with "killall -HUP named" just because >> i disabled rndc completly for security reasons and configurations >> are generated with own software only needs named to reload > > Hmm, rndc is securable. You don't have to open it to the Internet; > typically you'd just bind it on 127.0.0.1. Then your rndc key will > further secure it against system users. Your OS can probably give > extra protective layers by firewalling it, such as this Linux > example: > > iptables -vA OUTPUT -p tcp --dport 953 -m owner \ > \! --gid-owner wheel -j REJECT > > (This forces root and other wheel members to "chgrp wheel" before > they can use rndc, as an extra inconvenience.) > > Another option is to use a UNIX domain socket, which, of course > avoids the network altogether.[1] > > You're losing a lot of new features without rndc. This is a > "throwing out the baby with the bathwater" sort of solution. Sure, > this is what you are familiar with and what works for you, but to > disable rndc isn't good advice for readers of this list. ISC is > moving on don't get me wrong but if someone creates *any* bind configuration and zone-files with self developed software there are no features rndc could provide and so disable something you don't use is the way to go instead make is secure with other switches -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 246 bytes Desc: OpenPGP digital signature URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140731/45b1c349/attachment-0001.bin> ------------------------------ Message: 3 Date: Thu, 31 Jul 2014 12:11:40 -0400 From: Kevin Darcy <k...@chrysler.com> To: bind-users@lists.isc.org Subject: Re: rndc Message-ID: <53da6abc.4060...@chrysler.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed On 7/31/2014 11:56 AM, Reindl Harald wrote: > > Am 31.07.2014 um 17:41 schrieb /dev/rob0: >> On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote: >>> i am doing reloads of named with "killall -HUP named" just because >>> i disabled rndc completly for security reasons and configurations >>> are generated with own software only needs named to reload >> Hmm, rndc is securable. You don't have to open it to the Internet; >> typically you'd just bind it on 127.0.0.1. Then your rndc key will >> further secure it against system users. Your OS can probably give >> extra protective layers by firewalling it, such as this Linux >> example: >> >> iptables -vA OUTPUT -p tcp --dport 953 -m owner \ >> \! --gid-owner wheel -j REJECT >> >> (This forces root and other wheel members to "chgrp wheel" before >> they can use rndc, as an extra inconvenience.) >> >> Another option is to use a UNIX domain socket, which, of course >> avoids the network altogether.[1] >> >> You're losing a lot of new features without rndc. This is a >> "throwing out the baby with the bathwater" sort of solution. Sure, >> this is what you are familiar with and what works for you, but to >> disable rndc isn't good advice for readers of this list. ISC is >> moving on > don't get me wrong but if someone creates *any* bind configuration > and zone-files with self developed software there are no features > rndc could provide and so disable something you don't use is the > way to go instead make is secure with other switches This thread started with "I need a way to force named to re-scan for interfaces". Since that *is* a "feature[] that rndc could provide" it seems like enabling rndc in a secure way is a good fit for the requirement that was raised. kill -HUP is way more disruptive than necessary for a mere interface scan. It's overkill. - Kevin ------------------------------ Message: 4 Date: Thu, 31 Jul 2014 13:51:29 -0500 From: /dev/rob0 <r...@gmx.co.uk> To: bind-users@lists.isc.org Subject: Re: rndc Message-ID: <20140731185129.gh23...@harrier.slackbuilds.org> Content-Type: text/plain; charset=us-ascii On Thu, Jul 31, 2014 at 12:11:40PM -0400, Kevin Darcy wrote: > kill -HUP is way more disruptive than necessary for a mere > interface scan. It's overkill. Furthermore, on a server with lots of zones, it could cause a DoS while zones are reloading, and named is unable to answer. -- http://rob0.nodns4.us/ Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: ------------------------------ Message: 5 Date: Thu, 31 Jul 2014 20:58:50 +0200 From: Reindl Harald <h.rei...@thelounge.net> To: bind-users@lists.isc.org Subject: Re: rndc Message-ID: <53da91ea....@thelounge.net> Content-Type: text/plain; charset="windows-1252" Am 31.07.2014 um 20:51 schrieb /dev/rob0: > On Thu, Jul 31, 2014 at 12:11:40PM -0400, Kevin Darcy wrote: >> kill -HUP is way more disruptive than necessary for a mere >> interface scan. It's overkill. > > Furthermore, on a server with lots of zones, it could cause a DoS > while zones are reloading, and named is unable to answer agreed - loading of our currently 522 zones takes 1 second and the maintaining cronjobs have 5 minutes difference on slave and master i did not pretend it's a perfect solution in every environment but it is suiteable for many and so a valid opportunity -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 246 bytes Desc: OpenPGP digital signature URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140731/60bf99bf/attachment-0001.bin> ------------------------------ Message: 6 Date: Thu, 31 Jul 2014 14:08:48 -0500 From: /dev/rob0 <r...@gmx.co.uk> To: bind-users@lists.isc.org Subject: Re: rndc (and now nsupdate too) Message-ID: <20140731190848.gi23...@harrier.slackbuilds.org> Content-Type: text/plain; charset=us-ascii On Thu, Jul 31, 2014 at 05:56:08PM +0200, Reindl Harald wrote: > Am 31.07.2014 um 17:41 schrieb /dev/rob0: > > On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote: > >> i am doing reloads of named with "killall -HUP named" just > >> because i disabled rndc completly for security reasons and > >> configurations are generated with own software only needs > >> named to reload > > > > Hmm, rndc is securable. You don't have to open it to the snip > > You're losing a lot of new features without rndc. This is a > > "throwing out the baby with the bathwater" sort of solution. > > Sure, this is what you are familiar with and what works for > > you, but to disable rndc isn't good advice for readers of > > this list. ISC is moving on > > don't get me wrong but if someone creates *any* bind > configuration and zone-files with self developed software ... that someone is almost surely doing it wrong. "Zone files"? > there are no features rndc could provide and so disable > something you don't use is the way to go instead make is > secure with other switches The proper tool to manage named configuration and operation, and which in the best Unix ethic is well suited for automation, is rndc(8). The proper tool to manage zone data is nsupdate(8). Likewise well suited for automation. Unfortunately, it seems that no one with an adequate understanding of BIND has written and released a good management frontend. Too many of them are still wallowing around in zone file editing rather than nsupdate and (as it seems from this thread) sending of signals rather than rndc. -- http://rob0.nodns4.us/ Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: ------------------------------ Message: 7 Date: Thu, 31 Jul 2014 21:19:48 +0200 From: Reindl Harald <h.rei...@thelounge.net> To: bind-users@lists.isc.org Subject: Re: rndc (and now nsupdate too) Message-ID: <53da96d4.7060...@thelounge.net> Content-Type: text/plain; charset="windows-1252" Am 31.07.2014 um 21:08 schrieb /dev/rob0: > On Thu, Jul 31, 2014 at 05:56:08PM +0200, Reindl Harald wrote: >> don't get me wrong but if someone creates *any* bind >> configuration and zone-files with self developed software > > ... that someone is almost surely doing it wrong. "Zone files"? > >> there are no features rndc could provide and so disable >> something you don't use is the way to go instead make is >> secure with other switches > > The proper tool to manage named configuration and operation, and > which in the best Unix ethic is well suited for automation, is > rndc(8). > > The proper tool to manage zone data is nsupdate(8). Likewise well > suited for automation. > > Unfortunately, it seems that no one with an adequate understanding of > BIND has written and released a good management frontend. Too many > of them are still wallowing around in zone file editing rather than > nsupdate and (as it seems from this thread) sending of signals rather > than rndc zone file *editing*? sorry, no, i developed 2008 a interface to create all zone files based on database records, write the complete zone content in a main table with a textfiled and a second textfiled where translation for NAT/WAN zones happens and so there is and never was a reason to *edit* a zone file it is created from scratch when changes in a zone happen and cronjobs only pull zones with the "updated-field" set to 1 that infrastructure provides a stable API for mailserver and other backends and at the end the realted zone is created from scratch only the fact having a 1:1 NAT and only edit records once to feed internal and external nameservers with one action and the fact you can change global properties like TTL if not overriden per domain and change A-records in any zone base on our own domain working like a CNAME but still be an A record justifies that 6 years for some hundret domains as auth nameserver proves me right -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 246 bytes Desc: OpenPGP digital signature URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140731/3a22c622/attachment-0001.bin> ------------------------------ Message: 8 Date: Thu, 31 Jul 2014 15:50:49 -0400 From: Kevin Darcy <k...@chrysler.com> To: bind-users@lists.isc.org Subject: Re: rndc (and now nsupdate too) Message-ID: <53da9e19.3070...@chrysler.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed On 7/31/2014 3:08 PM, /dev/rob0 wrote: > On Thu, Jul 31, 2014 at 05:56:08PM +0200, Reindl Harald wrote: >> Am 31.07.2014 um 17:41 schrieb /dev/rob0: >>> On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote: >>>> i am doing reloads of named with "killall -HUP named" just >>>> because i disabled rndc completly for security reasons and >>>> configurations are generated with own software only needs >>>> named to reload >>> Hmm, rndc is securable. You don't have to open it to the > snip >>> You're losing a lot of new features without rndc. This is a >>> "throwing out the baby with the bathwater" sort of solution. >>> Sure, this is what you are familiar with and what works for >>> you, but to disable rndc isn't good advice for readers of >>> this list. ISC is moving on >> don't get me wrong but if someone creates *any* bind >> configuration and zone-files with self developed software > ... that someone is almost surely doing it wrong. "Zone files"? > >> there are no features rndc could provide and so disable >> something you don't use is the way to go instead make is >> secure with other switches > The proper tool to manage named configuration and operation, and > which in the best Unix ethic is well suited for automation, is > rndc(8). > > The proper tool to manage zone data is nsupdate(8). Likewise well > suited for automation. > > Unfortunately, it seems that no one with an adequate understanding of > BIND has written and released a good management frontend. Too many > of them are still wallowing around in zone file editing rather than > nsupdate and (as it seems from this thread) sending of signals rather > than rndc. Written? Yes. Released? Unfortunately not. It's intellectual property of my employer. Even with the nice GUI frontend of Infoblox, we still use our homegrown, crudely-formatted web frontend for the vast majority of changes (Infoblox being the backend of that frontend), since a) our existing users are accustomed to it, b) it's simple enough that even novices can get up to speed on it quickly, without the possibility of causing major disruption, c) the lack of significant eye-candy means it still runs well even in slow and/or high-latency locations, d) it has a more robust ACL system that I haven't seen rivaled in any commercial product, and e) other stuff I've added over the years, like automatic external-to-internal sync'ing, and so forth - Kevin ------------------------------ _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users End of bind-users Digest, Vol 1902, Issue 2 ******************************************* _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
