Hi, when it happen, what log of bind did you see?
-----Original Message-----
From: "Xuan Hung" <hungn...@viettel.com.vn>
Sent: 8/1/2014 9:57 AM
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: RE: bind-users Digest, Vol 1902, Issue 2
Dear Partner !
I think this problem of me, need have version new of Bind.
I think resolver of Bind.9.9.5 have problem when response for customer.
If recusive client of My DNS increase to 4000 then resolver response servfail.
Thanks./.
============%%-
Nguyễn Xuân Hùng
0084-966581518
P.ISP– TT CNTT – VTNet.
-----Original Message-----
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of
bind-users-requ...@lists.isc.org
Sent: Friday, August 01, 2014 2:51 AM
To: bind-users@lists.isc.org
Subject: bind-users Digest, Vol 1902, Issue 2
Send bind-users mailing list submissions to
bind-users@lists.isc.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/bind-users
or, via email, send a message with subject or body 'help' to
bind-users-requ...@lists.isc.org
You can reach the person managing the list at
bind-users-ow...@lists.isc.org
When replying, please edit your Subject line so it is more specific than "Re:
Contents of bind-users digest..."
Today's Topics:
1. rndc (was: Re: Reload BIND ...) (/dev/rob0)
2. Re: rndc (Reindl Harald)
3. Re: rndc (Kevin Darcy)
4. Re: rndc (/dev/rob0)
5. Re: rndc (Reindl Harald)
6. Re: rndc (and now nsupdate too) (/dev/rob0)
7. Re: rndc (and now nsupdate too) (Reindl Harald)
8. Re: rndc (and now nsupdate too) (Kevin Darcy)
----------------------------------------------------------------------
Message: 1
Date: Thu, 31 Jul 2014 10:41:30 -0500
From: /dev/rob0 <r...@gmx.co.uk>
To: bind-users@lists.isc.org
Subject: rndc (was: Re: Reload BIND ...)
Message-ID: <20140731154130.gg23...@harrier.slackbuilds.org>
Content-Type: text/plain; charset=us-ascii
On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
> i am doing reloads of named with "killall -HUP named" just because i
> disabled rndc completly for security reasons and configurations are
> generated with own software only needs named to reload
Hmm, rndc is securable. You don't have to open it to the Internet; typically
you'd just bind it on 127.0.0.1. Then your rndc key will further secure it
against system users. Your OS can probably give extra protective layers by
firewalling it, such as this Linux
example:
iptables -vA OUTPUT -p tcp --dport 953 -m owner \
\! --gid-owner wheel -j REJECT
(This forces root and other wheel members to "chgrp wheel" before they can use
rndc, as an extra inconvenience.)
Another option is to use a UNIX domain socket, which, of course avoids the
network altogether.[1]
You're losing a lot of new features without rndc. This is a "throwing out the
baby with the bathwater" sort of solution. Sure, this is what you are familiar
with and what works for you, but to disable rndc isn't good advice for readers
of this list. ISC is moving on.
See Bv9ARM.ch06.html#controls_statement_definition_and_usage and
rndc-confgen(8).
[1] Unfortunately it is not clear to me how to access the socket
with rndc. The one time I tried it, I gave up and stuck with
that with which I am familiar. ISC moved on, but if the
documentation did, I don't see it. :)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
------------------------------
Message: 2
Date: Thu, 31 Jul 2014 17:56:08 +0200
From: Reindl Harald <h.rei...@thelounge.net>
To: bind-users@lists.isc.org
Subject: Re: rndc
Message-ID: <53da6718.30...@thelounge.net>
Content-Type: text/plain; charset="windows-1252"
Am 31.07.2014 um 17:41 schrieb /dev/rob0:
> On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
>> i am doing reloads of named with "killall -HUP named" just because
>> i disabled rndc completly for security reasons and configurations
>> are generated with own software only needs named to reload
>
> Hmm, rndc is securable. You don't have to open it to the Internet;
> typically you'd just bind it on 127.0.0.1. Then your rndc key will
> further secure it against system users. Your OS can probably give
> extra protective layers by firewalling it, such as this Linux
> example:
>
> iptables -vA OUTPUT -p tcp --dport 953 -m owner \
> \! --gid-owner wheel -j REJECT
>
> (This forces root and other wheel members to "chgrp wheel" before
> they can use rndc, as an extra inconvenience.)
>
> Another option is to use a UNIX domain socket, which, of course
> avoids the network altogether.[1]
>
> You're losing a lot of new features without rndc. This is a
> "throwing out the baby with the bathwater" sort of solution. Sure,
> this is what you are familiar with and what works for you, but to
> disable rndc isn't good advice for readers of this list. ISC is
> moving on
don't get me wrong but if someone creates *any* bind configuration
and zone-files with self developed software there are no features
rndc could provide and so disable something you don't use is the
way to go instead make is secure with other switches
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL:
<https://lists.isc.org/pipermail/bind-users/attachments/20140731/45b1c349/attachment-0001.bin>
------------------------------
Message: 3
Date: Thu, 31 Jul 2014 12:11:40 -0400
From: Kevin Darcy <k...@chrysler.com>
To: bind-users@lists.isc.org
Subject: Re: rndc
Message-ID: <53da6abc.4060...@chrysler.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 7/31/2014 11:56 AM, Reindl Harald wrote:
>
> Am 31.07.2014 um 17:41 schrieb /dev/rob0:
>> On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
>>> i am doing reloads of named with "killall -HUP named" just because
>>> i disabled rndc completly for security reasons and configurations
>>> are generated with own software only needs named to reload
>> Hmm, rndc is securable. You don't have to open it to the Internet;
>> typically you'd just bind it on 127.0.0.1. Then your rndc key will
>> further secure it against system users. Your OS can probably give
>> extra protective layers by firewalling it, such as this Linux
>> example:
>>
>> iptables -vA OUTPUT -p tcp --dport 953 -m owner \
>> \! --gid-owner wheel -j REJECT
>>
>> (This forces root and other wheel members to "chgrp wheel" before
>> they can use rndc, as an extra inconvenience.)
>>
>> Another option is to use a UNIX domain socket, which, of course
>> avoids the network altogether.[1]
>>
>> You're losing a lot of new features without rndc. This is a
>> "throwing out the baby with the bathwater" sort of solution. Sure,
>> this is what you are familiar with and what works for you, but to
>> disable rndc isn't good advice for readers of this list. ISC is
>> moving on
> don't get me wrong but if someone creates *any* bind configuration
> and zone-files with self developed software there are no features
> rndc could provide and so disable something you don't use is the
> way to go instead make is secure with other switches
This thread started with "I need a way to force named to re-scan for
interfaces". Since that *is* a "feature[] that rndc could provide" it
seems like enabling rndc in a secure way is a good fit for the
requirement that was raised.
kill -HUP is way more disruptive than necessary for a mere interface
scan. It's overkill.
- Kevin
------------------------------
Message: 4
Date: Thu, 31 Jul 2014 13:51:29 -0500
From: /dev/rob0 <r...@gmx.co.uk>
To: bind-users@lists.isc.org
Subject: Re: rndc
Message-ID: <20140731185129.gh23...@harrier.slackbuilds.org>
Content-Type: text/plain; charset=us-ascii
On Thu, Jul 31, 2014 at 12:11:40PM -0400, Kevin Darcy wrote:
> kill -HUP is way more disruptive than necessary for a mere
> interface scan. It's overkill.
Furthermore, on a server with lots of zones, it could cause a DoS
while zones are reloading, and named is unable to answer.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
------------------------------
Message: 5
Date: Thu, 31 Jul 2014 20:58:50 +0200
From: Reindl Harald <h.rei...@thelounge.net>
To: bind-users@lists.isc.org
Subject: Re: rndc
Message-ID: <53da91ea....@thelounge.net>
Content-Type: text/plain; charset="windows-1252"
Am 31.07.2014 um 20:51 schrieb /dev/rob0:
> On Thu, Jul 31, 2014 at 12:11:40PM -0400, Kevin Darcy wrote:
>> kill -HUP is way more disruptive than necessary for a mere
>> interface scan. It's overkill.
>
> Furthermore, on a server with lots of zones, it could cause a DoS
> while zones are reloading, and named is unable to answer
agreed - loading of our currently 522 zones takes 1 second
and the maintaining cronjobs have 5 minutes difference on
slave and master
i did not pretend it's a perfect solution in every environment
but it is suiteable for many and so a valid opportunity
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL:
<https://lists.isc.org/pipermail/bind-users/attachments/20140731/60bf99bf/attachment-0001.bin>
------------------------------
Message: 6
Date: Thu, 31 Jul 2014 14:08:48 -0500
From: /dev/rob0 <r...@gmx.co.uk>
To: bind-users@lists.isc.org
Subject: Re: rndc (and now nsupdate too)
Message-ID: <20140731190848.gi23...@harrier.slackbuilds.org>
Content-Type: text/plain; charset=us-ascii
On Thu, Jul 31, 2014 at 05:56:08PM +0200, Reindl Harald wrote:
> Am 31.07.2014 um 17:41 schrieb /dev/rob0:
> > On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
> >> i am doing reloads of named with "killall -HUP named" just
> >> because i disabled rndc completly for security reasons and
> >> configurations are generated with own software only needs
> >> named to reload
> >
> > Hmm, rndc is securable. You don't have to open it to the
snip
> > You're losing a lot of new features without rndc. This is a
> > "throwing out the baby with the bathwater" sort of solution.
> > Sure, this is what you are familiar with and what works for
> > you, but to disable rndc isn't good advice for readers of
> > this list. ISC is moving on
>
> don't get me wrong but if someone creates *any* bind
> configuration and zone-files with self developed software
... that someone is almost surely doing it wrong. "Zone files"?
> there are no features rndc could provide and so disable
> something you don't use is the way to go instead make is
> secure with other switches
The proper tool to manage named configuration and operation, and
which in the best Unix ethic is well suited for automation, is
rndc(8).
The proper tool to manage zone data is nsupdate(8). Likewise well
suited for automation.
Unfortunately, it seems that no one with an adequate understanding of
BIND has written and released a good management frontend. Too many
of them are still wallowing around in zone file editing rather than
nsupdate and (as it seems from this thread) sending of signals rather
than rndc.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
------------------------------
Message: 7
Date: Thu, 31 Jul 2014 21:19:48 +0200
From: Reindl Harald <h.rei...@thelounge.net>
To: bind-users@lists.isc.org
Subject: Re: rndc (and now nsupdate too)
Message-ID: <53da96d4.7060...@thelounge.net>
Content-Type: text/plain; charset="windows-1252"
Am 31.07.2014 um 21:08 schrieb /dev/rob0:
> On Thu, Jul 31, 2014 at 05:56:08PM +0200, Reindl Harald wrote:
>> don't get me wrong but if someone creates *any* bind
>> configuration and zone-files with self developed software
>
> ... that someone is almost surely doing it wrong. "Zone files"?
>
>> there are no features rndc could provide and so disable
>> something you don't use is the way to go instead make is
>> secure with other switches
>
> The proper tool to manage named configuration and operation, and
> which in the best Unix ethic is well suited for automation, is
> rndc(8).
>
> The proper tool to manage zone data is nsupdate(8). Likewise well
> suited for automation.
>
> Unfortunately, it seems that no one with an adequate understanding of
> BIND has written and released a good management frontend. Too many
> of them are still wallowing around in zone file editing rather than
> nsupdate and (as it seems from this thread) sending of signals rather
> than rndc
zone file *editing*?
sorry, no, i developed 2008 a interface to create all zone files based
on database records, write the complete zone content in a main table
with a textfiled and a second textfiled where translation for NAT/WAN
zones happens and so there is and never was a reason to *edit* a
zone file
it is created from scratch when changes in a zone happen and cronjobs
only pull zones with the "updated-field" set to 1
that infrastructure provides a stable API for mailserver and other
backends and at the end the realted zone is created from scratch
only the fact having a 1:1 NAT and only edit records once to feed
internal and external nameservers with one action and the fact you
can change global properties like TTL if not overriden per domain
and change A-records in any zone base on our own domain working
like a CNAME but still be an A record justifies that
6 years for some hundret domains as auth nameserver proves me right
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL:
<https://lists.isc.org/pipermail/bind-users/attachments/20140731/3a22c622/attachment-0001.bin>
------------------------------
Message: 8
Date: Thu, 31 Jul 2014 15:50:49 -0400
From: Kevin Darcy <k...@chrysler.com>
To: bind-users@lists.isc.org
Subject: Re: rndc (and now nsupdate too)
Message-ID: <53da9e19.3070...@chrysler.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 7/31/2014 3:08 PM, /dev/rob0 wrote:
> On Thu, Jul 31, 2014 at 05:56:08PM +0200, Reindl Harald wrote:
>> Am 31.07.2014 um 17:41 schrieb /dev/rob0:
>>> On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
>>>> i am doing reloads of named with "killall -HUP named" just
>>>> because i disabled rndc completly for security reasons and
>>>> configurations are generated with own software only needs
>>>> named to reload
>>> Hmm, rndc is securable. You don't have to open it to the
> snip
>>> You're losing a lot of new features without rndc. This is a
>>> "throwing out the baby with the bathwater" sort of solution.
>>> Sure, this is what you are familiar with and what works for
>>> you, but to disable rndc isn't good advice for readers of
>>> this list. ISC is moving on
>> don't get me wrong but if someone creates *any* bind
>> configuration and zone-files with self developed software
> ... that someone is almost surely doing it wrong. "Zone files"?
[The entire original message is not included.]_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
