rndc stats - 9.5.0-p2

2009-02-17 Thread Cihan Subasi (Garanti Teknoloji)
Hi,

When I run "rndc stats" on two different servers with 9.5.0-p2, I am getting 
two different dumps of stats: one of them dumps the stats in a very short format 
(7 lines), the other dumps it in a very long format (50-60 lines per dump). What 
could be the difference between the two? Thank you.


SHORT

+++ Statistics Dump +++ (1234821660)
success 276836710
referral 161176
nxrrset 87427
nxdomain 17918582
recursion 190395
failure 40629328


LONG

+++ Statistics Dump +++ (1234524979)
++ Incoming Requests ++
   12807 QUERY
++ Incoming Queries ++
8373 A
  96 NS
 370 SOA
 495 PTR
2420 MX
 621 
 144 SRV
 288 ANY
++ Outgoing Queries ++
++ Name Server Statistics ++
   12807 IPv4 requests received
   1 requests with EDNS(0) received
   12597 responses sent
   1 responses with EDNS(0) sent
2052 queries resulted in successful answer
 638 queries resulted in authoritative answer
1861 queries resulted in non authoritative answer
   1 queries resulted in referral answer
  53 queries resulted in nxrrset
   10098 queries resulted in SERVFAIL
 393 queries resulted in NXDOMAIN
   11649 queries caused recursion
 186 duplicate queries received
   4 queries dropped
++ Zone Maintenance Statistics ++
++ Resolver Statistics ++
[Common]
  72 mismatch responses received
++ Cache DB RRsets ++
[View: default]
3313 A
1855 NS
  37 CNAME
  12 PTR
 550 MX
 141 
  43 RRSIG
  23 NSEC
   6 !A
  27 !MX
   1 !
 176 NXDOMAIN
[View: _bind]




___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: adb.c:1526: INSIST(find->adbname == ((void *)0)) failed

2009-02-17 Thread Niall O'Reilly
On Mon, 2009-02-16 at 12:17 +1100, Mark Andrews wrote:
> It should be unrelated.  I would however still upgrade.

Thanks, Mark.

If I don't see the same assertion failure with
the current release, I guess that's closed.

One advantage of upgrading is getting all those nice
log entries reporting EDNS faults.  8-)

/Niall





Exiting due to early fatal error

2009-02-17 Thread Lars Hecking

 BIND 9.4.3-P1, Solaris 8

 I'm trying to get a chroot setup to work following the instructions here
  http://www.boran.com/security/sp/bind9_20010430.html

# /usr/sbin/named -g -t /var/named/chroot
17-Feb-2009 12:05:56.789 starting BIND 9.4.3-P1 -g -t /var/named/chroot
17-Feb-2009 12:05:56.790 found 2 CPUs, using 2 worker threads
17-Feb-2009 12:05:56.793 ./main.c:506: unexpected error:
17-Feb-2009 12:05:56.793 isc_socketmgr_create() failed: file not found
17-Feb-2009 12:05:56.794 create_managers() failed: unexpected error
17-Feb-2009 12:05:56.794 exiting (due to early fatal error)
# 

 The log gives no indication which file is not found, and truss doesn't
 help either:

...
chroot("/var/named/chroot") = 0
chdir("/")  = 0
brk(0x0025CEF8) = 0
brk(0x0025EEF8) = 0
pipe()  = 6 [7]
fork1() = 10598
lwp_sigredirect(0, SIGWAITING, 0x)  Err#22 EINVAL
lwp_cond_wait(0xFF275548, 0xFF275558, 0xFF26EDB0) = 0
lwp_mutex_wakeup(0xFF275558)= 0
lwp_mutex_lock(0xFF275558)  = 0
lwp_mutex_wakeup(0xFF275558)= 0
lwp_mutex_lock(0xFF275558)  = 0
close(7)= 0
read(6, 0xFFBEFC0F, 1)  = 0
_exit(1)

 This bind was compiled for threads, and /dev/poll is not in the jail.




Re: rndc stats - 9.5.0-p2

2009-02-17 Thread Chris Thompson

On Feb 17 2009, Cihan Subasi (Garanti Teknoloji) wrote:


> When I run "rndc stats" on two different servers with 9.5.0-p2, I am getting
> two different dumps of stats: one of them dumps the stats in a very short format
> (7 lines), the other dumps it in a very long format (50-60 lines per dump). What
> could be the difference between the two? Thank you.


Are you *sure* they are both running BIND 9.5.0-P2 ? Much the most likely
explanation is that the one producing short statistics is a pre 9.5 version.
I don't believe that BIND 9.5.x even includes any code to generate the old
format.

--
Chris Thompson
Email: c...@cam.ac.uk


RE: rndc stats - 9.5.0-p2

2009-02-17 Thread Cihan Subasi (Garanti Teknoloji)
I think you're right, when I check the file sizes they are not same but 
versions are matching...

short

--
#ls -la
total 48166
drwxr-xr-x   2 root other     512 Aug 15  2008 .
drwxr-xr-x  13 root other     512 Nov 21 14:02 ..
-rwxr-xr-x   1 root other 1199932 Aug 15  2008 dnssec-keygen
-rwxr-xr-x   1 root other 3675504 Aug 15  2008 dnssec-signzone
-rwxr-xr-x   2 root other 5134128 Aug 15  2008 lwresd
-rwxr-xr-x   2 root other 5134128 Aug 15  2008 named
-rwxr-xr-x   1 root other 3816336 Aug 15  2008 named-checkconf
-rwxr-xr-x   1 root other 3624412 Aug 15  2008 named-checkzone
lrwxrwxrwx   1 root other      15 Aug 15  2008 named-compilezone -> named-checkzone
-rwxr-xr-x   1 root other  847676 Aug 15  2008 rndc
-rwxr-xr-x   1 root other 1136800 Aug 15  2008 rndc-confgen
 /usr/local/sbin
#named -v
BIND 9.5.0-P2
 /usr/local/sbin

long--
[garanti2]ls -la
total 158646
drwxr-xr-x   2 bin  bin       512 Nov 26 17:10 .
drwxr-xr-x  15 root other     512 Nov 26 17:01 ..
-rwxr-xr-x   1 root other  3318808 Nov 26 17:10 dnssec-keygen
-rwxr-xr-x   1 bin  bin    5182984 Mar 25  2004 dnssec-makekeyset
-rwxr-xr-x   1 bin  bin    5184180 Mar 25  2004 dnssec-signkey
-rwxr-xr-x   1 root other  9997148 Nov 26 17:10 dnssec-signzone
-rwxr-xr-x   2 root other 15535428 Nov 26 17:10 lwresd
-rwxr-xr-x   2 root other 15535428 Nov 26 17:10 named
-rwxr-xr-x   1 root other 10443912 Nov 26 17:10 named-checkconf
-rwxr-xr-x   1 root other  9923952 Nov 26 17:10 named-checkzone
lrwxrwxrwx   1 root other       15 Nov 26 17:10 named-compilezone -> named-checkzone
-rwxr-xr-x   1 root other  2917848 Nov 26 17:10 rndc
-rwxr-xr-x   1 root other  3061584 Nov 26 17:10 rndc-confgen
[garanti2]named -v
BIND 9.5.0-P2

 



client query logging (refused message)

2009-02-17 Thread Matthew Huff

In my logging global section I have:

logging {
    channel audit_log {
        file "/var/log/named_audit.log" versions 128 size 4m;
        severity debug;
        print-time yes;
        print-category yes;
    };

    ...
    category client { audit_log; };
    ...
};

and I get:
...
17-Feb-2009 08:14:17.376 queries: client 62.109.4.89#49464: view
external-in: query: . IN NS +
...

logged, and I have verified that the query is refused, but nothing in the
log shows that it was refused. Is there any way to log the success/failure of
the queries?



Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139



RE: rndc stats - 9.5.0-p2

2009-02-17 Thread Matthew Huff
There may be more than one "named" binary in your path. You may want to do
an explicit reference to check the version (./named -V) or do a "which
named"


Matthew Huff   | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139




RE: rndc stats - 9.5.0-p2

2009-02-17 Thread Cihan Subasi (Garanti Teknoloji)
One named and same version on both, but has an installation date in August

#ps -ef | grep named
root   137 1  0   Dec 11 ?   4297:13 /usr/local/sbin/named -c /var/named/named.conf
 /usr/local/sbin
#/usr/local/sbin/named -v
BIND 9.5.0-P2
 /usr/local/sbin 




NOTAUTH on dynamic zone update

2009-02-17 Thread Benedikt Gollatz
Hello everyone,

I use nsupdate to dynamically update a reverse lookup zone hosted by my 
BIND9 setup. For that purpose, I've created host-type HMAC-MD5 keys, 
added an appropriate "key" section to my configuration, added the updating 
host to the "controls" section, and added an "allow-update" parameter to the 
zone configuration like this:

zone "[...]" in {
    type master;
    [...]
    allow-update { key "key-name"; };
};

I pass the key to nsupdate using one (either) of the keyfiles generated by 
dnssec-keygen with the -k parameter.

Unfortunately this doesn't work. When running nsupdate, I get a "failed: not 
authoritative for update zone (NOTAUTH)" error in my server log file, and no 
updating is done.

I'm confused about the error message because both the BIND configuration file 
and the SOA record of the zone state that the server indeed is authoritative 
for the update zone.

Also, this configuration works fine with a dhcpd updating a different zone 
hosted by the same server.

Googling yields a few people with similar problems but no real solution. Any 
hints on what I might be doing wrong are appreciated.

Benedikt



RE: rndc stats - 9.5.0-p2

2009-02-17 Thread Jeremy C. Reed
Make sure you are really talking to the correct named. Maybe you have an 
rndc.conf file.


Too long stats on version: 9.6.0-P1 - windows

2009-02-17 Thread Chiesa Stefano
Hi all.
I just upgraded my Bind 9.4.2 to 9.6.0-P1 without changing anything in
the named.conf file.
Now my named.stats has changed in its structure from the short one:

+++ Statistics Dump +++ (1211013000)
success 664883
referral 127191
nxrrset 147535
nxdomain 183023
recursion 442326
failure 11897
--- Statistics Dump --- (1211013000)

to the extended one:

+++ Statistics Dump +++ (1234878900)
++ Incoming Requests ++
   24196 QUERY
1391 NOTIFY
  18 UPDATE
++ Incoming Queries ++
   11377 A
3150 NS
 318 CNAME
 428 SOA
4956 PTR
2194 MX
 418 TXT
 971 
  52 SRV
 111 A6
  54 SPF
   3 TKEY
 119 IXFR
  46 ANY
++ Outgoing Queries ++
[View: internal]
7967 A
  25 NS
 285 CNAME
  84 SOA
4998 PTR
 590 MX
 118 TXT
  49 
  26 SRV
   1 ANY
[View: external]
   3 A
   1 NS
   3 



Is there a way to come back to the first structure? The dns server sends
the file to a statistic server but now it doesn't understand the
structure any more...

Thanks in advance...

Stefano.


C:\bind\bin>rndc status
version: 9.6.0-P1
CPUs found: 2
worker threads: 2
number of zones: 683
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 2/0/1000
tcp clients: 1/100
server is up and running



Stefano Chiesa
Wolters Kluwer Italia
20090 Milanofiori Assago (Mi)
Strada 1, Palazzo F6
Phone +39 0282476279 (20279 Voip)
Fax +39 0282476633



Re: adb.c:1526: INSIST(find->adbname == ((void *)0)) failed

2009-02-17 Thread Mark Andrews

In message <1234867921.16690.43.ca...@d410-heron>, "Niall O'Reilly" writes:
> On Mon, 2009-02-16 at 12:17 +1100, Mark Andrews wrote:
> > It should be unrelated.  I would however still upgrade.
> 
>   Thanks, Mark.
> 
>   If I don't see the same assertion failure with
>   the current release, I guess that's closed.
> 
>   One advantage of upgrading is getting all those nice
>   log entries reporting EDNS faults.  8-)

No.  You get log entries reporting TIMEOUTS.

Using EDNS is only one possible reason for the timeout and
it is one we have control over so that is why it is mentioned.

Mark

>   /Niall
> 
>   
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: adb.c:1526: INSIST(find->adbname == ((void *)0)) failed

2009-02-17 Thread David Forrest

On Wed, 18 Feb 2009, Mark Andrews wrote:

> In message <1234867921.16690.43.ca...@d410-heron>, "Niall O'Reilly" writes:
> > On Mon, 2009-02-16 at 12:17 +1100, Mark Andrews wrote:
> > > It should be unrelated.  I would however still upgrade.
> >
> > Thanks, Mark.
> >
> > If I don't see the same assertion failure with
> > the current release, I guess that's closed.
> >
> > One advantage of upgrading is getting all those nice
> > log entries reporting EDNS faults.  8-)
>
> No.  You get log entries reporting TIMEOUTS.
>
> Using EDNS is only one possible reason for the timeout and
> it is one we have control over so that is why it is mentioned.
>
> Mark
>
> > /Niall



To get rid of all those "nice" log entries, I have this in my named.conf:

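// inside the logging { } block of named.conf
channel edns-disabled {
        file "/dev/null";
};
// the built-in "null" channel discards these messages;
// the channel defined above is not referenced by this category
category edns-disabled { null; };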

--
David Forrest 
St. Louis, Missouri



Re: Exiting due to early fatal error

2009-02-17 Thread Mark Andrews

In message <20090217121007.91cf14e...@cork.irdesign.cypress.com>, Lars Hecking 
writes:
> 
>  BIND 9.4.3-P1, Solaris 8
> 
>  I'm trying to get a chroot setup to work following the instructions here
>   http://www.boran.com/security/sp/bind9_20010430.html
> 
> # /usr/sbin/named -g -t /var/named/chroot
> 17-Feb-2009 12:05:56.789 starting BIND 9.4.3-P1 -g -t /var/named/chroot
> 17-Feb-2009 12:05:56.790 found 2 CPUs, using 2 worker threads
> 17-Feb-2009 12:05:56.793 ./main.c:506: unexpected error:
> 17-Feb-2009 12:05:56.793 isc_socketmgr_create() failed: file not found
> 17-Feb-2009 12:05:56.794 create_managers() failed: unexpected error
> 17-Feb-2009 12:05:56.794 exiting (due to early fatal error)
> # 
> 
>  The log gives no indication which file is not found, and truss doesn't
>  help either:

 
> ...
> chroot("/var/named/chroot") = 0
> chdir("/")  = 0
> brk(0x0025CEF8) = 0
> brk(0x0025EEF8) = 0
> pipe()  = 6 [7]
> fork1() = 10598
> lwp_sigredirect(0, SIGWAITING, 0x)  Err#22 EINVAL
> lwp_cond_wait(0xFF275548, 0xFF275558, 0xFF26EDB0) = 0
> lwp_mutex_wakeup(0xFF275558)= 0
> lwp_mutex_lock(0xFF275558)  = 0
> lwp_mutex_wakeup(0xFF275558)= 0
> lwp_mutex_lock(0xFF275558)  = 0
> close(7)= 0
> read(6, 0xFFBEFC0F, 1)  = 0
> _exit(1)
> 
>  This bind was compiled for threads, and /dev/poll is not in the jail.

Well add /dev/poll/.  Things have changed since 2001 when that
advice was written.
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: NOTAUTH on dynamic zone update

2009-02-17 Thread Mark Andrews

In message , Benedikt Gollatz writes:
> Hello everyone,
> 
> I use nsupdate to dynamically update a reverse lookup zone hosted by my 
> BIND9 setup. For that purpose, I've created host-type HMAC-MD5 keys, 
> added an appropriate "key" section to my configuration, added the updating 
> host to the "controls" section, and added an "allow-update" parameter to the 
> zone configuration like this:
> 
> zone "[...]" in {
> type master;
> [...]
> allow-update { key "key-name"; };
> };
> 
> I pass the key to nsupdate using one (either) of the keyfiles generated by 
> dnssec-keygen with the -k parameter.
> 
> Unfortunately this doesn't work. When running nsupdate, I get a "failed: not 
> authoritative for update zone (NOTAUTH)" error in my server log file, and no 
> updating is done.

The zone section in the update message does NOT match a
master/slave zone configured in the view that the update
message matched.

Mark
 
> I'm confused about the error message because both the BIND configuration file
> and the SOA record of the zone state that the server indeed is authoritative 
> for the update zone.
> 
> Also, this configuration works fine with a dhcpd updating a different zone 
> hosted by the same server.
> 
> Googling yields a few people with similar problems but no real solution. Any 
> hints on what I might be doing wrong are appreciated.
> 
> Benedikt
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: ResendRE: ns_type question

2009-02-17 Thread JINMEI Tatuya / 神明達哉
At Sun, 15 Feb 2009 00:34:38 -0800,
Jack Tavares  wrote:

> Any suggestions on this?

[snip]

> I have downloaded libbind6.0b1
> 
> My question is;
> 
> the arpa/nameser.h file included does not include
> type definitions for DNSKEY (or other dnssec rr types)
> in the ns_type enum.
> 
> am I looking in the wrong place?

No, you're looking at the right place, and libbind isn't supposed to
provide any new feature regarding the new DNSSEC spec.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: client query logging (refused message)

2009-02-17 Thread JINMEI Tatuya / 神明達哉
At Tue, 17 Feb 2009 08:15:39 -0500,
Matthew Huff  wrote:

> 17-Feb-2009 08:14:17.376 queries: client 62.109.4.89#49464: view
> external-in: query: . IN NS +
> ...
> 
> logged, and I have verified that the query is refused, but nothing in the
> log shows that it was refused. Is there any way to log the success/failure of
> the queries?

Not yet, but BIND 9.7 (and perhaps next minor versions of 9.6 and 9.5)
will provide a new logging category that can log the information you
seem to want:

17-Feb-2009 14:15:45.998 debug 3: client ::1#50076: query failed (REFUSED) for 
./IN/NS at query.c:3887

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.

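Once the failure lines described in the reply above are available, they can be joined back to the query log to label each query with its outcome and to list clients whose queries were repeatedly refused. The following is an added example, not code from BIND or from anyone in this thread; the two line formats are taken from the log lines quoted in the thread, and the sample lines, addresses and the second source location are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Shared prefix: timestamp, optional "category:"/"severity:" fields, client addr#port, optional view.
PREFIX = (r"^(?P<ts>\S+ \S+) (?:.*?: )?client (?P<addr>[0-9A-Fa-f:.]+)#(?P<port>\d+): "
          r"(?:view (?P<view>\S+): )?")
# "query: . IN NS +" as in the line quoted by Matthew Huff.
QUERY_RE = re.compile(PREFIX + r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")
# "query failed (REFUSED) for ./IN/NS at query.c:3887" as in the line quoted by JINMEI Tatuya.
FAILED_RE = re.compile(PREFIX + r"query failed \((?P<rcode>\w+)\) for "
                       r"(?P<qname>\S+)/(?P<qclass>[^/\s]+)/(?P<qtype>[^/\s]+) at (?P<where>\S+)")

# Constructed sample log (documentation addresses); each entry is one unwrapped log line.
SAMPLE_LOG = [
    "17-Feb-2009 08:14:17.376 queries: client 192.0.2.89#49464: view external-in: query: . IN NS +",
    "17-Feb-2009 08:14:17.377 debug 3: client 192.0.2.89#49464: view external-in: "
    "query failed (REFUSED) for ./IN/NS at query.c:3887",
    "17-Feb-2009 08:14:18.020 queries: client 192.0.2.89#49465: view external-in: query: . IN NS +",
    "17-Feb-2009 08:14:18.021 debug 3: client 192.0.2.89#49465: view external-in: "
    "query failed (REFUSED) for ./IN/NS at query.c:3887",
    "17-Feb-2009 08:14:19.500 queries: client 198.51.100.7#53120: view external-in: "
    "query: www.example.com IN A +",
    "17-Feb-2009 08:14:20.100 queries: client 2001:db8::5#50076: view external-in: "
    "query: example.net IN MX +",
    "17-Feb-2009 08:14:20.101 debug 3: client 2001:db8::5#50076: view external-in: "
    "query failed (SERVFAIL) for example.net/IN/MX at query.c:4000",
]


def normalize(name):
    """Lower-case a query name and drop a trailing dot, keeping the root as '.'."""
    name = name.lower()
    return name if name == "." else name.rstrip(".")


def parse_line(line):
    """Return a dict for a query or failure line, or None for anything else."""
    for kind, rx in (("failed", FAILED_RE), ("query", QUERY_RE)):
        m = rx.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["kind"] = kind
            rec["qname"] = normalize(rec["qname"])
            return rec
    return None


def label_queries(lines):
    """Attach the failure rcode (if one was logged) to each logged query."""
    labelled, pending = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["addr"], rec["port"], rec["qname"], rec["qclass"], rec["qtype"])
        if rec["kind"] == "query":
            entry = {"ts": rec["ts"], "client": rec["addr"],
                     "question": "%s %s %s" % key[2:], "outcome": "no failure logged"}
            labelled.append(entry)
            pending[key].append(entry)
        elif pending[key]:
            # Oldest unanswered query from the same client socket for the same question.
            pending[key].pop(0)["outcome"] = rec["rcode"]
    return labelled


def refused_by_client(lines, threshold=1):
    """Clients with at least `threshold` REFUSED failures, most frequent first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] == "failed" and rec["rcode"] == "REFUSED":
            counts[rec["addr"]] += 1
    return [(addr, n) for addr, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for q in label_queries(SAMPLE_LOG):
        print(q["ts"], q["client"], q["question"], "->", q["outcome"])
    print("repeatedly refused:", refused_by_client(SAMPLE_LOG, threshold=2))
```
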

Re: Too long stats on version: 9.6.0-P1 - windows

2009-02-17 Thread JINMEI Tatuya / 神明達哉
At Tue, 17 Feb 2009 15:44:44 +0100,
"Chiesa Stefano"  wrote:

> I just upgraded my Bind 9.4.2 to 9.6.0-P1 without changing anything in
> the named.conf file.
> Now my named.stats has changed in its structure from the short one:

[snip]

> Is there a way to come back to the first structure?

Not with 9.6, sorry.  This is a backward incompatible change in 9.5 and
onward.  If this is crucial for you and you don't need other new
features in 9.5 or 9.6, please use 9.4.3-P1.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.

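A collector that still expects the six old counters can be fed from the new dump by a small converter that reads both formats. This is an added example, not code from BIND or from anyone in this thread; the mapping from the new description lines to the old counter names is an assumption made here, `failure` is approximated by the SERVFAIL line only, and the sample text is excerpted from the two dumps quoted in the thread.

```python
import re

HEADER_RE = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)$")
FOOTER_RE = re.compile(r"^--- Statistics Dump --- \((\d+)\)$")
SECTION_RE = re.compile(r"^\+\+ (.+?) \+\+$")      # "++ Name Server Statistics ++"
SCOPE_RE = re.compile(r"^\[(.+)\]$")               # "[View: default]", "[Common]"
EXT_RE = re.compile(r"^(\d+)(?:\s+(.*))?$")        # "<count> <description>"
LEGACY_RE = re.compile(r"^([A-Za-z]\w*)\s+(\d+)$")  # "<name> <count>"
MISSING = "(label missing)"  # counter lines whose label was lost, as in the quoted dumps

# Assumed mapping: old counter name -> description line in "Name Server Statistics".
LEGACY_FROM_EXTENDED = {
    "success": "queries resulted in successful answer",
    "referral": "queries resulted in referral answer",
    "nxrrset": "queries resulted in nxrrset",
    "nxdomain": "queries resulted in NXDOMAIN",
    "recursion": "queries caused recursion",
    "failure": "queries resulted in SERVFAIL",  # approximation, see lead-in
}

# Excerpts of the short and long dumps quoted in the thread.
SAMPLE = """\
+++ Statistics Dump +++ (1211013000)
success 664883
referral 127191
nxrrset 147535
nxdomain 183023
recursion 442326
failure 11897
--- Statistics Dump --- (1211013000)
+++ Statistics Dump +++ (1234524979)
++ Incoming Requests ++
   12807 QUERY
++ Incoming Queries ++
8373 A
  96 NS
 621
++ Name Server Statistics ++
   12807 IPv4 requests received
2052 queries resulted in successful answer
   1 queries resulted in referral answer
  53 queries resulted in nxrrset
   10098 queries resulted in SERVFAIL
 393 queries resulted in NXDOMAIN
   11649 queries caused recursion
++ Cache DB RRsets ++
[View: default]
3313 A
 141
[View: _bind]
"""


def parse_dumps(text):
    """Parse a named.stats file holding any number of old- or new-format dumps."""
    dumps, cur, section, scope = [], None, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:  # a header always starts a new dump, even if the previous footer is missing
            cur = {"timestamp": int(m.group(1)), "format": None, "legacy": {}, "sections": {}}
            dumps.append(cur)
            section, scope = None, ""
            continue
        if cur is None:
            continue
        if FOOTER_RE.match(line):
            cur = None
            continue
        m = SECTION_RE.match(line)
        if m:
            section, scope = m.group(1), ""
            cur["format"] = "extended"
            cur["sections"].setdefault(section, {})
            continue
        m = SCOPE_RE.match(line)
        if m and section:
            scope = m.group(1)
            continue
        m = EXT_RE.match(line)
        if m and section:
            label = (m.group(2) or "").strip() or MISSING
            bucket = cur["sections"][section].setdefault(scope, {})
            bucket[label] = bucket.get(label, 0) + int(m.group(1))
            continue
        m = LEGACY_RE.match(line)
        if m and section is None:
            cur["format"] = cur["format"] or "legacy"
            cur["legacy"][m.group(1)] = int(m.group(2))
    return dumps


def to_legacy(dump):
    """Return the six old counters; counters absent from a new dump read as 0."""
    if dump["format"] == "legacy":
        return dict(dump["legacy"])
    ns = dump["sections"].get("Name Server Statistics", {}).get("", {})
    return {old: ns.get(new, 0) for old, new in LEGACY_FROM_EXTENDED.items()}


def render_legacy(dump):
    """Write a dump back out in the old short layout."""
    ts = dump["timestamp"]
    body = "".join("%s %d\n" % kv for kv in to_legacy(dump).items())
    return "+++ Statistics Dump +++ (%d)\n%s--- Statistics Dump --- (%d)\n" % (ts, body, ts)


if __name__ == "__main__":
    for d in parse_dumps(SAMPLE):
        print(d["format"])
        print(render_legacy(d), end="")
```
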

Where to find Class Cs for sale or rent in North America

2009-02-17 Thread The Doctor
Anyone with pointers on this?
-- 
Member - Liberal International  This is doc...@nl2k.ab.ca
Ici doc...@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising!
Never Satan President Republic!
Christian(n): A Jew that believe Christ is Messiah and Saviour and alive



RE: Where to find Class Cs for sale or rent in North America

2009-02-17 Thread Jason Mitchell
https://www.arin.net/



Re: Bind Patch for Solaris 10

2009-02-17 Thread Ray Van Dolson
On Thu, Feb 12, 2009 at 04:01:56AM -0800, Worrell, James J Mr CIV US DISA GS4T1 
wrote:
> Thanks Ray!  Any information would be greatly appreciated.

Applied the patch but ran into one "gotcha".  The server wasn't
starting up properly after applying the patch.  I tried running the
binary in the foreground and turns out it was complaining about not
being able to find /dev/poll in the chroot environment.

I ran:

  # cd /var/named/dev
  # mknod poll c 138 0
  # chmod 666 poll

And everything worked fine.  I'm not sure if Sun built things
differently or there is a new requirement on this /dev/poll file.
Regardless all seems to be working OK now.

Ray

> 
> -Original Message-
> From: bind-users-boun...@lists.isc.org
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ray Van Dolson
> Sent: Wednesday, February 11, 2009 14:35
> To: bind-users@lists.isc.org
> Subject: Re: Bind Patch for Solaris 10
> 
> On Wed, Feb 11, 2009 at 12:30:19PM -0800, Worrell, James J Mr CIV US
> DISA GS4T1 wrote:
> > 
> > Greeting!
> > 
> > I am trying to load bind patch 119783-10 on a Solaris 10 system
> running
> > DNS 9.35-p2 and ran into several problems.  I suspect that the root
> > cause is due to the security posture that we have in place that
> prevents
> > a compiler from being loaded on the systems.  Has anyone loaded this
> > patch to a system without a compiler and if so did you experience any
> > issues.
> > 
> 
> Hmm, don't understand why a compiler would be necessary?
> 
> I'll be trying this patch shortly on several Solaris 10 systems, so
> will let you know.
> 
> Ray


Catch ALL Setup

2009-02-17 Thread Sven Eschenberg

Dear list,

I tried googling about a Catch-All setup for a DNS, with little success. 
I tried messing around with some zone/hint files in an isolated setup, 
but without any success.


What I am trying to achieve is the following:

No matter which host/name is looked up, the DNS should spit out the same 
IP address. The intention is to bring the users to a specific 
webserver/webpage, no matter what web page they intend to surf to, for 
the easiness of setting up their connection. The basic idea is, 
unauthenticated clients will be put in an isolated network, users then 
pop up their web browser, will land on a specific webpage with 
instructions on which steps they need to take, to get proper access.


I tried to create a "*" zone, which seems to be ignored by bind, or 
rather bind doesn't like the contents of the zone file.


I'd appreciate any pointer to some information, how I can tweak bind to 
do such a thing.


With best regards

-Sven


Re: Catch ALL Setup

2009-02-17 Thread Mark Andrews

$ORIGIN .
@ 0 SOA ...
@ 0 NS ...
* 0 A 1.2.3.4

In message <499b8e5a.5010...@whgl.uni-frankfurt.de>, Sven Eschenberg writes:
> Dear list,
> 
> I tried googling about a Catch-All setup for a DNS, with little success. 
> I tried messing around with some zone/hint files in an isolated setup, 
> but without any success.
> 
> What I am trying to achieve is the following:
> 
> No matter which host/name is looked up, the DNS should spit out the same 
> IP address. The intention is to bring the users to a specific 
> webserver/webpage, no matter what web page they intend to surf to, for 
> the easiness of setting up their connection. The basic idea is, 
> unauthenticated clients will be put in an isolated network, users then 
> pop up their web browser, will land on a specific webpage with 
> instructions on which steps they need to take, to get proper access.
> 
> I tried to create a "*" zone, which seems to be ignored by bind, or 
> rather bind doesn't like the contents of the zone file.
> 
> I'd appreciate any pointer to some information, how I can tweak bind to 
> do such a thing.
> 
> With best regards
> 
> -Sven
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: adb.c:1526: INSIST(find->adbname == ((void *)0)) failed

2009-02-17 Thread Niall O'Reilly
On Tue, 2009-02-17 at 14:09 -0600, David Forrest wrote:
> To get rid of all those "nice" log entries, I have this in my
> named.conf:

Thanks, David.
For now, they're not so frequent as to be a nuisance.

/Niall




RE: ResendRE: ns_type question

2009-02-17 Thread Jack Tavares

From: JINMEI Tatuya / 神明達哉 [jinmei_tat...@isc.org]
> I have downloaded libbind6.0b1
>
> My question is;
>
> the arpa/nameser.h file included does not include
> type definitions for DNSKEY (or other dnssec rr types)
> in the ns_type enum.
>
> am I looking in the wrong place?

> No, you're looking at the right place, and libbind isn't supposed to
> provide any new feature regarding the new DNSSEC spec.

Ok. So is there a 'C' api for dealing with DNSSEC in this regard?
--
jack.