Re: Core dumping DLZ
On May 7, 2009, at 9:50 PM, Mark Andrews wrote:

> I beg to differ. Named only gets to this position in the code if it has
> been told to shut itself down. Note this may happen as a side effect of
> shutting the machine itself down.

I can say with a lot of confidence, the machine is not being shut down. Not 100% though, I will certainly look into improving that percentage. I peeked in the logs for messages, wtmp, secure, and boot, which did not yield anything that would lead me to think a reboot was happening.

Could it be that if SDB/DLZ gets into bad shape, that is causing the terminate?

I turned on mysql query logging and watched it for a while, seeing three queries come in that were suspicious.

090508 3:09:34 24 Query SELECT zone FROM resource_records WHERE zone = 'www.a.com'
               24 Query SELECT zone FROM resource_records WHERE zone = 'a.com'
               24 Query SELECT zone FROM resource_records WHERE zone = 'com'

That is the result of one dig:

dig www.a.com @ns1.example.com SOA

Taking this further, I made a more extreme test, which only moments later generated a core file, though this time, DNS managed to stay up and answer questions...

* At some point in time later, queries will not get answers unless I restart named-sdb manually.
* After this core was made, named-sdb is unable to answer queries, for mysql driven data, or file based zones. However, named-sdb is still running:

$ ps aux | grep named | grep -v grep
named 4918 0.0 0.1 199188 20528 ? Ssl 02:56 0:00 /usr/sbin/named-sdb -u named

This one dig causes 26 total lookups, which is pretty strange in and of itself.

dig a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com @ns1.example.com SOA

SELECT zone FROM resource_records WHERE zone = 'a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'd.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'm.n.o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'n.o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'o.p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'p.q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'q.r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'r.s.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 's.t.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 't.u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'u.v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'v.w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'w.x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'x.y.z.com'
SELECT zone FROM resource_records WHERE zone = 'y.z.com'
SELECT zone FROM resource_records WHERE zone = 'z.com'
SELECT zone FROM resource_records WHERE zone = 'com'

Thanks for your suggestions, I appreciate it. Has anyone else managed to get mysql and named-sdb running solid on RHEL?

--
Scott
* If you contact me off list replace talklists@ with scott@ *
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Quick poll: Cache poison vs site problems vs BIND bug vs Windows neg caching
Howdy all, we're running 9.5.0-P2 (fairly recent) on two servers that are recursive DNS sources for a medium sized college. This week, we had more than a few users complaining about craigslist.org and www.chase.com not resolving, and sure enough when I checked with dig one of Craigslist's NS servers was not working right (sending SERVFAIL replies).

An "rndc flush" did not seem to get things working again immediately, so I stopped and restarted named. I don't know what was up with Chase, I didn't hear about that problem with that until after I fixed it.

I am tempted to chalk this up to negative caching, but the default is only a few hours and by the time I was notified, the users were complaining they had been having problems with Craigslist for 2 weeks. Just out of curiosity, I tuned max-ncache-ttl down to 10 min, but max-ncache-ttl only affects caching of NXDOMAIN replies as I understand it.

Is BIND negative caching on SERVFAIL responses as well as NXDOMAIN responses? (Unlikely.)

What's the behavior of a recursive lookup when one NS host is dead and the others are working? Does BIND try all of them or give up after the first?

Our setup is pretty generic, except that we allow the whole world access for authoritative responses but allow recursive access only to "inside" addresses with an "allow-recursion" statement. I suppose this allows the rest of the world to try their hand at messing up our cache. Chase and Craigslist being high-profile targets ...

I searched around and Craigslist did have some DNS problems last month, but mostly it was just people whining about it being their carrier's fault somehow.

Well, I'll stop my rambling on about this and if anyone has any thoughts on the matter, thanks in advance,

-W Sanders
http://wsanders.net
host unreachable
Hi

I get a lot of log messages like this:

named[6379]: client x.x.x.x#59767: error sending response: host unreachable

I can ping x.x.x.x so I'm confused.

Can some kind soul help?

Thanks
Kurt
S-NAPTR and lightweight resolver
I understand the version 9 (and above) of BIND supports S-NAPTR.

Is this supported in both the lightweight resolver and the full resolver? ... or ONLY the full resolver?

Greg Waines
Nortel Networks
about named reload
Hi,

When named is reloading (rndc reload) and a query request comes in at that time, what will happen? Will this query be rejected?

Thanks.
Regards.
Re: Quick poll: Cache poison vs site problems vs BIND bug vs Windows neg caching
Hi Wiley,

I did have trouble with cached negatives. My ISP is breaking my ADSL line at least once per day. When they had problems reconnecting I lost connectivity for a day when bind could not receive any answers for about 10 minutes.

Reload with rndc did not help but restarting bind did.

I experienced this long ago with bind 8.

Kind regards
Peter

Wiley Sanders wrote:
> Howdy all, we're running 9.5.0-P2 (fairly recent) on two servers that
> are recursive DNS sources for a medium sized college. This week, we
> had more than a few users complaining about craigslist.org and
> www.chase.com not resolving, and sure enough when I checked with dig
> one of Craigslist's NS servers was not working right (sending SERVFAIL
> replies).
>
> An "rndc flush" did not seem to get things working again immediately,
> so I stopped and restarted named. I don't know what was up with Chase,
> I didn't hear about that problem with that until after I fixed it.
>
> I am tempted to chalk this up to negative caching, but the default is
> only a few hours and by the time I was notified, the users were
> complaining they had been having problems with Craigslist for 2 weeks.
> Just out of curiosity, I tuned max-ncache-ttl down to 10 min, but
> max-ncache-ttl only affects caching of NXDOMAIN replies as I
> understand it.
>
> Is BIND negative caching on SERVFAIL responses as well as NXDOMAIN
> responses? (Unlikely.)
>
> What's the behavior of a recursive lookup when one NS host is dead and
> the others are working? Does BIND try all of them or give up after the
> first?
>
> Our setup is pretty generic, except that we allow the whole world
> access for authoritative responses but allow recursive access only to
> "inside" addresses with an "allow-recursion" statement. I suppose this
> allows the rest of the world to try their hand at messing up our
> cache. Chase and Craigslist being high-profile targets ...
>
> I searched around and Craigslist did have some DNS problems last
> month, but mostly it was just people whining about it being their
> carrier's fault somehow.
>
> Well, I'll stop my rambling on about this and if anyone has any
> thoughts on the matter, thanks in advance,
>
> -W Sanders
> http://wsanders.net

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: pe...@peter-dambier.de
http://www.peter-dambier.de/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
ULA= fd80:4ce1:c66a::/48
DNSSEC - where to start?
I realize this question isn't strictly BIND related, but I am running BIND, and would like to use BIND to start looking at DNSSEC.

I've spent the better part of today looking around for resources. I've found a few:

http://www.dnssec-deployment.org/
https://www.ripe.net/projects/disi//dnssec_howto/dnssec_howto.pdf
http://www.dnssec.net/

But what I haven't found is a guide for starting. It seems most of the guides I've found assume that I understand things about DNSSEC which I clearly do not.

So, for those of you who have done this, or looked around, played with DNSSEC, etc, where do I start? Where is the "howto" guide for people like me? I understand regular DNS just fine, but start adding SEPs, DLVs, KSKs and I start getting lost.

Thanks!
Re: DNSSEC - where to start?
> So, for those of you who have done this, or looked around, played with
> DNSSEC, etc, where do I start? Where is the "howto" guide for people
> like me? I understand regular DNS just fine, but start adding SEPs,
> DLVs, KSKs and I start getting lost.

You might check out this slide presentation, written by my colleague Alan Clegg:

https://www.isc.org/files/DNSSEC_in_6_minutes.pdf

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: host unreachable
On Fri, May 08, 2009 at 11:22:59AM +0200, Kurt Petersen wrote a message of 17 lines which said:

> named[6379]: client x.x.x.x#59767: error sending response: host unreachable
>
> I can ping x.x.x.x so I'm confused.

On today's Internet, ping is a poor connectivity test because most machines are behind firewalls and firewalls discriminate depending on, among other things, the protocol you use.

Also, do you test immediately? Connectivity can change with time.

Maybe a tcpdump at the time of the query would give you more information.
Re: S-NAPTR and lightweight resolver
In message <90243c8a881f8d419d855264d9636f3a39f...@zcarhxm2.corp.nortel.com>, "Gregory Waines" writes:
> I understand the version 9 (and above) of BIND supports S-NAPTR.
>
> Is this supported in both the lightweight resolver and the full resolver
> ? ... or ONLY the full resolver ?
>
> Greg Waines
> Nortel Networks

Both BIND 4 and BIND 8 also supported NAPTR records. NAPTR is nearly 12 years old at this point.

It's supported in the stub resolver (libbind), the light weight resolver and the full resolver.

It is up to the application to sort and process the returned records.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: mark_andr...@isc.org
Re: host unreachable
In article , Kurt Petersen wrote:

> Hi
>
> I get a lot of log messages like this:
>
> named[6379]: client x.x.x.x#59767: error sending response: host unreachable
>
> I can ping x.x.x.x so I'm confused.
>
> Can some kind soul help?

My guess is that the response was sent too late, and the client had already closed the port. One of the subtypes of host unreachable is used for UDP port unreachable.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: S-NAPTR and lightweight resolver
On Sat, May 09, 2009 at 09:38:25AM +1000, Mark Andrews wrote a message of 26 lines which said:

> It is up to the application to sort and process the returned
> records.

But I suspect that this is precisely what the OP wanted (and expected BIND to do). Does anyone know a good free-software library for processing NAPTR/S-NAPTR/U-NAPTR records?
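
An added example, not part of the thread and not BIND or ISC code: what "sort and process the returned records" means for an application that receives NAPTR answers from the resolver and wants the S-NAPTR subset (RFC 3958), ordered as RFC 3403 requires. The record data, the example.com names and the "EM"/"ProtA" service tags are constructed for illustration.

```python
import shlex
from typing import NamedTuple

class Naptr(NamedTuple):
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str

# Follow-up lookup for each S-NAPTR flag (RFC 3958); "" is non-terminal.
NEXT_LOOKUP = {"S": "SRV", "A": "A/AAAA", "": "NAPTR"}

def parse_naptr(rdata: str) -> Naptr:
    """Parse NAPTR RDATA in presentation format, as printed by dig."""
    f = shlex.split(rdata)
    if len(f) != 6:
        raise ValueError(f"expected 6 NAPTR fields, got {len(f)}")
    order, pref = int(f[0]), int(f[1])
    if not (0 <= order <= 0xFFFF and 0 <= pref <= 0xFFFF):
        raise ValueError("order and preference are 16-bit unsigned")
    return Naptr(order, pref, f[2].upper(), f[3], f[4], f[5])

def is_s_naptr(rec: Naptr) -> bool:
    """S-NAPTR allows only flags S, A or empty, and an empty regexp."""
    return rec.flags in NEXT_LOOKUP and rec.regexp == ""

def candidates(rdatas, app_service, app_protocol):
    """Return (record, next lookup type) pairs in the order to try them."""
    want_svc, want_proto = app_service.lower(), app_protocol.lower()
    usable = []
    for rdata in rdatas:
        rec = parse_naptr(rdata)
        svc, *protos = rec.service.lower().split(":")
        if is_s_naptr(rec) and svc == want_svc and want_proto in protos:
            usable.append(rec)
    # RFC 3403: lowest order first, then lowest preference within an order.
    usable.sort(key=lambda r: (r.order, r.preference))
    return [(r, NEXT_LOOKUP[r.flags]) for r in usable]

# Constructed sample answers for a hypothetical NAPTR query.
SAMPLE = [
    '100 20 "S" "EM:ProtB" "" _protb._tcp.example.com.',
    '100 10 "S" "EM:ProtA" "" _prota._tcp.example.com.',
    '50 50 "A" "EM:ProtA" "" host1.example.com.',
    '10 10 "U" "EM:ProtA" "!^.*$!prota://x.example.com!" .',  # U-NAPTR, skipped
    '200 10 "" "WP:whois++" "" other.example.com.',
]

if __name__ == "__main__":
    for rec, lookup in candidates(SAMPLE, "EM", "ProtA"):
        print(rec.order, rec.preference, rec.replacement, "->", lookup)
```

The resolver only hands back the record set; the filtering by service tag, the rejection of records that are not valid S-NAPTR, and the order/preference sort all happen in the caller.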