Re: what to do after received multiple NS record?

2009-05-20 Thread Matus UHLAR - fantomas
On 20.05.09 06:53, MontyRee wrote:
> If a client executes a recursive query, the client will receive some NS records
> like below.
>
> $ dig www.example.com
> example.com.            172800  IN  NS  a.iana-servers.net.
> example.com.            172800  IN  NS  b.iana-servers.net.
>
> if
> a.iana-servers.net. is a local network and fast
> b.iana-servers.net. is a remote network and very slow,
>
> 1. then, does the client query a.iana-servers.net most, or randomly?

The client may prefer the server that is closer, but should remember the other
one in case the first fails.
BIND does that, AFAIK.

I'm not sure what order it processes unknown servers in; I guess it's
initially the order the responses were sent in.

Since BIND has options to sort responses, it would be good to use that,
since the admin may know which server is topologically closer, although I'm
not sure if this is used here and for NS records.

> 2. if the client received NS records (a.iana-servers.net and b.iana-servers.net)
> from root servers, how to check which DNS is fast or slow?

Only by sending queries and seeing the reply.

> I can't find any ICMP packets or related packets.

I think BIND queries servers it does not have RTTs for to find that out, then
prefers servers with shorter RTTs and occasionally checks the others in case
anything changed.

> 3. below is a cache_dump.db.
> Can anyone explain what's the meaning of TTL and srtt?

TTL is the time an entry will be valid. srtt is the response time, used for
selection described above.

> ; J.ROOT-SERVERS.NET [v4 TTL 86393] [v4 success] [v6 unexpected]
> ;   192.58.128.30 [srtt 18] [flags ] [ttl 1793]
> ; k.gtld-servers.net [v4 TTL 3] [v4 success] [v6 unexpected]
> ;   192.52.178.30 [srtt 9] [flags ] [ttl 1793]
> 
> If any RFC or related documents, please let me know.

I'm not sure if any rfc requires 
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I just got lost in thought. It was unfamiliar territory. 
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
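An added example, not code from the thread, that models the srtt-driven selection Matus describes: parse address lines in the cache_dump.db style quoted above, prefer the address with the lowest srtt, smooth each measured RTT into the table, and occasionally re-try the other server so a change gets noticed. The sample lines, the exploration rate and the smoothing rule are constructed for illustration and are not BIND's actual algorithm.

```python
import random
import re

# Constructed address lines in the cache_dump.db style quoted in the thread.
DUMP = """\
; a.iana-servers.net [v4 TTL 3] [v4 success] [v6 unexpected]
;   192.0.34.43 [srtt 18] [flags ] [ttl 1793]
; b.iana-servers.net [v4 TTL 3] [v4 success] [v6 unexpected]
;   193.0.0.236 [srtt 250] [flags ] [ttl 1793]
"""
ADDR_LINE = re.compile(r"^;\s+(\S+) \[srtt (\d+)\]")

def parse_srtt(dump):
    """Return {address: srtt_ms} from the address lines of a cache dump."""
    srtt = {}
    for line in dump.splitlines():
        m = ADDR_LINE.match(line)
        if m:
            srtt[m.group(1)] = float(m.group(2))
    return srtt

def choose(srtt, rng=None, explore=0.1):
    """Prefer the lowest srtt; with probability `explore` re-try another address."""
    rng = rng or random.Random()
    best = min(srtt, key=srtt.get)
    others = [a for a in srtt if a != best]
    if others and rng.random() < explore:
        return rng.choice(others)
    return best

def update(srtt, addr, measured_ms, weight=0.3):
    """Smooth the new measurement into the stored value (toy EWMA, not BIND's formula)."""
    srtt[addr] = (1 - weight) * srtt[addr] + weight * measured_ms
    return srtt[addr]

def simulate(dump, true_rtt_ms, queries=200, seed=1):
    """Send `queries` lookups; return (final srtt table, queries sent per address)."""
    rng = random.Random(seed)
    srtt = parse_srtt(dump)
    sent = {a: 0 for a in srtt}
    for _ in range(queries):
        a = choose(srtt, rng)
        sent[a] += 1
        update(srtt, a, true_rtt_ms[a])   # the reply itself is the measurement
    return srtt, sent

if __name__ == "__main__":
    print(simulate(DUMP, {"192.0.34.43": 20.0, "193.0.0.236": 260.0}))
```

After a couple of hundred lookups the fast server has absorbed almost all the traffic, while the slow one still gets an occasional probe that keeps its srtt current.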


RE: what to do after received multiple NS record?

2009-05-20 Thread MontyRee

So thanks for your kind answer.
 
 
>> 2. if the client received NS records (a.iana-servers.net and b.iana-servers.net)
>> from root servers, how to check which DNS is fast or slow?
>
> Only by sending queries and seeing the reply.

But when I tested, I couldn't find any related packets.
After flushing the whole cache, I ran the following:
 
$ dig @127.0.0.1 www.example.com   (192.168.1.3 is the DNS client)

19:23:49.711259 IP 192.168.1.3.12825 > 192.54.112.30.domain: 58548 [1au] A? www.example.com. (44)
19:23:49.987665 IP 192.54.112.30.domain > 192.168.1.3.12825: 58548- 0/2/3 (124)
19:23:49.987903 IP 192.168.1.3.29328 > 192.112.36.4.domain: 57596% [1au] A? a.iana-servers.net. (47)
19:23:49.987971 IP 192.168.1.3.29630 > 192.112.36.4.domain: 57429% [1au] A? b.iana-servers.net. (47)
19:23:50.139827 IP 192.112.36.4.domain > 192.168.1.3.29328: 57596- 0/13/16 (532)
19:23:50.140108 IP 192.112.36.4.domain > 192.168.1.3.29630: 57429- 0/13/16 (532)
19:23:50.140265 IP 192.168.1.3.11208 > 192.48.79.30.domain: 56734% [1au] A? a.iana-servers.net. (47)
19:23:50.140476 IP 192.168.1.3.64270 > 192.48.79.30.domain: 19705% [1au] A? b.iana-servers.net. (47)
19:23:50.207358 IP 192.48.79.30.domain > 192.168.1.3.11208: 56734- 1/5/4 A 192.0.34.43 (212)
19:23:50.207365 IP 192.48.79.30.domain > 192.168.1.3.64270: 19705- 1/5/4 A 193.0.0.236 (214)
19:23:50.207703 IP 192.168.1.3.58817 > 193.0.0.236.domain: 59823 [1au] A? www.example.com. (44)
19:23:50.482477 IP 193.0.0.236.domain > 192.168.1.3.58817: 59823*- 1/2/3 A 208.77.188.166 (140)
 
 
As you see, the two DNS servers are 192.0.34.43 and 193.0.0.236, but the DNS client only
queries 193.0.0.236, without any reply from 192.0.34.43.
 
 
 
Thanks again.
 

Re: choosing key for auto-signing

2009-05-20 Thread Richard Doty
On Wed, 20 May 2009 14:56:20 +1000 Mark Andrews wrote:
> 
> In message <200905200158.n4k1wmzv006...@edge.twig.com>, Richard Doty writes:
> > I am running bind 9.5.0, and have a dynamic zone with two ZSK set
> > up in the pre-publish manner - one ZSK is "published" but not used
> > for signing, one ZSK is "active" and signs all records.  That's
> > how I use them when I do a full re-sign with dnssec-signzone.  But
> > when I make a dynamic update to the zone, bind signs the updated
> > record with both ZSKs.  That makes sense because bind has no way
> > to tell the two ZSKs apart.
> 
>   Firstly I would just upgrade to BIND 9.6 so you don't need
>   to use dnssec-signzone to re-sign the zone.

So if I add a key, or remove a key, using dynamic update, BIND 9.6
re-signs the whole zone automatically?  (assuming the private key
is visible).  And removes signatures that do not match an existing key?

What I'm doing now is:

freeze zone
add new key
use dnssec-signzone to sign with new key
thaw zone

Very clumsy, but couldn't think of anything else.

> 
>   Named will re-sign using the private keys it has available
>   to it.  Just keep the private key where named can't see it
>   until you wish it to be used.  Then move it into place when
>   you wish it to start signing and then move the existing
>   private key out of the way.  Note the order of operations
>   is important otherwise there will be a time when named has
>   no private keys available to re-sign.

Thanks for that.

>   We are looking at adding start and stop dates to keys so
>   this will be less complicated in future.
> 
>   Mark
>  
> > So I guess my question is - does pre-publish work with dynamic update?
> > If so, how is it configured?
> > 
> > Thanks,
> > 
> > Richard.
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
> 
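The order of operations Mark insists on, written out as an added example (not code from the thread or from BIND): expose the new private key to named first, then withdraw the old one, and check after each step that at least one private key is still visible. The directory layout, key file names and file contents are hypothetical placeholders constructed for the demo.

```python
import shutil
import tempfile
from pathlib import Path

def private_keys(keydir):
    """Private halves present, named as dnssec-keygen names them (K<zone>+<alg>+<id>.private)."""
    return sorted(p.name for p in Path(keydir).glob("K*.private"))

def roll_zsk(keydir, staged_new_private, old_private_name, retired_dir):
    """Step 1: copy the new .private into keydir (named now signs with both).
    Step 2: move the old .private to retired_dir (its public .key stays put).
    Returns the private keys visible after each step; raises if a step would
    leave named with nothing to sign with."""
    keydir, retired = Path(keydir), Path(retired_dir)
    retired.mkdir(parents=True, exist_ok=True)
    seen = [private_keys(keydir)]
    if not seen[0]:
        raise RuntimeError("no private key in place; refusing to start")
    shutil.copy2(staged_new_private, keydir / Path(staged_new_private).name)
    seen.append(private_keys(keydir))
    shutil.move(str(keydir / old_private_name), str(retired / old_private_name))
    seen.append(private_keys(keydir))
    if any(not s for s in seen):
        raise RuntimeError("rollover left named with no private key")
    return seen

OLD = "Kexample.com.+005+11111.private"   # hypothetical key ids
NEW = "Kexample.com.+005+22222.private"

def demo(root=None):
    """Build a constructed key layout under `root` and run the rollover."""
    root = Path(root or tempfile.mkdtemp())
    keydir, stage = root / "keys", root / "staged"
    keydir.mkdir(parents=True)
    stage.mkdir()
    (keydir / OLD).write_text("Private-key-format: v1.2\n")   # constructed contents
    (stage / NEW).write_text("Private-key-format: v1.2\n")
    return roll_zsk(keydir, stage / NEW, OLD, root / "retired")

if __name__ == "__main__":
    print(demo())
```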


Re: what to do after received multiple NS record?

2009-05-20 Thread Mark Andrews

In message , MontyRee writes:
> As you see, the two DNS servers are 192.0.34.43 and 193.0.0.236, but the DNS client
> only queries 193.0.0.236, without any reply from 192.0.34.43.

named works out the rtt as a side effect of ordinary queries.
For zones that are queried often it will home in on the
closest server (in network terms).  For zones that are
queried once or twice the rtt processing doesn't provide
any benefit.
  
> Thanks again.
>  

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
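As an added example (not code from the thread), Mark's point that the RTT falls out of ordinary queries can be checked against the tcpdump trace MontyRee posted: pair each query with its reply by client socket and transaction id, and the time difference is the measured RTT for that server. The trace below is the posted one with wrapped lines joined; 192.0.34.43 was never asked anything, so no RTT exists for it.

```python
import re
from collections import defaultdict

# The tcpdump lines from the thread, wrapped lines joined (constructed input).
TRACE = """\
19:23:49.711259 IP 192.168.1.3.12825 > 192.54.112.30.domain: 58548 [1au] A? www.example.com. (44)
19:23:49.987665 IP 192.54.112.30.domain > 192.168.1.3.12825: 58548- 0/2/3 (124)
19:23:49.987903 IP 192.168.1.3.29328 > 192.112.36.4.domain: 57596% [1au] A? a.iana-servers.net. (47)
19:23:49.987971 IP 192.168.1.3.29630 > 192.112.36.4.domain: 57429% [1au] A? b.iana-servers.net. (47)
19:23:50.139827 IP 192.112.36.4.domain > 192.168.1.3.29328: 57596- 0/13/16 (532)
19:23:50.140108 IP 192.112.36.4.domain > 192.168.1.3.29630: 57429- 0/13/16 (532)
19:23:50.140265 IP 192.168.1.3.11208 > 192.48.79.30.domain: 56734% [1au] A? a.iana-servers.net. (47)
19:23:50.140476 IP 192.168.1.3.64270 > 192.48.79.30.domain: 19705% [1au] A? b.iana-servers.net. (47)
19:23:50.207358 IP 192.48.79.30.domain > 192.168.1.3.11208: 56734- 1/5/4 A 192.0.34.43 (212)
19:23:50.207365 IP 192.48.79.30.domain > 192.168.1.3.64270: 19705- 1/5/4 A 193.0.0.236 (214)
19:23:50.207703 IP 192.168.1.3.58817 > 193.0.0.236.domain: 59823 [1au] A? www.example.com. (44)
19:23:50.482477 IP 193.0.0.236.domain > 192.168.1.3.58817: 59823*- 1/2/3 A 208.77.188.166 (140)
"""
# time, src, dst, transaction id and the tcpdump flag characters that follow it
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): (\d+)([%+*-]*) ")

def _usecs(h, m, s):
    """Timestamp as integer microseconds since midnight (avoids float drift)."""
    secs, frac = s.split(".")
    return (int(h) * 3600 + int(m) * 60 + int(secs)) * 1000000 + int(frac.ljust(6, "0"))

def measure_rtts(trace):
    """Pair each query with its reply by (client socket, transaction id) and
    return {server_ip: [rtt_ms, ...]} in the order the replies arrived."""
    pending, rtts = {}, defaultdict(list)
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        t = _usecs(*m.group(1, 2, 3))
        src, dst, qid, flags = m.group(4, 5, 6, 7)
        if "-" not in flags:                       # no '-': a query, client -> server
            pending[(src, qid)] = (t, dst.rsplit(".", 1)[0])
        else:                                      # '-' marks a reply; dst is the client socket
            sent_at, server = pending.pop((dst, qid), (None, None))
            if sent_at is not None:
                rtts[server].append(round((t - sent_at) / 1000, 1))
    return dict(rtts)

if __name__ == "__main__":
    print(measure_rtts(TRACE))
```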


Delegation of DHCP blocks within same server?

2009-05-20 Thread John Cole
Question:

[Apologies for asking something that strikes me as most likely obvious, but 
just outside my grasp today - and of course, I haven't been able to find 
similar situations to borrow from on the web]

Within a private /16 in-addr.arpa zone, I've got two /24 blocks of (contiguous) DHCP-issued
addresses.  Presently DHCP updates these addresses, which are intermingled with all the
other static addresses in the /16 space.  For the purposes of a cleaner zone file and less
traffic between slave servers, what's the best technique to break out the two DHCP-issued
address spaces?

My presumption is that the /16 zone remain a single zone file, with 
sub-delegation of those two /24 blocks.  As I've only done delegation to other 
name servers, is this both possible/recommended to be done in one bind 
instance?  Ideally, delegating a /23 seems to strike me as the right thing to 
do.  Of course, my blocks don't fall on a /23 boundary.  *eye roll*

For a concrete example:

10.0.0.0/16 is presently handled by a single zone file.
10.1.3.0/24 is DHCP issued
10.1.4.0/24 is DHCP issued

What do the experts recommend as the best method to split these into 1-3
different zone files on the same name server?

Thanks much for the assistance,
jc


___

JOHN C. COLE | Technical Product Management Specialist

DIGITAL REEF
85 Swanson Road | Boxborough, MA 01719 | 978-893-1023
www.digitalreefinc.com


Re: Delegation of DHCP blocks within same server?

2009-05-20 Thread Matthew Pounsett



On 20-May-2009, at 19:03, John Cole wrote:


> For a concrete example:
>
> 10.0.0.0/16 is presently handled by a single zone file.
> 10.1.3.0/24 is DHCP issued
> 10.1.4.0/24 is DHCP issued


I haven't tested this... but I'm 99% certain that you can simply load
them as three separate zones, exactly as you might expect.  BIND
should recognize that the zone{} statements for 10.1.3/24 and
10.1.4/24 are more specific than what's in 10.0/16 and act
accordingly.  Along those same lines, if you happen to have data for
either 10.1.3/24 or 10.1.4/24 inside the 10.0/16 zone file, you should
get an error.



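An added example (not from the thread) of two pre-checks for Matthew's approach: which configured reverse zone a PTR owner name falls under (the most specific zone wins), and which records in the parent zone file would then sit under a separately loaded child zone, the situation Matthew expects BIND to complain about. It takes the parent to be 10.in-addr.arpa (the 10/8 reverse zone), which contains both DHCP /24s as numbered; the zone file excerpt is constructed.

```python
ZONES = ["10.in-addr.arpa", "3.1.10.in-addr.arpa", "4.1.10.in-addr.arpa"]

# Constructed excerpt of the parent zone file; owner names are relative to $ORIGIN,
# and a line starting with whitespace inherits the previous owner, as BIND reads it.
ZONE_10 = """\
$ORIGIN 10.in-addr.arpa.
@        IN SOA  ns1.example.net. hostmaster.example.net. 1 1h 15m 1w 1h
         IN NS   ns1.example.net.
10.2.0   IN PTR  printer.example.net.
3.1      IN NS   ns1.example.net.
7.3.1    IN PTR  stale-lease.example.net.
20.4.1   IN PTR  another-stale.example.net.
9.9.0    IN PTR  server.example.net.
"""

def zone_for(name, zones):
    """Most specific configured zone containing `name` (longest matching suffix), or None."""
    name = name.rstrip(".").lower()
    best = None
    for z in (z.rstrip(".").lower() for z in zones):
        if (name == z or name.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    return best

def shadowed_records(zone_name, zone_text, zones):
    """Records of `zone_text` whose owner belongs to a more specific zone than
    `zone_name` (or to no configured zone). NS records at the cut are the
    delegation itself and are not reported."""
    origin = zone_name.rstrip(".")
    owner, hits = "@", []
    for line in zone_text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not line[0].isspace():            # explicit owner; otherwise inherit the last one
            owner = fields[0]
        rtype = fields[fields.index("IN") + 1]
        fqdn = origin if owner == "@" else owner.rstrip(".") if owner.endswith(".") else owner + "." + origin
        z = zone_for(fqdn, zones)
        if z != origin and not (rtype == "NS" and fqdn == z):
            hits.append((fqdn, rtype))
    return hits

if __name__ == "__main__":
    print(shadowed_records("10.in-addr.arpa", ZONE_10, ZONES))
```

The two stale PTRs under 3.1.10 and 4.1.10 are the ones to drop from the parent file before the child zones are loaded.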


RE: Delegation of DHCP blocks within same server?

2009-05-20 Thread John Cole
Thanks to both Chris and Matthew for solutions that worked.  I knew there had
to be an easy way ;)

I'll be using the delegation method for one of the two DHCP zones (it works out
better for network traffic), and indeed the hunch was right that just loading a more
specific zone works if you don't want to do the delegation (which is what I'm now
doing for the other zone!).

John



MX is a numeric IP

2009-05-20 Thread Tech W.

What will happen if an MX is a numeric IP?
For example,

# dig vip.online2.sh.cn mx +short
10 218.1.71.125.


Thanks.
