RE: How See what is Cached?
Thanks, it's working now.

Regards,
Vivek Aggarwal
+973-36583058

-----Original Message-----
From: Alans [mailto:batpowe...@yahoo.co.uk]
Sent: Wednesday, July 15, 2009 8:38 AM
To: Agarwal Vivek-RNGB36
Cc: bind-users@lists.isc.org
Subject: RE: How See what is Cached?

You should create the file that is specified in options:

    options {
        directory "/var/named";
        dump-file "/data/cache_dump.db";
    };

Make sure that the cache_dump.db file exists in that directory, and if it is chrooted then it will be inside the chroot directory. Also make sure that named has proper permissions for that file, then run the command:

    rndc dumpdb -cache

Alans

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Agarwal Vivek-RNGB36
Sent: Tuesday, July 14, 2009 9:11 AM
To: Alans; Niall O'Reilly
Cc: bind-users@lists.isc.org
Subject: RE: How See what is Cached?

Hi All,

I am trying to run the same command on Red Hat Linux, but it's not giving any output. How can I check the cache in Red Hat Linux?

Regards,
Vivek Aggarwal
+973-36583058

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alans
Sent: Tuesday, July 07, 2009 9:51 AM
To: 'Niall O'Reilly'
Cc: bind-users@lists.isc.org
Subject: RE: How See what is Cached?

It is an ISP DNS. When they tested the second DNS (advertised as secondary for customers), they noticed that it is a little bit slow when opening the same websites compared to the first DNS (primary). This happens only the first time they open the website; then it will be fine (because of caching). Now, they do have DHCP clients; I'll put the second DNS for them and see if there is any difference.

Thanks everyone,
Alans

JINMEI Tatuya / 神明達哉 wrote (but my comment is for the OP, AlanS):

> If the reason is due to client-side server selection algorithm (many
> Unix based resolvers only use the first address in /etc/resolv.conf as
> long as it responds to their queries), there's basically nothing you
> can do as the server side operator.

If you also operate the DHCP server(s) from which the clients obtain the data to put in /etc/resolv.conf, you can try to balance the resolver load by tuning the DHCP advertisements.

No-one on the list can really advise whether this would be useful, as you don't say what problem you're trying to solve.

Best regards,
Niall O'Reilly
University College Dublin IT Services

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: clearing local caches
Hello.

powerdns-recursor - the best. :)) Over 20k req/sec - feel good.

As a variant, try to use a small TTL like:

bind:
    max-ncache-ttl 1;
    max-cache-ttl 1;

powerdns-recursor:
    cache-ttl=1
    default-ttl=1

Scott Haneda wrote:
> Hello, this may not entirely be related to BIND/named, though I believe it is.
>
> I am working on a set of benchmarks to test the resolving speed of different recursive DNS providers. My plan is to call an http resource, and see how long it takes to resolve that host, as well as all embedded hosts and redirects within the html. After the initial test, I will want to call the same resource, with a different resolver. What is the most reliable way to clear any caches I would have picked up from the first request? I suspect I should call it 2x, so the remote resolver can cache the request, and provide those results as well?
>
> Currently, I was planning on using a browser, and timing the page request from start to stop with javascript. I am not entirely in love with this idea for obvious reasons. Can anyone suggest a better method?
>
> I could grep out the URLs from an ad heavy URL, and curl each of those, making a cumulative time result. However, I would like to just get DNS response times. Perhaps take the list of hosts and feed them to an iterative script calling dig, and fish out the response time? This does add the problem that redirects of course would not be followed, so I would have to pre-fetch all my URLs and follow them to get my testing list.
>
> Thanks for any suggestions.
Re: DNSKEY Validation
On Jul 14 2009, Mark Elkins wrote:

> On Tue, 2009-07-14 at 17:50 +1000, Mark Andrews wrote:
>> In message <1247555725.13064.4.ca...@ilinux>, Mark Elkins writes:
>>> OK - so I accept that the algorithm will change.
>>>
>>> What about some sort of validation of the base-64 part of the key?
>>> Is there a checksum byte/word?
>>> Is there a way of checking that the length is correct?
>>
>> Have you thought of reading the RFCs which describe these records?
>> The answers to your questions are in the RFCs.
>
> For the record - I have been looking at various definitions and at some
> RFCs - but the 'right thing' has not jumped out at me yet.
>
> Could some kind soul please point me at the latest RFC that describes
> the base-64 part of the DNSREC resource record - how to checksum it and
> calculate that the length is correct. Is it really that difficult?

RFC 4034 defines the DNSKEY record (among others). Section 2.2 defines its presentation ("master file") format. Appendix A defines the algorithm types (updated by RFC 5155 to define types 6 and 7). Appendix B describes how to compute the tag ("checksum") for a DNSKEY record.

All other necessary RFCs are cross-referenced from there:

    RFC 3548 for base-64 encoding
    RFC 3110 for the RSASHA1 (type 5/7) algorithm
    RFC 2536 for the DSA (type 3/6) algorithm
    others for more deprecated algorithms

(You do have to appreciate that where the latter refer to type KEY records you should take them to cover DNSKEY ones as well.)

There is a limit to how much "validation" you can do on an RSASHA1 key record (the most popular type), absent the signatures that use it.

--
Chris Thompson
Email: c...@cam.ac.uk
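The checks Chris points at, worked through as an added example (not code from the thread or from ISC): the key tag from RFC 4034 Appendix B, the base64 and protocol-field checks from RFC 4034 section 2, and the exponent/modulus split from RFC 3110 that is all the "length" validation an RSASHA1 key allows without a signature. The DNSKEY string is constructed with a deliberately tiny modulus so the tag can be checked by hand; it is not a real key.

```python
import base64
import struct

# Constructed DNSKEY (not a real key): flags 257 (zone key + SEP), protocol 3,
# algorithm 5 (RSASHA1), exponent 65537 and a deliberately tiny 32-bit modulus
# so the tag arithmetic can be checked by hand.
SAMPLE_DNSKEY = "257 3 5 AwEAAavN7xI="


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses the B.1 variant instead)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_rsa_public_key(key):
    """Split RFC 3110 RSA key material: exponent length (1 or 3 bytes),
    exponent, modulus.  Raises ValueError when the lengths do not add up."""
    if not key:
        raise ValueError("empty public key")
    if key[0] != 0:
        exp_len, body = key[0], key[1:]
    else:
        if len(key) < 3:
            raise ValueError("truncated exponent length field")
        exp_len, body = struct.unpack("!H", key[1:3])[0], key[3:]
    if exp_len == 0 or len(body) <= exp_len:
        raise ValueError("exponent length inconsistent with key length")
    exponent = int.from_bytes(body[:exp_len], "big")
    modulus = int.from_bytes(body[exp_len:], "big")
    return exponent, modulus


def check_dnskey(presentation):
    """Parse 'flags protocol algorithm base64...' and run the checks the RFCs allow."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("DNSKEY needs flags, protocol, algorithm and key")
    flags, protocol, algorithm = (int(x) for x in fields[:3])
    b64 = "".join(fields[3:])  # presentation format may split the base64 on whitespace
    try:
        key = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError(f"bad base64: {exc}") from None
    if protocol != 3:
        raise ValueError("protocol field must be 3 (RFC 4034 section 2.1.2)")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    result = {"flags": flags, "algorithm": algorithm, "key_tag": key_tag(rdata),
              "is_sep": bool(flags & 0x0001)}
    if algorithm in (5, 7):  # RSASHA1 and RSASHA1-NSEC3-SHA1 share the RFC 3110 format
        exponent, modulus = parse_rsa_public_key(key)
        result["exponent"] = exponent
        result["modulus_bits"] = modulus.bit_length()
    return result


def dnskey_problem(presentation):
    """None if the record passes the structural checks, else the complaint."""
    try:
        check_dnskey(presentation)
    except ValueError as exc:
        return str(exc)
    return None
```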
A smarter stub resolver??
I've frequently run into a problem that the stub resolver just isn't very dynamic in its selection of name servers - especially when dealing with time-sensitive apps. If the first DNS server in the list is down, the applications may slow down due to the constant retransmits.

Given a resolv.conf like the one below, the xNix box will ALWAYS query the first DNS server, even if it's down. So, for every single DNS query (think of how many reverse lookups a mail server, or Kerberos, will do), there's a 2 second delay.

Is there a "smarter" stub resolver that acts more like a DNS server, using Round Trip Time (RTT) to pick the "best" DNS server from the list? We run well over 500 xNix boxes (and growing), so running DNS on each of these just isn't a viable option to get round the DNS timing issues.

    nameserver 10.10.10.1
    nameserver 10.10.10.2
    nameserver 10.10.10.3
    options retry:2
    options retrans:2

Gord Taylor (CISSP, GCIH, GEEK)
RE: A smarter stub resolver??
I should mention that I've looked at "options rotate", but the concern is that this will mean retransmits if ANY of the nameservers are down. So, any DNS outage would cause some level of impact to the application. It also makes it harder for applications to determine if slowdowns are due to DNS name resolution issues. Since 1/3 of the queries will be slower, they'll not think to look at DNS as root cause; they'd probably see it as a utilization issue, or something along those lines. While that may mean I don't get paged, it's not great for the business :)

Gord Taylor (CISSP, GCIH, GEEK)

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Taylor, Gord
Sent: 2009, July, 15 10:05 AM
To: bind-users@lists.isc.org
Subject: A smarter stub resolver??

> I've frequently run into a problem that the stub resolver just isn't very dynamic in its selection of name servers - especially when dealing with time-sensitive apps. If the first DNS server in the list is down, the applications may slow down due to the constant retransmits.
>
> Given a resolv.conf like the one below, the xNix box will ALWAYS query the first DNS server, even if it's down. So, for every single DNS query (think of how many reverse lookups a mail server, or Kerberos, will do), there's a 2 second delay.
>
> Is there a "smarter" stub resolver that acts more like a DNS server, using Round Trip Time (RTT) to pick the "best" DNS server from the list? We run well over 500 xNix boxes (and growing), so running DNS on each of these just isn't a viable option to get round the DNS timing issues.
>
>     nameserver 10.10.10.1
>     nameserver 10.10.10.2
>     nameserver 10.10.10.3
>     options retry:2
>     options retrans:2
>
> Gord Taylor (CISSP, GCIH, GEEK)
Re: Adding first DNSKEY record with update (9.6.0 vs 9.6.1)
On Jul 15 2009, Mark Andrews wrote:

> In message , Chris Thompson writes:
>> In BIND 9.6.0 one could take an unsigned zone and add an initial KSK and
>> ZSK to it using nsupdate (and if the right files were in the key
>> directory, it would sign everything correctly). In BIND 9.6.1 this no
>> longer works: it returns REFUSED.
>>
>> It's unclear to me whether this change was intended - if so I can't work
>> out which entry in the CHANGES file it corresponds to.
>
> 2530. [bug] named failed to reject insecure to secure transitions via
>       UPDATE. [RT #19101]
>
> The functionality was supposed to be conditionally available; when it is
> complete it will be available in a default build.

Thank you. Also Shumon Huque pointed out in private e-mail that this has recently been discussed on bind-users in the thread "DNSKEY dynamic update: unexpected change 9.6.0-P1 -> 9.6.1". It was careless of me not to have checked that.

Luckily my current plans for transitioning "real" zones from unsigned to signed involve freezing, signing with dnssec-signzone, and then thawing.

--
Chris Thompson
Email: c...@cam.ac.uk
BIND 9.6 freezing on update to signed zone (rare!)
We had an incident last night on the authoritative nameserver which is master for dnssec-test.csi.cam.ac.uk (a signed zone). At the time it was running BIND 9.6.1rc1 (but I doubt if 9.6.1 is going to make a difference).

A script-generated update timed out, and it subsequently failed to respond to any DNS queries or rndc commands (although the named process was still running). It has to have been the update itself that caused this. (It had just previously processed updates to two unsigned zones perfectly.)

On the other hand, it had previously processed dozens of updates to the signed zone without any problems (it is maintained as an approximate clone of cam.ac.uk), and there wasn't anything unusual about this one. Indeed there was no problem re-applying it after BIND had been restarted. I am reduced to speculating about timing effects, e.g. collision with a re-signing event.

Unfortunately I failed to get a core dump of named in the non-responding state (I need to review my procedures for that!) so I haven't got enough to report to bind-bugs. This is an appeal to ask if anyone has seen anything similar.

--
Chris Thompson
Email: c...@cam.ac.uk
Issue with Two Views and Master/SLAVE Servers.
Guys,

Please forgive me if this is a bit hard to follow, but I have two servers that are both running bind-9.3.4, and I am having an issue with the way one zone file is being transferred from the master to the slave.

The master server is set up like this with the zone having the issue...

    Internal (hosting all the local servers on a private subnet)
    External (has a line pointing to a file in the share dir)
    Share (that has the SN# and all the external hosts in)

The slave server is set up like this...

    Internal (hosting all the local servers on a private subnet)
    External (that has the SN# and all the external hosts in)

Now, before someone points out they aren't the same: I know. I didn't set them up this way, and because they are production boxes I can't tear them down and rebuild them the way I want.

When the master transfers to the slave, what it is doing is taking all the hosts for internal and share (remember the external only has an include statement to look at the share file) and creating a new external zone view on the slave. This is an issue for me because we have the internal view with the hosts that are on 192.168, and when this file is created you can now see them only with the external hosts.

I had tried to break them out into two separate zone files, but when I do that it breaks where internal users can't see the external hosts.

Is there a simple way to get to where I can have zone transfers? Does anyone have any help for this nightmare?

==
Chuck Payne | Unix System Administrator
TRAVEL CHANNEL MEDIA
Re: Issue with Two Views and Master/SLAVE Servers.
See the FAQ question:

    Q: How can I make a server a slave for both an internal and an external view at the same time? When I tried, both views on the slave were transferred from the same view on the master.

(It has two different answers.) The FAQ is included with the BIND source. Here it is in HTML: https://www.isc.org/node/282

If I misunderstood your problem, then please provide more details and copies of your named.conf files. Also consider upgrading your BIND version.
Re: clearing local caches
Scott Haneda wrote:
> ...
> However, I would like to just get DNS response times. Perhaps take the list of hosts and feed them to an iterative script calling dig, and fish out the response time? This does add the problem that redirects of course would not be followed, so I would have to pre-fetch all my URLs and follow them to get my testing list.

I don't see how you could call the results from any other method "DNS response times." If you used a web browser to measure from, you'd be introducing all sorts of other latencies. Delays from the web server itself. The webserver may have to talk to a database to output the HTML. The transfer of the actual HTML code isn't instantaneous. (And that's just off the top of my head.)

--
Dave
Re: Truncated, retrying in TCP on Reverse lookup
Matus UHLAR - fantomas wrote:
>> On Thu, Jul 09, 2009 at 05:50:02AM -0700, Fr34k wrote a message of 119 lines which said:
>>> There should be one and only one PTR for that IP.
>
> On 10.07.09 22:40, Stephane Bortzmeyer wrote:
>> No. No good reason for such restriction.
>
> While from DNS' point of view there is no reason to do that, many programs checking and/or validating reverse DNS may comply or give strange results (different hostname may appear in the logs).
>
> Also, validating (forward confirming) more reverse names takes much longer time than validating just one. Or, will you validate only one/few of them?

How do you validate when the forward host name that you know about doesn't match the single PTR record you think reverse DNS should be limited to?

--
Dave
Re: How See what is Cached?
Gregory Hicks wrote:
> From: "Alans"
> Date: Sun, 5 Jul 2009 11:29:27 +0300
>
>> I run that command but nothing happened! And the named.conf option is
>>
>>     dump-file "/data/cache_dump.db";
>>
>> I checked that directory; that file doesn't exist!! Do you think there is a problem in the configuration?
>
> File / directory permissions perhaps?

chroot jail possibly. '/data' would be relative to the chroot directory that BIND is running from.
Re: clearing local caches
On Jul 15, 2009, at 12:29 PM, Dave Sparro wrote:
> Scott Haneda wrote:
>> ...
>> However, I would like to just get DNS response times. Perhaps take the list of hosts and feed them to an iterative script calling dig, and fish out the response time? This does add the problem that redirects of course would not be followed, so I would have to pre-fetch all my URLs and follow them to get my testing list.
>
> I don't see how you could call the results from any other method "DNS response times." If you used a web browser to measure from, you'd be introducing all sorts of other latencies. Delays from the web server itself. The webserver may have to talk to a database to output the HTML. The transfer of the actual HTML code isn't instantaneous. (And that's just off the top of my head.)

Correct. So I will end up pulling down the file, extracting the hostnames, following any redirects, and extracting the resulting hostnames. This gives me a nice list of hostnames that I can run through an iterative loop in dig.

I just need to make sure that I am not getting a locally cached result. I suspect there is no way to force a non-cached result from the remote-end resolver?

--
Scott
* If you contact me off list replace talklists@ with scott@ *
ixfr-from-differences; journal not created on "rndc reload "
BIND-9.5.1-P1.

When "ixfr-from-differences yes;" is configured on a zone, and an edit is made to the zone file and the zone reloaded via "rndc reload foo.com", a journal file is not created. However, when an "rndc reload" of the whole configuration is done, then the journal is created.

Is this expected behavior? Why is the journal of the differences not created on an explicit rndc reload of the zone?

Thanks.
-Tim
Re: clearing local caches
Scott Haneda wrote:
> On Jul 15, 2009, at 12:29 PM, Dave Sparro wrote:
>> Scott Haneda wrote:
>>> ...
>>> However, I would like to just get DNS response times. Perhaps take the list of hosts and feed them to an iterative script calling dig, and fish out the response time? This does add the problem that redirects of course would not be followed, so I would have to pre-fetch all my URLs and follow them to get my testing list.
>>
>> I don't see how you could call the results from any other method "DNS response times." If you used a web browser to measure from, you'd be introducing all sorts of other latencies. Delays from the web server itself. The webserver may have to talk to a database to output the HTML. The transfer of the actual HTML code isn't instantaneous. (And that's just off the top of my head.)
>
> Correct. So I will end up pulling down the file, extracting the hostnames, following any redirects, and extracting the resulting hostnames. This gives me a nice list of hostnames that I can run through an iterative loop in dig.
>
> I just need to make sure that I am not getting a locally cached result. I suspect there is no way to force a non-cached result from the remote-end resolver?

If you aim your dig at a specific DNS server you'll be getting the results from that IP address. There won't be any local resolver involved.

If you aren't in control of the remote resolver, there's no way to predict the cache status of your query on the remote side.
Re: clearing local caches
On Jul 15, 2009, at 12:59 PM, Dave Sparro wrote:
> Scott Haneda wrote:
>> On Jul 15, 2009, at 12:29 PM, Dave Sparro wrote:
>>> Scott Haneda wrote:
>>>> ...
>>>> However, I would like to just get DNS response times. Perhaps take the list of hosts and feed them to an iterative script calling dig, and fish out the response time? This does add the problem that redirects of course would not be followed, so I would have to pre-fetch all my URLs and follow them to get my testing list.
>>>
>>> I don't see how you could call the results from any other method "DNS response times." If you used a web browser to measure from, you'd be introducing all sorts of other latencies. Delays from the web server itself. The webserver may have to talk to a database to output the HTML. The transfer of the actual HTML code isn't instantaneous. (And that's just off the top of my head.)
>>
>> Correct. So I will end up pulling down the file, extracting the hostnames, following any redirects, and extracting the resulting hostnames. This gives me a nice list of hostnames that I can run through an iterative loop in dig.
>>
>> I just need to make sure that I am not getting a locally cached result. I suspect there is no way to force a non-cached result from the remote-end resolver?
>
> If you aim your dig at a specific DNS server you'll be getting the results from that IP address. There won't be any local resolver involved.
>
> If you aren't in control of the remote resolver, there's no way to predict the cache status of your query on the remote side.

Thank you, makes sense, I will give it a shot.

--
Scott
* If you contact me off list replace talklists@ with scott@ *
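Dave's advice to aim the query at a specific server, and the RTT-based server choice Gord asks about in the "A smarter stub resolver??" thread above, as one added example that is not code from either thread: it sends a raw query straight to each nameserver listed in a resolv.conf-shaped file (so no local stub or cache sits in the path), times the answer with the configured timeout, and orders the servers by RTT with timed-out ones last. The resolv.conf text is constructed from Gord's post; the reply used for offline testing is constructed, not captured; all function names are this example's own.

```python
import random
import socket
import struct
import time

# Constructed resolv.conf shaped like the one in the "smarter stub resolver" thread.
SAMPLE_RESOLV_CONF = ("nameserver 10.10.10.1\nnameserver 10.10.10.2\n"
                      "nameserver 10.10.10.3\noptions retry:2\noptions retrans:2\n")


def parse_resolv_conf(text):
    """Nameservers plus the per-query timeout; 'retrans' (the poster's spelling)
    is accepted as a synonym of 'timeout'."""
    cfg = {"nameservers": [], "timeout": 5}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        if parts[0] == "nameserver" and len(parts) > 1:
            cfg["nameservers"].append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                name, _, value = opt.partition(":")
                if name in ("timeout", "retrans"):
                    cfg["timeout"] = int(value)
    return cfg


def build_query(name, qtype=1, txid=None):
    """Minimal DNS query (RD set, one question), as a stub resolver sends it."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(msg, off):
    """Advance past a domain name, compressed or not."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Transaction id, rcode, answer count and the smallest answer TTL."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype and qclass
    ttls = []
    for _ in range(an):
        off = _skip_name(msg, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return {"id": txid, "rcode": flags & 0xF, "answers": an,
            "min_ttl": min(ttls) if ttls else None}


def constructed_response(query, ttl, ip):
    """Constructed sample reply (not captured traffic): echoes the question and
    adds one A record so parse_response() can be exercised offline."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = _skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:qend] + answer


def timed_query(server, name, timeout):
    """Ask one server directly over UDP, bypassing the local stub resolver.
    Returns (rtt_seconds, parsed) or (None, None) on timeout or a stray reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, None
        rtt = time.monotonic() - start
    parsed = parse_response(data)
    if parsed["id"] != struct.unpack("!H", query[:2])[0]:
        return None, None
    return rtt, parsed


def rank_servers(rtts):
    """Order by measured RTT, timed-out servers (None) last: the choice a
    resolv.conf stub never makes, which is why the first server is always hit."""
    return sorted(rtts, key=lambda s: (rtts[s] is None, rtts[s] or 0.0))
```

To measure a live list, build `{s: timed_query(s, name, cfg["timeout"])[0] for s in cfg["nameservers"]}` and pass it to `rank_servers()`; the `min_ttl` field is what you would compare between two runs to see whether the remote resolver answered from cache.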
ixfr-from-differences on rndc reload
BIND-9.5.1-P1.

When "ixfr-from-differences yes;" is configured on a zone, and an edit is made to the zone file and the zone reloaded via "rndc reload foo.com", a journal file is not created. However, when an "rndc reload" of the whole configuration is done, then the journal is created.

Is this expected behavior? Why is the journal of the differences not created on an explicit rndc reload of the zone?

Thanks.
-Tim
Re: Truncated, retrying in TCP on Reverse lookup
In message <4a5e300c.7050...@gmail.com>, Dave Sparro writes:
> Matus UHLAR - fantomas wrote:
>>> On Thu, Jul 09, 2009 at 05:50:02AM -0700, Fr34k <freaknet...@yahoo.com> wrote a message of 119 lines which said:
>>>> There should be one and only one PTR for that IP.
>>
>> On 10.07.09 22:40, Stephane Bortzmeyer wrote:
>>> No. No good reason for such restriction.
>>
>> While from DNS' point of view there is no reason to do that, many programs checking and/or validating reverse DNS may comply or give strange results (different hostname may appear in the logs).
>>
>> Also, validating (forward confirming) more reverse names takes much longer time than validating just one. Or, will you validate only one/few of them?
>
> How do you validate when the forward host name that you know about doesn't match the single PTR record you think reverse DNS should be limited to?

A machine has a canonical name. Everything else is an alias, whether it is a CNAME or A or AAAA.

Mark

> --
> Dave

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
about allow-update
Dear list,

Currently I'm using a TSIG key for dynamic update auth.

    allow-update {key "mykey";};

Besides the TSIG key, I want to limit the source address also. That's to say, I want only the given address with the specified key to execute the update.

How can I do it? Is this syntax correct?

    allow-update {key "mykey"; 192.168.1.254;};

Thanks in advance.
Re: Bind 9.6.1: skipping zone transfer, but why ?
Chris Buxton wrote:
> On Jun 30, 2009, at 6:15 AM, bind9 wrote:
>> 1) "skipping zone transfer as master 213.173.250.146#53 (source 0.0.0.0#0) is unreachable (cached)" seems to indicate that the slave has cached a knowledge about the master being unreachable. It isn't. I can nslookup on the master from the slave just fine. What is wrong?
>
> The slave is caching, for some length of time set in the source code (an hour? something like that), that the master is unreachable for zone transfers.
>
>> 2) what causes "transfer of '3yhta.dk/IN' from 213.173.250.146#53: failed to connect: connection refused"? There is no evidence of "connection refused" in the master's log, so where could this come from?

The connection refused error means that nothing is listening at that port on that address. That means that either the server was not configured to listen on that address or the server has gone down.

> The master is unreachable over TCP. The port has gone deaf. We see this on some operating systems and not others. (We don't work much with BIND on Windows, so we hadn't seen the issue on that OS.) Basically, when the port is not used for a while, it looks like the OS shuts down the listener without telling the service.

No, Windows doesn't do that. It is no different from a Unix O/S. I have no idea what you mean by the listener here or the service, but on Windows the service is only involved with getting the server running and does not know or care about what IP addresses and ports get used, if they get used at all. This is no different from Unix.

Danny
Re: about allow-update
> Besides TSIG key, I want to limit the source address also. That's to
> say, I want the given address with specified key to execute the update
> only.
>
> How can I do it? Is this syntax correct?
>
> allow-update {key "mykey"; 192.168.1.254;};

Alas, no. What you want is:

    allow-update { !{ !192.168.1.254; any; }; key mykey; };

See http://www.mail-archive.com/bind-users@lists.isc.org/msg00045.html for my hard-to-read explanation of this painful syntax.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
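Evan's nested-negation form, worked through as an added example (not BIND's code): a small evaluator for the address_match_list rules named documents (first matching element decides, a negated match is a deny, a nested list matches when it evaluates to allow), applied to the poster's syntax and to the corrected one. The key name and address are the thread's; the data representation and function names are this example's own assumptions.

```python
import ipaddress

ALLOW, DENY, NO_MATCH = "allow", "deny", "no-match"


def negate(term):
    """Mark a term or nested list as negated (the '!' in named.conf)."""
    return ("!", term)


def _unwrap(elem):
    if isinstance(elem, tuple) and elem[0] == "!":
        return True, elem[1]
    return False, elem


def _term_matches(term, src, key):
    """Does one (un-negated) term match this request?"""
    if isinstance(term, list):               # nested address_match_list
        return evaluate(term, src, key) == ALLOW
    if term == "any":
        return True
    if term == "none":
        return False
    if term.startswith("key "):
        return key is not None and key == term[4:].strip('"')
    return ipaddress.ip_address(src) in ipaddress.ip_network(term, strict=False)


def evaluate(acl, src, key=None):
    """Walk the list in order; the first element that matches decides.
    A negated element that matches is a deny.  Running off the end is a
    no-match, which named treats like a deny for allow-update."""
    for elem in acl:
        negated, term = _unwrap(elem)
        if _term_matches(term, src, key):
            return DENY if negated else ALLOW
    return NO_MATCH


def allowed(acl, src, key=None):
    return evaluate(acl, src, key) == ALLOW


# The poster's attempt: matches if the key OR the address matches.
NAIVE = ['key "mykey"', "192.168.1.254"]

# Evan's form: allow-update { !{ !192.168.1.254; any; }; key mykey; };
# Inner list: the right address is a negated match (deny), anything else
# hits "any" (allow).  Negating the inner list turns "anything else" into a
# deny and lets the right address fall through to the key check, so the
# update needs both the address and the key.
STRICT = [negate([negate("192.168.1.254"), "any"]), "key mykey"]
```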
IPv6 hostname resolution not working
hi,

I am trying to set up BIND9 as a DNS server for local IPv6 name resolution within a LAN. I've been reading through related threads on forums and whatever documents Google comes up with. I am new to this and haven't been able to get it to work so far and could really use some help.

Here's the network:

    Ubuntu 8.10 running BIND 9.5.0-P2
    IPv4 - 192.168.1.8
    IPv6 - fe80::a00:27ff:fe56:7f27/64
    hostname - dnsserver

    Windows XP SP2 (IPv6 Protocol installed)
    IPv4 - 192.168.1.7
    IPv6 - fe80::a00:27ff:fea8:81ed%5
    hostname - winclient

Both the IPv6 addresses are autoconfigured, while IPv4 addresses are via DHCP.

As long as I am working with IPv4, things work. I forced dnsserver's IPv4 address in winclient's DNS settings. I can ping winclient and it resolves its IPv4 address (I get replies from the IPv4 address).

However, as soon as I add dnsserver's IPv6 address as DNS using

    netsh interface ipv6 add dns "Local Area Connection" fe80::a00:27ff:fe56:7f27/64

I am no longer able to resolve winclient's IP address (I get replies from the IPv6 loopback address ::1).

On dnsserver:

This is the /etc/bind/named.conf.options file:

    listen-on-v6 { any; };

And this is the /etc/bind/named.conf.local file:

    zone "dnsserver." {
        type master;
        file "/etc/bind/db.dnsserver";
    };

This is the zone file (/etc/bind/db.dnsserver):

    ;forward lookup zonefile
    $TTL 86400
    dnsserver.    IN    SOA    dnsserver. dummy.rms. {
            2009071309    ; Serial no., based on date
            21600         ; Refresh after 6 hours
            3600          ; Retry after 1 hour
            604800        ; Expire after 7 days
            3600          ; Minimum TTL of 1 hour
            )
    ;Name Servers
    dnsserver    IN    AAAA    fe80::a00:27ff:fe56:7f27/64
    dnsserver    IN    A       192.168.1.8
    @            IN    NS      dnsserver

    ;clients
    client       IN    A       192.168.1.7
    client       IN    AAAA    fe80::a00:27ff:fea8:81ed%5

I have tried turning iptables and ip6tables off; it still doesn't work. I have checked that IPv6 is enabled on Ubuntu using lsmod|grep ipv6.

There must be something I am missing here, please help!

Thanks
Re: IPv6 hostname resolution not working
In message <644024.70777...@web31001.mail.mud.yahoo.com>, vikram writes:
> hi,
>
> I am trying to set up BIND9 as a DNS server for local IPv6 name resolution
> within a LAN. I've been reading through related threads on forums and
> whatever documents Google comes up with. I am new to this and haven't been
> able to get it to work so far and could really use some help.

Link locals are "difficult" to work with. There is no way to specify the link in the DNS. To use the addresses you need to specify a link identifier which is node specific.

I suggest that you generate a ULA prefix (RFC4193) and use that.

> Here's the network:
> Ubuntu 8.10 running BIND 9.5.0-P2
> IPv4 - 192.168.1.8
> IPv6 - fe80::a00:27ff:fe56:7f27/64
> hostname - dnsserver
> Windows XP SP2 (IPv6 Protocol installed)
> IPv4 - 192.168.1.7
> IPv6 - fe80::a00:27ff:fea8:81ed%5
> hostname - winclient
>
> Both the IPv6 addresses are autoconfigured, while IPv4 addresses are via DHCP.
>
> As long as I am working with IPv4, things work. I forced dnsserver's IPv4
> address in winclient's DNS settings.
> I can ping winclient and it resolves its IPv4 address (I get replies from
> the IPv4 address).
>
> However, as soon as I add dnsserver's IPv6 address as DNS using
> netsh interface ipv6 add dns "Local Area Connection" fe80::a00:27ff:fe56:7f27/64
>
> I am no longer able to resolve winclient's IP address (I get replies from the
> IPv6 loopback address ::1).
>
> On dnsserver:
> this is the /etc/bind/named.conf.options file
> listen-on-v6 { any; };
>
> and this is the /etc/bind/named.conf.local file
> zone "dnsserver." {
> type master;
> file "/etc/bind/db.dnsserver";
> };
>
> this is the zone file (/etc/bind/db.dnsserver)
> ;forward lookup zonefile
> $TTL 86400
> dnsserver.    IN    SOA    dnsserver. dummy.rms. {
>         2009071309    ; Serial no., based on date
>         21600         ; Refresh after 6 hours
>         3600          ; Retry after 1 hour
>         604800        ; Expire after 7 days
>         3600          ; Minimum TTL of 1 hour
>         )
> ;Name Servers
> dnsserver    IN    AAAA    fe80::a00:27ff:fe56:7f27/64
> dnsserver    IN    A       192.168.1.8
> @            IN    NS      dnsserver
>
> ;clients
> client       IN    A       192.168.1.7
> client       IN    AAAA    fe80::a00:27ff:fea8:81ed%5

You don't specify the link identifier in AAAA records.

> I have tried turning iptables and ip6tables off; it still doesn't work.
> I have checked that IPv6 is enabled on Ubuntu using lsmod|grep ipv6.
>
> There must be something I am missing here, please help!
>
> Thanks

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org