about cache nonexist record
Hello,

I have Bind-9.6.1 running on our university environment, and have been using dynamic update.

My question is, when another DNS server queries my named for a record, for example test.example.com, but this record doesn't exist, how long will the remote DNS cache this nonexistent record?

I found the problem that if this nonexistent record was cached by the remote DNS, even if I added the corresponding record to the named zone soon after, the remote DNS can't find it quickly. This is not good for dynamic update IMO. For example, I need to change a record, then I have to do:

    nsupdate delete
    nsupdate add

If the remote DNS queries for this record just after 'nsupdate delete', then it will get nothing and cache this nonexistent record for some time, even though the correct record has been added.

How to deal with this case?

Thanks.

Regards,
Wah.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
SRV Record Priority set by IP Address
Hello everyone,

I've stumbled into a question whether it is possible to configure BIND in a way that it responds to DNS SRV requests with the priority flag changed depending on the IP address of the requesting party.

For example, there are two SRV records for _foobar._tcp. One points to 10.0.1.2 and the other to 10.0.2.2. The requesting party has the IP address 10.0.1.53. I would want to have the first one with the priority higher than the second, which would allow me to split up the network by zones, each one having their own server, with the rest of the servers used only in case of the prevalent zone server's failure.

Thanks in advance!
Re: SRV Record Priority set by IP Address
Lev Vanyan wrote:
> I've stumbled into a question whether it is possible to configure BIND in a way that it responds to DNS SRV requests with the priority flag changed depending on the IP address of the requesting party.
>
> For example, there are two SRV records for _foobar._tcp. One points to 10.0.1.2 and the other to 10.0.2.2. The requesting party has the IP address 10.0.1.53. I would want to have the first one with the priority higher than the second, which would allow me to split up the network by zones, each one having their own server, with the rest of the servers used only in case of the prevalent zone server's failure.

As variant: Two views, first with record

    srv 10.0.1.2
    srv 10.0.2.2

second:

    srv 10.0.2.2
    srv 10.0.1.2

Then set RRSET to FIXED.
Re: about cache nonexist record
On Jul 20 2009, Tech W. wrote:
> I have Bind-9.6.1 running on our university environment, and have been using dynamic update.
>
> My question is, when another DNS server queries my named for a record, for example test.example.com, but this record doesn't exist, how long will the remote DNS cache this nonexistent record?

Read RFC 2308 "Negative Caching of DNS Queries". Roughly, the answer is "(at most) the (now misnamed) MINIMUM field of the SOA record for the zone".

> I found the problem that if this nonexistent record was cached by the remote DNS, even if I added the corresponding record to the named zone soon after, the remote DNS can't find it quickly. This is not good for dynamic update IMO. For example, I need to change a record, then I have to do:
>
>     nsupdate delete
>     nsupdate add
>
> If the remote DNS queries for this record just after 'nsupdate delete', then it will get nothing and cache this nonexistent record for some time, even though the correct record has been added.
>
> How to deal with this case?

Do the delete and the add in the same update transaction:

    nsupdate
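An added example (mine, not from Chris's reply and not from BIND) that puts both halves of the answer in code: the RFC 2308 negative-cache lifetime, and an nsupdate batch that carries the delete and the add in one transaction, beside the two-transaction pattern from the question. The zone, owner name, address, TTL and key-file name are constructed sample values; the nsupdate commands themselves (server, zone, update delete, update add, send) are the real grammar.

```python
"""Negative caching (RFC 2308) and a single-transaction nsupdate replace.

Added example; not code from the bind-users thread or from BIND. The zone,
owner name, address and key-file name are constructed sample values.
"""
from typing import Optional


def negative_cache_ttl(soa_ttl: int, soa_minimum: int) -> int:
    """RFC 2308 section 3: a resolver keeps an NXDOMAIN or NODATA answer for
    the lesser of the SOA record's own TTL and its MINIMUM field. This is the
    ceiling on how long a remote cache can hold "test.example.com does not
    exist" after the name has in fact been added."""
    return min(soa_ttl, soa_minimum)


def atomic_replace(zone: str, name: str, rtype: str, new_rdata: str,
                   ttl: int = 300, server: Optional[str] = None) -> str:
    """Build an nsupdate batch that removes every RR of name/rtype and adds the
    replacement inside ONE transaction: a single trailing "send" packs both
    operations into one UPDATE message, so the zone never passes through a
    state in which the name is absent and a remote resolver never receives an
    NXDOMAIN it could cache."""
    lines = []
    if server:
        lines.append(f"server {server}")
    lines.append(f"zone {zone}")
    lines.append(f"update delete {name} {rtype}")
    lines.append(f"update add {name} {ttl} {rtype} {new_rdata}")
    lines.append("send")  # exactly one send: one transaction
    return "\n".join(lines) + "\n"


def two_step_replace(zone: str, name: str, rtype: str, new_rdata: str,
                     ttl: int = 300) -> str:
    """The pattern from the question: delete and add as separate runs, i.e.
    two "send"s. Between them the name does not exist, and a query that lands
    in the gap is negatively cached for up to negative_cache_ttl() seconds."""
    return (f"zone {zone}\nupdate delete {name} {rtype}\nsend\n"
            f"zone {zone}\nupdate add {name} {ttl} {rtype} {new_rdata}\nsend\n")


def transaction_count(batch: str) -> int:
    """Number of UPDATE messages an nsupdate batch will send."""
    return sum(1 for line in batch.splitlines() if line.strip() == "send")


if __name__ == "__main__":
    # Constructed SOA values: record TTL 3600, MINIMUM (negative TTL) 900.
    print("NXDOMAIN may be cached for up to", negative_cache_ttl(3600, 900), "s")
    batch = atomic_replace("example.com.", "test.example.com.", "A", "192.0.2.10")
    print(batch, end="")
    # Feed the batch to nsupdate, e.g.
    #   printf '%s' "$batch" | nsupdate -k Kexample.+157+00000.private
    # (the key file name is a placeholder; -k takes the TSIG private-key file)
```

Lowering the SOA MINIMUM shortens the window for cases where an atomic replace is not possible, but it also raises the query load on the authoritative servers for every nonexistent name, so the single-transaction update is the better fix for planned changes.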
Re: SRV Record Priority set by IP Address
On Jul 20 2009, Dmitry Rybin wrote:
> Lev Vanyan wrote:
>> I've stumbled into a question whether it is possible to configure BIND in a way that it responds to DNS SRV requests with the priority flag changed depending on the IP address of the requesting party.
>>
>> For example, there are two SRV records for _foobar._tcp. One points to 10.0.1.2 and the other to 10.0.2.2. The requesting party has the IP address 10.0.1.53. I would want to have the first one with the priority higher than the second, which would allow me to split up the network by zones, each one having their own server, with the rest of the servers used only in case of the prevalent zone server's failure.
>
> As variant: Two views, first with record
>
>     srv 10.0.1.2
>     srv 10.0.2.2
>
> second:
>
>     srv 10.0.2.2
>     srv 10.0.1.2
>
> Then set RRSET to FIXED.

Using two views is right, but the rest of this is very much not so. No SRV-using application is going to treat the RR order in the answer as significant. They will use the priority and weight fields as described in RFC 2782 (or so one hopes). Those should be adjusted appropriately in the two views.

--
Chris Thompson
Email: c...@cam.ac.uk
Re: SRV Record Priority set by IP Address
On 20.07.09 14:11, Chris Thompson wrote:
> On Jul 20 2009, Dmitry Rybin wrote:
>
>> Lev Vanyan wrote:
>>>
>>> I've stumbled into a question whether it is possible to configure BIND
>>> in a way that it responds to DNS SRV requests with the priority flag
>>> changed depending on the IP address of the requesting party.
>>> For example,
>>> there are two SRV records for _foobar._tcp. One points to 10.0.1.2 and
>>> the other to 10.0.2.2. The requesting party has the IP address
>>> 10.0.1.53. I would want to have the first one with the priority higher
>>> than the second, which would allow me to split up the network by zones
>>> each one having their own server with the rest of servers used only in
>>> case of the prevalent zone server failure.
>>
>> As variant:
>> Two views, first with record
>> srv 10.0.1.2
>> srv 10.0.2.2
>>
>> second:
>> srv 10.0.2.2
>> srv 10.0.1.2
>>
>> Then set RRSET to FIXED.
>
> Using two views is right, but the rest of this is very much not so.
> No SRV-using application is going to treat the RR order in the answer
> as significant. They will use the priority and weight fields as
> described in RFC 2782 (or so one hopes). Those should be adjusted
> appropriately in the two views.
>

I don't think that I understand how views are used here. Can you explain please (preferably accompanied with an example of a probable config)?
RE: Bind 9.6.1: skipping zone transfer, but why ?
Hi,

I see exactly this problem too on Windows 2003. Lookups happen normally after this behaviour occurs though.

Restarting bind cures the problem. I haven't bothered to debug the issue as yet :-)

Ian

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Danny Mayer
Sent: 16 July 2009 04:09
To: Chris Buxton
Cc: bind-users@lists.isc.org
Subject: Re: Bind 9.6.1: skipping zone transfer, but why ?

Chris Buxton wrote:
> On Jun 30, 2009, at 6:15 AM, bind9 wrote:
>> 1) "skipping zone transfer as master 213.173.250.146#53 (source 0.0.0.0#0) is unreachable (cached)" seems to indicate that the slave has cached a knowledge about the master being unreachable. It isn't. I can nslookup on the master from the slave just fine. What is wrong?
>
> The slave is caching, for some length of time set in the source code (an hour? something like that), that the master is unreachable for zone transfers.
>
>> 2) what causes "transfer of '3yhta.dk/IN' from 213.173.250.146#53: failed to connect: connection refused" ? There is no evidence of "connection refused" in the master's log, so where could this come from?
>

The connection refused error means that nothing is listening at that port on that address. That means that either that address was not configured to listen on that address or the server has gone down.

> The master is unreachable over TCP. The port has gone deaf. We see this on some operating systems and not others. (We don't work much with BIND on Windows, so we hadn't seen the issue on that OS.) Basically, when the port is not used for a while, it looks like the OS shuts down the listener without telling the service.
>

No, Windows doesn't do that. It is no different from a Unix O/S. I have no idea what you mean by the listener here or the service, but on Windows the service is only involved with getting the server running and does not know or care about what IP addresses and ports get used, if they get used at all. This is no different from Unix.

Danny
Re: A smarter stub resolver??
Rather than applying lipstick to the pig, why not run a local caching-only resolver? Move up and out of the stub-ville slums. A local instance of named doesn't take up that much server resources (disk, memory, CPU), and pays you back by *not*, as a stub resolver does, using network resources, and incurring network latency, for each and every lookup.

- Kevin

Taylor, Gord wrote:
> I should mention that I've looked at "options rotate", but the concern is that this will mean retransmits if ANY of the nameservers are down. So, any DNS outage would cause some level of impact to the application.
>
> It also makes it harder for applications to determine if slowdowns are due to DNS name resolution issues. Since 1/3 of the queries will be slower, they'll not think to look at DNS as root cause; they'd probably see it as a utilization issue, or something along those lines. While that may mean I don't get paged, it's not great for the business :)
>
> Gord Taylor (CISSP, GCIH, GEEK)
>
> -Original Message-
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Taylor, Gord
> Sent: 2009, July, 15 10:05 AM
> To: bind-users@lists.isc.org
> Subject: A smarter stub resolver??
>
> I've frequently run into a problem that the stub resolver just isn't very dynamic in its selection of name servers - especially when dealing with time-sensitive apps. If the first DNS server in the list is down, the applications may slow down due to the constant retransmits. Given a resolv.conf like the one below, the xNix box will ALWAYS query the first DNS server, even if it's down. So, for every single DNS query (think of how many reverse lookups a mail server, or Kerberos, will do), there's a 2 second delay.
>
> Is there a "smarter" stub resolver that acts more like a DNS server, using Round Trip Time (RTT) to pick the "best" DNS server from the list? We run well over 500 xNix boxes (and growing), so running DNS on each of these just isn't a viable option to get round the DNS timing issues.
>
>     Nameserver 10.10.10.1
>     Nameserver 10.10.10.2
>     Nameserver 10.10.10.3
>     Options retry:2
>     Options retrans:2
>
> Gord Taylor (CISSP, GCIH, GEEK)
Re: A simple question, please help
Ken Lai wrote:
> Scott Haneda wrote:
>> 99% of the time OpenDNS works by just pointing some agent to their IP space. That 1% of the time, OpenDNS tries to make DNS responses that are modified in a way to try to help you. Maybe this is your issue? Googl.com being common enough, they elect to return google.com's answer instead. By default OpenDNS does not know how to return NXDOMAIN. This is fine for end users. This is bad for developers and servers.
>>
>> OpenDNS also does phishing URL blocking, stats, and a lot more. If you plan on using them as a resolver you want to be accurate, you must disable these features. Simply create an account with OpenDNS, log in, add your IP, and disable all response modification settings. Make sure someone else's IP has not been inherited by you with settings you will not want.
>>
>> I used to recommend OpenDNS to everyone. I found a problem in their system many many months back. Despite a small effort to resolve it, they have seemingly forgotten about the problem. Maybe someone else here has recommendations for huge robust recursive resolvers that do not focus on any response modification.
>
> Thanks for your replies. But the forwarders in the zone entry seem not to work for me, which is mentioned in the manual. OpenDNS returns an A: 119.167.247.147 but the other returns 121.199.253.147, which I want to use. If I remove the forwarders in options, the answer is right.

Well, you haven't told us the name you're looking up, so troubleshooting is going to be limited to mainly speculation. I tried doing reverse lookups on both of those addresses, but it gave me no insight into what you're actually trying to look up as a forward name.

Note that if you want named to use forwarders *exclusively* then you should specify "forward only" along with each forwarders definition. Otherwise, if the forwarders are unavailable, even if only temporarily, named may fall back to using iterative resolution, i.e. following the delegation hierarchy to get the answer, all of the way down from the root zone, if necessary. This may give inconsistent answers and, if you're relying on seeing the "cooked" responses from OpenDNS, potentially undesirable lookup results.

- Kevin
Re: BIND 9.6 freezing on update to signed zone (rare!)
On Jul 15 2009, I wrote:
> We had an incident last night on the authoritative nameserver which is master for dnssec-test.csi.cam.ac.uk (a signed zone). At the time it was running BIND 9.6.1rc1 (but I doubt if 9.6.1 is going to make a difference). A script-generated update timed out, and it subsequently failed to respond to any DNS queries or rndc commands (although the named process was still running).
>
> It has to have been the update itself that caused this. (It had just previously processed updates to two unsigned zones perfectly). On the other hand, it had previously processed dozens of updates to the signed zone without any problems (it is maintained as an approximate clone of cam.ac.uk), and there wasn't anything unusual about this one. Indeed there was no problem re-applying it after BIND had been restarted. I am reduced to speculating about timing effects, e.g. collision with a re-signing event.
>
> Unfortunately I failed to get a core dump of named in the non-responding state (I need to review my procedures for that!) so I haven't got enough to report to bind-bugs. This is an appeal to ask if anyone has seen anything similar.

Some extra information - for the previous 14+ hours it had been logging messages like this:

    Jul 14 10:44:24 authdns0.csx.cam.ac.uk named[1900]: [ID 873579 local7.error] general: error: zone dnssec-test.csi.cam.ac.uk/IN: updatesecure -> not exact
    Jul 14 10:45:54 authdns0.csx.cam.ac.uk named[1900]: [ID 873579 local7.error] general: error: zone dnssec-test.csi.cam.ac.uk/IN: updatesecure -> not exact
    Jul 14 10:50:22 authdns0.csx.cam.ac.uk named[1900]: [ID 873579 local7.error] general: error: zone dnssec-test.csi.cam.ac.uk/IN: updatesecure -> not exact
    Jul 14 10:51:51 authdns0.csx.cam.ac.uk named[1900]: [ID 873579 local7.error] general: error: zone dnssec-test.csi.cam.ac.uk/IN: updatesecure -> not exact
    Jul 14 10:56:15 authdns0.csx.cam.ac.uk named[1900]: [ID 873579 local7.error] general: error: zone dnssec-test.csi.cam.ac.uk/IN: updatesecure -> not exact
    ...
    Jul 15 00:50:56 authdns0.csx.cam.ac.uk named[1900]: [ID 873579 local7.error] general: error: zone dnssec-test.csi.cam.ac.uk/IN: updatesecure -> not exact
    Jul 15 00:52:22 authdns0.csx.cam.ac.uk named[1900]: [ID 873579 local7.error] general: error: zone dnssec-test.csi.cam.ac.uk/IN: updatesecure -> not exact
    Jul 15 00:53:47 authdns0.csx.cam.ac.uk named[1900]: [ID 873579 local7.error] general: error: zone dnssec-test.csi.cam.ac.uk/IN: updatesecure -> not exact
    Jul 15 00:55:13 authdns0.csx.cam.ac.uk named[1900]: [ID 873579 local7.error] general: error: zone dnssec-test.csi.cam.ac.uk/IN: updatesecure -> not exact

But I am no nearer understanding what causes these. The zone had several externally applied updates (apparently successfully) during this period, before the one that hung.

--
Chris Thompson
Email: c...@cam.ac.uk
Problems with EDNS0
Hi list,

I have some servers with bind 9.5.0.P2 and one with bind 9.6.1. And the servers' logs have a lot of messages with "after disabling EDNS", as seen above:

    [...]
    Jul 20 15:31:34 server named[6909]: edns-disabled: info: success resolving 'www.click21.com.br/A' (in 'www.click21.com.br'?) after disabling EDNS
    Jul 20 15:31:39 server named[6909]: edns-disabled: info: success resolving 'smtpgw1.gov.on.ca/A' (in 'smtpgw1.gov.on.ca'?) after disabling EDNS
    Jul 20 15:31:39 server named[6909]: edns-disabled: info: success resolving 'uk-lon-mail2.ipass.com/A' (in 'ipass.COM'?) after reducing the advertised EDNS UDP packet size to 512 octets
    Jul 20 15:31:40 server named[6909]: edns-disabled: info: success resolving 'bic.pt/MX' (in 'bic.pt'?) after disabling EDNS
    Jul 20 15:31:42 server named[6909]: edns-disabled: info: success resolving 'ns1.bic.pt/' (in 'bic.pt'?) after disabling EDNS
    Jul 20 15:31:42 server named[6909]: edns-disabled: info: success resolving 'ns2.bic.pt/' (in 'bic.pt'?) after disabling EDNS
    Jul 20 15:31:45 server named[6909]: edns-disabled: info: success resolving 'mail.skystyle.de/A' (in 'skystyle.DE'?) after disabling EDNS
    Jul 20 15:31:45 server named[6909]: edns-disabled: info: success resolving 'skystyle.de/MX' (in 'skystyle.DE'?) after disabling EDNS
    Jul 20 15:31:46 server named[6909]: edns-disabled: info: success resolving 'goodgame.se/MX' (in 'goodgame.SE'?) after disabling EDNS
    Jul 20 15:31:47 server named[6909]: edns-disabled: info: success resolving 'regions.com/MX' (in 'regions.COM'?) after disabling EDNS
    Jul 20 15:31:52 server named[6909]: edns-disabled: info: success resolving 'ns2.regions.com/' (in 'regions.COM'?) after disabling EDNS
    Jul 20 15:31:53 server named[6909]: edns-disabled: info: success resolving 'ns1.regions.com/' (in 'regions.COM'?) after disabling EDNS
    Jul 20 15:31:53 server named[6909]: edns-disabled: info: success resolving 'markets.nytimes.wallst.com/A' (in 'markets.nytimes.wallst.COM'?) after disabling EDNS
    Jul 20 15:31:53 server named[6909]: edns-disabled: info: success resolving 'backupmx.nextweb.net/A' (in 'nextweb.net'?) after disabling EDNS
    Jul 20 15:31:54 server named[6909]: edns-disabled: info: success resolving 'delphiproductions.com/MX' (in 'delphiproductions.COM'?) after disabling EDNS
    Jul 20 15:32:04 server named[6909]: edns-disabled: info: success resolving 'portaldosgames.click21.com.br/A' (in 'portaldosgames.click21.com.br'?) after disabling EDNS
    Jul 20 15:32:04 server named[6909]: edns-disabled: info: success resolving 'obaoba.click21.com.br/A' (in 'obaoba.click21.com.br'?) after disabling EDNS
    Jul 20 15:32:04 server named[6909]: edns-disabled: info: success resolving 'bemleve.click21.com.br/A' (in 'bemleve.click21.com.br'?) after disabling EDNS
    Jul 20 15:32:17 server named[6909]: edns-disabled: info: success resolving 'fineprintech.com/MX' (in 'fineprintech.COM'?) after disabling EDNS
    Jul 20 15:32:20 server named[6909]: edns-disabled: info: success resolving 'fotos.click21.com.br/A' (in 'fotos.click21.com.br'?) after disabling EDNS
    Jul 20 15:32:20 server named[6909]: edns-disabled: info: success resolving 'giulianaflores.click21.com.br/A' (in 'giulianaflores.click21.com.br'?) after disabling EDNS
    Jul 20 15:32:27 server named[6909]: edns-disabled: info: success resolving 'mailwebslice.cloudapp.net/A' (in 'cloudapp.net'?) after disabling EDNS
    [...]

For queries to remote servers that don't support EDNS, the time to resolve after disabling EDNS is generally over the timeout (5 seconds) of the clients (resolvers), and the query fails. My infrastructure doesn't have a firewall between the DNS server and the Internet link, so it supports UDP packets > 512 bytes. Queries to Akamai servers don't work with EDNS.

To resolve this problem I configured bind with the directive "server { edns no; };", but it isn't a good solution. From my server, some queries with EDNS work and some don't.

Does anyone have this problem?

Look at the tests above:

--- *Akamai plain DNS - OK*

    # dig @n0g.akamai.net a961.g.akamai.net

    ; <<>> DiG 9.6.1 <<>> @n0g.akamai.net a961.g.akamai.net
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63022
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;a961.g.akamai.net.             IN      A

    ;; ANSWER SECTION:
    a961.g.akamai.net.      20      IN      A       200.157.208.241
    a961.g.akamai.net.      20      IN      A       200.157.208.240

    ;; Query time: 22 msec
    ;; SERVER: 200.216.69.243#53(200.216.69.243)
    ;; WHEN: Mon Jul 20 15:48:00 2009
    ;; MSG SIZE  rcvd: 67

--- *Akamai with EDNS - FAIL*

    # dig @n0g.akamai
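An added example (mine, not from the post or from BIND) that turns the log above into something actionable: it parses the `edns-disabled` lines, normalizes the zone name, and counts per zone which fallback was needed (EDNS switched off, or the advertised UDP size reduced to 512). Zones that repeatedly need EDNS off are the ones whose authoritative servers are worth a scoped `server { edns no; }` clause instead of the global one described in the post. The LOG sample is constructed in the same format as the quoted lines (a few of the quoted names plus one unrelated line) so the script runs offline.

```python
"""Summarize BIND "edns-disabled" log lines by zone and by fallback.

Added example; not code from the thread or from BIND. The regular expression
matches the line shape quoted in the post; the LOG sample below is
constructed from that shape so the script runs offline.
"""
import re
from collections import Counter, defaultdict

# Constructed sample, same format as the lines quoted in the post.
LOG = """\
Jul 20 15:31:34 server named[6909]: edns-disabled: info: success resolving 'www.click21.com.br/A' (in 'www.click21.com.br'?) after disabling EDNS
Jul 20 15:31:39 server named[6909]: edns-disabled: info: success resolving 'uk-lon-mail2.ipass.com/A' (in 'ipass.COM'?) after reducing the advertised EDNS UDP packet size to 512 octets
Jul 20 15:31:40 server named[6909]: edns-disabled: info: success resolving 'bic.pt/MX' (in 'bic.pt'?) after disabling EDNS
Jul 20 15:31:42 server named[6909]: edns-disabled: info: success resolving 'ns1.bic.pt/' (in 'bic.pt'?) after disabling EDNS
Jul 20 15:31:42 server named[6909]: edns-disabled: info: success resolving 'ns2.bic.pt/' (in 'bic.pt'?) after disabling EDNS
Jul 20 15:31:50 server named[6909]: general: info: constructed unrelated line, must be ignored
"""

EDNS_RE = re.compile(
    r"edns-disabled: info: success resolving '(?P<qname>[^']*)' "
    r"\(in '(?P<zone>[^']*)'\?\) after "
    r"(?P<fallback>disabling EDNS|reducing the advertised EDNS UDP packet size to 512 octets)"
)


def parse_line(line):
    """Return {qname, qtype, zone, fallback} for an edns-disabled line, else None."""
    m = EDNS_RE.search(line)
    if not m:
        return None
    name, _, qtype = m.group("qname").partition("/")  # 'ns1.bic.pt/' carries no type
    fallback = "edns-off" if m.group("fallback").startswith("disabling") else "bufsize-512"
    return {"qname": name, "qtype": qtype or "?",
            "zone": m.group("zone").lower(),  # case varies in the log; normalize it
            "fallback": fallback}


def summarize(lines):
    """zone -> Counter of the fallbacks that were needed to resolve names in it."""
    per_zone = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_zone[rec["zone"]][rec["fallback"]] += 1
    return per_zone


def zones_needing_edns_off(lines, min_hits=2):
    """Zones whose servers repeatedly answered only with EDNS disabled: the
    candidates for a per-server 'edns no' instead of a global one."""
    return sorted(z for z, c in summarize(lines).items() if c["edns-off"] >= min_hits)


if __name__ == "__main__":
    for zone, counts in sorted(summarize(LOG.splitlines()).items()):
        print(f"{zone:28} {dict(counts)}")
    print("repeat offenders:", zones_needing_edns_off(LOG.splitlines()))
```

The zone column is the name named logged in parentheses, not the authoritative server address, so the next step for each repeat offender is a `dig NS` for that zone to find which server addresses a scoped `server` clause should name.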
Re: SRV Record Priority set by IP Address
Lev Vanyan wrote:
> On 20.07.09 14:11, Chris Thompson wrote:
>> On Jul 20 2009, Dmitry Rybin wrote:
>>> Lev Vanyan wrote:
>>>> I've stumbled into a question whether it is possible to configure BIND in a way that it responds to DNS SRV requests with the priority flag changed depending on the IP address of the requesting party.
>>>>
>>>> For example, there are two SRV records for _foobar._tcp. One points to 10.0.1.2 and the other to 10.0.2.2. The requesting party has the IP address 10.0.1.53. I would want to have the first one with the priority higher than the second, which would allow me to split up the network by zones, each one having their own server, with the rest of the servers used only in case of the prevalent zone server's failure.
>>
>> Using two views is right, but the rest of this is very much not so. No SRV-using application is going to treat the RR order in the answer as significant. They will use the priority and weight fields as described in RFC 2782 (or so one hopes). Those should be adjusted appropriately in the two views.
>
> I don't think that I understand how views are used here. Can you explain please (preferably accompanied with an example of a probable config)?

"Views" are the BIND way of defining different sets of DNS data to send based on the source IP address of the requester. In effect you configure a different set of DNS data to be served for each ACL match you define in the config. You need to have a different copy of the zone file for each view you define. Use ACLs to define the different IP ranges.

-- Dave
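An added example, not from this thread and not BIND's own code or configuration, that ties Dave's explanation of views to Chris's point about RFC 2782: two views select a per-network copy of the SRV RRset (priorities swapped between them), and the client-side ordering a conforming application applies to the answer is run over it. Shuffling the RRs, as a cyclic or random rrset-order would, changes nothing; only the priority field does. View names, ACL ranges, the SRV owner name, port and target host names are constructed, and the named.conf sketch in the docstring is my own.

```python
"""Two views with swapped SRV priorities, plus RFC 2782 client-side ordering.

Added example; not code or configuration from the thread or from BIND.
View names, ACL ranges, the SRV owner name, port and target names are
constructed. The named.conf shape this models (a sketch, not taken from the
thread) is:

    view "net1" {
        match-clients { 10.0.1.0/24; };
        zone "example.com" { type master; file "example.com.net1"; };
    };
    view "net2" {
        match-clients { 10.0.2.0/24; };
        zone "example.com" { type master; file "example.com.net2"; };
    };

with the two zone files differing only in the SRV priorities below.
"""
import ipaddress
import random
from collections import defaultdict

# (priority, weight, port, target); the lower priority is contacted first.
VIEWS = {
    "net1": {"match_clients": ["10.0.1.0/24"],
             "_foobar._tcp.example.com.": [(10, 100, 5000, "srv-net1.example.com."),
                                           (20, 100, 5000, "srv-net2.example.com.")]},
    "net2": {"match_clients": ["10.0.2.0/24"],
             "_foobar._tcp.example.com.": [(10, 100, 5000, "srv-net2.example.com."),
                                           (20, 100, 5000, "srv-net1.example.com.")]},
}


def select_view(client_ip, views=VIEWS):
    """First view whose match-clients list contains the query's source address
    (views are tried in configuration order, as BIND does)."""
    addr = ipaddress.ip_address(client_ip)
    for name, view in views.items():
        if any(addr in ipaddress.ip_network(net) for net in view["match_clients"]):
            return name
    return None


def rfc2782_order(rrset, rng=None):
    """Targets in the order an RFC 2782 client contacts them: ascending
    priority, and within one priority a weighted random draw."""
    rng = rng or random.Random(0)
    by_prio = defaultdict(list)
    for prio, weight, port, target in rrset:
        by_prio[prio].append((weight, port, target))
    ordered = []
    for prio in sorted(by_prio):
        # RFC 2782: weight-0 records go to the front of the candidate list
        candidates = sorted(by_prio[prio], key=lambda r: r[0] != 0)
        while candidates:
            total = sum(w for w, _, _ in candidates)
            pick = rng.randint(0, total)
            running = 0
            for i, (w, _, _) in enumerate(candidates):
                running += w
                if running >= pick:
                    ordered.append(candidates.pop(i)[2])
                    break
    return ordered


def answer_for(client_ip, name="_foobar._tcp.example.com.", shuffle=False, seed=0):
    """Serve the matching view's RRset, optionally shuffled (as a cyclic or
    random rrset-order would), and return the client's contact order."""
    view = select_view(client_ip)
    if view is None:
        return []
    rrset = list(VIEWS[view][name])
    if shuffle:
        random.Random(seed).shuffle(rrset)
    return rfc2782_order(rrset, random.Random(seed))


if __name__ == "__main__":
    for ip in ("10.0.1.53", "10.0.2.7", "192.0.2.1"):
        print(ip, "->", select_view(ip), answer_for(ip), answer_for(ip, shuffle=True, seed=7))
```

A client on 10.0.1.0/24 is handed the net1 copy and always tries srv-net1 first, falling back to srv-net2 only when srv-net1 fails, which is the failover split the original question asked for; equal priorities with different weights would instead spread load between the two.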
Re: Bind 9.6.1: skipping zone transfer, but why ?
At Mon, 20 Jul 2009 16:13:03 +0100, "Ian Tait" wrote: > I see exactly this problem too on windows 2003. > Lookups happen normally after this behaviour occurs though. > > Restarting bind cures the problem. > I haven't bothered to debug the issue as yet :-) We've found a bug that can cause this problem. We're working on a complete fix to the problem, but a workaround patch copied below may work for you in the mean time. p.s. this is a Windows specific bug. --- JINMEI, Tatuya Internet Systems Consortium, Inc. Index: zone.c === RCS file: /proj/cvs/prod/bind9/lib/dns/zone.c,v retrieving revision 1.483.36.7 diff -u -r1.483.36.7 zone.c --- zone.c 17 Jun 2009 04:53:57 - 1.483.36.7 +++ zone.c 20 Jul 2009 19:41:18 - @@ -11004,6 +11004,8 @@ isc_result_t result; isc_uint32_t seconds = isc_time_seconds(now); + return; + REQUIRE(DNS_ZONEMGR_VALID(zmgr)); locktype = isc_rwlocktype_read; ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
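Review bot: the added `return;` sits before `REQUIRE(DNS_ZONEMGR_VALID(zmgr));`, so the precondition check never runs and everything after it, including `locktype = isc_rwlocktype_read;`, is dead code while `seconds` is computed and never used; compilers will flag both. Since this function takes the zone manager lock only for reading, it looks like the path that consults the unreachable-master cache rather than the one that records entries; confirm that this is the function the workaround is meant to short-circuit, and leave a comment naming the Windows-specific bug so the early return is not mistaken for intended logic.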
Re: Bind 9.6.1: skipping zone transfer, but why ?
At Mon, 20 Jul 2009 12:41:24 -0700, JINMEI Tatuya wrote: > We've found a bug that can cause this problem. We're working on a > complete fix to the problem, but a workaround patch copied below may > work for you in the mean time. Sorry that patch was incorrect. Copying the correct one. --- JINMEI, Tatuya Index: zone.c === RCS file: /proj/cvs/prod/bind9/lib/dns/zone.c,v retrieving revision 1.483.36.7 diff -u -r1.483.36.7 zone.c --- zone.c 17 Jun 2009 04:53:57 - 1.483.36.7 +++ zone.c 20 Jul 2009 19:42:09 - @@ -11032,6 +11032,8 @@ isc_uint32_t last = seconds; unsigned int i, slot = UNREACH_CHACHE_SIZE, oldest = 0; + return; + REQUIRE(DNS_ZONEMGR_VALID(zmgr)); RWLOCK(&zmgr->rwlock, isc_rwlocktype_write); ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
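Review bot: the unconditional `return;` ahead of `REQUIRE(DNS_ZONEMGR_VALID(zmgr));` and `RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);` turns the whole function into a no-op, so `seconds`, `last`, `i`, `slot` and `oldest` become unused and the unreachable-master cache is never written. That does stop the stale "unreachable (cached)" state from being recorded, at the cost of never skipping a master that really is unreachable, which should be spelled out in a comment next to the return. The context line also spells the size constant `UNREACH_CHACHE_SIZE`, worth correcting in the real fix.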
RE: Issue with Two Views and Master/SLAVE Servers.
Jeremy,

Thanks for the reply, but I have run into another issue. On the slave server I am getting this error when I set it up like that of the FAQ:

    /etc/named.conf:124: expected IP address or masters name near '!'

This is what the line looks like:

    view "internal" {
        #options for this view
        match-clients { !key dns01-dns02_141.myzones.; "corp"; "ad"; "localnet"; 10.0.0.0/8 ;}; // all others hosts
        server 10.58.139.85 { keys { dns01-dns02_141.zonel.com.; }; };
        recursion yes;
        zone "myzone.com" {
            type slave;
            file "myzonel.com.zone";
            allow-transfer { master; };
            masters { 10.0.0.8 !key dns01-dns02_141myzonl.com.; };    <-- This is line 124
        };

Chuck Payne | Unix System Administrator, Travel Channel Media

From: bind-users-boun...@lists.isc.org [bind-users-boun...@lists.isc.org] On Behalf Of Jeremy C. Reed [jr...@isc.org]
Sent: Wednesday, July 15, 2009 11:27 AM
To: Payne, Charles (Travel Channel)
Cc: bind-users@lists.isc.org
Subject: Re: Issue with Two Views and Master/SLAVE Servers.

See the FAQ Question:

Q: How can I make a server a slave for both an internal and an external view at the same time? When I tried, both views on the slave were transferred from the same view on the master. (It has two different answers.)

The FAQ is included with BIND source. Here it is in HTML: https://www.isc.org/node/282

If I misunderstood your problem, then please provide more details and copies of your named.conf files. Also consider upgrading your BIND version.
RE: A smarter stub resolver??
The problem with this approach is when you are running a couple thousand servers - suddenly, you are running a couple thousand more instances of BIND that need monitoring/patching/care/feeding. A more clever resolver, or a simpler caching setup locally would be ideal.

Otherwise, you could redo your overall DNS architecture to use something like anycasting so that there are multiple sources (potentially) for each of your nameserver entries, so you're less likely to have one drop. However, this isn't ideal.

A smarter resolver would be fantastic, but with smarts comes complexity, which brings more room for errors and/or vectors for attack.

You'd think this would be a common concern in large server deployments. As soon as you lose one of your resolvers, even if it's painfully obvious that the resolver is down, the resolver will continue to send queries to that host.

I guess it's a trade off, but there's really only 2 options ... maybe more are needed.

t.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy
Sent: Monday, July 20, 2009 1:30 PM
To: bind-users@lists.isc.org
Subject: Re: A smarter stub resolver??

Rather than applying lipstick to the pig, why not run a local caching-only resolver? Move up and out of the stub-ville slums. A local instance of named doesn't take up that much server resources (disk, memory, CPU), and pays you back by *not*, as a stub resolver does, using network resources, and incurring network latency, for each and every lookup.

- Kevin

Taylor, Gord wrote:
> I should mention, that I've looked at "options rotate", but the concern is that this will mean retransmits if ANY of the nameservers are down. So, any DNS outage would cause some level of impact to the application.
>
> It also makes it harder for applications to determine if slowdowns are due to DNS name resolution issues. Since 1/3 of the queries will be slower, they'll not think to look at DNS as root cause; they'd probably see it as a utilization issue, or something along those lines. While that may mean I don't get paged, it's not great for the business :)
>
> Gord Taylor (CISSP, GCIH, GEEK)
>
> -----Original Message-----
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Taylor, Gord
> Sent: 2009, July, 15 10:05 AM
> To: bind-users@lists.isc.org
> Subject: A smarter stub resolver??
>
> I've frequently run into a problem that the stub resolver just isn't very dynamic in its selection of name servers - especially when dealing with time-sensitive apps. If the first DNS server in the list is down, the applications may slow down due to the constant retransmits. Given a resolv.conf like the one below, the xNix box will ALWAYS query the first DNS server, even if it's down. So, for every single DNS query (think of how many reverse lookups a mail server, or Kerberos will do), there's a 2 second delay.
>
> Is there a "smarter" stub resolver that acts more like a DNS server using Round Trip Time (RTT) to pick the "best" DNS server from the list? We run well over 500 xNix boxes (and growing), so running DNS on each of these just isn't a viable option to get round the DNS timing issues.
>
> Nameserver 10.10.10.1
> Nameserver 10.10.10.2
> Nameserver 10.10.10.3
> Options retry:2
> Options retrans:2
>
> Gord Taylor (CISSP, GCIH, GEEK)
>
> This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
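As an added example, not code from anyone in the thread, here is the kind of stop-gap a host can run when it must stay on the plain stub resolver: a cron job probes every nameserver listed in resolv.conf with dig, parses the reported query time, and rewrites the file with the fastest reachable server first and dead ones last. It does not make libc retry any smarter (every query still starts at the first entry), it only keeps that first entry a live one between runs, and it is exactly the added "smarts" Todd warns about: it needs root to rewrite resolv.conf, so keep it small and auditable. The probe name ns1.example.com is a hypothetical record the resolvers are expected to answer quickly; "options timeout/attempts" in the constructed sample is glibc syntax.

```shell
#!/bin/sh
# Added example (not from the thread): order the nameservers in a resolv.conf
# by measured latency, pushing unreachable ones to the end.
# Assumptions: dig is installed; PROBE_NAME is a record every listed server
# answers (hypothetical default below).

PROBE_NAME=${PROBE_NAME:-ns1.example.com}

# Parse ";; Query time: 23 msec" out of dig's +stats output; prints nothing
# for a timeout or any output that lacks that line.
query_time_ms() {
    printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p'
}

# Print "<ip> <ms>" for each nameserver in the given resolv.conf, using 99999
# for servers that did not answer a single query within one second.
probe_resolvers() {
    conf=${1:-/etc/resolv.conf}
    awk '$1 == "nameserver" { print $2 }' "$conf" | while read -r ip; do
        out=$(dig @"$ip" "$PROBE_NAME" A +time=1 +tries=1 +stats 2>/dev/null)
        ms=$(query_time_ms "$out")
        printf '%s %s\n' "$ip" "${ms:-99999}"
    done
}

# Emit a new resolv.conf: every non-nameserver line of the original (search,
# options) in place, then nameserver lines sorted by the probe latency.
rank_resolvers() {
    conf=$1 probes=$2
    grep -v '^nameserver' "$conf" || true
    printf '%s\n' "$probes" | sort -k2,2n | awk 'NF { print "nameserver " $1 }'
}

# Usage (as root, from cron every minute or so):
# rank_resolvers /etc/resolv.conf "$(probe_resolvers /etc/resolv.conf)" \
#     > /etc/resolv.conf.new && mv /etc/resolv.conf.new /etc/resolv.conf
```

Because a server that times out gets 99999 rather than being dropped, a resolver that is merely slow is still listed and comes back on its own once it answers again; nothing ever removes an entry that the administrator put there.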
Re: A smarter stub resolver??
Todd Snyder wrote:
> The problem with this approach is when you are running a couple thousand servers - suddenly, you are running a couple thousand more instances of BIND that need monitoring/patching/care/feeding. A more clever resolver, or a simpler caching setup locally would be ideal.

What would be a simpler local-caching setup than a single daemon and its associated config file, which could be minimal, perhaps just an "options" statement? If you're on a closed network and not using forwarders, then you'll also need a hints file and associated hints-file definition in named.conf, of course, but even so, we're still not talking about adding a great deal of additional care and feeding...

- Kevin
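To show how small the "single options statement" Kevin describes really is, here is an added example (not Kevin's configuration) that writes a caching-only named.conf for a host and runs named-checkconf over it. It assumes the three addresses from Gord's resolv.conf are the upstream resolvers and uses them as forwarders with "forward only", which is what lets the file get by without a root hints zone; a host that recurses to the Internet directly would drop the forwarders block and add a "." hint zone instead. The security-relevant lines are the listen-on and allow-recursion restrictions: a caching resolver that answers the whole LAN is one mistake away from being an open resolver, so this one only ever talks to loopback.

```shell
#!/bin/sh
# Added example (not from the thread): generate and syntax-check a minimal
# caching-only named.conf for a local resolver.
# Assumptions: the arguments are upstream resolvers to forward to (Gord's
# 10.10.10.1-3 in the usage line); named listens on loopback only.

caching_conf() {
    # $@ = forwarder addresses
    fwd=""
    for ip in "$@"; do fwd="$fwd $ip;"; done
    cat <<EOF
options {
    listen-on { 127.0.0.1; };        // never expose a caching resolver to the LAN
    listen-on-v6 { ::1; };
    allow-query { localhost; };      // only local processes may ask anything
    allow-recursion { localhost; };  // keeps this from becoming an open resolver
    recursion yes;
    forward only;                    // no root hints needed while forwarding
    forwarders {$fwd };
};
EOF
}

# Write the config to a file and, when BIND's checker is installed, validate
# its syntax; prints the path on success.
write_and_check() {
    out=${1:-/tmp/named.caching.conf}
    shift
    caching_conf "$@" > "$out"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$out" || return 1
    fi
    printf '%s\n' "$out"
}

# Usage:
# write_and_check /etc/named.conf 10.10.10.1 10.10.10.2 10.10.10.3
# then point resolv.conf at "nameserver 127.0.0.1" and start named.
```

With this in place the stub resolver only ever talks to a daemon on the same host, so the "first nameserver is down" two-second stall from the original question moves into named, which tracks per-forwarder round-trip times and fails over on its own.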
Re: Issue with Two Views and Master/SLAVE Servers.
You've got some invalid syntax. Elements in a "masters" clause are separated by semicolons, not just whitespace. I don't believe you can use negation in a "masters" clause either.

On the slave side, your main task is to ensure that your outgoing zone-transfer requests are signed with the appropriate key for the appropriate view. The IP address in your "masters" clause is 10.0.0.8, but you're only TSIG-signing transactions for 10.58.139.85, so that's not going to work. You need to TSIG-sign the zone transfer requests for the master you're going to actually use, if you want the correct view to be selected.

- Kevin

chuck.pa...@travelchannel.com wrote:
Jeremy,

Thanks for the reply, but I have run into another issue. On the slave server I am getting this error when I set it up like the FAQ:

/etc/named.conf:124: expected IP address or masters name near '!'

This is what the line looks like:

view "internal" {
    #options for this view
    match-clients { !key dns01-dns02_141.myzones.; "corp"; "ad"; "localnet"; 10.0.0.0/8 ;}; // all others hosts
    server 10.58.139.85 { keys { dns01-dns02_141.zonel.com.; }; };
    recursion yes;
    zone "myzone.com" {
        type slave;
        file "myzonel.com.zone";
        allow-transfer { master; };
        masters { 10.0.0.8 !key dns01-dns02_141myzonl.com.; };   <-- This is line 124
    };

CHUCK PAYNE | Unix System Administrator
TRAVEL CHANNEL MEDIA
3700 Mansell Rd, Suite 500
Alpharetta, GA 30022
Office: 404-269-5533
Blackberry: 770-940-7765
email: chuck.pa...@travelchannel.com

This e-mail and any attachments are intended only for the person to whom (or entity to which) it is addressed and may contain confidential and/or privileged material. Any review, re-transmission, copying, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. The contents of this message may contain personal views that are not the views of The Travel Channel, L.L.C.

From: bind-users-boun...@lists.isc.org [bind-users-boun...@lists.isc.org] On Behalf Of Jeremy C. Reed [jr...@isc.org]
Sent: Wednesday, July 15, 2009 11:27 AM
To: Payne, Charles (Travel Channel)
Cc: bind-users@lists.isc.org
Subject: Re: Issue with Two Views and Master/SLAVE Servers.

See the FAQ Question:

Q: How can I make a server a slave for both an internal and an external view at the same time? When I tried, both views on the slave were transferred from the same view on the master.

(It has two different answers.)

The FAQ is included with BIND source. Here it is in HTML: https://www.isc.org/node/282

If I misunderstood your problem, then please provide more details and copies of your named.conf files. Also consider upgrading your BIND version.
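As an added example, not Chuck's configuration and not the FAQ text itself, here is the key-based layout Kevin and the FAQ are pointing at, written out for both ends and run through named-checkconf. The slave's "masters" clause lists only the address; the TSIG key is attached by a "server 10.0.0.8 { keys ... }" statement inside each view, so each view's AXFR request goes out signed with a different key. The master then selects the view from the key, and because the slave's 10/8 source address would otherwise match the internal view regardless of key, the internal view's match-clients rejects the external key first (negation is valid in match-clients, unlike in masters). The master address 10.0.0.8 is the one from Chuck's posted clause; the key names internal-xfer/external-xfer and the base64 secrets are made up here, so generate real ones with tsig-keygen (or dnssec-keygen on 9.6-era BIND). The FAQ's other answer, giving each view its own transfer-source address instead of its own key, is not shown.

```shell
#!/bin/sh
# Added example (not from the thread): slave and master named.conf fragments
# for transferring two views of the same zone, selected by TSIG key.
# Assumptions: master at 10.0.0.8; key names and secrets are placeholders.

INTERNAL_SECRET="R3Zo6s2W0wJ1k8b4c9dP2qX7hL5mN8vB0tY3uI6oA1E="   # constructed, not a real key
EXTERNAL_SECRET="k9Qw2eRt4yUi6oPa8sDf0gHj1kLz3xCv5bNm7qWe9rU="   # constructed, not a real key

# Both ends need the same two key statements (keep the real ones in a file
# readable only by named and pull them in with "include").
tsig_keys() {
    cat <<EOF
key internal-xfer { algorithm hmac-sha256; secret "$INTERNAL_SECRET"; };
key external-xfer { algorithm hmac-sha256; secret "$EXTERNAL_SECRET"; };
EOF
}

# Slave: each view signs everything it sends to the master with its own key.
slave_conf() {
    master=${1:-10.0.0.8}
    tsig_keys
    cat <<EOF
view "internal" {
    match-clients { 10.0.0.0/8; };
    server $master { keys { internal-xfer; }; };   // signs this view's AXFR/IXFR
    zone "myzone.com" {
        type slave;
        file "myzone.com.internal";
        masters { $master; };          // addresses only, semicolon-separated
        allow-transfer { none; };      // nobody transfers from the slave
    };
};
view "external" {
    match-clients { any; };
    server $master { keys { external-xfer; }; };
    zone "myzone.com" {
        type slave;
        file "myzone.com.external";
        masters { $master; };
        allow-transfer { none; };
    };
};
EOF
}

# Master: pick the view from the key on the request, not from the address.
master_conf() {
    tsig_keys
    cat <<EOF
view "internal" {
    // A request signed with the external key must not land here even though
    // the slave's 10/8 address would match; the negation is evaluated first.
    match-clients { !key external-xfer; key internal-xfer; 10.0.0.0/8; };
    zone "myzone.com" {
        type master;
        file "myzone.com.internal";
        allow-transfer { key internal-xfer; };   // only signed requests get AXFR
    };
};
view "external" {
    match-clients { key external-xfer; any; };
    zone "myzone.com" {
        type master;
        file "myzone.com.external";
        allow-transfer { key external-xfer; };
    };
};
EOF
}

# Write a generator's output to a file and syntax-check it when named-checkconf
# is installed; prints the path on success.
check_conf() {
    tmp=$1; shift
    "$@" > "$tmp"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$tmp" || return 1
    fi
    printf '%s\n' "$tmp"
}

# Usage:
# check_conf /tmp/slave.conf slave_conf 10.0.0.8
# check_conf /tmp/master.conf master_conf
```

Restricting allow-transfer on the master to the key rather than to the slave's address is what actually enforces the split: with an address-based ACL anyone able to spoof or sit on 10/8 could pull the internal copy of the zone.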
Re: about cache nonexist record
In message <950.42549...@web15608.mail.cnb.yahoo.com>, "Tech W." writes:
> Hello,
>
> I have Bind-9.6.1 running on our university environment, have been using dynamic update.
>
> My question is, when other DNS query my named for a record, for example test.example.com, but this record doesn't exist. How long time will the remote DNS cache this nonexist record?

For up to as long as you have told it to. The SOA minimum is used to set the timer.

> I found the problem that if this nonexist record was cached by remote DNS, even if I added the corresponding record to named zone soon, the remote DNS can't find it quickly.
>
> This is not good for dynamic update IMO, for example, I need to change a record, then I have to do:
>
> nsupdate delete
> nsupdate add

Well, do it in one transaction.

nsupdate
update delete ...
update add ...
send

> If the remote DNS query for this record just after 'nsupdate delete', then it will get nothing and cache this nonexist record for some time, even though the correct record has been added. How to deal with this case?

Not if you use nsupdate correctly.

> Thanks.
>
> Regards,
> Wah.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
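Here is Mark's "one transaction" answer as a runnable script, added as an example and not code from the thread. The delete and the add sit under a single "send", so the master applies them as one RFC 2136 update and there is no window in which a query sees the name absent; a "prereq" line additionally refuses the change if the old value is no longer what the script expects, which catches a concurrent update. The second function answers the "how long" part offline: per RFC 2308 a resolver caches a negative answer for the lesser of the SOA record's own TTL and its MINIMUM field, so the script reads both from a dig SOA answer. Zone example.com, server ns1.example.com, the key file path and the sample SOA line are all hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): replace an A record in one dynamic
# update transaction, and compute the zone's negative-caching TTL.
# Assumptions (all hypothetical): zone example.com on ns1.example.com,
# TSIG key in /etc/bind/keys/update.key, record test.example.com.

ZONE=${ZONE:-example.com}
SERVER=${SERVER:-ns1.example.com}
KEYFILE=${KEYFILE:-/etc/bind/keys/update.key}

# Emit an nsupdate script: one prerequisite, one delete, one add, one send.
# Everything before "send" is applied atomically by the master, so no
# resolver can observe (and cache) the name as non-existent in between.
replace_a() {
    name=$1 old=$2 new=$3 ttl=${4:-300}
    cat <<EOF
server $SERVER
zone $ZONE
prereq yxrrset $name A $old
update delete $name A
update add $name $ttl A $new
send
EOF
}

# Feed the script to nsupdate; -k signs it with the TSIG key that the zone's
# allow-update or update-policy statement authorises.
apply_replace_a() {
    replace_a "$@" | nsupdate -k "$KEYFILE"
}

# Given an SOA record in dig presentation format, print the negative TTL a
# resolver will use for NXDOMAIN answers from the zone: min(SOA TTL, MINIMUM).
negative_ttl() {
    # fields: name ttl IN SOA mname rname serial refresh retry expire minimum
    set -- $1
    ttl=$2 minimum=${11}
    if [ "$ttl" -lt "$minimum" ]; then echo "$ttl"; else echo "$minimum"; fi
}

# Live use: negative_ttl "$(dig +noall +answer "$ZONE" SOA)"
# Constructed sample answer line for offline use:
SAMPLE_SOA="example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2009072101 7200 900 1209600 600"
```

If a zone is updated frequently, the number negative_ttl prints is the value to tune: lowering the SOA MINIMUM (and the SOA record's TTL alongside it) bounds how long a remote cache can remember a name that has since been added, which matters even when every change is atomic, since a lookup that lands before the add is still legitimately negative.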
Re: about cache nonexist record
--- On Tue, 21/7/09, Mark Andrews wrote:
> From: Mark Andrews
> Subject: Re: about cache nonexist record
> To: "Tech W."
> Cc: bind-users@lists.isc.org
> Received: Tuesday, 21 July, 2009, 8:01 AM
>
> In message <950.42549...@web15608.mail.cnb.yahoo.com>, "Tech W." writes:
> > Hello,
> >
> > I have Bind-9.6.1 running on our university environment, have been using dynamic update.
> >
> > My question is, when other DNS query my named for a record, for example test.example.com, but this record doesn't exist. How long time will the remote DNS cache this nonexist record?
>
> For up to as long as you have told it to. The SOA minimum is used to set the timer.
>
> > I found the problem that if this nonexist record was cached by remote DNS, even if I added the corresponding record to named zone soon, the remote DNS can't find it quickly.
> >
> > This is not good for dynamic update IMO, for example, I need to change a record, then I have to do:
> >
> > nsupdate delete
> > nsupdate add
>
> Well, do it in one transaction.
>
> nsupdate
> update delete ...
> update add ...
> send

Thanks Mark and all.

Can I ask how to call nsupdate in Perl language? I know some Perl but not good at it.

Thanks.

Regards,
Wah.
Re: Problems with EDNS0
In message <4a64c374.4000...@serpro.gov.br>, Breno Silveira Soares writes:
> Hi list,
>
> I have some servers with bind 9.5.0.P2 and one with bind 9.6.1.
> And the servers' logs have a lot of messages with "after disabling EDNS" as seen above:
>
> [...]
> Jul 20 15:31:34 server named[6909]: edns-disabled: info: success resolving 'www.click21.com.br/A' (in 'www.click21.com.br'?) after disabling EDNS
> Jul 20 15:31:39 server named[6909]: edns-disabled: info: success resolving 'smtpgw1.gov.on.ca/A' (in 'smtpgw1.gov.on.ca'?) after disabling EDNS
> Jul 20 15:31:39 server named[6909]: edns-disabled: info: success resolving 'uk-lon-mail2.ipass.com/A' (in 'ipass.COM'?) after reducing the advertised EDNS UDP packet size to 512 octets
> Jul 20 15:31:40 server named[6909]: edns-disabled: info: success resolving 'bic.pt/MX' (in 'bic.pt'?) after disabling EDNS
> Jul 20 15:31:42 server named[6909]: edns-disabled: info: success resolving 'ns1.bic.pt/' (in 'bic.pt'?) after disabling EDNS
> Jul 20 15:31:42 server named[6909]: edns-disabled: info: success resolving 'ns2.bic.pt/' (in 'bic.pt'?) after disabling EDNS
> Jul 20 15:31:45 server named[6909]: edns-disabled: info: success resolving 'mail.skystyle.de/A' (in 'skystyle.DE'?) after disabling EDNS
> Jul 20 15:31:45 server named[6909]: edns-disabled: info: success resolving 'skystyle.de/MX' (in 'skystyle.DE'?) after disabling EDNS
> Jul 20 15:31:46 server named[6909]: edns-disabled: info: success resolving 'goodgame.se/MX' (in 'goodgame.SE'?) after disabling EDNS
> Jul 20 15:31:47 server named[6909]: edns-disabled: info: success resolving 'regions.com/MX' (in 'regions.COM'?) after disabling EDNS
> Jul 20 15:31:52 server named[6909]: edns-disabled: info: success resolving 'ns2.regions.com/' (in 'regions.COM'?) after disabling EDNS
> Jul 20 15:31:53 server named[6909]: edns-disabled: info: success resolving 'ns1.regions.com/' (in 'regions.COM'?) after disabling EDNS
> Jul 20 15:31:53 server named[6909]: edns-disabled: info: success resolving 'markets.nytimes.wallst.com/A' (in 'markets.nytimes.wallst.COM'?) after disabling EDNS
> Jul 20 15:31:53 server named[6909]: edns-disabled: info: success resolving 'backupmx.nextweb.net/A' (in 'nextweb.net'?) after disabling EDNS
> Jul 20 15:31:54 server named[6909]: edns-disabled: info: success resolving 'delphiproductions.com/MX' (in 'delphiproductions.COM'?) after disabling EDNS
> Jul 20 15:32:04 server named[6909]: edns-disabled: info: success resolving 'portaldosgames.click21.com.br/A' (in 'portaldosgames.click21.com.br'?) after disabling EDNS
> Jul 20 15:32:04 server named[6909]: edns-disabled: info: success resolving 'obaoba.click21.com.br/A' (in 'obaoba.click21.com.br'?) after disabling EDNS
> Jul 20 15:32:04 server named[6909]: edns-disabled: info: success resolving 'bemleve.click21.com.br/A' (in 'bemleve.click21.com.br'?) after disabling EDNS
> Jul 20 15:32:17 server named[6909]: edns-disabled: info: success resolving 'fineprintech.com/MX' (in 'fineprintech.COM'?) after disabling EDNS
> Jul 20 15:32:20 server named[6909]: edns-disabled: info: success resolving 'fotos.click21.com.br/A' (in 'fotos.click21.com.br'?) after disabling EDNS
> Jul 20 15:32:20 server named[6909]: edns-disabled: info: success resolving 'giulianaflores.click21.com.br/A' (in 'giulianaflores.click21.com.br'?) after disabling EDNS
> Jul 20 15:32:27 server named[6909]: edns-disabled: info: success resolving 'mailwebslice.cloudapp.net/A' (in 'cloudapp.net'?) after disabling EDNS
> [...]
>
> For queries to remote servers that don't support EDNS, the time to resolve after disabling EDNS is generally over the timeout (5 seconds) of the clients (resolvers), and the query fails.
> My infrastructure doesn't have a firewall between the DNS server and the Internet link, so it supports UDP packets > 512 bytes.

You think there isn't a firewall. There is something in the path that is blocking responses. When you find it can you please inform the manufacturer that their product is broken and you would like it fixed. FORMERR is part of the base DNS specification and shouldn't be filtered.

> Queries to Akamai servers don't work with EDNS. To resolve this problem I configured bind with the directive "server { edns no; };", but it isn't a good solution.
> From my server, some queries with EDNS work and some don't.

Akamai does respond to EDNS queries.

> Does anyone have this problem? Look at the tests above:
>
> ---
> *Akamai plain DNS - OK*
>
> # dig @n0g.akamai.net a961.g.akamai.net
>
> ; <<>> DiG 9.6.1 <<>> @n0g.akamai.net a961.g.akamai.net
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63022
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADD
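The "edns-disabled" lines above record named walking a fallback ladder: an EDNS query advertising a 4096-byte buffer, then one advertising 512 bytes, then a query with no OPT record at all. Running that ladder by hand is the quickest way to tell Mark's "something in the path" apart from a server that genuinely lacks EDNS, so here is an added example (not from the thread) that does it with dig and reports the RCODE, or TIMEOUT, for each step. The server and name defaults are the ones from the posted dig test and need network access; the header-parsing helper is what makes the script usable offline, and the constructed line it is checked against is the HEADER line from that same test.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce named's EDNS fallback
# ladder with dig and report what each step returns.
# Assumptions: dig is installed; defaults below come from the posted test
# and only work with network access.

# dig options for each rung of the ladder, in the order named tries them.
edns_probe_args() {
    case $1 in
        edns4096) echo "+edns=0 +bufsize=4096" ;;
        edns512)  echo "+edns=0 +bufsize=512" ;;
        noedns)   echo "+noedns" ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Extract the RCODE from dig's ";; ->>HEADER<<- ... status: X, id: N" line;
# prints nothing when there is no such line (timeout, no answer).
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# Run all three probes against one server; prints "<mode> <rcode|TIMEOUT>".
edns_probe() {
    server=${1:-n0g.akamai.net} name=${2:-a961.g.akamai.net}
    for mode in edns4096 edns512 noedns; do
        out=$(dig @"$server" "$name" A +time=2 +tries=1 +noall +comments \
                  $(edns_probe_args "$mode") 2>/dev/null)
        rc=$(dig_status "$out")
        printf '%s %s\n' "$mode" "${rc:-TIMEOUT}"
    done
}

# Usage: edns_probe n0g.akamai.net a961.g.akamai.net
```

Reading the result: a server that is simply pre-EDNS answers FORMERR (or NOTIMP) to the first two rungs and NOERROR only to the last, which is a server-side limitation and nothing to filter. TIMEOUT on edns4096 with NOERROR on edns512 means the request reached the server but a larger (often fragmented) UDP response did not make it back, which is the middlebox Mark is describing; TIMEOUT on all three rungs points at reachability rather than EDNS. Run the probe from the resolver host itself, since a firewall between the resolver and the Internet is exactly what the thread is arguing about.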