Bind 9.7 and using multiple forwarders

2010-07-28 Thread Dangl, Thomas
Hello,

When we have a zone with type forward and a forwarders list with
multiple entries, which strategy is used by Bind 9.7?
I found some information in the DNS and BIND book by O'Reilly, and the
identical statement on the Internet and in FAQs, saying that Bind 8.2.3
applied an intelligent behavior, evaluating round-trip times of forwarded
queries and using the name server that provided the fastest response.
For Bind 9 it is stated that simply the first entry in the forwarders
list is used, and if this first one fails to respond, the next in the
forwarders statement is tried, and so on.
I understand the description to mean that this also applies when the
first entry in the forwarders list is not responding at all: the next
forwarding for the zone would still start by trying the first entry in
the forwarders list.

Is this still correct with Bind 9.7 (more precisely Bind 9.7.1 /
Bind 9.7.1-P1 / Bind 9.7.1-P2)?

Best regards

Thomas Dangl
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Three NameServer DOSing my

2010-07-28 Thread Michelle Konzack
Hello Experts,

my primary NameServer  is hit by more than 600.000
requests per day, coming mainly from three NameServers:

[ '/var/log/named.log' ]
Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.318 security: info: client 194.25.2.173#34455: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.568 security: info: client 145.253.2.7#39557: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.747 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.033 security: info: client 145.253.2.7#42608: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.229 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/A/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.341 security: info: client 194.25.2.173#51045: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.596 security: info: client 145.253.2.7#38208: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.792 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
Jul 28 11:18:19 samba3 named[26425]: 28-Jul-2010 11:18:19.081 security: info: client 145.253.2.7#52958: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
Jul 28 11:18:19 samba3 named[26425]: 28-Jul-2010 11:18:19.284 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/MX/IN' denied


[ STDIN ]---
[michelle.konz...@michelle1:~] host 194.25.2.173
173.2.25.194.in-addr.arpa domain name pointer dns42.btx.dtag.de.
[michelle.konz...@michelle1:~] host 145.253.2.7
Host 7.2.253.145.in-addr.arpa. not found: 3(NXDOMAIN)
[michelle.konz...@michelle1:~] host 79.242.61.7
7.61.242.79.in-addr.arpa domain name pointer p4FF23D07.dip.t-dialin.net.
[michelle.konz...@michelle1:~] dig -x 145.253.2.7

; <<>> DiG 9.5.1-P3 <<>> -x 145.253.2.7
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36189
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;7.2.253.145.in-addr.arpa.  IN  PTR

;; AUTHORITY SECTION:
253.145.in-addr.arpa.   6161IN  SOA ns1.arcor-ip.de. 
hostmaster.adm.arcor.net. 2010072800 28800 14400 1814400 7200

;; Query time: 1 msec
;; SERVER: 192.168.0.74#53(192.168.0.74)
;; WHEN: Wed Jul 28 11:38:01 2010
;; MSG SIZE  rcvd: 117



The NX one is from Arcor. Since Deutsche Telekom is NOT responsive to
ANY of my requests, and you cannot even reach them by telephone, I need
to do something, because this 32 MByte of traffic per day is absolutely
useless.

Any suggestions?

 has responded for half an hour to my requests after 3 weeks or
so and told me they are querying my DNS because there is a link on my
website... but I have found nothing.

However, they want to connect to my old laptop and my workstation, from
which I write this message... Both machines are in my Intranet and will
never allow access from the world.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant #
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL
Owner Michelle Konzack
Apt. 917 (homeoffice)
50, rue de Soultz
67100 Strasbourg/France
Tel: +33-6-61925193 mobil
Tel: +33-9-52705884 fix

itsyst...@tdnet UG (limited liability)
Owner Michelle Konzack
Kinzigstraße 17
77694 Kehl/Germany
Tel: +49-177-9351947 mobil

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/



Re: Bind 9.7 and using multiple forwarders

2010-07-28 Thread Cathy Almond
No longer true.  named picks the 'nearest' one, based on SRTT.
Non-responding forwarders are penalised via a very large SRTT.

https://lists.isc.org/mailman/htdig/bind-users/2010-April/079556.html

Dangl, Thomas wrote:
> Hello,
>
> When we have a zone with type forward and a forwarders list with
> multiple entries, which strategy is used by Bind 9.7?
> I found some information in the DNS and BIND book by O'Reilly, and the
> identical statement on the Internet and in FAQs, saying that Bind 8.2.3
> applied an intelligent behavior, evaluating round-trip times of forwarded
> queries and using the name server that provided the fastest response.
> For Bind 9 it is stated that simply the first entry in the forwarders
> list is used, and if this first one fails to respond, the next in the
> forwarders statement is tried, and so on.
> I understand the description to mean that this also applies when the
> first entry in the forwarders list is not responding at all: the next
> forwarding for the zone would still start by trying the first entry in
> the forwarders list.
>
> Is this still correct with Bind 9.7 (more precisely Bind 9.7.1 /
> Bind 9.7.1-P1 / Bind 9.7.1-P2)?
>
> Best regards
>
> Thomas Dangl



Re: Three NameServer DOSing my

2010-07-28 Thread Dave Sparro

On 7/28/2010 5:53 AM, Michelle Konzack wrote:
> Hello Experts,
>
> my primary NameServer  is hit by more than 600.000
> requests per day, coming mainly from three NameServers:
>
> [ '/var/log/named.log' ]
> Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.318 security: info: client 194.25.2.173#34455: query 'michelle1.private.tamay-dogan.net/A/IN' denied
> Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.568 security: info: client 145.253.2.7#39557: query 'michelle1.private.tamay-dogan.net/A/IN' denied
> Jul 28 11:18:17 samba3 named[26425]: 28-Jul-2010 11:18:17.747 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/A/IN' denied
> Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.033 security: info: client 145.253.2.7#42608: query 'michelle1.private.tamay-dogan.net/A/IN' denied
> Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.229 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/A/IN' denied
> Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.341 security: info: client 194.25.2.173#51045: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
> Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.596 security: info: client 145.253.2.7#38208: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
> Jul 28 11:18:18 samba3 named[26425]: 28-Jul-2010 11:18:18.792 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
> Jul 28 11:18:19 samba3 named[26425]: 28-Jul-2010 11:18:19.081 security: info: client 145.253.2.7#52958: query 'michelle1.private.tamay-dogan.net/MX/IN' denied
> Jul 28 11:18:19 samba3 named[26425]: 28-Jul-2010 11:18:19.284 security: info: client 79.242.61.74#59366: query 'michelle1.private.tamay-dogan.net/MX/IN' denied

That host name does show up in your e-mail headers.  That may
be why there are some people curious about that host name.

If the repeat traffic really bothers you, I'd bet that you could
get them to go away by giving a better answer than "REFUSED"
to their query.  If you want to keep your private.tamay-dogan.net
zone private, you could use views to keep the zone from existing
for the Internet side of your connection.

I'd even be tempted to ditch the allow-query ACL so that they could get 
the michelle1.private.tamay-dogan.net/A/IN == 192.168.0.65 answer (at 
least temporarily).
I'd be even more tempted to ignore the noise in your log file.  BIND is 
just letting you know it is doing exactly what you configured it to do.


--
Dave
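The views approach Dave suggests, written out as an added example (not configuration from the thread or from ISC). It shows the single-view setup that produces the "query ... denied" noise, commented out, beside a two-view replacement in which the private zone simply does not exist for the Internet. The 192.168.0.0/24 intranet range, the zone file paths, and the assumption that this server is also authoritative for the public tamay-dogan.net zone are assumptions, not facts from the thread.

```conf
// Assumed intranet range, chosen from the 192.168.0.x addresses in the thread.
acl "internal" { 127.0.0.1; 192.168.0.0/24; };

options {
    directory "/etc/namedb";          // assumed; matches nothing in the thread
    listen-on { any; };
};

// BEFORE (produces the log noise): the private zone exists for every client
// and is fenced off with allow-query, so every outside lookup is answered
// REFUSED and logged as "query ... denied".
//
// zone "private.tamay-dogan.net" {
//     type master;
//     file "master/private.tamay-dogan.net";
//     allow-query { internal; };
// };

// AFTER: two views, evaluated in order; the first match-clients that fits wins.

view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };

    zone "tamay-dogan.net" {
        type master;
        file "master/tamay-dogan.net";           // assumed public zone file
    };

    // Only intranet clients ever learn that this zone exists.
    zone "private.tamay-dogan.net" {
        type master;
        file "master/private.tamay-dogan.net";   // assumed private zone file
    };
};

view "external" {
    match-clients { any; };                      // everything not matched above
    recursion no;                                // authoritative-only toward the Internet
    allow-query { any; };

    zone "tamay-dogan.net" {
        type master;
        file "master/tamay-dogan.net";
    };

    // No private.tamay-dogan.net here. The name falls inside the public parent
    // zone, so michelle1.private.tamay-dogan.net is answered with an
    // authoritative NXDOMAIN that remote resolvers negative-cache, instead of
    // a REFUSED that they retry three times a second and that fills the log.
};
```

Once views are in use every zone must sit inside a view; named rejects a named.conf that mixes top-level zone statements with views, so run named-checkconf before rndc reconfig.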


Question on query-source, transfer-source, notify-source

2010-07-28 Thread Barry Finkel
I have a BIND config question.  First some history.

My initial two DNS servers (A and B) had three NICs and three IP
addresses.  Then I installed two additional servers (C and D),
each with one NIC; each server has one base address and one DNS address.
All four servers run Solaris.  When I installed C and D, I placed in
the config file

 query-source address ;
 transfer-source ;
 notify-source ;

Then we changed servers A and B to new hardware, and we have in
addition to the three NICs each, a base, non-DNS address for each.
We made no config file changes, and no users have reported problems.
These "new" servers A and B have been running for a few years.

Now, I am converting all four servers to an Ubuntu platform, and I am
revisiting the config file.  In looking through various firewall and
DNS query logs, I see that machines A and B are using the non-DNS
address for DNS activity.  A and B are sending queries to the Internet
and queries to the hidden BIND master via the non-DNS addresses.
The Internet queries are being blocked at the firewall because we do
not allow non-registered DNS addresses to send DNS queries to the
Internet, and the non-DNS addresses have no firewall conduits.
I can add three options directives above, as I have done on servers
C and D, but the ARM seems to imply that I can list only one address
in each directive, and I have three DNS addresses for each server.

The BIND is 9.7.x on all machines.  Does anyone have suggestions?
Thanks.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory
9700 South Cass Avenue
Building 240, Room 5.B.8
Argonne, IL 60439-4828
Phone: +1 (630) 252-7277
Facsimile: +1 (630) 252-4601
Internet: bsfin...@anl.gov
IBMMAIL: I1004994



Re: Three NameServer DOSing my

2010-07-28 Thread Michelle Konzack
Hello Dave Sparro,

On 2010-07-28 10:11:52, you hacked out the following:
> That host name does show up in your e-mail headers.  That may
> be why there are some people curious about that host name.

But why do they query my server 3 times per second?

Currently I have more than 600.000 DNS requests per day... but only
,  and  are querying my  excessively.
Other NS (around 90) are less than 20%.

The question is, why do they query an @home FQDN if I have a public
SMTP relay? For me it is an error in their configuration, because the
MTA should only test the MTA which connects to it, and this is
definitively .

The other thing is that in the last 4-6 days I have not written very much
E-Mail (maybe 50-70), which leaves me puzzling over WHY I am bombed
with several million queries.

Today I have sent only 12 messages, and I have attached the unified log
from today for servers querying . While Google has stopped
querying my server endlessly, since today it is .

Do you not wonder?

Also, for some minutes I have encountered several 10.000 break-in
attempts (apache, ssh and courier) from DOT CN today. I really should
nuke them.

> If the repeat traffic really bothers you, I'd bet that you could
> get them to go away by giving a better answer than "REFUSED"
> to their query.  If you want to keep your private.tamay-dogan.net
> zone private, you could use views to keep the zone from existing
> for the Internet side of your connection.

OK, I have to read up on "views" because I do not know how this stuff works.

> I'd even be tempted to ditch the allow-query ACL so that they could
> get the michelle1.private.tamay-dogan.net/A/IN == 192.168.0.65
> answer (at least temporarily).
> I'd be even more tempted to ignore the noise in your log file.  BIND
> is just letting you know it is doing exactly what you configured it
> to do.

Hmmm, it is not really funny to have a 100 MByte logfile per day.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

[ command 'tdnamed --get-ns' ]--

Re: Bind Clustering

2010-07-28 Thread Gordon A. Lang

This reply is a few months delayed, but this issue is still very important
to me, and I'm hoping you can take a few minutes to help out.

I finally took some time to read through the code, and unfortunately I was
unable to identify where forward target(s) are obtained in the update
forwarding action.  There's a lot of structure to reverse engineer -- too
much for a casual effort.  So perhaps you can tell me where I can find the
pertinent code...  ?

My belief was that somewhere in the code, the SOA record is obtained, and
the MNAME is used as the forward target -- this belief was based on trial
and error observations.

What you suggested is that the update forwarding actually uses the masters
list from the named.conf file for forwarding targets.

I was unable to find clues one way or another.

But another thing about your response that leaves me wondering if I fully
understand your response is that you say it "walks the list of masters
trying each one in turn," and with the word "trying" in there, it suggests
that it walks the list only until the first successful update.  Perhaps I am
incorrectly reading into it, but if you could clarify that point, I would
appreciate it.  ---  I would expect that if the masters list is used, then
ALL masters should always get the updates.

Thanks in advance.

--
Gordon A. Lang

- Original Message - 
From: "Mark Andrews" 

To: "Gordon A. Lang" 
Cc: 
Sent: Friday, April 09, 2010 5:58 PM
Subject: Re: Bind Clustering




In message , "Gordon A. Lang" writes:

Regarding my wild idea for synchronizing multiple dynamic masters..
my idea is flawed.

Evidently, the "allow-update-forwarding" only forwards to the MNAME
configured in the SOA.  I was thinking it forwarded to the masters
configured in the conf file.  Oh well.  I guess we'll just have to
wait for ISC to implement multi-master replication.  Anyone know
when this might occur?


What makes you say that?   If you look at the implementation it walks
the list of masters trying each one in turn.


--
Gordon A. Lang

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org




Dynamically add zones

2010-07-28 Thread Mike Flathers
Hey guys,

It looks like bind 10 will address this, but I might as well check here.

Is there a patch for bind 9 to add new zones dynamically without
having to run rndc reconfig?  The server stops answering queries while
reconfig is loading the new config, and as the config grows this timeout
increases.  I haven't hit the source code yet, but something like rndc
addzone zonename [config options | clone zone] would be nice :)

-m


Re: Dynamically add zones

2010-07-28 Thread Alan Clegg
On 7/28/2010 10:41 PM, Mike Flathers wrote:

> Is there a patch for bind 9 to add new zones dynamically without
> having to run rndc reconfig?  The server stops answering queries while
> reconfig is loading the new config, and as the config grows this timeout
> increases.  I haven't hit the source code yet, but something like rndc
> addzone zonename [config options | clone zone] would be nice :)

Look for it in BIND 9.7.2

Here's what I have that creates zones, makes them dynamic and signs them
with no human interference (producing the DS record for the parent):

==SNIP==
#!/bin/bash
# Usage: addzone.sh <zonename>
# Creates a master zone from a template, registers it live with
# rndc addzone, generates a KSK and a ZSK, writes the DS record for the
# parent, and asks named to sign the zone.
cd /etc/namedb || exit 1
cp template "master/${1}"

# The zone options are one configuration block; the escaped semicolons
# and quotes reach rndc literally, the trailing backslashes continue the line.
rndc addzone "${1}" { type master\;\
file \"master/${1}\"\;\
update-policy local\; \
auto-dnssec maintain\; \
}\;

# KSK first: at this point the glob below matches only the KSK,
# so the DS is derived from the right key.
dnssec-keygen -f KSK -K /etc/namedb/keys "$1"
dnssec-dsfromkey -2 /etc/namedb/keys/K${1}.*.key > "ds/${1}"

# ZSK, generated after the DS has been written
dnssec-keygen -K /etc/namedb/keys "$1"

rndc sign "${1}"
==SNIP==

Yes, no error checking, etc, but it works well as a proof-of-concept...




Re: Question on query-source, transfer-source, notify-source

2010-07-28 Thread Chris Buxton
Why do you need 3 DNS interfaces on one box? Why do you need the extra
interface?

Perhaps you could simplify, or split the three addresses across
multiple hosts, or even run multiple instances of named on each box.

Regards,
Chris

On 7/28/10, Barry Finkel  wrote:
> I have a BIND config question.  First some history.
>
> My initial two DNS servers (A and B) had three NICs and three IP
> addresses.  Then I installed two additional servers (C and D),
> each with one NIC; each server has one base address and one DNS address.
> All four servers run Solaris.  When I installed C and D, I placed in
> the config file
>
>  query-source address ;
>  transfer-source ;
>  notify-source ;
>
> Then we changed servers A and B to new hardware, and we have in
> addition to the three NICs each, a base, non-DNS address for each.
> We made no config file changes, and no users have reported problems.
> These "new" servers A and B have been running for a few years.
>
> Now, I am converting all four servers to an Ubuntu platform, and I am
> revisiting the config file.  In looking through various firewall and
> DNS query logs, I see that machines A and B are using the non-DNS
> address for DNS activity.  A and B are sending queries to the Internet
> and queries to the hidden BIND master via the non-DNS addresses.
> The Internet queries are being blocked at the firewall because we do
> not allow non-registered DNS addresses to send DNS queries to the
> Internet, and the non-DNS addresses have no firewall conduits.
> I can add three options directives above, as I have done on servers
> C and D, but the ARM seems to imply that I can list only one address
> in each directive, and I have three DNS addresses for each server.
>
> The BIND is 9.7.x on all machines.  Does anyone have suggestions?
> Thanks.

-- 
Sent from my mobile device


Re: Bind Clustering

2010-07-28 Thread Chris Buxton
Updates are always forwarded to the zone masters, as configured in the
zone statement itself. And yes, the update is only forwarded
(successfully) once.

BIND assumes that each zone has exactly one "primary master". That's
why updates are forwarded only once. If you want a true multi-master
setup, you'll need to look at other options. For example:

- BIND with modifications or additional software.
- Microsoft DNS and AD-integrated zones.

There are other options.

Regards,
Chris Buxton
Bluecat Networks

On 7/28/10, Gordon A. Lang  wrote:
> This reply is a few months delayed, but this issue is still very important
> to me, and I'm hoping you can take a few minutes to help out.
>
> I finally took some time to read through the code, and unfortunately I was
> unable to identify where forward target(s) are obtained in the update
> forwarding action.  There's a lot of structure to reverse engineer -- too
> much for a casual effort.  So perhaps you can tell me where I can find the
> pertinent code...  ?
>
> My belief was that somewhere in the code, the SOA record is obtained, and
> the MNAME is used as the forward target -- this belief was based on trial
> and error observations.
>
> What you suggested is that the update forwarding actually uses the masters
> list from the named.conf file for forwarding targets.
>
> I was unable to find clues one way or another.
>
> But another thing about your response that leaves me wondering if I fully
> understand your response is that you say it "walks the list of masters
> trying each one in turn," and with the word "trying" in there, it suggests
> that it walks the list only until the first successful update.  Perhaps I am
> incorrectly reading into it, but if you could clarify that point, I would
> appreciate it.  ---  I would expect that if the masters list is used, then
> ALL masters should always get the updates.
>
> Thanks in advance.
>
> --
> Gordon A. Lang
>
> - Original Message -
> From: "Mark Andrews" 
> To: "Gordon A. Lang" 
> Cc: 
> Sent: Friday, April 09, 2010 5:58 PM
> Subject: Re: Bind Clustering
>
>
>>
>> In message ,
>> "Gordon
>> A. Lang" writes:
>>> Regarding my wild idea for synchronizing multiple dynamic masters..
>>> my idea is flawed.
>>>
>>> Evidently, the "allow-update-forwarding" only forwards to the MNAME
>>> configured in the SOA.  I was thinking it forwarded to the masters
>>> configured in the conf file.  Oh well.  I guess we'll just have to
>>> wait for ISC to implement multi-master replication.  Anyone know
>>> when this might occur?
>>
>> What makes you say that?   If you look at the implementation it walks
>> the list of masters trying each one in turn.
>>
>>> --
>>> Gordon A. Lang
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>>

-- 
Sent from my mobile device