Re: one remaining error message in named log startup messages
On Nov 15, 2010, at 6:50 AM, Tony Finch wrote:

> On Fri, 12 Nov 2010, Stewart Dean wrote:
>
>> "adjusted limit on open files from 1024 to 1048576"
>>
>> The named service works just fine.
>>
>> which says to add a line:
>>   named soft nofile 4096
>> to /etc/security/limits.conf
>>
>> Did that, then tried both restarting named and rebooting the machine, but it
>> doesn't make a difference.
>
> Try upping it from 4096 to 1048576, since that is what BIND wants the
> limit to be.

No, the problem is that you found a Gentoo answer to a CentOS problem.

Your issue is that the operating system is by default allowing named to own no more than 1024 open file handles. This affects files as well as sockets. You want a much higher number, such as 65536 or more. The 1048576 value is simply a nice large binary number (2^20) that will definitely be large enough.

To set the limit for your operating system (as opposed to Gentoo Linux), you'll need to find the correct command for CentOS. Or you could just let named do it itself, as it does currently - the log message causes no harm and does not represent an error.

Chris Buxton
BlueCat Networks
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
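An added check, not code from this thread or from ISC: what Stewart actually needed to confirm is the limit the running named process ends up with, not what limits.conf says. On Linux the kernel reports that in /proc/<pid>/limits, and the "adjusted limit on open files" log line means named raised its own soft limit there. The parser below is example code written for this page; the sample limits table is constructed to mirror a named process that raised its soft limit to 1048576, and the process lookup assumes the daemon's command name is `named`.

```python
"""Read the effective open-file limit of a running process on Linux.

Added example for this thread (not code from the list or from BIND):
a limits.conf line only matters if it changes what the process actually
runs with, and /proc/<pid>/limits is where the kernel reports that.
"""
import os
import re

# Constructed sample of /proc/<pid>/limits, shaped like a named process
# that raised its own soft limit to 1048576 as the OP's log line reports.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max open files            1048576              1048576              files
Max processes             7860                 7860                 processes
Max nice                  0                    0
"""

# Name column is separated from the values by two or more spaces; the
# units column is absent for a few rows (e.g. "Max nice"), so it is optional.
_ROW = re.compile(
    r"^(?P<name>Max .+?)\s{2,}(?P<soft>\S+)\s+(?P<hard>\S+)(?:\s+(?P<unit>\S+))?\s*$"
)


def parse_limits(text):
    """Parse a /proc/<pid>/limits table into {name: (soft, hard)}.

    'unlimited' becomes None; every other value is an int.
    """
    def value(v):
        return None if v == "unlimited" else int(v)

    limits = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            limits[m.group("name")] = (value(m.group("soft")), value(m.group("hard")))
    return limits


def open_file_limit(text):
    """(soft, hard) for 'Max open files', or None if the row is missing."""
    return parse_limits(text).get("Max open files")


def open_file_limit_ok(text, wanted=65536):
    """True when the soft limit is unlimited or at least `wanted` descriptors."""
    lim = open_file_limit(text)
    if lim is None:
        return False
    soft, _hard = lim
    return soft is None or soft >= wanted


def pids_of(comm):
    """Pids whose /proc/<pid>/comm equals `comm` (Linux only)."""
    found = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                if f.read().strip() == comm:
                    found.append(int(entry))
        except OSError:
            continue  # process exited or is not readable by us
    return found


def running_process_limits(comm="named"):
    """[(pid, (soft, hard)), ...] for every live process called `comm`."""
    out = []
    for pid in pids_of(comm):
        try:
            with open(f"/proc/{pid}/limits") as f:
                out.append((pid, open_file_limit(f.read())))
        except OSError:
            continue
    return out


if __name__ == "__main__":
    for pid, lim in running_process_limits():
        print(pid, lim, "ok" if lim and (lim[0] is None or lim[0] >= 65536) else "LOW")
```

Run it on the CentOS box after restarting named: if the soft value is already 1048576, the limits.conf edit is irrelevant because named has raised the limit itself, which is Chris's point that the log line is informational.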
Re: MySQL BIND SDB
On Nov 15, 2010, at 10:58 PM, Tech W. wrote:

> Is mysql Bind SDB suitable for a production application?

To my understanding, yes, with caveats. However, I've never used it myself. Understand fully what you are doing and how it affects performance before you put it into production. That likely will require testing in your specific environment.

> We have many dozens of domains in the bind servers, what's the best way to
> maintain the zones and records?

With a management solution, of course. :-)

Seriously, there is no single answer to this vague question. The quantity of domains is not the issue, nor their size, but rather the frequency of updates and the number and competence of the administrators. "Many dozens of domains" does not scare me, as an administrator. Thousands of records in each does not scare me. What would scare me is too many edits to handle by myself; for me, if there are multiple admins touching the data on a routine basis, and a change volume greater than one admin could reasonably handle, then there should be a management solution in place.

There are several good tools out there; I work for a company that makes one such tool, and previously worked for another. The advantages include:

- Two admins with different ideas of how files should be named and laid out don't butt heads. The management solution makes the decision.
- There is an audit trail showing who did what, so that when something goes wrong, the correct lesson can be learned.

Integration with DHCP and IP address management is often another benefit.

Chris Buxton
BlueCat Networks
Is DLV still useful
Now that the root is signed, is DLV still useful? Will there be any clash if I add the managed-keys statement without removing the DLV setup?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
Re: Is DLV still useful
On 11/16/10 11:17, Thomas Schulz wrote:
> Now that the root is signed, is DLV still useful?

Yes. Not all TLDs are signed (although we're getting there), and not all registrars support adding DS records, even if the registry supports DNSSEC. Therefore, there are still islands of trust that can only be negotiated by DLV.

> Will there be any clash if I add the managed-keys statement without removing the DLV setup?

Nope. I have this setup running on a few servers and it works fine.

michael
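For reference, an added named.conf fragment showing the two coexisting; this is example configuration written for this page, not config posted in the thread, and the key string in managed-keys is a placeholder rather than the real root KSK. The validator uses the configured trust anchor (the root) wherever a signed chain reaches the name, and only "looks aside" at dlv.isc.org when it runs into an unsigned delegation below that chain, which is exactly the islands-of-trust case Michael describes. That is why the two do not clash.

```conf
options {
    directory "/var/named";

    dnssec-enable yes;
    dnssec-validation yes;

    // Keep the lookaside fallback. "auto" uses the dlv.isc.org key built
    // into BIND 9.7 and later; older configs spell this out as
    //   dnssec-lookaside "." trust-anchor dlv.isc.org;
    // with the DLV key carried in a trusted-keys block.
    dnssec-lookaside auto;
};

// Root trust anchor, tracked automatically by RFC 5011 key rollover.
// The base64 below is a placeholder, not the real root KSK: paste the
// published key in its place.
managed-keys {
    "." initial-key 257 3 8 "AwEAA...placeholder...";
};
```

After a reload, `dig +dnssec` against the server for a name under a signed TLD should come back with the `ad` flag via the root anchor, while a name in a DLV-registered island under an unsigned TLD still validates through the lookaside.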
IPAM advantages (was Re: MySQL BIND SDB)
On Tue, 2010-11-16 at 11:16 -0800, Chris Buxton wrote:
> With a management solution, of course. :-)
> [...]
> The advantages include:
>
> - Two admins with different ideas of how files should be named and
> laid out don't butt heads. The management solution makes the decision.
> - There is an audit trail showing who did what, so that when something
> goes wrong, the correct lesson can be learned.
>
> Integration with DHCP and IP address management is often another benefit.

Other advantages:

- point and click, whatever the command-line weenies tell you, is more comfortable and, for the most common operations, usually faster :-)
- a good IPAM has a permissions structure, so you can allow lower-skilled people to make certain changes, or distribute the management task.
- you avoid whole classes of typo and typo-like errors, such as forgetting full-stops, misspelling "in-addr.arpa", putting in-addr.arpa instead of ip6.arpa or vice versa, making a timeout "6" instead of "6000", missing nibbles out of an IPv6 $ORIGIN or PTR, writing the PTR octets forwards instead of backwards in a PTR...
- you avoid most consistency errors, within a zone, between zones, between views, between servers. You get the identical updates made identically on all relevant servers, in all relevant views, automatically.
- there are generally bulk insert/delete/update methods
- the tool looks after correctly stopping, starting, reloading etc, so you don't accidentally blow away your dynamic updates or end up with a stopped nameserver or failed zone load because the config was wrong and you didn't notice.
- most IPAM tools do dynamic updates themselves, so you don't have to do reloads all the time.

Regards, K.

--
~~~
Karl Auer (ka...@biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/                   +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
Re: IPAM advantages (was Re: MySQL BIND SDB)
Karl Auer wrote:
> On Tue, 2010-11-16 at 11:16 -0800, Chris Buxton wrote:
>> With a management solution, of course. :-)
>> [...]
>
> Other advantages:
> [...]
>
> Regards, K.

Nicely put Karl,

There are several FOSS IPAM like systems*. IPAM is an Infoblox proprietary system that Cricket Liu is involved with.

CPanel (and look-alikes), webmin, among many other web GUI based apps have some basic DNS configuration capabilities. Just like the single-sign-on concept, IPAM like tools with a single DNS database that manages/configures many BIND DNS servers has proven to be a useful model.

Cheers!
Gary

*Even I put together one 10 years ago that is still being used and updated.
http://openisp.net/openisp/unxsVZ/wiki
problem getting address record for google public dns server
Can someone explain the following dig results? The first dig @8.8.8.8 provides the expected result:

  : dig +noall +answer google-public-dns-a.google.com @8.8.8.8
  google-public-dns-a.google.com. 85040 IN A 8.8.8.8

We get the same result from KLOTH.NET (http://www.kloth.net/services/nslookup.php)

But when we specify the public facing exacttarget.com server:

  : dig +noall +answer google-public-dns-a.google.com @66.231.91.222

No answer

And when we use +trace ... it seems to find its way to the correct answer:

  : dig google-public-dns-a.google.com @66.231.91.222 +trace

  ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> google-public-dns-a.google.com @66.231.91.222 +trace
  ;; global options:  printcmd
  .                       360     IN      NS      A.ROOT-SERVERS.NET.
  .                       360     IN      NS      B.ROOT-SERVERS.NET.
  .                       360     IN      NS      C.ROOT-SERVERS.NET.
  .                       360     IN      NS      D.ROOT-SERVERS.NET.
  .                       360     IN      NS      E.ROOT-SERVERS.NET.
  .                       360     IN      NS      F.ROOT-SERVERS.NET.
  .                       360     IN      NS      G.ROOT-SERVERS.NET.
  .                       360     IN      NS      H.ROOT-SERVERS.NET.
  .                       360     IN      NS      I.ROOT-SERVERS.NET.
  .                       360     IN      NS      J.ROOT-SERVERS.NET.
  .                       360     IN      NS      K.ROOT-SERVERS.NET.
  .                       360     IN      NS      L.ROOT-SERVERS.NET.
  .                       360     IN      NS      M.ROOT-SERVERS.NET.
  ;; Received 228 bytes from 66.231.91.222#53(66.231.91.222) in 1 ms

  com.                    172800  IN      NS      g.gtld-servers.net.
  com.                    172800  IN      NS      f.gtld-servers.net.
  com.                    172800  IN      NS      l.gtld-servers.net.
  com.                    172800  IN      NS      h.gtld-servers.net.
  com.                    172800  IN      NS      j.gtld-servers.net.
  com.                    172800  IN      NS      c.gtld-servers.net.
  com.                    172800  IN      NS      i.gtld-servers.net.
  com.                    172800  IN      NS      d.gtld-servers.net.
  com.                    172800  IN      NS      k.gtld-servers.net.
  com.                    172800  IN      NS      m.gtld-servers.net.
  com.                    172800  IN      NS      a.gtld-servers.net.
  com.                    172800  IN      NS      e.gtld-servers.net.
  com.                    172800  IN      NS      b.gtld-servers.net.
  ;; Received 504 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 35 ms

  google.com.             172800  IN      NS      ns2.google.com.
  google.com.             172800  IN      NS      ns1.google.com.
  google.com.             172800  IN      NS      ns3.google.com.
  google.com.             172800  IN      NS      ns4.google.com.
  ;; Received 184 bytes from 192.42.93.30#53(g.gtld-servers.net) in 75 ms

  google-public-dns-a.google.com. 86400 IN A 8.8.8.8
  ;; Received 64 bytes from 216.239.34.10#53(ns2.google.com) in 39 ms

What's going on?

Thanks!
Marty
Re: got "BAD (HORIZONTAL) REFERRAL" error
Looks like there is an intercepting "transparent proxy" in the path. As dig +trace sends non-recursive queries the "transparent proxy" doesn't recurse and so you don't get better answers.

I would be complaining to the ISP.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: IPAM advantages (was Re: MySQL BIND SDB)
On Nov 16, 2010, at 12:44 PM, Gary Wallis wrote:
> IPAM is an Infoblox proprietary system that Cricket Liu is involved with.

No. IPAM = IP Address Management. It is not a product, but rather a product category. I believe the term was coined by Lucent, or whoever owned QIP at the time, sometime in the mid-90's. (I could be wrong, though.)

Infoblox offers an IPAM solution. I will make no comment on its relative merits versus the competition; I work in the industry. The following companies also offer commercial IPAM solutions (list is not exhaustive):

BlueCat Networks (Proteus)
Men & Mice (the eponymous Suite)
Vital/Lucent/Alcatel (QIP)
BT (DiamondIP)

There is at least one real F/OSS IPAM solution, NetReg from Carnegie Mellon University.

C/Panel, Webmin, and other systems like that are system management solutions, not IPAM solutions.

Regards,
Chris Buxton
BlueCat Networks
SPF vs TXT with includes
Does anyone know what happens if a domain with an older TXT spf record is included in a newer SPF spf record? For example:

  foo.com  IN TXT  "v=spf1 mx a:mail1.foo.com a:mail2.foo.com ?all"
  bar.com  IN SPF  "v=spf1 mx a:mail1.bar.com a:mail2.bar.com include:foo.com ?all"

Ideally the desire is that the authorized mail hosts at foo.com are also authorized to send mail on behalf of the bar.com domain. My question is will the SPF record for bar.com be valid if foo.com only has a TXT spf record or would foo.com need to have a record of the SPF record type? I'm guessing that BIND doesn't do the recursion to resolve the include statement itself and this may be dependent on the mail agent doing the query.

--
Timothy A. Holtzen
Campus Network Administrator
Nebraska Wesleyan University
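Timothy's guess is right: BIND only serves the records, and the include: is followed by the SPF verifier in the receiving MTA, which runs check_host() on foo.com as a sub-evaluation. Under RFC 4408 (the SPF spec current when this was posted) the verifier queries both the SPF type and TXT, discards TXT only if an SPF-type record is present, and otherwise uses the TXT record, so a TXT-only foo.com works fine inside bar.com's SPF-type record; RFC 7208 later retired the SPF type altogether, leaving TXT as the one that matters. Below is an added example (my code, not BIND's and not the thread's) of that record selection and include: logic. The DNS data is a constructed in-memory table holding the two records quoted in the post plus MX and A records made up from documentation address ranges; it also includes a baz.com record that references a domain with no SPF at all, to show the one include: case that does break.

```python
"""Minimal SPF check_host() with include:, to answer the TXT-vs-SPF question.

Added example for this thread, not BIND code and not a complete SPF
library (modifiers such as redirect= and exp= are not handled, and the
include depth check stands in for RFC 4408's 10-lookup limit).
"""
from ipaddress import ip_address, ip_network

# Constructed stand-in for DNS: (owner, type) -> rdata strings.
# foo.com publishes only TXT, bar.com only the SPF type, as in the post.
ZONE = {
    ("foo.com", "TXT"): ["v=spf1 mx a:mail1.foo.com a:mail2.foo.com ?all"],
    ("bar.com", "SPF"): ["v=spf1 mx a:mail1.bar.com a:mail2.bar.com include:foo.com ?all"],
    ("baz.com", "SPF"): ["v=spf1 include:nospf.example -all"],  # includes a domain with no SPF
    ("foo.com", "MX"): ["mx.foo.com"],
    ("bar.com", "MX"): ["mx.bar.com"],
    ("mx.foo.com", "A"): ["192.0.2.10"],
    ("mail1.foo.com", "A"): ["192.0.2.11"],
    ("mail2.foo.com", "A"): ["192.0.2.12"],
    ("mx.bar.com", "A"): ["198.51.100.10"],
    ("mail1.bar.com", "A"): ["198.51.100.11"],
    ("mail2.bar.com", "A"): ["198.51.100.12"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Permanent evaluation error (RFC 4408 result 'PermError')."""


def lookup(name, rtype):
    """Stand-in for a DNS query; a real verifier uses a resolver here."""
    return ZONE.get((name.lower(), rtype), [])


def select_record(domain):
    """RFC 4408 section 4.5 record selection.

    Query both types; drop anything not starting with v=spf1; if any
    SPF-type record remains, TXT records are discarded, otherwise the TXT
    records are used. Exactly one record must remain.
    """
    def spf1(records):
        return [r for r in records if r.lower().split()[:1] == ["v=spf1"]]

    chosen = spf1(lookup(domain, "SPF")) or spf1(lookup(domain, "TXT"))
    if not chosen:
        return None                      # result "None": no SPF policy at all
    if len(chosen) > 1:
        raise PermError(f"{domain}: more than one SPF record")
    return chosen[0]


def check_host(ip, domain, depth=0):
    """One of: pass, fail, softfail, neutral, none, permerror."""
    try:
        return _evaluate(ip_address(ip), domain, depth)
    except PermError:
        return "permerror"


def _evaluate(ip, domain, depth):
    if depth > 10:
        raise PermError("include nesting too deep")
    record = select_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            # Recursive check_host() on the included domain. Only "pass"
            # counts as a match; fail/softfail/neutral simply do not match,
            # so foo.com's "?all" does not leak into bar.com's result.
            inner = _evaluate(ip, arg, depth + 1)
            if inner == "none":
                raise PermError(f"include:{arg} has no SPF record")
            matched = inner == "pass"
        else:
            raise PermError(f"unknown mechanism {mech}")
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no explicit "all"
```

With this table, mail from 192.0.2.11 (mail1.foo.com) claiming bar.com gets "pass" through the include: even though foo.com has only a TXT record; an unrelated host gets "neutral" from bar.com's own ?all, because the neutral from foo.com's ?all is not a match. The failure mode to watch is an include: of a domain that publishes no SPF record of either type, which turns the whole evaluation into "permerror".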
Re: MySQL BIND SDB
On 11/15/2010 10:58 PM, Tech W. wrote:
> Is mysql Bind SDB suitable for a production application?
> We have many dozens of domains in the bind servers, what's the best way to maintain the zones and records?

Absolutely - I have maintained 10k+ zones using Bind-DLZ / MySQL.

re: http://itsecureadmin.com/2010/09/bind-dlz-with-mysql/

Thanks,
Josh Miller
Re: problem getting address record for google public dns server
In article , "M. Meadows" wrote:

> Can someone explain the following dig results? The first dig @8.8.8.8
> provides the expected result
>
> : dig +noall +answer google-public-dns-a.google.com @8.8.8.8
> google-public-dns-a.google.com. 85040 IN A 8.8.8.8
>
> We get the same result from KLOTH.NET
> (http://www.kloth.net/services/nslookup.php)
>
> But when we specify the public facing exacttarget.com server
>
> : dig +noall +answer google-public-dns-a.google.com @66.231.91.222
>
> No answer

If you hadn't used +noall, you would have seen:

;; WARNING: recursion requested but not available

Does that answer your question?

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
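The diagnosis Barry and Mark make by eye can be made mechanically from the header dig prints when +noall is left off: RD set in the query and RA absent from the reply is what dig turns into the "recursion requested but not available" warning, and an empty answer section in that state means the server you asked is not going to recurse for you, whether it is an authoritative-only server or, as Mark suspects, an intercepting middlebox that only forwards iterative (RD=0) queries. Below is an added example (my code, not from the posts) that parses those two dig lines; both dig outputs in it are constructed, and only the shape of the `;; ->>HEADER<<-` and `;; flags:` lines is relied on.

```python
"""Parse dig's header/flags lines and explain an empty answer.

Added example for this thread, not code from the list. The two outputs
below are constructed to look like dig's default (no +noall) output.
"""
import re

# Constructed: a resolver that recurses for the client (rd and ra both set).
RECURSIVE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
google-public-dns-a.google.com. 85040 IN A 8.8.8.8
"""

# Constructed: a server that will not recurse for us (rd set, ra absent)
# handing back a root referral, which is what an empty +noall +answer hides.
NO_RECURSION = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; WARNING: recursion requested but not available
"""

_HEADER = re.compile(
    r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", re.M)
_FLAGS = re.compile(
    r"^;; flags:([^;]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)", re.M)


def parse_dig(output):
    """Header fields from a dig run; raises if the lines are not there."""
    h = _HEADER.search(output)
    f = _FLAGS.search(output)
    if not h or not f:
        raise ValueError("no dig header/flags lines found (was +noall used?)")
    return {
        "opcode": h.group(1),
        "status": h.group(2),
        "id": int(h.group(3)),
        "flags": set(f.group(1).split()),
        "answer": int(f.group(3)),
        "authority": int(f.group(4)),
    }


def diagnose(output):
    """Short explanation of why a query did or did not produce an answer."""
    r = parse_dig(output)
    if r["status"] != "NOERROR":
        return r["status"]                      # NXDOMAIN, SERVFAIL, REFUSED, ...
    if r["answer"] > 0:
        return "answered"
    if "rd" in r["flags"] and "ra" not in r["flags"]:
        # Recursion was requested (dig's default) but the server does not
        # offer it; with AUTHORITY > 0 you were handed a referral instead.
        return "recursion requested but not available"
    if "aa" in r["flags"]:
        return "authoritative NODATA: name exists but has no records of this type"
    return "empty answer"
```

The function cannot tell an authoritative-only server from a transparent proxy; that distinction came from the +trace run in the original post, whose RD=0 queries are what the middlebox failed to recurse on.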
Re: MySQL BIND SDB
Thanks a lot. That looks very helpful to me.

--- On Wed, 17/11/10, Josh Miller wrote:

> From: Josh Miller
> Subject: Re: MySQL BIND SDB
> To: bind-users@lists.isc.org
> Received: Wednesday, 17 November, 2010, 9:38 AM
>
> On 11/15/2010 10:58 PM, Tech W. wrote:
>> Is mysql Bind SDB suitable for a production application?
>> We have many dozens of domains in the bind servers, what's the best way to maintain the zones and records?
>
> Absolutely - I have maintained 10k+ zones using Bind-DLZ / MySQL.
>
> re: http://itsecureadmin.com/2010/09/bind-dlz-with-mysql/
>
> Thanks,
> Josh Miller
Re: MySQL BIND SDB
Interesting. I store my zones in MySQL (great for maintaining them) but dump them to flat file format to hand to BIND. This allows me to DNSSEC sign some of my zones. (I also hold the DNSKEY records in the DB).

How would BIND sign a zone that is in a Database? Can BIND do this? ALL examples of using DNSSEC have been with flat files.

On Tue, 2010-11-16 at 17:38 -0800, Josh Miller wrote:
> On 11/15/2010 10:58 PM, Tech W. wrote:
>> Is mysql Bind SDB suitable for a production application?
>> We have many dozens of domains in the bind servers, what's the best way to
>> maintain the zones and records?
>
> Absolutely - I have maintained 10k+ zones using Bind-DLZ / MySQL.
>
> re: http://itsecureadmin.com/2010/09/bind-dlz-with-mysql/
>
> Thanks,
> Josh Miller

--
Mark J Elkins, Cisco CCIE          m...@posix.co.za
Posix Systems - Sth Africa.        e.164 VOIP ready
Tel: +27 12 807 0590               Cell: +27 82 601 0496