Re: problem getting address record for google public dns server

2010-11-17 Thread Stacey Jonathan Marshall
This crops up time and time again - perhaps +trace should have been +mimic.

The '+trace' option causes dig to act as a recursive server would,
asking each server in turn for a non-recursive answer.  Thus when you
say +trace it's your instance of dig that's doing the work.

The details in the response hold your answer:

$ dig @66.231.91.222 google-public-dns-a.google.com   

; <<>> DiG 9.3.6-P1 <<>> @66.231.91.222 google-public-dns-a.google.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 503
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google-public-dns-a.google.com.    IN  A

;; AUTHORITY SECTION:
.   360 IN  NS  A.ROOT-SERVERS.NET.
.   360 IN  NS  B.ROOT-SERVERS.NET.
.   360 IN  NS  C.ROOT-SERVERS.NET.
.   360 IN  NS  D.ROOT-SERVERS.NET.
.   360 IN  NS  E.ROOT-SERVERS.NET.
.   360 IN  NS  F.ROOT-SERVERS.NET.
.   360 IN  NS  G.ROOT-SERVERS.NET.
.   360 IN  NS  H.ROOT-SERVERS.NET.
.   360 IN  NS  I.ROOT-SERVERS.NET.
.   360 IN  NS  J.ROOT-SERVERS.NET.
.   360 IN  NS  K.ROOT-SERVERS.NET.
.   360 IN  NS  L.ROOT-SERVERS.NET.
.   360 IN  NS  M.ROOT-SERVERS.NET.

;; Query time: 111 msec
;; SERVER: 66.231.91.222#53(66.231.91.222)
;; WHEN: Wed Nov 17 09:50:35 2010
;; MSG SIZE  rcvd: 259


Looking at the flags in the response, note the lack of 'ra': Recursion
Available!

Thus the server is saying I don't know (or I won't tell you what's in my
cache) and I'm not going to find an answer for you, go start looking at
the root servers.  Hence the +trace works.



Regards
Stacey
On 16/11/2010 21:00, M. Meadows wrote:
> Can someone explain the following dig results? The first dig @8.8.8.8
> provides the expected result
>  
>  
> : dig +noall +answer google-public-dns-a.google.com @8.8.8.8
> google-public-dns-a.google.com. 85040 IN A  8.8.8.8
>
> We get the same result from KLOTH.NET
> (http://www.kloth.net/services/nslookup.php)
>  
>  
> But when we specify the public facing exacttarget.com server
>  
> : dig +noall +answer google-public-dns-a.google.com @66.231.91.222
>  
> No answer
>  
> And when we use +trace ... it seems to find its way to the correct
> answer.
>  
> : dig google-public-dns-a.google.com @66.231.91.222 +trace
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>>
> google-public-dns-a.google.com @66.231.91.222 +trace
> ;; global options:  printcmd
> .   360 IN  NS  A.ROOT-SERVERS.NET.
> .   360 IN  NS  B.ROOT-SERVERS.NET.
> .   360 IN  NS  C.ROOT-SERVERS.NET.
> .   360 IN  NS  D.ROOT-SERVERS.NET.
> .   360 IN  NS  E.ROOT-SERVERS.NET.
> .   360 IN  NS  F.ROOT-SERVERS.NET.
> .   360 IN  NS  G.ROOT-SERVERS.NET.
> .   360 IN  NS  H.ROOT-SERVERS.NET.
> .   360 IN  NS  I.ROOT-SERVERS.NET.
> .   360 IN  NS  J.ROOT-SERVERS.NET.
> .   360 IN  NS  K.ROOT-SERVERS.NET.
> .   360 IN  NS  L.ROOT-SERVERS.NET.
> .   360 IN  NS  M.ROOT-SERVERS.NET.
> ;; Received 228 bytes from 66.231.91.222#53(66.231.91.222) in 1 ms
> com.    172800  IN  NS  g.gtld-servers.net.
> com.    172800  IN  NS  f.gtld-servers.net.
> com.    172800  IN  NS  l.gtld-servers.net.
> com.    172800  IN  NS  h.gtld-servers.net.
> com.    172800  IN  NS  j.gtld-servers.net.
> com.    172800  IN  NS  c.gtld-servers.net.
> com.    172800  IN  NS  i.gtld-servers.net.
> com.    172800  IN  NS  d.gtld-servers.net.
> com.    172800  IN  NS  k.gtld-servers.net.
> com.    172800  IN  NS  m.gtld-servers.net.
> com.    172800  IN  NS  a.gtld-servers.net.
> com.    172800  IN  NS  e.gtld-servers.net.
> com.    172800  IN  NS  b.gtld-servers.net.
> ;; Received 504 bytes from 198.41.0.4#53(A.ROOT-SERVERS.NET) in 35 ms
> google.com. 172800  IN  NS  ns2.google.com.
> google.com. 172800  IN  NS  ns1.google.com.
> google.com. 172800  IN  NS  ns3.google.com.

Re: IPAM advantages (was Re: MySQL BIND SDB)

2010-11-17 Thread Gary Wallis

Chris Buxton wrote:

On Nov 16, 2010, at 12:44 PM, Gary Wallis wrote:

IPAM is an Infoblox proprietary system that Cricket Liu is involved with.


No.

IPAM = IP Address Management. It is not a product, but rather a product 
category. I believe the term was coined by Lucent, or whoever owned QIP at the 
time, sometime in the mid-90's. (I could be wrong, though.)

Infoblox offers an IPAM solution. I will make no comment on its relative merits 
versus the competition; I work in the industry. The following companies also 
offer commercial IPAM solutions (list is not exhaustive):

BlueCat Networks (Proteus)
Men & Mice (the eponymous Suite)
Vital/Lucent/Alcatel (QIP)
BT (DiamondIP)

There is at least one real F/OSS IPAM solution, NetReg from Carnegie Mellon 
University.

C/Panel, Webmin, and other systems like that are system management solutions, 
not IPAM solutions.

Regards,
Chris Buxton
BlueCat Networks


Thanks for the correction and the updated list of IPAM software providers.

My main point is that I think that Karl was right about the advantages 
of managed DNS systems. IPAM is much more than DNS management (too much 
more for some in many cases.) Centralized DNS management is cool, 
especially FOSS tools that may help you manage a large cluster of 
ISC/BIND servers.


(If we use FOSS BIND why should we support anti-FOSS businesses like 
many mentioned above?)


Cheers!
Gary
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: IPAM advantages (was Re: MySQL BIND SDB)

2010-11-17 Thread Alan Clegg
On 11/17/2010 7:15 AM, Gary Wallis wrote:

[.. Discussion of non-open-source IPAM solutions ..]

> (If we use FOSS BIND why should we support anti-FOSS businesses like
> many mentioned above?)

Several of the businesses listed in the original post are BIND Forum
members and are supporting ISC in that manner.

BIND forum memberships are also available to individuals and to
companies that like/use BIND and feel the need to help with its upkeep..  :)

For more information:   http://www.isc.org/software/guild/bf

AlanC




Is it Possible to Log nxdomain Responses?

2010-11-17 Thread Martin McCormick
We are chasing down some problems in which clients are trying to
resolve lookups to a domain related to Microsoft Active
Directory zones. We were able to determine that clients were
querying this AD zone when it was thought they weren't needing
to do so.

We enabled querylogging for a short time and saw a
specific test system querying the domain and we were able to
dump the cache of the master DNS running bind9.7.1 and saw
numerous nxdomains for that zone. It would be nice to log each
nxdomain for a while so we can verify that the new delegated
zone we are about to install fixed the problem.

Thank you.

Martin McCormick WB5AGZ  Stillwater, OK 
Systems Engineer
OSU Information Technology Department Telecommunications Services Group


Re: Is it Possible to Log nxdomain Responses?

2010-11-17 Thread Phil Mayers

On 17/11/10 13:48, Martin McCormick wrote:

We are chasing down some problems in which clients are trying to
resolve lookups to a domain related to Microsoft Active
Directory zones. We were able to determine that clients were
querying this AD zone when it was thought they weren't needing
to do so.

We enabled querylogging for a short time and saw a
specific test system querying the domain and we were able to
dump the cache of the master DNS running bind9.7.1 and saw
numerous nxdomains for that zone. It would be nice to log each
nxdomain for a while so we can verify that the new delegated
zone we are about to install fixed the problem.


You could maybe do this with wireshark:

tshark -R dns.flags.rcode==3 -s 1600 -i any -T fields \
 -e ip.src -e ip.dst -e dns.qry.name


Re: Is it Possible to Log nxdomain Responses?

2010-11-17 Thread Stephane Bortzmeyer
On Wed, Nov 17, 2010 at 07:48:55AM -0600,
 Martin McCormick wrote
 a message of 22 lines which said:

> It would be nice to log each nxdomain for a while so we can verify
> that the new delegated zone we are about to install fixed the
> problem.

May be with dnscap :

dnscap -e x -g -w nxdomain-%s-%u.pcap

This will keep NXDOMAIN responses.

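Both threads above come down to reading bits in the DNS header: Stacey's point that the reply from 66.231.91.222 carries 'qr rd' but no 'ra', and Phil's tshark filter dns.flags.rcode==3 for NXDOMAIN. This added example (not code from either poster, nor from BIND or dig) decodes the fixed 12-byte header, renders it the way dig prints its ';; flags:' line, and applies both tests. The two headers are constructed to match the thread, not captured traffic.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def parse_dns_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated
        "rd": bool(flags & 0x0100),   # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),   # recursion available: only the server sets this
        "rcode": rcode,
        "rcode_name": RCODES.get(rcode, "RCODE%d" % rcode),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def dig_flags_line(h: dict) -> str:
    """Render the header the way dig prints its ';; flags:' line."""
    names = " ".join(f for f in ("qr", "aa", "tc", "rd", "ra") if h[f])
    return (";; flags: %s; QUERY: %d, ANSWER: %d, AUTHORITY: %d, ADDITIONAL: %d"
            % (names, h["qdcount"], h["ancount"], h["nscount"], h["arcount"]))

def is_upward_referral(h: dict) -> bool:
    """The reply Stacey describes: RA clear, no answers, only NS records in the
    authority section, i.e. 'go start looking at the root servers yourself'."""
    return h["qr"] and not h["ra"] and h["ancount"] == 0 and h["nscount"] > 0

def is_nxdomain(h: dict) -> bool:
    """Same test as the tshark filter dns.flags.rcode==3."""
    return h["qr"] and h["rcode"] == 3

# Constructed headers (not captured packets): the first mirrors the dig output in
# the thread (id 503, flags qr rd, 1 question, 13 authority RRs); the second is a
# typical NXDOMAIN from a recursive server (flags qr rd ra, rcode 3).
REFERRAL_HDR = struct.pack("!6H", 503, 0x8100, 1, 0, 13, 0)
NXDOMAIN_HDR = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 1, 0)

if __name__ == "__main__":
    for hdr in (REFERRAL_HDR, NXDOMAIN_HDR):
        h = parse_dns_header(hdr)
        print(dig_flags_line(h), "|", h["rcode_name"],
              "| referral:", is_upward_referral(h), "| nxdomain:", is_nxdomain(h))
```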


Nslookup not working for external domain

2010-11-17 Thread Moore, Mark A.
We are running into an issue where one of our slave servers isn't resolving 
non-local domain names.  For the two domains hosted on this server, we can 
resolve any entry. However, if we try to do an nslookup to cnn, google, yahoo, 
etc. it fails. We have turned off iptables and verified internet connectivity. 
Below is the error we get. What other areas should we be looking at to 
troubleshoot?

Thx in advance for any help given.

nslookup www.cnn.com
;; Got SERVFAIL reply from 192.243.160.18, trying next server
Server: 192.243.130.42
Address: 192.243.130.42#53

Non-authoritative answer:
Name: www.cnn.com
Address: 157.166.226.26
Name: www.cnn.com
Address: 157.166.255.18
Name: www.cnn.com
Address: 157.166.255.19
Name: www.cnn.com
Address: 157.166.224.25
Name: www.cnn.com
Address: 157.166.224.26
Name: www.cnn.com
Address: 157.166.226.25


Mark


Re: MySQL BIND SDB

2010-11-17 Thread Evan Hunt
> How would BIND sign a zone that is in a Database? Can BIND do this?
> ALL examples of using DNSSEC have been with flat files.

DNSSEC with SQL isn't supported in BIND 9 (yet?).  IIRC, it can return
signed responses for records that do exist, but it can't return proper
signed negative responses for records that don't.

BIND 10 does have a SQL data source that's fully DNSSEC compliant.  It's
not really production-ready yet, but you can check out the work in progress
if you like: https://bind10.isc.org.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


High named CPU every 10 minutes?

2010-11-17 Thread blrmaani
I see a peculiar behavior on my DNS server. The named CPU reaches 90%+
every 10 minutes and my monitoring software keeps paging me.

I have a DNS host running FreeBSD 7.x, running BIND 9.4.x on a 2-CPU
machine with 4GB RAM. It is a recursive DNS server.

Any pointers on how to find out the reason for the high CPU? I know that
this machine is not DDoSed.

Thanks

Maani


Spaces in keys

2010-11-17 Thread Thomas Schulz
When I copied the key for root from
http://www.isc.org/community/blog/201007/using-root-dnssec-key-bind-9-resolvers
I ended up with spaces in the key. I assumed that they should not be there
and removed them. I since noticed that the key in /etc/bind.keys supplied
with the bind distribution has spaces in it. Should the spaces be there or
does it not matter?

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com


Re: Spaces in keys

2010-11-17 Thread Hugo Salgado
On 11/17/2010 05:01 PM, Thomas Schulz wrote:
> When I copied the key for root from
> http://www.isc.org/community/blog/201007/using-root-dnssec-key-bind-9-resolvers
> I ended up with spaces in the key. I assumed that they should not be there
> and removed them. I since noticed that the key in /etc/bind.keys supplied
> with the bind distribution has spaces in it. Should the spaces be there or
> does it not matter?

It doesn't matter. From RFC4034 (Resource Records for the DNS Security
Extensions), section 2.2 (The DNSKEY RR Presentation Format):

  The Public Key field MUST be represented as a Base64 encoding of the
  Public Key.  Whitespace is allowed within the Base64 text.  For a
  definition of Base64 encoding, see [RFC 3548].

Hugo
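The RFC text Hugo quotes, applied: this added example (not code from the thread, from BIND, or from ISC) parses a DNSKEY record in presentation format, joins the Base64 key whether or not it has been split by whitespace as in bind.keys, and computes the RFC 4034 Appendix B key tag so two copies of a key can be checked against each other. The key material is constructed and is not the real root key.

```python
import base64
import struct

def parse_dnskey(line: str) -> dict:
    """Parse a DNSKEY RR in presentation format (RFC 4034 section 2.2):
    owner [TTL] [class] DNSKEY flags protocol algorithm base64-key.
    Whitespace inside the Base64 key is permitted, so the key is
    reassembled from every token after the algorithm field."""
    tokens = line.split(";", 1)[0].split()   # drop a trailing ; comment
    if "DNSKEY" not in tokens:
        raise ValueError("not a DNSKEY record: %r" % line)
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    b64 = "".join(tokens[i + 4:])
    return {
        "owner": tokens[0],
        "flags": flags,
        "protocol": protocol,
        "algorithm": algorithm,
        "key": base64.b64decode(b64, validate=True),
    }

def key_tag(rec: dict) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B); compare it with the
    'key id' published alongside a key to confirm a copied key is intact."""
    rdata = struct.pack("!HBB", rec["flags"], rec["protocol"], rec["algorithm"]) + rec["key"]
    ac = 0
    for pos, byte in enumerate(rdata):
        ac += byte << 8 if pos % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def same_key(rr_a: str, rr_b: str) -> bool:
    """True when two presentation-format lines describe the same DNSKEY."""
    a, b = parse_dnskey(rr_a), parse_dnskey(rr_b)
    return a["key"] == b["key"] and key_tag(a) == key_tag(b)

# Constructed key material (not the real root key). The same key is written once
# as a single Base64 run and once split every 8 characters, as bind.keys does.
KEY_BYTES = b"constructed DNSKEY material, not a real public key"
ONE_RUN = base64.b64encode(KEY_BYTES).decode()
SPLIT = " ".join(ONE_RUN[n:n + 8] for n in range(0, len(ONE_RUN), 8))
RR_ONE_RUN = ". IN DNSKEY 257 3 8 %s" % ONE_RUN
RR_SPLIT = ". 3600 IN DNSKEY 257 3 8 %s ; key id = constructed" % SPLIT
```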


Re: Nslookup not working for external domain

2010-11-17 Thread Barry Margolin
In article ,
 "Moore, Mark A."  wrote:

> We are running into an issue where one of our slave servers isn't resolving 
> non-local domain names.  For the two domains hosted on this server, we can 
> resolve any entry. However, if we try to do an nslookup to cnn, google, 
> yahoo, etc. it fails. We have turned off iptables and verified internet 
> connectivity. Below is the error we get. What other areas should we be 
> looking at to troubleshoot?

Make sure your firewall allows the first server to go out to the 
Internet on UDP port 53.

Can you post its named.conf?

> 
> Thx in advance for any help given.
> 
> nslookup www.cnn.com
> ;; Got SERVFAIL reply from 192.243.160.18, trying next server
> Server: 192.243.130.42
> Address: 192.243.130.42#53
> 
> Non-authoritative answer:
> Name: www.cnn.com
> Address: 157.166.226.26
> Name: www.cnn.com
> Address: 157.166.255.18
> Name: www.cnn.com
> Address: 157.166.255.19
> Name: www.cnn.com
> Address: 157.166.224.25
> Name: www.cnn.com
> Address: 157.166.224.26
> Name: www.cnn.com
> Address: 157.166.226.25
> 
> 
> Mark

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


Re: High named CPU every 10 minutes?

2010-11-17 Thread Dave Sparro

On 11/17/2010 2:26 PM, blrmaani wrote:

I see a peculiar behavior on my DNS server. The named CPU reaches 90%+
every 10 minutes and my monitoring software keeps paging me.

I have a DNS host running FreeBSD 7.x, running BIND 9.4.x on a 2-CPU
machine with 4GB RAM. It is a recursive DNS server.


Do you have the cache cleaning interval set to 10 in your configuration?

--
Dave