Re: dotted hostname is bad IMO
In article , p...@mail.nsbeta.info wrote:

> given the domain name of "126.com", and given an A RR in its zone is:
>
> s1.s2.s3 IN A 11.22.33.44
>
> OK when a dns cache query for s1.s2.s3.126.com the first time, it will
> follow the logic:
>
> #1, s1.s2.s3.126.com has NS RR in cache? (no)
> #2, s2.s3.126.com has NS RR in cache? (no)
> #3, s3.126.com has NS RR in cache? (no)
> #4, 126.com has NS RR in cache? (yes most time, since 126.com is a famous
> domain).
> #5, Goto 126.com's NS fetch the result.
>
> The process is complicated.
> But if the hostname is "s1-s2-s3.126.com", what will the dns cache do by
> the first query? it will just do:
>
> #1, 126.com has NS RR in cache? (yes)
> #2, go there fetching the result.
>
> It's much simpler and faster.
>
> So I don't think dotted hostname is good practice.

I don't think it's something you need to worry about. DNS servers organize their cache data structures to make steps 1-4 easy to perform all at once.

Time to pull out your copy of Knuth "Sorting and Searching".

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
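The single pass Barry refers to, as an added example (Python, not code from the thread or from BIND): the cache is a tree of labels starting at the root, so finding the closest cached delegation costs as many steps as there is cached data on the path, not as many as the query has labels. All names and NS data are constructed.

```python
"""Reverse-label tree lookup of the closest cached delegation.
Shows that s1.s2.s3.126.com and s1-s2-s3.126.com take the same number of
tree steps when only "126.com" (and its parents) are cached."""


def labels_from_root(name):
    """'s1.s2.s3.126.com.' -> ['com', '126', 's3', 's2', 's1']"""
    return [l for l in name.lower().rstrip(".").split(".") if l][::-1]


class DelegationCache:
    """Tree keyed by label from the root; a node may carry a cached NS RRset."""

    def __init__(self):
        self.root = {"children": {}, "ns": None}

    def add_ns(self, zone, nameservers):
        node = self.root
        for label in labels_from_root(zone):
            node = node["children"].setdefault(label, {"children": {}, "ns": None})
        node["ns"] = set(nameservers)

    def closest_delegation(self, qname):
        """Descend from the root toward qname once, remembering the deepest
        node that has an NS RRset. Returns (zone, nameservers, tree_steps).
        This one walk replaces the poster's steps #1 to #4."""
        labels = labels_from_root(qname)
        node, best, steps = self.root, None, 0
        for i, label in enumerate(labels):
            child = node["children"].get(label)
            if child is None:
                break                      # nothing cached below this point
            steps += 1
            node = child
            if node["ns"] is not None:
                best = (".".join(reversed(labels[: i + 1])), node["ns"])
        if best is None:                   # fall back to the root hints
            return (".", self.root["ns"] or set(), steps)
        return (best[0], best[1], steps)


def build_demo_cache():
    """Constructed cache contents: root, com, and the 126.com delegation."""
    cache = DelegationCache()
    cache.add_ns(".", ["a.root-servers.net"])
    cache.add_ns("com", ["a.gtld-servers.net"])
    cache.add_ns("126.com", ["ns1.126.com", "ns2.126.com"])
    return cache


if __name__ == "__main__":
    cache = build_demo_cache()
    for q in ("s1.s2.s3.126.com", "s1-s2-s3.126.com"):
        zone, ns, steps = cache.closest_delegation(q)
        print(f"{q}: ask {sorted(ns)} for {zone}, {steps} tree steps")
```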
Querying the SOA timers
Hello,

I have had a bit of a Google but I have been unsuccessful in finding an answer to this one.

We currently have bind acting as a slave server for a number of different zones. The owners of these zones sometimes change configuration without letting us know, resulting in zones expiring.

I would like to know if there is a way to query how long is left to run on the various timers listed in the SOA. What I would like is the following information about a given zone:

* The date and time the last notify was received (was it successful)
* The date and time the zone was last refreshed (was it successful)
* The date and time of the next refresh
* The date and time the zone will expire

Is this information readily available in bind and if so how would I query it? If not, does anyone have any ideas about how this information could be reliably collected? This information would more than likely be used in either a nagios check or a daily email.

Thank you
John
Re: Querying the SOA timers
I once wrote a perl script for nagios plugin and posted it to the list. Just to check both master and slave's serial number to see if they are the same to verify the zone data in every name server is correct.

#!/usr/bin/perl
# Nagios check: compare the SOA serial of one zone on a master and a slave.
use strict;
use warnings;
use Net::DNS;
use Getopt::Std;

my %opts;
getopts('hm:s:z:', \%opts);
if ($opts{'h'}) { usage(); }
my $master = $opts{'m'} || usage();
my $slave  = $opts{'s'} || usage();
my $zone   = $opts{'z'} || usage();

my $s1 = qrsoa($master, $zone);
my $s2 = qrsoa($slave, $zone);
if ($s1 != -1 && $s1 == $s2) {
    print "OK\n";
    exit 0;
} else {
    print "CRITICAL: zone $zone sync error\n";
    exit 2;
}

# Ask $host for the SOA of $zone and return its serial, or -1 when there is
# no usable answer (timeout, REFUSED, no SOA in the answer section).
sub qrsoa {
    my $host = shift;
    my $zone = shift;
    my $res   = Net::DNS::Resolver->new(nameservers => [$host]);
    my $query = $res->query($zone, "SOA");
    return -1 unless $query;
    my ($soa) = grep { $_->type eq 'SOA' } $query->answer;
    return $soa ? $soa->serial : -1;
}

# The usage text was cut off in the list archive; this body is reconstructed
# from the getopts() string above.
sub usage {
    print <<"USAGE";
Usage: $0 -m <master> -s <slave> -z <zone>
  -m  master name server to query
  -s  slave name server to query
  -z  zone name
  -h  this help
USAGE
    exit 3;    # UNKNOWN, in Nagios terms
}

HTH.

Regards.

Balder writes:
> Hello,
>
> I have had a bit of a Google but I have been unsuccessful in finding an answer to this one.
>
> We currently have bind acting as a slave server for a number of different zones. The owners of these zones sometimes change configuration without letting us know, resulting in zones expiring.
>
> I would like to know if there is a way to query how long is left to run on the various timers listed in the SOA. What I would like is the following information about a given zone:
>
> * The date and time the last notify was received (was it successful)
> * The date and time the zone was last refreshed (was it successful)
> * The date and time of the next refresh
> * The date and time the zone will expire
>
> Is this information readily available in bind and if so how would I query it? If not, does anyone have any ideas about how this information could be reliably collected? This information would more than likely be used in either a nagios check or a daily email.
Fwd: Querying the SOA timers
On 1 February 2011 10:04, wrote:
> I once wrote a perl script for nagios plugin and posted it to the list.
> Just to check both master and slave's serial number to see if they are the
> same to verify the zone data in every name server is correct.

Hello,

Thanks for this, however it would be useful if I could query the timers maintained at the slave server directly, as it is still possible for a slave server to have an up-to-date serial but still expire the zone.

The only way I can think of getting something close to what I want is by checking the file modification time of the zone on disc and adding the zone expiry to that. Something like the following (this assumes you have all zones in one folder and the file name is the same as the zone). However I know this is not perfect; if anyone has anything better please let me know.

for zone in *; do
    zone_lastupdated=$(stat -c %Y "${zone}")     # mtime of the zone file
    expiry=$(dig +short SOA "${zone}" @localhost | awk '{print $6}')
    zone_expires=$((zone_lastupdated + expiry))
    echo "${zone} expires on $(date --date "@${zone_expires}")"
done

thanks
john
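The same idea as John's loop, as an added example (Python, not code from the thread): parse captured `dig +short SOA` output, take the last successful transfer time (the zone file's mtime in John's approach), and turn the refresh/retry/expire timers into a Nagios-style state. The SOA text and timestamps are constructed, and the WARNING threshold (a refresh was due and one retry interval has also passed) is my choice, not something the thread specifies.

```python
import time

# Constructed sample of what `dig +short SOA example.com @localhost` prints:
# mname rname serial refresh retry expire minimum
SAMPLE_SOA = "ns1.example.com. hostmaster.example.com. 2011020101 3600 900 604800 86400"

NAGIOS_CODES = {"OK": 0, "WARNING": 1, "CRITICAL": 2, "UNKNOWN": 3}


def parse_soa(short_soa):
    """Split `dig +short SOA` output into its seven RFC 1035 fields."""
    fields = short_soa.split()
    if len(fields) != 7:
        raise ValueError("expected 7 SOA fields, got %d" % len(fields))
    keys = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
    soa = dict(zip(keys, fields))
    for key in keys[2:]:
        soa[key] = int(soa[key])
    return soa


def zone_timer_status(short_soa, last_refresh, now):
    """Classify a slave zone from its SOA timers and the epoch time of the
    last successful transfer (John's proxy for that is the file's mtime).
    Returns (state, nagios_exit_code, next_refresh, expires_at)."""
    soa = parse_soa(short_soa)
    next_refresh = last_refresh + soa["refresh"]
    expires_at = last_refresh + soa["expire"]
    if now >= expires_at:
        state = "CRITICAL"      # expired: a BIND slave answers SERVFAIL for it
    elif now > next_refresh + soa["retry"]:
        state = "WARNING"       # refresh was due and at least one retry failed
    else:
        state = "OK"
    return state, NAGIOS_CODES[state], next_refresh, expires_at


def _utc(t):
    return time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(t))


def report(zone, short_soa, last_refresh, now=None):
    """One-line Nagios output plus the exit code for the given zone."""
    now = time.time() if now is None else now
    state, code, nxt, exp = zone_timer_status(short_soa, last_refresh, now)
    msg = "%s %s: next refresh %s, expires %s (%d s left)" % (
        state, zone, _utc(nxt), _utc(exp), int(exp - now))
    return code, msg


if __name__ == "__main__":
    # Pretend the zone file was last written two hours ago.
    exit_code, line = report("example.com", SAMPLE_SOA, time.time() - 7200)
    print(line)
```

In a real check the mtime would come from os.stat() on the zone file and the SOA text from running dig, exactly as in John's loop.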
Re: [OT] does deliveragent must have a PTR RR
See RFC1123 and RFC1912 which suggest that legitimate nodes on the Internet have appropriate forward/reverse DNS entries. By appropriate, I mean DNS entries which distinguish which hosts are static/business space from residential/dhcp space.

Reason: So others on the Internet can make informed decisions on 3rd party source traffic.

Example: Email admins seeing SMTP connections from foo.dynamic.bar versus foo.static.bar. One of these is most likely abusive. This is what AOL is doing to protect their customers.

----- Original Message -----
> From: Mark Andrews
> To: Lyle Giese
> Cc: bind-users
> Sent: Tue, February 1, 2011 12:40:11 AM
> Subject: Re: [OT] does deliveragent must have a PTR RR
>
>
> In message <4d4784c4.2020...@lcrcomputer.net>, Lyle Giese writes:
> > p...@mail.nsbeta.info wrote:
> > > Hi list,
> > > I can't setup a ptr RR for my mailserver's IP.
> > > Here the main ISPs who are owned by this garbage state take expensive
> > > price for setup a reverse record for a public IP. It's about 30 USD
> > > each month for each IP.
> > > But some MTAs do require the peer deliveragent has a PTR RR, like
> > > AOL's email systems.
> > > Is there a special RFC for this requirement?
> > > Regards.
> > > Mail Delivery System writes:
> > >> This is the mail system at host mail.nsbeta.info.
> > >> I'm sorry to have to inform you that your message could not
> > >> be delivered to one or more recipients. It's attached below.
> > >> For further assistance, please send mail to postmaster.
> > >> If you do so, please include this problem report. You can
> > >> delete your own text from the attached returned message.
> > >> The mail system
> > >> : host mx1.beth.k12.pa.us[209.96.96.11] said:
> > >> 450 4.7.1
> > >> Client host rejected: cannot find your reverse hostname, [121.9.221.212]
> > >> (in reply to RCPT TO command)
> >
> > I do not believe this to be fully covered in an RFC, but came about as
> > Best Practices as we fight SPAM. The best source for the Best Practices
> > for this is at http://postmaster.aol.com
>
> And is also against RFC requirements.
>
> > Wander through ALL of the pages that this area at AOL has to offer or
> > you will miss some important points, like that 12 hrs is considered the
> > min TTL for A and PTR records for mail servers. Less than 12 hrs TTL on
> > these records are considered by default indicators of dynamic IP addresses.
>
> You can't infer diddly squat from a TTL. There are plenty of reasons
> to want a low ttl other than it was assigned dynamically.
>
> * I'm going to renumber my whole network because I'm switching
> ISP's so I've reduced my TTL's to 5 minutes to reduce the impact
> of the renumbering.
>
> * I have a warm spare in a different data center and as most clients
> behave badly when one of the addresses is unreachable I only advertise
> one address.
>
> More stupid unrealistic hoops to jump through.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Some dnssec-signzone questions
I have three questions regarding dnssec-signzone. To clarify things, I'm using BIND 9.7.2-P2.

First is about the input file: you can specify on the command line either the signed version of the zone, or the unsigned one. What I'd like to do, however, is to use both. The unsigned zone is much more readable, and can contain $INCLUDE directives, which makes modification easier. But specifying the signed zone has the added benefit of reusing existing signatures, thus saving on computation time (not that I have a lot to save on ;). So, I'd like dnssec-signzone to take 'normal' records from the non-signed zone, try to reuse RRSIG records as much as possible, taking them from the signed zone, and write the result. Is this possible with dnssec-signzone? Other than writing a custom tool to filter only NSEC/RRSIG records from .signed and appending this file to the unsigned zone? Which might not be that hard, probably a simple sed script would do.

Another is about key management and the -S option: guessing by what I've read in the man page, -S should use key metadata to decide when to include/exclude/use/revoke the key. However, I've been unable to make it work. I have 2 KSK keys, one of them set to revoke in the past, as dnssec-settime kindly tells me. But, when I do dnssec-signzone -S on the unsigned file, I get the error message:

dnssec-signzone: fatal: cannot find DNSKEY RRSIGs

and nothing is signed. dnssec-signzone without -S can properly sign the zone, ignoring the revocation time. Then, I do dnssec-signzone -S on the signed file, which only retains old signatures, also happily ignoring the revocation time. What am I doing wrong, why does it fail to behave as I'd expect?

Third is about the -N option: a well established practice (although I don't know what was the origin) is to set the SOA serial number to eg 2011020101, which is the current day and a two-digit daily version. This has the benefit of being almost as good as putting the unixtime of last modification, while being much more human-readable. How difficult would it be to implement this for dnssec-signzone -N, using a fourth format specifier?

Regards,
Torinthiel
RE: dotted hostname is bad IMO
Thanks for all the responses...learned a thing or two ;-)

What I was basically fishing for was whether using periods was acceptable practice, frowned upon, or discretionary.

Thanks...
Vyto

> -----Original Message-----
> From: bind-users-bounces+vyto=fnal@lists.isc.org [mailto:bind-users-bounces+vyto=fnal@lists.isc.org] On Behalf Of Barry Margolin
> Sent: Tuesday, February 01, 2011 1:57 AM
> To: comp-protocols-dns-b...@isc.org
> Subject: Re: dotted hostname is bad IMO
>
> In article ,
> p...@mail.nsbeta.info wrote:
>
> > given the domain name of "126.com", and given an A RR in its zone is:
> >
> > s1.s2.s3 IN A 11.22.33.44
> >
> > OK when a dns cache query for s1.s2.s3.126.com the first time, it will
> > follow the logic:
> >
> > #1, s1.s2.s3.126.com has NS RR in cache? (no)
> > #2, s2.s3.126.com has NS RR in cache? (no)
> > #3, s3.126.com has NS RR in cache? (no)
> > #4, 126.com has NS RR in cache? (yes most time, since 126.com is a famous
> > domain).
> > #5, Goto 126.com's NS fetch the result.
> >
> > The process is complicated.
> > But if the hostname is "s1-s2-s3.126.com", what will the dns cache do by
> > the first query? it will just do:
> >
> > #1, 126.com has NS RR in cache? (yes)
> > #2, go there fetching the result.
> >
> > It's much simpler and faster.
> >
> > So I don't think dotted hostname is good practice.
>
> I don't think it's something you need to worry about. DNS servers
> organize their cache data structures to make steps 1-4 easy to perform
> all at once.
>
> Time to pull out your copy of Knuth "Sorting and Searching".
>
> --
> Barry Margolin, bar...@alum.mit.edu
> Arlington, MA
> *** PLEASE don't copy me on replies, I'll read them in the group ***
bind8 and bind9 installed on the same server: possible?
Dear all,

I plan to upgrade my nameservers from bind8 to bind9. I guess I will encounter some compatibility problems, notably in the layout of the zone files.

- can anybody give me the points of attention for this upgrade? Your experience will be appreciated.

- is it possible to install bind9 without removing bind8, in order to be able to easily and quickly switch from bind8 to bind9 and vice versa?

Thanks for your support.

Hugo,
Re: bind8 and bind9 installed on the same server: possible?
On 01/02/11 16:33, hugo hugoo wrote:
> Dear all,
>
> I plan to upgrade my nameservers from bind8 to bind9. I guess I will encounter some compatibility problems, notably in the layout of the zone files.
>
> - can anybody give me the points of attention for this upgrade? Your experience will be appreciated.
>
> - is it possible to install bind9 without removing bind8, in order to be able to easily and quickly switch from bind8 to bind9 and vice versa?

We used to compile different versions of bind9 to different locations using

./configure --prefix=/usr/local/bind-$VER

then use symlinks to switch between versions - that's probably your best approach.

(We don't bother these days, and build OS packages and use cfengine to manage configs and versions)
Re: bind8 and bind9 installed on the same server: possible?
On Tue, 1 Feb 2011, hugo hugoo wrote:

> I plan to upgrade my nameservers from bind8 to bind9.
> I guess I will encounter some compatibility problems notably in the layout
> of the zone files
>
> - can anybody give me the points of attention for this upgrade? Your
> experience will be appreciated.

The BIND 9 source includes "BIND 8 to BIND 9 Migration Notes". Please see doc/misc/migration

> - is it possible to install bind9 without removing bind8 in order to be able to
> easily and quickly switch from bind8 to bind9 and vice versa?

If installing from source, you can build BIND 9 using

./configure --prefix=/usr/local/bind9

(change the path as you like so as not to overwrite the existing install).

Jeremy C. Reed
ISC
Re: Some dnssec-signzone questions
On Tue, 1 Feb 2011, Torinthiel wrote:

> To clarify things, I'm using BIND 9.7.2-P2.
>
> First is about the input file: you can specify on the command line either the
> signed version of the zone, or the unsigned one.
> What I'd like to do, however, is to use both.
> The unsigned zone is much more readable, and can contain $INCLUDE directives,
> which makes modification easier.
> But specifying the signed zone has the added benefit of reusing existing
> signatures, thus saving on computation time (not that I have a lot to save
> on ;). So, I'd like dnssec-signzone to take 'normal' records from the non-signed
> zone, try to reuse RRSIG records as much as possible, taking them from the
> signed zone, and write the result.

see ldns-read-zone -d (data without sigs) and ldns-read-zone -s (sigs only) combined with -n (don't print soa) for one of them.

Basically run the signed zone through ldns-read-zone -s, concatenate it with your unsigned zone, and run it through dnssec-signzone.

Paul
Re: Some dnssec-signzone questions
On Tue, 1 Feb 2011, Torinthiel wrote:
> Third is about the -N option:
> a well established practice (although I don't know what was the origin) is
> to set the SOA serial number to eg 2011020101, which is the current day and
> a two-digit daily version. This has the benefit of being almost as good as
> putting the unixtime of last modification, while being much more
> human-readable.
> How difficult would it be to implement this for dnssec-signzone -N, using a
> fourth format specifier?

It's not hard. See my bind-users post of Oct 15 with subject:
   more flexible serial number handling in dnssec-signzone

Since then I've quit using the serial number fiddling ability of dnssec-signzone. The problem is that it doesn't increment the serial number in the unsigned file, so future uses of "dnssec-signzone -N" could result with the same or even lower values.

Instead, I created a zap-serial tool to zap the serial number in place within the unsigned zone file, either to a new literal value or incrementing the old number. My DNSSEC-related processes now zap the serial number before signing with dnssec-signzone. You can find the C source for zap-serial & some possibly useful other DNSSEC-related scripts here (at least for now):
   http://seatpost.its.uiowa.edu/bind_stuff

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
Re: what's a valid domain name?
On Sun, Jan 30, 2011 at 09:40:51AM +0800, p...@mail.nsbeta.info wrote:
> Joseph S D Yao writes:
> >
> > The labels must follow the rules for ARPANET host names. They must
> > start with a letter, end with a letter or digit, and have as interior
> > characters only letters, digits, and hyphen. There are also some
> > restrictions on the length. Labels must be 63 characters or less.
> >
>
> A label must start with a letter? oh I don't think so.
> How about these domains which all have huge DNS traffic?
>
> 163.com
> 126.com
> 51.com
> 56.com
>
> yes 163.com is a domain name but "163" also can be treated as a label for
> domain "com.", is it?

That's why I said it was modified later. Did you read the whole message I wrote? I spent hours slaving over a hot bit-griddle just to make it for you.

--
/*\
**
** Joe Yao                j...@tux.org - Joseph S. D. Yao
**
\*/
Re: dotted hostname is bad IMO
On Tue, Feb 01, 2011 at 11:11:47AM +0800, p...@mail.nsbeta.info wrote:
...
> So I don't think dotted hostname is good practice.
...

You need to read the whole posting. Another poster pointed out that the dot _ I S _ the DNS delimiter.

--
/*\
**
** Joe Yao                j...@tux.org - Joseph S. D. Yao
**
\*/
Re: bind8 and bind9 installed on the same server: possible?
> I plan to upgrade my nameservers from bind8 to bind9.
> I guess I will encounter some compatibility problems notably in the layout
> of the zone files

Depends how freaky the zonefiles were before. You could end up having to _not_ change a thing except for a couple of changes in your named.conf.

> - can anybody give me the points of attention for this upgrade? Your
> experience will be appreciated.

Well, I don't know if there are any oddities to your setup. At the very least, I'd recommend you run through your named.conf with "named-checkconf" from BIND 9. If it's an option, you could copy your named.conf + all the zonefiles etc to another server (or VM, zone, jail etc) and try to load it there. If you're running a pretty much standard authoritative server, it shouldn't be too hard to get this to work with BIND 9.

> - is it possible to install bind9 without removing bind8 in order to be able to
> easily and quickly switch from bind8 to bind9 and vice versa?

As was suggested by others, if you compile from source it's easy to give each version a specific directory to live in. If you on the other hand like to go with some vendor supplied BIND for some operating system / distribution, I guess it depends on how it's packaged etc.

Regards
Eivind Olsen
Re: Some dnssec-signzone questions
On 02/01/11 19:44, Paul Wouters wrote:
> On Tue, 1 Feb 2011, Torinthiel wrote:
>
>> To clarify things, I'm using BIND 9.7.2-P2.
>>
>> First is about the input file: you can specify on the command line either
>> the signed version of the zone, or the unsigned one.
>> What I'd like to do, however, is to use both.
>> The unsigned zone is much more readable, and can contain $INCLUDE
>> directives, which makes modification easier.
>> But specifying the signed zone has the added benefit of reusing existing
>> signatures, thus saving on computation time (not that I have a lot to
>> save on ;). So, I'd like dnssec-signzone to take 'normal' records from
>> the non-signed zone, try to reuse RRSIG records as much as possible,
>> taking them from the signed zone, and write the result.
>
> see ldns-read-zone -d (data without sigs) and ldns-read-zone -s (sigs
> only) combined with -n (don't print soa) for one of them.

Thanks, nice tool. I'd have to look at ldns-* as I've only used drill from the ldns packages.

> Basically run the signed zone through ldns-read-zone -s, concatenate it
> with your unsigned zone, and run it through dnssec-signzone.

Or have a script that either strips the data from the signed zone or creates an empty file, and then $INCLUDE that file in the original unsigned zone.

Torinthiel
Re: Some dnssec-signzone questions
On 02/01/11 22:13, Jay Ford wrote:
> On Tue, 1 Feb 2011, Torinthiel wrote:
>> Third is about the -N option:
>> a well established practice (although I don't know what was the
>> origin) is to set the SOA serial number to eg 2011020101, which is the
>> current day and a two-digit daily version. This has the benefit of being
>> almost as good as putting the unixtime of last modification, while being
>> much more human-readable.
>> How difficult would it be to implement this for dnssec-signzone -N,
>> using a fourth format specifier?
>
> It's not hard. See my bind-users post of Oct 15 with subject:
>    more flexible serial number handling in dnssec-signzone
>
> Since then I've quit using the serial number fiddling ability of
> dnssec-signzone. The problem is that it doesn't increment the serial
> number in the unsigned file, so future uses of "dnssec-signzone -N"
> could result with the same or even lower values.

Yes, that's a problem. Combined with ldns-read-zone and the answer to my first question this could make dnssec-signzone read the good SOA record. I was also thinking of simply changing it by sed in a script.

> Instead, I created a zap-serial tool to zap the serial number in place
> within the unsigned zone file, either to a new literal value or
> incrementing the old number. My DNSSEC-related processes now zap the
> serial number before signing with dnssec-signzone. You can find the C
> source for zap-serial & some possibly useful other DNSSEC-related
> scripts here (at least for now):
>    http://seatpost.its.uiowa.edu/bind_stuff

Nice set of scripts. I was thinking of writing my own with probably similar functionality, but I'll start with those. Main difference is that I don't store keys online, so I'd like the scripts to notify me that signing is necessary instead of signing.

Torinthiel
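The serial handling this thread circles around (Torinthiel's YYYYMMDDnn scheme and Jay's point that the serial must be bumped in the unsigned file, not only in the signed output), as an added example in Python. It is not Jay's zap-serial and not BIND's -N code: it rewrites the SOA serial in place in unsigned zone text, uses today's date-based slot when that yields a larger number, and otherwise steps by one so the serial still increases under RFC 1982 arithmetic. The zone fragment is constructed, and the regex assumes the serial is the first number after the RNAME.

```python
import re
from datetime import date

SERIAL_MOD = 2 ** 32
MAX_INCREMENT = 2 ** 31 - 1     # RFC 1982: one step must be smaller than 2^31


def next_serial(current, today=None):
    """Next serial: today's first slot (YYYYMMDD01), the next free slot of the
    day, or current+1 when the date scheme cannot produce a larger value
    (99 slots used up, a unixtime serial, a typo'd future date). Wraps past
    2^32 and skips 0 by convention."""
    today = date.today() if today is None else today
    day_base = int(today.strftime("%Y%m%d")) * 100
    if current < day_base + 1:
        return day_base + 1                 # first edit of the day
    if current < day_base + 99:
        return current + 1                  # another edit on the same day
    new = (current + 1) % SERIAL_MOD
    return new if new != 0 else 1


def serial_compares_greater(new, old):
    """RFC 1982 serial arithmetic: does `new` count as an increase over `old`?"""
    diff = (new - old) % SERIAL_MOD
    return 0 < diff <= MAX_INCREMENT


# Matches "SOA <mname> <rname> [(] <serial>", also when the SOA spans lines.
_SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)")


def zap_serial(zone_text, today=None):
    """Rewrite the serial inside unsigned zone text; return (text, old, new)."""
    m = _SOA_SERIAL.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found in zone text")
    old = int(m.group(2))
    new = next_serial(old, today)
    if not serial_compares_greater(new, old):
        raise RuntimeError("new serial %d does not increase %d" % (new, old))
    return zone_text[: m.start(2)] + str(new) + zone_text[m.end(2):], old, new


# Constructed unsigned zone fragment with the usual multi-line SOA layout.
SAMPLE_ZONE = """$TTL 3600
@  IN SOA ns1.example.com. hostmaster.example.com. (
        2011020101 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; minimum
   IN NS  ns1.example.com.
"""

if __name__ == "__main__":
    text, old, new = zap_serial(SAMPLE_ZONE, date(2011, 2, 1))
    print("serial %d -> %d" % (old, new))
    print(text)
```

Run this on the unsigned file before dnssec-signzone, as Jay describes, so the signed output and the source stay in step.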