question about overlapping reverse zones
Hello,

I would like to know if it is possible to configure overlapping reverse zones in Bind. For example, load all the reverse zones for IPv4 private addressing that come configured by default with the Bind package of my Linux distribution:

zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

And only add one new zone for a specific zone for which I need reverse resolution:

zone "10.10.10.in-addr.arpa" { type master; file "/etc/bind/db.rev.10.10.10"; };

- Could I configure two overlapping in-addr.arpa zones in Bind?
- If I do a reverse zone resolution I suppose that the more specific zone (for 10.10.10.10, zone 10.10.10.in-addr.arpa) would be the one chosen by Bind to respond (instead of 10.in-addr.arpa). Is that true?

Thanks,
--
Christian Pinedo Zamalloa (zako)
PGP keyID: 0x828D0C80
Fingerprint: 7BFF 4105 F46B 7977 BD96 348C 1007 4FF8 828D 0C80
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: question about overlapping reverse zones
On Tue, Aug 09, 2011 at 02:52:10PM +0200, Christian Pinedo Zamalloa wrote:
> I would like to know if it is possible to configure in Bind
> overlapping reverse zones. For example, load all reverse zones for
> IPv4 private addressing that come configured by default with the
> package Bind of my Linux distribution:
>
> zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };

BIND named does this by default now. Did you know that? Did your distribution BIND packager know that? :)

See the "Built-in Empty Zones" section under "options Statement Definition and Usage" in BIND 9 ARM chapter 6.

> And only add one new zone for a specific zone for which I need
> reserve resolution:
>
> zone "10.10.10.in-addr.arpa" { type master; file
> "/etc/bind/db.rev.10.10.10"; };
>
> - Could I configure two overlapping in-addr.arpa zones in Bind?

First off, understand that there is nothing "magical" about in-addr.arpa zones. DNS is DNS, and it all works the same way.

The right way to do it, if you need both zones, is to put proper delegation records in the parent domain.

The simple way to do it, if you only want records for 10.10.10.in-addr.arpa and NXDOMAIN for the rest of 10.in-addr.arpa, would be to use 10.in-addr.arpa. Lo and behold, any reversed IP addresses which do not have corresponding PTR records will come up with NXDOMAIN results.

> - If I do a reverse zone resolution I suppose that the more
> specific zone (for 10.10.10.10 zone 10.10.10.in-addr.arpa) would
> be the chosen by Bind to respond (instead of 10.in-addr.arpa). Is
> that true?

I have no idea. You could try it and see? Or, just do it as I suggested, which is easier and better anyway.
--
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
Memory utilisation problem on busy bind resolver
Hi folks,

We are running a number of BIND 9.7.3-p3 caching nameservers. In the last couple of months, we've observed the memory utilisation of named increasing at a steady rate of 1-2% per day on our busiest resolver with no indication of subsiding - on occasion, there have been large step increases of 1 GB or so.

All our other resolvers are configured identically but are behaving themselves with memory utilisation remaining at fairly constant levels.

I've looked at all the named logs until my eyeballs have almost fallen out of my head but am unable to determine the cause of this. So I'm taking a step back and hoping to get some advice - what else can I do to find the cause of this? Or is it something I simply need to live with?

We're looking at measures such as periodic cache flushes, and tuning max-cache-size, max-cache-ttl and max-cache-nttl params to limit memory usage, but this may only be treating the symptom and costs us extra cpu cycles.

Regards
Dennis
Re: Memory utilisation problem on busy bind resolver
Hi, Dennis--

On Aug 9, 2011, at 7:31 AM, Dennis Perisa wrote:
> We are running a number of BIND 9.7.3-p3 caching nameservers. In the
> last couple of months, we've observed the memory utilisation of named
> increasing at a steady rate of 1-2% per day on our busiest resolver
> with no indication of subsiding - on occasion, there have been large
> step increases of 1 GB or so.

Yeah, I've seen similar things on machines used to perform DNS resolution of busy webserver logfiles-- seemed like BIND-9.4 (.4.ESV.4) was ignoring the max-cache-size setting entirely, but BIND-9.6.x seemed to do OK. I wonder if there's a regression with BIND-9.7.x?

> All our other resolvers are configured identically but are behaving
> themselves with memory utilisation remaining at fairly constant
> levels.
>
> I've looked at all the named logs until my eyeballs have almost fallen
> out of my head but am unable to determine the cause of this. So I'm
> taking a step back and hoping to get some advice - what else can I do
> to find the cause of this? Or is it something I simply need to live
> with?

It could be anything from memory leaks in named or the system libraries like libc, to a bug in named not honoring the cache size settings. Does a cache flush actually help reduce VM usage of named in your case?

You haven't mentioned which platform you are using, but looking for leaks can involve anything from "env MALLOC_OPTIONS='U' ktrace named" for many BSD flavors, "leaks named" for OS X, mtrace() for GNU libc, to recompiling named and the libraries using Valgrind/Purify/etc. Or, one can also use gdb to attach to a running named and try to see the current state of the cache and so forth; someone from ISC who is more familiar with the exact code there can probably give more specific debugging hints.

> We're looking at measures such as periodic cache flushes, and tuning
> max-cache-size, max-cache-ttl and max-cache-nttl params to limit
> memory usage, but this may only be treating the symptom and costs us
> extra cpu cycles.

I hear this-- in my prior case, tuning max-cache-size, recursive-clients, etc didn't make any difference...

Regards,
--
-Chuck
New version of nsdiff
The "nsdiff" program examines old and new versions of a DNS zone and outputs the differences as a script for use by BIND's nsupdate program. It allows you to continue to manually maintain flat text master files as before, and feed the changes you make into named's easy dynamic DNSSEC support.

This version fixes the handling of TTL changes, and adds support for using TSIG when fetching the old version of the zone (e.g. to support views). It now has documentation.

http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/bind/bin/nsdiff

Tony.
--
f.anthony.n.finch  http://dotat.at/
Sole, Lundy, Fastnet: West or northwest, backing southwest, 3 or 4, increasing 5 to 7 later. Slight or moderate, occasionally rough later. Mainly fair. Good.
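An added sketch of the diff-to-nsupdate idea described above, written for this page rather than taken from nsdiff itself (its code is at the URL in the announcement). The simplified zone format, the example.com records and the choice to skip the SOA are assumptions of the example; it shows why a TTL change needs the whole RRset replaced.

```python
# Added example: the diff-to-nsupdate idea behind nsdiff, written for this
# page (it is not nsdiff's own code). Zone text is a constructed, simplified
# presentation format: one "owner ttl type rdata" record per line, class IN
# implied, no $TTL/$ORIGIN directives, ';' starts a comment.

def parse_zone(text):
    """Return {(owner, type): (ttl, {rdata, ...})}. Records with the same
    owner and type form one RRset and share one TTL (RFC 2181 section 5.2);
    the first TTL seen for an RRset is kept."""
    rrsets = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, rtype, rdata = line.split(None, 3)
        key = (owner.lower(), rtype.upper())
        if key not in rrsets:
            rrsets[key] = (int(ttl), set())
        rrsets[key][1].add(rdata.strip())
    return rrsets

def nsdiff(old_text, new_text, zone):
    """Return nsupdate commands turning the old zone into the new one.
    'update delete owner type' removes a whole RRset, 'update delete owner
    type rdata' a single record, and 'update add' carries the TTL. The SOA
    is skipped here on the assumption that named maintains the serial itself
    (an assumption of this example)."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    cmds = ["zone %s" % zone]
    for owner, rtype in sorted(set(old) | set(new)):
        if rtype == "SOA":
            continue
        key = (owner, rtype)
        old_ttl, old_rd = old.get(key, (None, set()))
        new_ttl, new_rd = new.get(key, (None, set()))
        if old_ttl == new_ttl and old_rd == new_rd:
            continue                                    # RRset unchanged
        if key not in new:
            cmds.append("update delete %s %s" % (owner, rtype))
        elif key not in old or old_ttl != new_ttl:
            # A TTL belongs to the RRset, so a TTL change must replace every
            # record in it, including those whose rdata did not change; a
            # per-record diff alone would leave the old TTL in place.
            if key in old:
                cmds.append("update delete %s %s" % (owner, rtype))
            for rd in sorted(new_rd):
                cmds.append("update add %s %d %s %s" % (owner, new_ttl, rtype, rd))
        else:
            for rd in sorted(old_rd - new_rd):
                cmds.append("update delete %s %s %s" % (owner, rtype, rd))
            for rd in sorted(new_rd - old_rd):
                cmds.append("update add %s %d %s %s" % (owner, new_ttl, rtype, rd))
    cmds.append("send")
    return cmds

# Constructed old and new versions of a zone (not from the thread).
OLD_ZONE = """
example.com.      3600 SOA ns1.example.com. hostmaster.example.com. 2011080901 3600 900 604800 3600
example.com.      3600 NS  ns1.example.com.
www.example.com.  3600 A   192.0.2.1
www.example.com.  3600 A   192.0.2.2
mail.example.com. 3600 A   192.0.2.10
"""
NEW_ZONE = """
example.com.      3600 SOA ns1.example.com. hostmaster.example.com. 2011080902 3600 900 604800 3600
example.com.      3600 NS  ns1.example.com.
www.example.com.   300 A   192.0.2.1   ; TTL lowered, addresses unchanged
www.example.com.   300 A   192.0.2.2
mail.example.com. 3600 A   192.0.2.11  ; address changed
ftp.example.com.  3600 A   192.0.2.20  ; new record
"""

def example_script():
    """The nsupdate script for the constructed change above."""
    return nsdiff(OLD_ZONE, NEW_ZONE, "example.com")

if __name__ == "__main__":
    print("\n".join(example_script()))
```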
DNSSEC and MS AD
My company (as many) runs Microsoft Active Directory internally and we use BIND for our Internet DNS presence. We have had our domain signed for some time. Now I've been tasked to look into signing our AD implementation. MS has their own version of DNSSEC for their DNS but my question is would this work, at all?

My (signed) external zone running on BIND is aaa.com, and my internal AD domain is aaa.com as well. I don't believe I can have two signatures (or DS records) for a child domain on the parent. The only solution I can think of is to import my BIND keys into Active Directory DNS. I don't know if that is doable at this time.

I know this is not uniquely a BIND issue but I'm hoping that someone has run into this and can possibly provide insight to a solution.
Re: DNSSEC and MS AD
On Aug 9, 2011, at 9:13 AM, John Williams wrote:
> My company (as many) run Microsoft Active Directory internally and we use
> BIND for our Internet DNS presence. We have had our domain singed for some
> time. Now I've been tasked to look into Signing our AD implementation. MS
> has their own version of DNSSEC for their DNS but my question is would this
> work, at all?
>
> My (signed) external zone running on BIND is aaa.com, and my internal AD
> domain is aaa.com as well. I don't believe I can have two signatures (or DS
> records) for a child domain on the parent. The only solution I can think of
> is import my BIND keys into Active Directory DNS. I don't know if that is
> doable at this time.

With a private version of a domain, you should not need to worry about a DS record in the parent. Just make sure your internal caching servers not only can find the internal version of your domain, but also can validate the signatures therein, most likely using a trusted or managed key specific to that internal domain.

I'll not try to get into the specifics of using MS DNS for this purpose because this is not the right forum.

Regards,
Chris Buxton
BlueCat Networks
Re: big improvement in BIND9 auth-server startup time
On Wed, 03 Aug 2011 15:45:25 -0500, Barry Finkel wrote:
>
> I did not see any improvement in start-up time.

Neither did I at my first test on a primarily slave DNS with raw format zonefiles.

Next test was on a master and slave with 60K small different zones.

The master now loaded about 650 zones/sec.
The slave did not change from the usual 120 zones/sec.

Difference? Task pool 599. Hardware should be the same.

The master is loading text format zone files. The slave is loading raw format zone files. Somebody should check if there is something in raw format files which is slowing things down. CPU and I/O seemed to be used very moderately.

- Jørgen Thomsen
Re: DNSSEC and MS AD
--- On Tue, 8/9/11, Chris Buxton wrote:
> From: Chris Buxton
> Subject: Re: DNSSEC and MS AD
> To: "John Williams"
> Cc: bind-users@lists.isc.org
> Date: Tuesday, August 9, 2011, 5:00 PM
>
> On Aug 9, 2011, at 9:13 AM, John Williams wrote:
>
>> My company (as many) run Microsoft Active Directory internally and we use
>> BIND for our Internet DNS presence. We have had our domain singed for some
>> time. Now I've been tasked to look into Signing our AD implementation. MS
>> has their own version of DNSSEC for their DNS but my question is would this
>> work, at all?
>>
>> My (signed) external zone running on BIND is aaa.com, and my internal AD
>> domain is aaa.com as well. I don't believe I can have two signatures (or DS
>> records) for a child domain on the parent. The only solution I can think of
>> is import my BIND keys into Active Directory DNS. I don't know if that is
>> doable at this time.
>
> With a private version of a domain, you should not need to worry about a DS
> record in the parent. Just make sure your internal caching servers not only
> can find the internal version of your domain, but also can validate the
> signatures therein, most likely using a trusted or managed key specific to
> that internal domain.
>
> I'll not try to get into the specifics of using MS DNS for this purpose
> because this is not the right forum.
>
> Regards,
> Chris Buxton
> BlueCat Networks

Based on your response, I'm wondering how an application such as Exchange (SMTP, which clearly relies on DNS) will work in this model. Are there any effects of the parent domain (.com, .net, whatever...) not having the DS records for the domain?
Re: big improvement in BIND9 auth-server startup time
> The master now loaded about 650 zones/sec.
> The slave did not change from the usual 120 zones/sec.

Interesting, thanks for bringing that to my attention (it hadn't occurred to me to test with a mostly-slave system).

I'm purely guessing, but I wonder if there's some rate-limiting due to the SOA queries slaves have to send to their masters.

I very much doubt the raw zonefile format is the problem. Generally that'll reduce the zone loading time by almost half.
--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: big improvement in BIND9 auth-server startup time
On Tue, 9 Aug 2011 17:18:13 +, Evan Hunt wrote:
>> The master now loaded about 650 zones/sec.
>> The slave did not change from the usual 120 zones/sec.
>
> I'm purely guessing, but I wonder if there's some rate-limiting
> due to the SOA queries slaves have to send to their masters.
>

You are probably right.

Increasing

transfers-in/out
transfers-per-ns
serial-query-rate

on both master and slave improved the slave load time considerably to 577 zones/sec.
Which one is the important one to increase, I don't know.

- Jørgen Thomsen
Re: big improvement in BIND9 auth-server startup time
On 08/09/2011 11:17, J. Thomsen wrote:
> On Tue, 9 Aug 2011 17:18:13 +,Evan Hunt wrote:
>
>>> The master now loaded about 650 zones/sec.
>>> The slave did not change from the usual 120 zones/sec.
>>
>> I'm purely guessing, but I wonder if there's some rate-limiting
>> due to the SOA queries slaves have to send to their masters.
>>
>
> You are probably right.
>
> Increasing
>
> transfers-in/out
> transfers-per-ns
> serial-query-rate
>
> on both master and slave improved the slave load time considerably to 577
> zones/sec.
> Which one is the important one to increase, I don't know.

Assuming that the zones were mostly up to date, it was serial-query-rate.

Also, FYI, you're getting pretty close to the point where the master/slave configuration is going to become a bottleneck. If you plan to grow much beyond this point you should start looking at making all of your systems masters and using an out of band method to update the zones.

hth,

Doug
--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: question about overlapping reverse zones
On 08/09/2011 05:52, Christian Pinedo Zamalloa wrote:
> I would like to know if it is possible to configure in Bind
> overlapping reverse zones.

It would have taken you less time to try it than it did to write the e-mail. :)
--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: Memory utilisation problem on busy bind resolver
On 08/09/2011 07:31, Dennis Perisa wrote:
> Hi folks,
>
> We are running a number of BIND 9.7.3-p3

9.7.4 is out.

> caching nameservers. In the
> last couple of months, we've observed the memory utilisation of named
> increasing at a steady rate of 1-2% per day on our busiest resolver
> with no indication of subsiding - on occasion, there have been large
> step increases of 1 GB or so.
>
> All our other resolvers are configured identically but are behaving
> themselves with memory utilisation remaining at fairly constant
> levels.

Are they getting the same amount of traffic?

> I've looked at all the named logs until my eyeballs have almost fallen
> out of my head but am unable to determine the cause of this. So I'm
> taking a step back and hoping to get some advice - what else can I do
> to find the cause of this? Or is it something I simply need to live
> with?
>
> We're looking at measures such as periodic cache flushes, and tuning
> max-cache-size, max-cache-ttl and max-cache-nttl params to limit
> memory usage, but this may only be treating the symptom and costs us
> extra cpu cycles.

Why isn't the answer, "Put more RAM in the box?" IME if you have a busy resolver which is using a lot of RAM it's for a good reason. The amount of time you've already spent on this is worth more than the cost of the hardware upgrade.

Doug
--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: DNSSEC and MS AD
On Aug 9, 2011, at 10:07 AM, John Williams wrote:
> --- On Tue, 8/9/11, Chris Buxton wrote:
>
>> With a private version of a domain, you should not need to
>> worry about a DS record in the parent. Just make sure your
>> internal caching servers not only can find the internal
>> version of your domain, but also can validate the signatures
>> therein, most likely using a trusted or managed key specific
>> to that internal domain.
>>
>> I'll not try to get into the specifics of using MS DNS for
>> this purpose because this is not the right forum.
>>
>> Regards,
>> Chris Buxton
>> BlueCat Networks
>
> Based on your response, I'm wondering how an application such as Exchange
> (SMTP, which clearly relies on DNS) will work in this model. Are there there
> any affects of the parent domain (.com, .net, whatever...) not having the DS
> records? for the domain?

I don't follow your reasoning. For SMTP, the DNS-related operation is in looking up the MX and A/ records of other mail servers based on an outgoing message.

If you're worried about other mail servers finding your Exchange server, there are two cases:

- External. My comments had nothing to do with external (Internet-facing) DNS records. There, you would want to have DS records put into the parent zone to be able to authenticate the link from parent to child.

- Internal. If you're using MX records internally, you're either very large or misguided. If you are large enough to warrant this, then your caching servers should be able to follow your internal chain of trust, starting at a private trust anchor. This is the point I was getting at.

The use of internal, private namespace should be entirely transparent to any service other than DNS. Your mail server should not need to know about it, and should not be able to detect it (other than watching for private address space and obviously-private domain names like "corp.dom").

Chris Buxton
BlueCat Networks
Re: question about overlapping reverse zones
2011/8/9 Doug Barton :
> On 08/09/2011 05:52, Christian Pinedo Zamalloa wrote:
>> I would like to know if it is possible to configure in Bind
>> overlapping reverse zones.
>
> It would have taken you less time to try it than it did to write the
> e-mail. :)
>

And I tried it before and it worked :-D.

But I haven't found official Bind documentation about it and I need to be sure not only that it worked, but also that it had to work: that it's the normal behaviour and that it's a common configuration practice.
--
Christian Pinedo Zamalloa (zako)
PGP keyID: 0x828D0C80
Fingerprint: 7BFF 4105 F46B 7977 BD96 348C 1007 4FF8 828D 0C80
Re: DNSSEC and MS AD
In message <37eb0c69-09a1-45a8-9d0e-1027ccbf8...@gmail.com>, Chris Buxton writes:
> The use of internal, private namespace should be entirely transparent to any
> service other than DNS. Your mail server should not need to know about it, and
> should not be able to detect it (other than watching for private address space
> and obviously-private domain names like "corp.dom").

Until it gets DANE support or something else that is DNSSEC aware, at which time you also add the internal trust anchors.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: question about overlapping reverse zones
In message , Christian Pinedo Zamalloa writes:
> 2011/8/9 Doug Barton :
> > On 08/09/2011 05:52, Christian Pinedo Zamalloa wrote:
> >> I would like to know if it is possible to configure in Bind
> >> overlapping reverse zones.
> >
> > It would have taken you less time to try it than it did to write the
> > e-mail. :)
> >
>
> and I tried it before and it worked :-D.
>
> But I haven't find official documentation of Bind about it and I need
> to be sure that it worked yes, but it also had to work: That it's the
> normal behaivour and if it's a common practise of configuration.

Named will continue to use deepest/closest/nearest match when selecting zones to answer from. This is needed for built-in empty zones (RFC 1918 zones are enabled in the upcoming releases following the publication of RFC 6303) and for grafting on of private namespaces.

This is also RFC 1034 behaviour so it should be applicable to all nameservers.

   4.3.2. Algorithm

   2. Search the available zones for the zone which is the nearest
      ancestor to QNAME. If such a zone is found, go to step 3,
      otherwise step 4.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
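As an added illustration of the nearest-ancestor rule Mark quotes, applied to the two overlapping zones from the original question: this is example code written for this page, not BIND's zone lookup or anything posted in the thread. The zone names and file names are the ones from the question; the two extra RFC 6303 empty zones in the table are an assumption added for comparison, and the label-wise comparison is the check that keeps "110.in-addr.arpa" names from matching "10.in-addr.arpa".

```python
# Added example (not from the thread): RFC 1034 section 4.3.2 step 2,
# "search the available zones for the zone which is the nearest ancestor
# to QNAME", applied to the overlapping reverse zones discussed above.

def labels(name):
    """Split a DNS name into labels, lower-cased, with the root label dropped."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_ancestor_or_equal(zone, qname):
    """True if zone is qname itself or one of its ancestors.  The comparison
    is label-wise: "10.in-addr.arpa" must not match "1.110.in-addr.arpa"
    even though it is a plain string suffix of that name."""
    z, q = labels(zone), labels(qname)
    return len(z) <= len(q) and q[len(q) - len(z):] == z

def nearest_zone(zones, qname):
    """Return the deepest configured zone that contains qname, or None when
    no zone does (RFC 1034 step 4: answer from cache or recurse instead)."""
    best = None
    for zone in zones:
        if is_ancestor_or_equal(zone, qname):
            if best is None or len(labels(zone)) > len(labels(best)):
                best = zone
    return best

def reverse_name(ipv4):
    """Owner name of the PTR record for an IPv4 address."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + ".in-addr.arpa."

# Constructed zone table: the two zones from the question plus two of the
# RFC 6303 built-in empty zones (assumed here, for comparison only).
ZONES = {
    "10.in-addr.arpa": "/etc/bind/db.empty",               # catch-all, from the thread
    "10.10.10.in-addr.arpa": "/etc/bind/db.rev.10.10.10",  # specific, from the thread
    "168.192.in-addr.arpa": "<built-in empty zone>",       # RFC 6303, assumed
    "16.172.in-addr.arpa": "<built-in empty zone>",        # RFC 6303, assumed
}

def zone_for_address(ipv4, zones=ZONES):
    """The configured zone named would answer a PTR query for ipv4 from."""
    return nearest_zone(zones, reverse_name(ipv4))

if __name__ == "__main__":
    for ip in ("10.10.10.10", "10.20.0.1", "110.1.2.3", "192.168.1.1"):
        print(ip, "->", zone_for_address(ip))
```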
Re: Memory utilisation problem on busy bind resolver
Dennis

What OS are you using? What's the compiler version used and what are the compiler options used to build the binary?

How are you measuring the memory utilization? Does the RSS of named grow over time?

thanks
Sam.

On Wed, 2011-08-10 at 00:31 +1000, Dennis Perisa wrote:
> Hi folks,
>
> We are running a number of BIND 9.7.3-p3 caching nameservers. In the
> last couple of months, we've observed the memory utilisation of named
> increasing at a steady rate of 1-2% per day on our busiest resolver
> with no indication of subsiding - on occasion, there have been large
> step increases of 1 GB or so.
>
> All our other resolvers are configured identically but are behaving
> themselves with memory utilisation remaining at fairly constant
> levels.
>
> I've looked at all the named logs until my eyeballs have almost fallen
> out of my head but am unable to determine the cause of this. So I'm
> taking a step back and hoping to get some advice - what else can I do
> to find the cause of this? Or is it something I simply need to live
> with?
>
> We're looking at measures such as periodic cache flushes, and tuning
> max-cache-size, max-cache-ttl and max-cache-nttl params to limit
> memory usage, but this may only be treating the symptom and costs us
> extra cpu cycles.
>
> Regards
> Dennis
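An added example of the measurement Sam is asking for, written for this page rather than taken from the thread: it parses VmRSS from a Linux /proc/<pid>/status text and, over a series of samples, separates a steady growth rate (the 1-2% per day the reporter describes) from step increases (the 1 GB jumps). The samples are constructed, and the 0.5%/day threshold for calling a resolver "growing" is an assumption.

```python
# Added example (not from the thread): is the RSS of named growing, and is it
# a steady climb or a step?  Reads VmRSS from /proc/<pid>/status text and
# analyses a time series of (seconds, rss_kib) samples.

def vmrss_kib(status_text):
    """Return the VmRSS value in KiB from the text of a Linux /proc/<pid>/status
    (assumed line format 'VmRSS:\t  123456 kB'), or None if there is no such line."""
    for line in status_text.splitlines():
        if line.startswith("VmRSS:"):
            return int(line.split()[1])
    return None

def analyse_rss(samples, step_kib=1024 * 1024, growth_threshold_pct=0.5):
    """samples: time-ordered list of (seconds, rss_kib).
    Fits a least-squares line to express growth as percent of the first
    sample per day, and lists step increases of at least step_kib between
    adjacent samples (1 GiB by default, the size mentioned in the report).
    The growth threshold used for the verdict is an assumption."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    n = len(samples)
    t_mean = sum(t for t, _ in samples) / n
    r_mean = sum(r for _, r in samples) / n
    num = sum((t - t_mean) * (r - r_mean) for t, r in samples)
    den = sum((t - t_mean) ** 2 for t, _ in samples)
    slope = num / den if den else 0.0               # KiB per second
    pct_per_day = slope * 86400 / samples[0][1] * 100
    steps = [(t1, r1 - r0)
             for (t0, r0), (t1, r1) in zip(samples, samples[1:])
             if r1 - r0 >= step_kib]
    verdict = "growing" if pct_per_day >= growth_threshold_pct else "stable"
    if steps:
        verdict += " with %d step increase(s)" % len(steps)
    return {"pct_per_day": pct_per_day, "steps": steps, "verdict": verdict}

# Constructed sample series (hourly for three days, KiB), not real data:
# one climbing linearly by 1.5% of its starting size per day, and one flat
# series with a single 1.2 GiB jump at hour 40.
BASE_KIB = 4_000_000
GROWTH_SAMPLES = [(h * 3600, BASE_KIB + 2500 * h) for h in range(72)]
STEP_SAMPLES = [(h * 3600, BASE_KIB + (1_200_000 if h >= 40 else 0)) for h in range(72)]

if __name__ == "__main__":
    for name, series in (("steady", GROWTH_SAMPLES), ("step", STEP_SAMPLES)):
        result = analyse_rss(series)
        print("%s: %.2f%%/day, %s" % (name, result["pct_per_day"], result["verdict"]))
```

Sampling the real thing is a matter of reading /proc/<pid>/status for named on a timer and feeding (time, KiB) pairs to analyse_rss; a steady slope with no steps points at a leak or cache growth, while isolated steps point at discrete events worth matching against the logs at that time.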
RE: DNSSEC and MS AD
Unless I'm very mistaken, an "AD Integrated" (as opposed to "primary"/"secondary") zone cannot be protected by DNSSEC. (I remember having read this in MS's DNSSEC document.)

Also (in that document): max algorithm supported is 5 (RSASHA1). This means that using MS DNS as a validating caching name server is pointless, as the root uses algorithm 8 and domains with unknown algorithms are treated as "unsigned".
--> for MS DNS, the chain-of-trust breaks right at the top level, not?

Kind regards,

Marc Lampo
EURid Security Officer

-----Original Message-----
From: John Williams [mailto:john.1...@yahoo.com]
Sent: 09 August 2011 06:13 PM
To: bind-users@lists.isc.org
Subject: DNSSEC and MS AD

My company (as many) run Microsoft Active Directory internally and we use BIND for our Internet DNS presence. We have had our domain singed for some time. Now I've been tasked to look into Signing our AD implementation. MS has their own version of DNSSEC for their DNS but my question is would this work, at all?

My (signed) external zone running on BIND is aaa.com, and my internal AD domain is aaa.com as well. I don't believe I can have two signatures (or DS records) for a child domain on the parent. The only solution I can think of is import my BIND keys into Active Directory DNS. I don't know if that is doable at this time.

I know this is not uniquely a BIND issue but I'm hoping that someone has run into this and can possibly provide insight to a solution.