updating Bind made it slower
Hi,

I just updated a couple of my DNS-servers from the rather old version 9.4.1 to a newer version 9.8.0-P4.

After this I have problems with outages. Looking into it, I found that the time for a "rndc reload" has nearly doubled!

I've made tests before the update and I still have a few old servers with the exact same config & hardware to compare it.

Updating from version 9.4.1 to version 9.8.0-P4 brought an increase for "rndc reload" from 25 seconds (yes, I have a lot of zones and quite big ones) to 45 seconds (these numbers are from a slower server, Sun T2000, for my faster servers I have no old servers to compare the numbers).

Is this a known issue with the newer versions of named? Is there something I can do about it to tweak the numbers?

Tom.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: updating Bind made it slower
On 26/09/11 08:48, Tom Schmitt wrote:
> Hi, I just updated a couple of my DNS-servers from the rather old version 9.4.1 to a newer version 9.8.0-P4.
> After this I have problems with outages. Looking into it, I found that the time for a "rndc reload" has nearly doubled!

This has been pointed out to me before; do you really need "reload", or would "reconfig" suffice?

It's entirely possible bind 9.8.0 does more checking of zone contents on load than previous versions; and by telling it to reload existing zones...
Re: DNS-cache with custom gTLDs
> 2011/9/23 Kevin Darcy :
>> NXDOMAIN is a *permanent* response; at least it's "permanent" in the absence of any change to the relevant DNS RRset or zone.
>>
>> You're almost certainly getting the NXDOMAIN because you're spoofing the root servers, and your "fake" root servers don't have the same knowledge as the real ones, so they'll return NXDOMAIN for some queries (whereas dig +trace does not, because it follows the hierarchy down and asks different nameservers). In other words, you're shooting yourself in the foot with your hints-file trickery.

On 23.09.11 08:49, Drunkard Zhang wrote:
> No, I got 2 layers of DNS, recursive resolution DNS and dns-cache which forward all its queries to recursive DNS.

Why? Can't your "recursive resolution DNS" cache records?

> I want the spoofing of root servers to happen on dns-cache (still not by now),

Why do you want to do the spoofing at all? If you want to implement a local TLD or any kind of zone visible locally, you can define it on recursive servers, or on different servers and forward requests for that zone from caches to those different servers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
The only substitute for good manners is fast reflexes.
Re: A few (too) simple questions about DNS records
On Fri, Sep 23, 2011 at 12:57:58AM +0200, Yanek wrote a message of 58 lines which said:

> >> mydomain.tld. IN A 1.2.3.4
...
> BTW, is it me or
>
> @ IN A 1.2.3.4
>
> Could handily replace that record?

Yes. @ = current zone
Re: DNS-cache with custom gTLDs
2011/9/26 Matus UHLAR - fantomas :
>> 2011/9/23 Kevin Darcy :
>>> NXDOMAIN is a *permanent* response; at least it's "permanent" in the absence of any change to the relevant DNS RRset or zone.
>>>
>>> You're almost certainly getting the NXDOMAIN because you're spoofing the root servers, and your "fake" root servers don't have the same knowledge as the real ones, so they'll return NXDOMAIN for some queries (whereas dig +trace does not, because it follows the hierarchy down and asks different nameservers). In other words, you're shooting yourself in the foot with your hints-file trickery.
>
> On 23.09.11 08:49, Drunkard Zhang wrote:
>> No, I got 2 layers of DNS, recursive resolution DNS and dns-cache which forward all its queries to recursive DNS.
>
> Why? Can't your "recursive resolution DNS" cache records?

There are a lot of abnormal queries from users (we got about 0.4 million users); to avoid script kids' attacks or buggy programs, I designed 2 layers. And the dns-caches took most of the traffic.

And again, spoofing of root-servers on dns-cache is for the same reason. Here are the high traffic hour's queries of root-servers, which look normal; it could be a billion times when attacked.

log2 /gwbn/dns/20110925 # grep \.root-servers.net 20110925_21
1981381 a.root-servers.net A
2 m.root-servers.net A
1 k.root-servers.net A
1 j.root-servers.net A
1 g.root-servers.net A
1 f.root-servers.net A
1 c.root-servers.net A
Re: updating Bind made it slower
On 9/26/11 12:48 AM, "Tom Schmitt" wrote:
> I just updated a couple of my DNS-servers from the rather old version 9.4.1 to a newer version 9.8.0-P4.

You want to get another cup of coffee, and plan an upgrade to 9.8.1 -- isn't adminspotting fun? :-)

> After this I have problems with outages. Looking into it, I found that the time for a "rndc reload" has nearly doubled!

Hopefully this affects you:

http://www.isc.org/community/blog/201107/major-improvement-bind-9-startup-performance

Good luck!

--
By nature, men are nearly alike; by practice, they get to be wide apart.
-- Confucius
Re: A few (too) simple questions about DNS records
In message <20110926090036.ga10...@nic.fr>, Stephane Bortzmeyer writes:
> On Fri, Sep 23, 2011 at 12:57:58AM +0200, Yanek wrote a message of 58 lines which said:
>
> > >> mydomain.tld. IN A 1.2.3.4
> ...
> > BTW, is it me or
> >
> > @ IN A 1.2.3.4
> >
> > Could handily replace that record?
>
> Yes. @ = current zone

Current origin, starts out as current zone.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
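
Added illustration (not part of any message in this thread): a minimal Python sketch of how owner names in a master file expand as the origin changes, showing that "@" follows the current origin rather than staying fixed to the zone name. The function names and the sample zone fragment are constructed for this example; multi-line records and semicolons inside quoted strings are not handled.

```python
def absolute(name, origin):
    """Resolve an owner name against the current origin (origin ends in '.')."""
    if name == "@":
        return origin                      # "@" is the current origin
    if name.endswith("."):
        return name                        # already fully qualified
    return name + "." if origin == "." else name + "." + origin

def expand_owners(zone_name, text):
    """Return [(owner, rest_of_record)] with "@" and relative names resolved."""
    origin = zone_name                     # the origin starts out as the zone name
    last_owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = absolute(fields[1], origin)    # applies to the lines that follow
            continue
        if fields[0].startswith("$"):
            continue                       # $TTL etc. are outside this sketch
        if line[0].isspace():              # blank owner field: repeat previous owner
            if last_owner is None:
                raise ValueError("first record has no owner name")
            owner, rest = last_owner, fields
        else:
            owner, rest = absolute(fields[0], origin), fields[1:]
        last_owner = owner
        records.append((owner, " ".join(rest)))
    return records

# Constructed zone fragment reusing the thread's mydomain.tld / 1.2.3.4 example.
SAMPLE_ZONE = """\
$TTL 3600
@       IN A   1.2.3.4     ; same as: mydomain.tld. IN A 1.2.3.4
www     IN A   1.2.3.5
$ORIGIN sub.mydomain.tld.
@       IN A   1.2.3.6     ; "@" now means sub.mydomain.tld.
        IN MX  10 mail.mydomain.tld.
host    IN A   1.2.3.7
"""

if __name__ == "__main__":
    for owner, rest in expand_owners("mydomain.tld.", SAMPLE_ZONE):
        print(f"{owner:<24} {rest}")
```
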