Re: Multiple BIND instances
On 06.02.12 23:09, sasa sasa wrote:
> I got a server with 16GB memory, want to install 2 BIND on CentOS, one cache only and another authoritative.
> Is it better to install 2 OS virtually and run BIND in them or run 2 instances of BIND on the same OS?

According to what I've heard, virtualization has quite high overhead in such situations.

> I mean what is the best practice to take advantage of the hardware resources without risking having single DNS with cache and authoritative?

You still have one server, virtualization would not change much about this.
You can even run a single BIND instance with two separate views and that should not affect functionality.

I suppose you are running 64bit OS, so you can have really huge cache (>4GB).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
(In Slovak:) Warning: I do not want to receive any advertising mail at this address.
I feel like I'm diagonally parked in a parallel universe.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Multiple BIND instances
Quoting sasa sasa:
> Hi,
> I got a server with 16GB memory, want to install 2 BIND on CentOS, one cache only and another authoritative.
> Is it better to install 2 OS virtually and run BIND in them or run 2 instances of BIND on the same OS?
> I mean what is the best practice to take advantage of the hardware resources without risking having single DNS with cache and authoritative?

If you really care about separating the cache and the authoritative part you should also use separation at OS level. There are light-weight virtualisation solutions like OpenVZ which do not add noticeable performance costs. On the other hand you might also go ahead with one instance and views.

Regards

Andreas
Re: Multiple BIND instances
On 2/7/2012 11:17 AM, Matus UHLAR - fantomas wrote:
> You can even run a single BIND instance with two separate views and that
> should not affect functionality.

Wouldn't this have mixed (one) caches?

> I suppose you are running 64bit OS, so you can have really huge cache (>4GB)

Yes, it's 64bit.
Re: Multiple BIND instances
On 2/7/2012 11:17 AM, Matus UHLAR - fantomas wrote:
> You can even run a single BIND instance with two separate views and that
> should not affect functionality.

On 07.02.12 04:02, sasa sasa wrote:
> Wouldn't this have mixed (one) caches?

No, unless you use the attach-cache directive. However, the cache won't be big for the authoritative-only part.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
(In Slovak:) Warning: I do not want to receive any advertising mail at this address.
You have the right to remain silent. Anything you say will be misquoted, then used against you.
Re: Multiple BIND instances
In message <1328616138.50948.yahoomail...@web120103.mail.ne1.yahoo.com>, sasa sasa writes:
> On 2/7/2012 11:17 AM, Matus UHLAR - fantomas wrote:
> > You can even run a single BIND instance with two separate views and that
> > should not affect functionality.
>
> Wouldn't this have mixed (one) caches?

Only if you configure it.

> > I suppose you are running 64bit OS, so you can have really huge cache (>4GB)
> Yes, it's 64bit.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
RE: Multiple BIND instances
Virtualization doesn't reduce use of resources but DOES separate into what are perceived to be multiple "servers" so I'm not sure what you mean by "you still have one server".

-----Original Message-----
From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Matus UHLAR - fantomas
Sent: Tuesday, February 07, 2012 3:18 AM
To: bind-users@lists.isc.org
Subject: Re: Multiple BIND instances

On 06.02.12 23:09, sasa sasa wrote:
> I got a server with 16GB memory, want to install 2 BIND on CentOS, one
> cache only and another authoritative.
> Is it better to install 2 OS virtually and run BIND in them or run 2
> instances of BIND on the same OS?

According to what I've heard, virtualization has quite high overhead in such situations.

> I mean what is the best practice to take advantage of the hardware
> resources without risking having single DNS with cache and
> authoritative?

You still have one server, virtualization would not change much about this.
You can even run a single BIND instance with two separate views and that should not affect functionality.

I suppose you are running 64bit OS, so you can have really huge cache (>4GB)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Multiple BIND instances
On Mon, 2012-02-06 at 23:09 -0800, sasa sasa wrote:
> Hi,
> I got a server with 16GB memory, want to install 2 BIND on CentOS, one cache
> only and another authoritative.
> Is it better to install 2 OS virtually and run BIND in them or run 2
> instances of BIND on the same OS? I mean what is the best practice to take
> advantage of the hardware resources without risking having single DNS with
> cache and authoritative?
>
> regards,
> Sasa

How many CPU cores do you have?

I've been running Debian with BIND (some with multiple views) on Xen for a few years now. Each box has five virtual servers, some of them running >1,000 lookups/second with plenty of CPU overhead. The boxes are dual hex-core AMDs with 32GB RAM. The individual virtual servers are running 2 cores each. The boxes have up times of over 600 days with no issues.

I'm not suggesting this is what you should do, but rather showing it has been a very successful and cost effective solution for me. You should evaluate the expected DNS load and test accordingly. I tested my servers with several times our current load before deployment.

Steve.

BIND Rocks.
Re: Multiple BIND instances
On Tue, Feb 07, 2012 at 03:17:45PM +0800, Jeff Peng wrote:
> On 2012-2-7 15:09, sasa sasa wrote:
> > I got a server with 16GB memory, want to install 2 BIND on
> > CentOS, one cache only and another authoritative.
> > Is it better to install 2 OS virtually and run BIND in them
> > or run 2 instances of BIND on the same OS? I mean what is
> > the best practice to take advantage of the hardware
> > resources without risking having single DNS with cache and
> > authoritative?
>
> One OS with two or more public IPs for different BIND instances
> is better IMO.

I would use different ports, and a NAT redirect of one of the IP addresses to the alternate port. Another possibility, if the caching server is only serving the processes on this machine, bind it on localhost, and put the authoritative server on the external IP. (Don't forget to use an alternate controls section for one of these instances; otherwise they're both going to try for 127.0.0.1:953.)

To those who are suggesting views: sure, this can be done, but if another exploit like the last big one comes along and named crashes, both authoritative name service and the resolver are affected. I think the OP's goal (quite reasonable IMO) was to keep them separate, and what Jeff and I are talking about will do that.

-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: How to validate DNSSEC signed record with dig?
Hi everybody, sorry for my post; I'm not writing to shed light on the 1st problem but to find help.

I'm trying to sign a zone on Bind 9.8-P1 but I have this message:

*dnssec-signzone: fatal: key myKSK.key not at origin*

I just want help; if someone has been confronted with this kind of message I'll be so happy to have a few ideas to debug my problem.

Thx.

2012/2/6 Tony Finch
> Spain, Dr. Jeffry A. wrote:
> >
> > Checking your two name servers, 8.8.8.8 (google-public-dns-a.google.com)
> > doesn't appear to offer DNSSEC validation, and 78.46.213.227
> > (rms.coozila.com) doesn't respond to my query at all.
>
> It's worse than that. Google Public DNS doesn't support DNSSEC at all, so
> you cannot use it to query DNSSEC records. DNSSEC requires resolvers to
> handle RRSIG and DS records in special ways even if they are not
> validating the signatures.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/
> North Utsire, South Utsire: Cyclonic mainly southerly or southeasterly, 5 to
> 7, occasionally gale 8 in east at first. Rough. Rain or snow. Moderate or
> poor.

--
Regards.

Thierry *SAMEN.*
Re: How to validate DNSSEC signed record with dig?
William Thierry SAMEN wrote:
>
> I'm trying to sign a zone on Bind 9.8-P1 but I have this message:
>
> *dnssec-signzone: fatal: key myKSK.key not at origin*

It means the zone name in the key is not the same as the zone you are signing.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Rockall, Malin, Hebrides, Bailey: Southerly 6 to gale 8, occasionally severe gale 9 except in Malin, veering northwesterly 4 or 5 for a time except in Malin and east Hebrides. Very rough, occasionally high except in Malin. Occasional rain. Moderate or poor.
RE: How to validate DNSSEC signed record with dig?
> dnssec-signzone: fatal: key myKSK.key not at origin

What are the contents of myKSK.key? The format is "mydomain.com. IN DNSKEY ..." where mydomain.com is the domain origin.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
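An added check (not any poster's code) for the mismatch Tony and Jeffry describe: it reads the owner name of the DNSKEY record in a key file and compares it, case- and trailing-dot-insensitively, with the zone about to be signed. The key files below are constructed samples with placeholder key data.

```shell
#!/bin/sh
# Verify that a DNSSEC key file's owner name matches the zone origin before
# running dnssec-signzone, which otherwise fails with "key ... not at origin".
# Usage: check_key_origin KEYFILE ZONE   (returns 0 on match, 1 otherwise)
check_key_origin() {
    keyfile=$1
    # Normalise the zone name: lower-case, exactly one trailing dot.
    zone=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.*$/./')
    # The owner name is the first field of the (non-comment) DNSKEY line;
    # a TTL may or may not sit between the owner and "IN".
    owner=$(awk 'toupper($0) ~ /[ \t]DNSKEY[ \t]/ && $1 !~ /^;/ {
                     print tolower($1); exit }' "$keyfile")
    [ -n "$owner" ] || { echo "no DNSKEY record in $keyfile" >&2; return 1; }
    owner=$(printf '%s' "$owner" | sed 's/\.*$/./')
    if [ "$owner" = "$zone" ]; then
        return 0
    fi
    echo "key owner '$owner' is not the zone origin '$zone'" >&2
    return 1
}

# Constructed sample key files; the base64 key data is a placeholder.
TMP=$(mktemp -d)
cat > "$TMP/Kexample.com.+008+12345.key" <<'EOF'
; This is a key-signing key, keyid 12345, for example.com.
example.com. IN DNSKEY 257 3 8 PLACEHOLDERBASE64KEYDATA==
EOF
cat > "$TMP/Kwrong.key" <<'EOF'
sub.example.com. 3600 IN DNSKEY 257 3 8 PLACEHOLDERBASE64KEYDATA==
EOF

# Stand-alone demo: the first key matches the origin, the second does not.
check_key_origin "$TMP/Kexample.com.+008+12345.key" example.com && echo "origin matches: ok"
check_key_origin "$TMP/Kwrong.key" example.com || echo "mismatch detected: as expected"
```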
Re: Multiple BIND instances
I'm not sure why this answer has gone off into the weeds, but running 2 instances on the same host is quite simple.

1. Get 2 different (hopefully sets of v4 and v6) IP addresses, one for each instance.
2. Set up 2 different chroot environments, one for the authoritative and one for the resolver. Included in this setup will be the appropriate listen-on arguments in named.conf.
3. Run each instance with the appropriate command line arguments to chroot into its own environment.
4. Profit.

Adding virtualization makes sense for some services, but it doesn't for BIND, which has a very intelligent chroot ability.

hth,

Doug

-- 
It's always a long day; 86400 doesn't fit into a short.
Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
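As an added example (not any poster's configuration), a template for the per-instance named.conf that Doug's steps and rob0's port remark imply: one listen-on address per instance, recursion only on the resolver, and a distinct rndc control port so the two instances do not both try for 127.0.0.1:953. The addresses, chroot paths and port numbers are assumptions.

```shell
#!/bin/sh
# Emit a named.conf for one of two BIND instances sharing a host.
# Usage: gen_named_conf ROLE(auth|resolver) LISTEN_IP RNDC_PORT
gen_named_conf() {
    role=$1; ip=$2; ctl_port=$3
    if [ "$role" = resolver ]; then
        recursion="recursion yes; allow-recursion { localhost; localnets; };"
    else
        recursion="recursion no;"
    fi
    cat <<EOF
options {
    directory "/var/named";            # relative to this instance's chroot
    pid-file "/var/run/named-${role}.pid";
    listen-on { ${ip}; };              # one address per instance
    ${recursion}
};
# Without this, both instances default to a control channel on 127.0.0.1:953
# and the second one to start cannot bind it. With no keys clause, each
# instance reads the rndc.key inside its own chroot.
controls {
    inet 127.0.0.1 port ${ctl_port} allow { 127.0.0.1; };
};
EOF
}

# Succeed only if two generated configs use different rndc control ports.
distinct_control_ports() {
    p1=$(printf '%s\n' "$1" | sed -n 's/.*inet 127\.0\.0\.1 port \([0-9]*\).*/\1/p')
    p2=$(printf '%s\n' "$2" | sed -n 's/.*inet 127\.0\.0\.1 port \([0-9]*\).*/\1/p')
    [ -n "$p1" ] && [ -n "$p2" ] && [ "$p1" != "$p2" ]
}

AUTH_CONF=$(gen_named_conf auth 192.0.2.1 953)      # assumed addresses
RES_CONF=$(gen_named_conf resolver 192.0.2.2 954)
distinct_control_ports "$AUTH_CONF" "$RES_CONF" && echo "control ports differ: ok"

# Start lines (not run here): each instance chroots into its own tree, so
# /etc/named.conf is resolved inside /chroot/auth or /chroot/resolver.
#   named -u named -t /chroot/auth     -c /etc/named.conf
#   named -u named -t /chroot/resolver -c /etc/named.conf
# rndc then needs the matching port and key, e.g.
#   rndc -p 954 -k /chroot/resolver/etc/rndc.key status
```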
PLEASE READ: An Important Security Announcement from ISC
ISC has been notified by Haixin Duan (a professor at Tsinghua University in Beijing, China, who is currently visiting the International Computer Science Institute (ICSI) at the University of California, Berkeley) about a DNS resolver vulnerability that potentially allows a party to keep a domain name in the cache even after that domain name has expired.

ISC is evaluating the risk of this vulnerability, but his published paper shows how this was demonstrated, live across the Internet. It lists several DNS implementations and open resolver deployments as vulnerable. All BIND 9 versions are currently considered vulnerable.

A more detailed description of this vulnerability and ISC's planned response can be found at:
https://www.isc.org/software/bind/advisories/cve-2012-1033