Re: bind caching dns

2012-05-15 Thread Ben

Hi,

Any clue to resolve this.

BR
Ben

> Hi Matthew,
>
> Sorry for late response. I enabled statistics-channel, and it gives
> web based output. What is caching hit ratio field, I mean which option
> / field tells us about how many queries come from cache or...?
>
> BR
> Ben
>
>> On 08/05/2012 10:09, Ben wrote:
>>> I am new with bind. I am trying to configure bind as caching server for
>>> our network. I configure it and it works successfully.
>>>
>>> Can we get report or statistics something which shows which queries
>>> resolved from cache and which resolved from internet?
>>
>> Yes. Add a section something like this (adapt for your own IP range and
>> whatever port number you prefer):
>>
>> statistics-channels {
>>  inet 192.0.2.1   port 8080 allow { trusted; };
>>  inet 2001:db8::1 port 8080 allow { trusted; };
>> };
>>
>> where 'trusted' is an ACL defining what IPs should be allowed to access
>> the statistical data.  You can now make HTTP queries like so:
>>
>> http://192.0.2.1:8080/
>>
>> which will get you an XML document containing many statistics about the
>> performance of your named instance.  If you ever decide to set up an
>> authoritative server, you might consider adding 'zone-statistics yes;'
>> in the options { } section, but this doesn't make any difference to
>> recursive-only resolvers.
>>
>>> bind has snmp mib for monitoring?
>>
>> Not to my knowledge.  It should be possible to write an agentx plugin
>> that translates from the XML data provided natively, but you'll have to
>> write your own MIBs since the standard one from RFC1612 seems to have
>> received little development since.  Indeed RFC3197
>> (https://www.ietf.org/rfc/rfc3197.txt) tells a cautionary tale.
>>
>> Cheers,
>>
>> Matthew





___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Clarification on TTL Value

2012-05-15 Thread Ashok Agarwal
Hi Ramesh,

When you query for rd1.ramesh40finalround.com. then you will get answer for
all records but it will show minimum TTL value.

-Ashok

On Tue, May 15, 2012 at 3:00 PM, rams  wrote:

> Hi ,
> I have a setup as follows:
>
> rd1.ramesh40finalround.com. 98400 IN A 11.11.11.11
> rd1.ramesh40finalround.com. 96400 IN A 12.12.12.12
> rd1.ramesh40finalround.com. 99    IN A 13.13.13.13
> rd1.ramesh40finalround.com. 1     IN A 14.14.14.14
>
>
> If I query "rd1.ramesh40finalround.com." against bind, will I get all
> records with different TTL values or all records with same TTL value? Which
> TTL value will display for all records? Could you please confirm.
>
> Thanks,
> Ramesh

Re: Clarification on TTL Value

2012-05-15 Thread Jan-Piet Mens
> rd1.ramesh40finalround.com. 98400 IN A 11.11.11.11
> rd1.ramesh40finalround.com. 96400 IN A 12.12.12.12
> rd1.ramesh40finalround.com. 99    IN A 13.13.13.13
> rd1.ramesh40finalround.com. 1     IN A 14.14.14.14

RFC 2181, section 5.2 specifies:

"the use of differing TTLs in an RRSet is hereby deprecated, the
TTLs of all RRs in an RRSet must be the same."
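
A zone-data check for the RFC 2181 section 5.2 rule quoted above, added here as an illustration and not written by any poster in this thread. The four rd1 A records come from the question; the TXT and www records are constructed, and the parser assumes every line spells out owner, TTL, class and type.

```python
from collections import defaultdict

# Constructed zone text: the four A records from the question plus
# a TXT record and a consistent www RRset for contrast.
ZONE_TEXT = """\
rd1.ramesh40finalround.com. 98400 IN A 11.11.11.11
rd1.ramesh40finalround.com. 96400 IN A 12.12.12.12
rd1.ramesh40finalround.com. 99 IN A 13.13.13.13
rd1.ramesh40finalround.com. 1 IN A 14.14.14.14
rd1.ramesh40finalround.com. 300 IN TXT "constructed"
www.ramesh40finalround.com. 300 IN A 192.0.2.10
www.ramesh40finalround.com. 300 IN A 192.0.2.11
"""

def parse_records(text):
    """Yield (owner, ttl, class, type, rdata) from fully explicit zone lines."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and whole-line comments
        fields = line.split(None, 4)
        if len(fields) != 5 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: expected 'owner ttl class type rdata'")
        owner, ttl, rrclass, rrtype, rdata = fields
        # Owner names are case-insensitive, so normalise before grouping.
        yield owner.lower(), int(ttl), rrclass.upper(), rrtype.upper(), rdata

def mixed_ttl_rrsets(text):
    """Return {(owner, class, type): sorted TTLs} for RRsets whose TTLs differ."""
    rrsets = defaultdict(set)
    for owner, ttl, rrclass, rrtype, _rdata in parse_records(text):
        # An RRset is all records sharing owner, class and type.
        rrsets[(owner, rrclass, rrtype)].add(ttl)
    return {key: sorted(ttls) for key, ttls in rrsets.items() if len(ttls) > 1}

if __name__ == "__main__":
    for (owner, rrclass, rrtype), ttls in mixed_ttl_rrsets(ZONE_TEXT).items():
        print(f"{owner} {rrclass} {rrtype}: TTLs {ttls} differ, lowest is {ttls[0]}")
```

The TXT record at the same owner name is not flagged, because it belongs to a different RRset than the A records.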



Re: named validating @0x...: ... SOA: no valid signature found

2012-05-15 Thread Brian J. Murrell
On 12-05-02 09:29 AM, Mark Andrews wrote:
>  
> * a firewall blocking EDNS queries.
> * using a non DNSSEC enabled forwarder so you don't get signatures.
> * a firewall blocking fragmented UDP and named falling back to
>   plain DNS.
> * other packet loss causing named to fallback to plain DNS.

Given that I have confirmed EDNS works with:

dig edns-v4-ok.isc.org TXT
dig edns-v6-ok.isc.org TXT

and that I don't have a firewall that would/should be dropping
(properly) fragmented UDP[1] and I have no other indications of packet
loss, are we looking at a bug in BIND9 to explain this (mis-)behavior?

Cheers,
b.

[1] I'd be happy to test and provide evidence if anyone has a test that
will do so.  Perhaps a dig command targeted at one of the many failures
that my logs are constantly showing?




Re: named validating @0x...: ... SOA: no valid signature found

2012-05-15 Thread Phil Mayers

On 15/05/12 13:22, Brian J. Murrell wrote:
> On 12-05-02 09:29 AM, Mark Andrews wrote:
>> * a firewall blocking EDNS queries.
>> * using a non DNSSEC enabled forwarder so you don't get signatures.
>> * a firewall blocking fragmented UDP and named falling back to
>>   plain DNS.
>> * other packet loss causing named to fallback to plain DNS.
>
> Given that I have confirmed EDNS works with:
>
> dig edns-v4-ok.isc.org TXT
> dig edns-v6-ok.isc.org TXT
>
> and that I don't have a firewall that would/should be dropping
> (properly) fragmented UDP[1] and I have no other indications of packet
> loss, are we looking at a bug in BIND9 to explain this (mis-)behavior?


Isn't it more likely it's a local problem?

Which version of bind are you running? Does *any* zone validate e.g. try:

dig +dnssec @localhost www.ic.ac.uk

...and you should see:

; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18199
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 8, ADDITIONAL: 11

Note the "ad" flag - "authenticated data".


Re: Clarification on wildcard falls into glue records

2012-05-15 Thread Alexander Gurvitz
You should NOT get A records. Wildcard works only for hostnames
that have NO records of ANY type.

From Wikipedia:
To quote RFC 1912, "A common mistake is thinking that a wildcard
MX for a zone will apply to all hosts in the zone. A wildcard MX will
apply only to names in the zone which aren't listed in the DNS at all."
That is, if there is a wild card MX for *.example.com, and an
A record (but no MX record) for www.example.com, the correct
response (as per RFC 1034) to an MX request for www.example.com
is "no error, but no data"; this is in contrast to the possibly expected
response of the MX record attached to *.example.com.

Regards,
Alexander,
net-me.net

On Tue, May 15, 2012 at 9:34 AM, rams  wrote:
> Hi,
> I have an NS record that points to a record [A/] which falls into a wildcard.
> But when I query for the NS record against bind, we are not getting these
> records as glue records.
>
> ex:
> *.a.example.com A 1.1.1.1
> example.com. NS abc.a.example.com.
>
> Querying example.com with any or ns.
> don't we get glue records for this scenario? please confirm.
>


Re: Clarification on wildcard falls into glue records

2012-05-15 Thread Sam Wilson
In article ,
 Alexander Gurvitz  wrote:

> You should NOT get A records. Wildcard works only for hostnames
> that have NO records of ANY type.

Excuse me while I delurk, but this is interesting.  Is a name on the RHS 
of an RR regarded as existing enough to prevent wildcard lookup?  In 
this I would have expected the NS lookup to be followed by an A lookup 
for abc.a.example.com which would match the wildcard, assuming no other 
records match that name on the LHS.

Sam

> From Wikipedia:
> To quote RFC 1912, "A common mistake is thinking that a wildcard
> MX for a zone will apply to all hosts in the zone. A wildcard MX will
> apply only to names in the zone which aren't listed in the DNS at all."
> That is, if there is a wild card MX for *.example.com, and an
> A record (but no MX record) for www.example.com, the correct
> response (as per RFC 1034) to an MX request for www.example.com
> is "no error, but no data"; this is in contrast to the possibly expected
> response of the MX record attached to *.example.com.
> 
> Regards,
> Alexander,
> net-me.net
> 
> On Tue, May 15, 2012 at 9:34 AM, rams  wrote:
> > Hi,
> > I have an NS record that points to a record [A/] which falls into a wildcard.
> > But when I query for the NS record against bind, we are not getting these
> > records as glue records.
> >
> > ex:
> > *.a.example.com A 1.1.1.1
> > example.com. NS abc.a.example.com.
> >
> > Querying example.com with any or ns.
> > don't we get glue records for this scenario? please confirm.

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


Re: bind caching dns

2012-05-15 Thread Warren Kumari

On May 15, 2012, at 4:05 AM, Ben wrote:

> Hi,
> 
> Any clue to resolve this.

Let's see...

You posted a question on May 8th asking for some assistance. You worded your 
initial question poorly, but within 2 hours you got a complete and well written 
response from Matthew (and less than 24 hours after asking Eivind provided 
additional info).

5 days later you finally responded, and then less than 24 hours after that are 
surprised that you haven't gotten a response yet?

> 
> BR
> Ben
>> Hi Matthew,
>> 
>> Sorry for late response. I enabled statistics-channel, and it gives web
>> based output. What is caching hit ratio field, I mean which option / field
>> tells us about how many queries come from cache or...?

Anyway, if you search google for "bind caching hit ratio", the very first 
result gives you the answer...

W


>> 
>> BR
>> Ben
>>> On 08/05/2012 10:09, Ben wrote:
>>>> I am new with bind. I am trying to configure bind as caching server for
>>>> our network. I configure it and it works successfully.
>>>>
>>>> Can we get report or statistics something which shows which queries
>>>> resolved from cache and which resolved from internet?
>>> Yes. Add a section something like this (adapt for your own IP range and
>>> whatever port number you prefer):
>>> 
>>> statistics-channels {
>>> inet 192.0.2.1   port 8080 allow { trusted; };
>>> inet 2001:db8::1 port 8080 allow { trusted; };
>>> };
>>> 
>>> where 'trusted' is an ACL defining what IPs should be allowed to access
>>> the statistical data.  You can now make HTTP queries like so:
>>> 
>>> http://192.0.2.1:8080/
>>> 
>>> which will get you an XML document containing many statistics about the
>>> performance of your named instance.  If you ever decide to set up an
>>> authoritative server, you might consider adding 'zone-statistics yes;'
>>> in the options { } section, but this doesn't make any difference to
>>> recursive-only resolvers.
>>> 
>>>> bind has snmp mib for monitoring?
>>> Not to my knowledge.  It should be possible to write an agentx plugin
>>> that translates from the XML data provided natively, but you'll have to
>>> write your own MIBs since the standard one from RFC1612 seems to have
>>> received little development since.  Indeed RFC3197
>>> (https://www.ietf.org/rfc/rfc3197.txt) tells a cautionary tale.
>>> 
>>> Cheers,
>>> 
>>> Matthew
>>> 
>> 
> 


Re: Clarification on wildcard falls into glue records

2012-05-15 Thread Tony Finch
Sam Wilson  wrote:
>
> Is a name on the RHS of an RR regarded as existing enough to prevent
> wildcard lookup?

No, only RR owner names.

> In this I would have expected the NS lookup to be followed by an A
> lookup for abc.a.example.com which would match the wildcard, assuming no
> other records match that name on the LHS.

Yes that should work. The latter answer might appear to be missing because
additional section processing is a bit special. In your original question
you mentioned glue, which is only necessary for delegations above the zone
cut, and probably should not rely on wildcards. If this is a zone apex NS
RRset then the server doesn't have to fill in the additional section. See
the example below, from a nameserver that has minimal-responses turned on.

; <<>> DiG 9.8.1-P1 <<>> ns dotat.at
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41609
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dotat.at.                      IN      NS

;; ANSWER SECTION:
dotat.at.               3600    IN      NS      ns1.gratisdns.dk.
dotat.at.               3600    IN      NS      black.dotat.at.
dotat.at.               3600    IN      NS      puck.nether.net.
dotat.at.               3600    IN      NS      ns3.gratisdns.dk.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 15 15:52:19 2012
;; MSG SIZE  rcvd: 123

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty, Forth, Tyne, Dogger: Northwest 5 to 7, occasionally 4 in
Forth and Tyne. Moderate or rough, occasionally very rough in Forties and
Dogger. Showers. Good, occasionally moderate.
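
The wildcard rules discussed in this thread (only owner names exist; a wildcard is used only when the queried name does not exist), as an added illustration that is not code from any poster. The first two zone records are the ones from the question; the wildcard MX, mail.example.com and 192.0.2.80 are constructed, and CNAMEs and delegations are ignored.

```python
# Constructed zone: the two records from the question, plus the wildcard-MX
# case from the RFC 1912 quote. mail.example.com and 192.0.2.80 are made up.
ORIGIN = "example.com."
ZONE = [
    ("example.com.",     "NS", "abc.a.example.com."),
    ("*.a.example.com.", "A",  "1.1.1.1"),
    ("*.example.com.",   "MX", "10 mail.example.com."),
    ("www.example.com.", "A",  "192.0.2.80"),
]

def labels(name):
    return tuple(name.lower().rstrip(".").split("."))

def build(zone, origin):
    """Index RRs by owner name and collect every name that exists in the zone.

    Only owner names (left-hand side) and their ancestors up to the origin
    exist; names that appear only in RDATA (right-hand side) do not.
    """
    apex = labels(origin)
    rrs, existing = {}, {apex}
    for owner, rrtype, rdata in zone:
        name = labels(owner)
        rrs.setdefault(name, {}).setdefault(rrtype, []).append(rdata)
        for i in range(len(name) - len(apex) + 1):
            existing.add(name[i:])      # owner plus empty non-terminals above it
    return rrs, existing

def lookup(qname, qtype, zone=ZONE, origin=ORIGIN):
    """Simplified RFC 1034 section 4.3.2/4.3.3 lookup (no CNAME, no delegations)."""
    rrs, existing = build(zone, origin)
    q, apex = labels(qname), labels(origin)
    if q[-len(apex):] != apex:
        return ("OUT_OF_ZONE", [])
    if q in existing:                   # the name exists: wildcards never apply
        data = rrs.get(q, {}).get(qtype, [])
        return ("ANSWER", data) if data else ("NODATA", [])
    # Closest encloser: the longest ancestor of qname that exists.
    encloser = next(q[i:] for i in range(1, len(q)) if q[i:] in existing)
    wildcard = ("*",) + encloser
    if wildcard not in existing:
        return ("NXDOMAIN", [])
    data = rrs.get(wildcard, {}).get(qtype, [])
    return ("WILDCARD", data) if data else ("NODATA", [])

if __name__ == "__main__":
    for qname, qtype in [("abc.a.example.com.", "A"), ("www.example.com.", "MX"),
                         ("mail.example.com.", "MX"), ("abc.a.example.com.", "MX"),
                         ("x.www.example.com.", "A")]:
        print(qname, qtype, lookup(qname, qtype))
```

abc.a.example.com appears only on the right-hand side of the NS record, so its A query is answered from *.a.example.com, while the MX query for www.example.com returns no data because that name owns an A record.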


Re: Clarification on wildcard falls into glue records

2012-05-15 Thread Sam Wilson
In article ,
 Tony Finch  wrote:

> Sam Wilson  wrote:
> >
> > Is a name on the RHS of an RR regarded as existing enough to prevent
> > wildcard lookup?
> 
> No, only RR owner names.
> 
> > In this I would have expected the NS lookup to be followed by an A
> > lookup for abc.a.example.com which would match the wildcard, assuming no
> > other records match that name on the LHS.
> 
> Yes that should work. The latter answer might appear to be missing because
> additional section processing is a bit special. In your original question
> you mentioned glue, ...

Not I - another poster.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


Re: Clarification on wildcard falls into glue records

2012-05-15 Thread Tony Finch
Sam Wilson  wrote:
>
> Not I - another poster.

Sorry!

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty, Forth, Tyne, Dogger: Northwest 5 to 7, occasionally 4 in
Forth and Tyne. Moderate or rough, occasionally very rough in Forties and
Dogger. Showers. Good, occasionally moderate.


Re: Clarification on wildcard falls into glue records

2012-05-15 Thread SM

At 07:08 15-05-2012, Alexander Gurvitz wrote:

> From wikipedia:
> To quote RFC 1912, "A common mistake is thinking that a wildcard


Using Wikipedia to quote RFC 1912 is odd ...

Regards,
-sm 




Re: bind caching dns

2012-05-15 Thread Mark Andrews

In message , Warren Kumari writes:
> 
> On May 15, 2012, at 4:05 AM, Ben wrote:
> 
> > Hi,
> > 
> > Any clue to resolve this.
> 
> Let's see...
> 
> You posted a question on May 8th asking for some assistance. You worded your
> initial question poorly, but within 2 hours you got a complete and well written
> response from Matthew (and less than 24 hours after asking Eivind provided
> additional info).
> 
> 5 days later you finally responded, and then less than 24 hours after that are
> surprised that you haven't gotten a response yet?
> 
> > 
> > BR
> > Ben
> >> Hi Matthew,
> >> 
> >> Sorry for late response. I enabled statistics-channel, and it gives web
> >> based output. What is caching hit ratio field, I mean which option / field
> >> tells us about how many queries come from cache or...?
> 
> Anyway, if you search google for "bind caching hit ratio", the very first
> result gives you the answer...
> 
> W

Ben,
you have the number of queries in, you have the number of times named
recursed (QryRecursion).

(queries in - recursed) / queries in

Mark

> >> BR
> >> Ben
> >>> On 08/05/2012 10:09, Ben wrote:
> >>>> I am new with bind. I am trying to configure bind as caching server for
> >>>> our network. I configure it and it works successfully.
> >>>>
> >>>> Can we get report or statistics something which shows which queries
> >>>> resolved from cache and which resolved from internet?
> >>> Yes. Add a section something like this (adapt for your own IP range and
> >>> whatever port number you prefer):
> >>> 
> >>> statistics-channels {
> >>> inet 192.0.2.1   port 8080 allow { trusted; };
> >>> inet 2001:db8::1 port 8080 allow { trusted; };
> >>> };
> >>> 
> >>> where 'trusted' is an ACL defining what IPs should be allowed to access
> >>> the statistical data.  You can now make HTTP queries like so:
> >>> 
> >>> http://192.0.2.1:8080/
> >>> 
> >>> which will get you an XML document containing many statistics about the
> >>> performance of your named instance.  If you ever decide to set up an
> >>> authoritative server, you might consider adding 'zone-statistics yes;'
> >>> in the options { } section, but this doesn't make any difference to
> >>> recursive-only resolvers.
> >>> 
> >>>> bind has snmp mib for monitoring?
> >>> Not to my knowledge.  It should be possible to write an agentx plugin
> >>> that translates from the XML data provided natively, but you'll have to
> >>> write your own MIBs since the standard one from RFC1612 seems to have
> >>> received little development since.  Indeed RFC3197
> >>> (https://www.ietf.org/rfc/rfc3197.txt) tells a cautionary tale.
> >>> 
> >>> Cheers,
> >>> 
> >>> Matthew
> >>> 
> >> 
> > 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
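
The formula above applied to a statistics-channel document, as an added example that is not code from any poster or from ISC. The sample XML is constructed and assumes the version 3 layout served by later BIND 9 releases; reading "queries in" from the opcode QUERY counter is also an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed snapshots laid out like the version 3 statistics XML of later
# BIND 9 releases (an assumption; the values are invented).
SNAPSHOT_T0 = """\
<statistics version="3.8"><server>
  <counters type="opcode"><counter name="QUERY">20000</counter></counters>
  <counters type="nsstat">
    <counter name="Requestv4">20000</counter>
    <counter name="QryRecursion">3500</counter>
  </counters>
</server></statistics>"""
SNAPSHOT_T1 = SNAPSHOT_T0.replace("20000", "26000").replace("3500", "3800")

def counter(root, group, name):
    """Return server counter `name` from <counters type=group>, or 0 if absent."""
    for block in root.iterfind("./server/counters"):
        if block.get("type") == group:
            for c in block.iterfind("counter"):
                if c.get("name") == name:
                    return int(c.text or 0)
    return 0

def read_counters(xml_text):
    """Return (queries in, recursed); QUERY as 'queries in' is an assumption."""
    root = ET.fromstring(xml_text)
    return counter(root, "opcode", "QUERY"), counter(root, "nsstat", "QryRecursion")

def ratio(queries_in, recursed):
    """(queries in - recursed) / queries in, or None when there were no queries."""
    if queries_in <= 0:
        return None
    return (queries_in - recursed) / queries_in

def cache_hit_ratio(xml_text):
    """Hit ratio since named started (the counters are cumulative)."""
    return ratio(*read_counters(xml_text))

def hit_ratio_between(xml_before, xml_after):
    """Hit ratio for the interval between two snapshots of the same server."""
    q0, r0 = read_counters(xml_before)
    q1, r1 = read_counters(xml_after)
    if q1 < q0 or r1 < r0:
        return None  # counters went backwards: named restarted in between
    return ratio(q1 - q0, r1 - r0)

if __name__ == "__main__":
    print(f"since start: {cache_hit_ratio(SNAPSHOT_T0):.3f}")
    print(f"interval:    {hit_ratio_between(SNAPSHOT_T0, SNAPSHOT_T1):.3f}")
```

In use, the XML text would come from the statistics channel URL configured earlier in the thread, fetched from a host permitted by the 'trusted' ACL.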