Disable logging for a view

2013-03-29 Thread Francesco
Hello,
I need to log queries into bind.log for all views except one view (I
call it the default view, where it logs all attacks, floods, etc.).

But i noticed i can not insert logging clause into a view.

Is there a way?

Thank you!
Francesco
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-29 Thread Jim Bucks
After working on this some more overnight.

I can add records interactively via nsupdate (as shown below).  But, cannot
get the same results from an ipconfig /release & /renew from a
workstation.  I am totally stumped at this point.

Any ideas (and yes, I did go over the "semicomplete" URL provided by
"Alex"). The only difference I can see is that I used a 512-bit key vs
the example's 128-bit key. And I'm using a slaves/ directory vs an internal/
directory for the "zones" files.

Jim


INTERACTIVE WORKS

[root@dns04 chroot]# nsupdate
> server 127.0.0.1
> key DHCP_UPDATER TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==
> update add 101.20.10.172.in-addr.arpa. 3600 in ptr proccilap.dhcp.coloradostudios.com.
>
> update add proccilap.dhcp.coloradostudios.com. 86400 a 171.10.20.101
>
>

[root@dns04 slaves]# ll
total 24
-rw-r--r-- 1 named named  400 Mar 28 15:08 db.172.10.20
-rw-r--r-- 1 named named  792 Mar 29 05:54 db.172.10.20.jnl
-rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
-rwxrwx--- 1 named named  362 Mar 28 13:41 db.dhcp.coloradostudios.com
-rw-r--r-- 1 named named  782 Mar 29 05:56 db.dhcp.coloradostudios.com.jnl
[root@dns04 slaves]#



[root@dns04 chroot]# rndc freeze
[root@dns04 chroot]# rndc thaw


[root@dns04 slaves]# ll
total 16
-rw-r--r-- 1 named named  433 Mar 29 05:58 db.172.10.20
-rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
-rw-r--r-- 1 named named  381 Mar 29 05:58 db.dhcp.coloradostudios.com
[root@dns04 slaves]#


[root@dns04 slaves]# cat db.172.10.20
$ORIGIN .
$TTL 86400      ; 1 day
20.10.172.in-addr.arpa  IN SOA  dns04.coloradostudios.com. sysmgr.hd.net. (
                                2013032605 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      dns04.den.coloradostudios.com.
$ORIGIN 20.10.172.in-addr.arpa.
$TTL 3600       ; 1 hour
101                     PTR     proccilap.dhcp.coloradostudios.com.


[root@dns04 slaves]# cat db.dhcp.coloradostudios.com
$ORIGIN .
$TTL 86400      ; 1 day
dhcp.coloradostudios.com IN SOA dns04.coloradostudios.com. sysmgr.axs.tv. (
                                2013032804 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      dns04.coloradostudios.com.
$ORIGIN dhcp.coloradostudios.com.
proccilap               A       171.10.20.101
[root@dns04 slaves]#


IPCONFIG /RELEASE & /RENEW DOES NOT WORK

Mar 29 06:10:33 dns04 dhcpd: Wrote 2 leases to leases file.
Mar 29 06:10:33 dns04 dhcpd: DHCPRELEASE of 172.10.20.101 from
00:0b:cd:33:b6:49 (proccilapxp) via eth1 (found)
Mar 29 06:10:43 dns04 dhcpd: DHCPDISCOVER from 00:0b:cd:33:b6:49 via eth1
Mar 29 06:10:44 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to
00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 29 06:10:44 dns04 dhcpd: Unable to add forward map from
dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
Mar 29 06:10:44 dns04 dhcpd: DHCPREQUEST for 172.10.20.101 (172.10.5.5)
from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
Mar 29 06:10:44 dns04 dhcpd: DHCPACK on 172.10.20.101 to 00:0b:cd:33:b6:49
(proccilapxp) via eth1





On Thu, Mar 28, 2013 at 2:26 PM, Jim Bucks wrote:

> Hi Jim,
>
> Shouldn't there be quotes around the key string in the named .conf file?
> I have quotes around mine in named.conf.  I do not have quotes around the
> key string in the dhcpd.conf.
>
> If this is correct, I've made sure they match (I was trying to
> "genericize" the key string before), but not any longer.
>
> After making sure the key strings match, I'm still getting the error
> "unable to add forward map" when I do a release & renew from a windows
> laptop.
> Here are the current (and live) config files.
>
> named.conf
> =
> /*
>  Sample named.conf BIND DNS server 'named' configuration file
>  for the Red Hat BIND distribution.
>
>  See the BIND Administrator's Reference Manual (ARM) for details, in:
>file:///usr/share/doc/bind-{
> version}/arm/Bv9ARM.html
>  Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
>  its manual.
> */
>
> acl stapleton_hosts {
> 127.0.0.1;
> 172.10.0.0/16;
> };
>
> options
> {
> // Put files that named is allowed to write in the data/ directory:
> directory "/var/named";// "Working" directory
> dump-file "data/cache_dump.db";
> statistics-file "data/named_stats.txt";
> memstatistics-file "data/named_mem_stats.txt";
> zone-statistics yes;
>
>
> /*
>   Specify listenning interfaces. You can use list of addresses (';' is
>   delimiter) or keywords "any"/"none"
> *

Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-29 Thread Steven Carr
On 29 March 2013 12:19, Jim Bucks  wrote:
> Any ideas (and yes, I did go over the "semicomplete" URL provided by
> "Alex").  The only difference I can see is that I used a 512 bit key vs the
> examples 128bit key. And, I'm using a slaves/ directory vs internal/
> directory for the "zones" files.

Have you tried taking some packet captures to see exactly what
communication is taking place between DHCP and DNS? Stepping back from
the config (assuming you think the configuration is as it should be)
then look to see why the update itself is timing out by inspecting the
communication.

I would also set the log levels in both DHCP and DNS to debug and go
through them thoroughly after testing.

Steve


Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-29 Thread Mark Elkins
Try using a simpler, shorter MD5 key.

I seem to remember that DHCP doesn't like non-MD5 keys (e.g. SHA).
There was also some sort of length bug? Try a 128-bit length.

On Fri, 2013-03-29 at 06:19 -0600, Jim Bucks wrote:
> After working on this some more overnight.  
> 
> I can add records interactively via nsupdate (as shown below).  But,
> cannot get the same results from an ipconfig /release & /renew from a
> workstation.  I am totally stumped at this point.
> 
> Any ideas (and yes, I did go over the "semicomplete" URL provided
> by "Alex").  The only difference I can see is that I used a 512 bit
> key vs the examples 128bit key. And, I'm using a slaves/ directory vs
> internal/ directory for the "zones" files.
> 
> Jim
> 
> 
> INTERACTIVE WORKS
> 
> [root@dns04 chroot]# nsupdate 
> > server 127.0.0.1
> > key DHCP_UPDATER TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==
> > update add 101.20.10.172.in-addr.arpa. 3600 in ptr
> proccilap.dhcp.coloradostudios.com.  
> > 
> > update add proccilap.dhcp.coloradostudios.com. 86400 a 171.10.20.101
> > 
> > 
> 
> [root@dns04 slaves]# ll
> total 24
> -rw-r--r-- 1 named named  400 Mar 28 15:08 db.172.10.20
> -rw-r--r-- 1 named named  792 Mar 29 05:54 db.172.10.20.jnl
> -rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
> -rwxrwx--- 1 named named  362 Mar 28 13:41 db.dhcp.coloradostudios.com
> -rw-r--r-- 1 named named  782 Mar 29 05:56
> db.dhcp.coloradostudios.com.jnl
> [root@dns04 slaves]# 
> 
> 
> 
> [root@dns04 chroot]# rndc freeze
> [root@dns04 chroot]# rndc thaw
> 
> 
> [root@dns04 slaves]# ll
> total 16
> -rw-r--r-- 1 named named  433 Mar 29 05:58 db.172.10.20
> -rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
> -rw-r--r-- 1 named named  381 Mar 29 05:58 db.dhcp.coloradostudios.com
> [root@dns04 slaves]# 
> 
> 
> [root@dns04 slaves]# cat db.172.10.20 
> $ORIGIN .
> $TTL 86400      ; 1 day
> 20.10.172.in-addr.arpa  IN SOA  dns04.coloradostudios.com. sysmgr.hd.net. (
>                                 2013032605 ; serial
>                                 10800      ; refresh (3 hours)
>                                 3600       ; retry (1 hour)
>                                 604800     ; expire (1 week)
>                                 86400      ; minimum (1 day)
>                                 )
>                         NS      dns04.den.coloradostudios.com.
> $ORIGIN 20.10.172.in-addr.arpa.
> $TTL 3600       ; 1 hour
> 101                     PTR     proccilap.dhcp.coloradostudios.com.
> 
> 
> [root@dns04 slaves]# cat db.dhcp.coloradostudios.com 
> $ORIGIN .
> $TTL 86400      ; 1 day
> dhcp.coloradostudios.com IN SOA dns04.coloradostudios.com. sysmgr.axs.tv. (
>                                 2013032804 ; serial
>                                 10800      ; refresh (3 hours)
>                                 3600       ; retry (1 hour)
>                                 604800     ; expire (1 week)
>                                 86400      ; minimum (1 day)
>                                 )
>                         NS      dns04.coloradostudios.com.
> $ORIGIN dhcp.coloradostudios.com.
> proccilap               A       171.10.20.101
> [root@dns04 slaves]# 
> 
> 
> IPCONFIG /RELEASE & /RENEW DOES NOT WORK
> 
> Mar 29 06:10:33 dns04 dhcpd: Wrote 2 leases to leases file.
> Mar 29 06:10:33 dns04 dhcpd: DHCPRELEASE of 172.10.20.101 from
> 00:0b:cd:33:b6:49 (proccilapxp) via eth1 (found)
> Mar 29 06:10:43 dns04 dhcpd: DHCPDISCOVER from 00:0b:cd:33:b6:49 via
> eth1
> Mar 29 06:10:44 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to
> 00:0b:cd:33:b6:49 (proccilapxp) via eth1
> Mar 29 06:10:44 dns04 dhcpd: Unable to add forward map from
> dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
> Mar 29 06:10:44 dns04 dhcpd: DHCPREQUEST for 172.10.20.101
> (172.10.5.5) from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
> Mar 29 06:10:44 dns04 dhcpd: DHCPACK on 172.10.20.101 to
> 00:0b:cd:33:b6:49 (proccilapxp) via eth1
> 
> 
> 
> 
> 
> On Thu, Mar 28, 2013 at 2:26 PM, Jim Bucks
>  wrote:
> Hi Jim,
> 
> Shouldn't there be quotes around the key string in the
> named .conf file?  I have quotes around mine in named.conf.  I
> do not have quotes around the key string in the dhcpd.conf.
> 
> If this is correct, I've made sure they match (I was trying to
> "genericize" the key string before), but not any longer.
> 
> After making sure the key strings match, I'm still getting the
> error "unable to add forward map" when I do a release & renew
> from a windows laptop.
> Here are the current (and live) config files.
> 
> named.conf
> =
> /*
>  Sample named.conf BIND DNS server 'named' configuration file
>  for the Red Hat BIND distribution.
> 
>  See the BIND Administrator's Reference Manual (ARM) for
> details, in:
>file:///usr/share/doc/bind-{
> vers

Understanding rndc referral statistics

2013-03-29 Thread M. Meadows
Question about rndc referral data. Running BIND 9.3 on an older nameserver and 
BIND 9.7 on a somewhat newer one. These 2 nameservers sit under a load balancer 
and get an equal number of queries. While examining rndc output on the 2 
nameservers I noticed that the older one does about 100 referrals for every 1 
that the newer nameserver does. Can anyone provide insight to explain why this 
may be happening? Does the newer rndc software calculate referrals differently? 
The older nameserver runs on Redhat 5.5. The newer one runs CentOS 5.8.

Thanks,
Marty


Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-29 Thread Jim Bucks
On Fri, Mar 29, 2013 at 6:39 AM, Mark Elkins  wrote:

> Try using a more simple MD5, short key.
>
> Seem to remember that DHCP doesn't like non-MD5 keys (eg SHA)
> There was also some sort of length bug? - try 128 bit length.
>
> On Fri, 2013-03-29 at 06:19 -0600, Jim Bucks wrote:
> > After working on this some more overnight.
> >
> > I can add records interactively via nsupdate (as shown below).  But,
> > cannot get the same results from an ipconfig /release & /renew from a
> > workstation.  I am totally stumped at this point.
> >
> > Any ideas (and yes, I did go over the "semicomplete" URL provided
> > by "Alex").  The only difference I can see is that I used a 512 bit
> > key vs the examples 128bit key. And, I'm using a slaves/ directory vs
> > internal/ directory for the "zones" files.
> >
> > Jim
> >
> >
> > INTERACTIVE WORKS
> > 
> > [root@dns04 chroot]# nsupdate
> > > server 127.0.0.1
> > > key DHCP_UPDATER TrlaHSJXel+L5hqtfev5Gdlwj7B+HqcXQiqXMdZ/8mGXhznkRXf6yMDaQ9rXbx45gFgVpW7PFRHXGsZfUKrFlw==
> > > update add 101.20.10.172.in-addr.arpa. 3600 in ptr
> > proccilap.dhcp.coloradostudios.com.
> > >
> > > update add proccilap.dhcp.coloradostudios.com. 86400 a 171.10.20.101
> > >
> > >
> >
> > [root@dns04 slaves]# ll
> > total 24
> > -rw-r--r-- 1 named named  400 Mar 28 15:08 db.172.10.20
> > -rw-r--r-- 1 named named  792 Mar 29 05:54 db.172.10.20.jnl
> > -rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
> > -rwxrwx--- 1 named named  362 Mar 28 13:41 db.dhcp.coloradostudios.com
> > -rw-r--r-- 1 named named  782 Mar 29 05:56
> > db.dhcp.coloradostudios.com.jnl
> > [root@dns04 slaves]#
> >
> >
> >
> > [root@dns04 chroot]# rndc freeze
> > [root@dns04 chroot]# rndc thaw
> >
> >
> > [root@dns04 slaves]# ll
> > total 16
> > -rw-r--r-- 1 named named  433 Mar 29 05:58 db.172.10.20
> > -rwxrwx--- 1 named named 7346 Feb 15 09:06 db.den.coloradostudios.com
> > -rw-r--r-- 1 named named  381 Mar 29 05:58 db.dhcp.coloradostudios.com
> > [root@dns04 slaves]#
> >
> >
> > [root@dns04 slaves]# cat db.172.10.20
> > $ORIGIN .
> > $TTL 86400      ; 1 day
> > 20.10.172.in-addr.arpa  IN SOA  dns04.coloradostudios.com. sysmgr.hd.net. (
> >                                 2013032605 ; serial
> >                                 10800      ; refresh (3 hours)
> >                                 3600       ; retry (1 hour)
> >                                 604800     ; expire (1 week)
> >                                 86400      ; minimum (1 day)
> >                                 )
> >                         NS      dns04.den.coloradostudios.com.
> > $ORIGIN 20.10.172.in-addr.arpa.
> > $TTL 3600       ; 1 hour
> > 101                     PTR     proccilap.dhcp.coloradostudios.com.
> >
> >
> > [root@dns04 slaves]# cat db.dhcp.coloradostudios.com
> > $ORIGIN .
> > $TTL 86400      ; 1 day
> > dhcp.coloradostudios.com IN SOA dns04.coloradostudios.com. sysmgr.axs.tv. (
> >                                 2013032804 ; serial
> >                                 10800      ; refresh (3 hours)
> >                                 3600       ; retry (1 hour)
> >                                 604800     ; expire (1 week)
> >                                 86400      ; minimum (1 day)
> >                                 )
> >                         NS      dns04.coloradostudios.com.
> > $ORIGIN dhcp.coloradostudios.com.
> > proccilap               A       171.10.20.101
> > [root@dns04 slaves]#
> >
> >
> > IPCONFIG /RELEASE & /RENEW DOES NOT WORK
> >
> 
> > Mar 29 06:10:33 dns04 dhcpd: Wrote 2 leases to leases file.
> > Mar 29 06:10:33 dns04 dhcpd: DHCPRELEASE of 172.10.20.101 from
> > 00:0b:cd:33:b6:49 (proccilapxp) via eth1 (found)
> > Mar 29 06:10:43 dns04 dhcpd: DHCPDISCOVER from 00:0b:cd:33:b6:49 via
> > eth1
> > Mar 29 06:10:44 dns04 dhcpd: DHCPOFFER on 172.10.20.101 to
> > 00:0b:cd:33:b6:49 (proccilapxp) via eth1
> > Mar 29 06:10:44 dns04 dhcpd: Unable to add forward map from
> > dhcp-172-10-20-101.coloradostudios.com to 172.10.20.101: timed out
> > Mar 29 06:10:44 dns04 dhcpd: DHCPREQUEST for 172.10.20.101
> > (172.10.5.5) from 00:0b:cd:33:b6:49 (proccilapxp) via eth1
> > Mar 29 06:10:44 dns04 dhcpd: DHCPACK on 172.10.20.101 to
> > 00:0b:cd:33:b6:49 (proccilapxp) via eth1
> >
>

Hi Mark (and Steven Carr),

I just noticed (it has been there all along) that the subdomain is not
showing up in the "automated" unable-to line:
I want it to add dhcp-172-10-20-101.dhcp.coloradostudios.com
but it's trying to add dhcp-172-10-20-101.coloradostudios.com

I'm not seeing much of a difference in the output / log files.

I added OPTIONS="-4 -d 99" to my /etc/sysconfig/named file.

I added log-facility local0; to my /etc/dhcpd.conf file.

I added local0.debug /var/log/dhcp/dhcpd.log to my /etc/rsyslog.conf
(and killall -1 rsyslogd).

I also started a tcpdump on the DNS /DHCP server.


/var/log/messages
Mar 29 08:00:44 dns04 named-sdb[9007]: received control channel command
'stop'
Mar 29 08:00:44 dns04 named-sdb[9007]: shutting down: flushing cha

RE: Understanding rndc referral statistics

2013-03-29 Thread M. Meadows
Thinking about this ... perhaps this is more to do with the behavior of BIND 
9.3 versus BIND 9.7. Did the referral mechanism change? Here are my thoughts on 
the subject:

Nameserver A is the authority for zone1.com and it is the authority for 
sub.zone1.com. Sub.zone1.com is delegated from zone1.com. If a query comes to 
nameserver A from a resolver asking for info about host.sub.zone1.com and the 
nameserver looks in zone1.com and sees the delegation of sub.zone1.com, an 
inefficient method of handling the query would be to pass back a referral to 
sub.zone1.com (which just points back at itself). But that would work and would 
result in a referral. In a more efficient application ... the nameserver would 
recognize that the delegated authority for sub.zone1.com is ... itself. It 
would complete the query of host.sub.zone1.com and return an answer instead of 
a referral. Am I on the right track with this or just wasting my time with wild 
and inaccurate speculation?


From: sun-g...@live.com
To: bind-users@lists.isc.org
Subject: Understanding rndc referral statistics
Date: Fri, 29 Mar 2013 09:29:13 -0400




Question about rndc referral data. Running BIND 9.3 on an older nameserver and 
BIND 9.7 on a somewhat newer one. These 2 nameservers sit under a load balancer 
and get an equal number of queries. While examining rndc output on the 2 
nameservers I noticed that the older one does about 100 referrals for every 1 
that the newer nameserver does. Can anyone provide insight to explain why this 
may be happening? Does the newer rndc software calculate referrals differently? 
The older nameserver runs on Redhat 5.5. The newer one runs CentOS 5.8.

Thanks,
Marty

  


Re: Precautions for upgrading from 9.7.7 to 9.9.2-P2

2013-03-29 Thread Lawrence K. Chen, P.Eng.


- Original Message -
> 
> In message <22783305.318587.1364508740276.javamail.r...@k-state.edu>,
> "Lawrence
>  K. Chen, P.Eng." writes:
> > Hmmm, I forget just what all I muttered when I upgraded from 9.7 to
> > 9.9.2-P1.
> >   I think the main beef I had was doing it the day before I left
> >   for LISA'12.
> > ... guess I didn't join this list until around that time.
> > 
> > As I recall... the main thing that tripped me up was the change in
> > empty-zones behavior.  It needs to be explicitly disabled (either totally
> > or just for the zones you use).
> 
> Which is only an issue if you have a forward "zone" below an empty
> zone without an intervening master/slave/stub zone.
> 
> As I have stated before, forward zones were designed for two purposes.
> * performance increases by accessing a centralised cache
> * work around firewall issues
> 
> Forward zones were not designed to graft on internal namespaces.
> That they sometimes succeed at doing this is down to good luck.
> Forward zones work by redirecting where a recursing request is sent.
> They do not create a delegation in zones loaded onto the nameserver.
> 
> Basic zone management (master/slave zones) is capable of grafting
> on namespaces, and if you don't want to have a full zone transferred
> to slaves then stub zones were designed to allow you to graft on a
> namespace.

But, before 9.9, the default behavior was all empty zones except RFC1918.  In 
9.9, the default behavior became all empty zones including RFC1918.

Plus the forward zones that I have are only for forward DNS lookups.  The 
(windows) servers are in a tightly firewalled vlan...so that insecure processes 
can continue until somebody gets around to securing them.  Seems the admin 
assigned to fix that either gets fired or quits.  But, the hosts in those 
subdomains aren't confined to defined subnet(s)...so there are just 
master/slave zone definitions for our IP spaces.

Though there's a subset of caching servers that have forwards to direct 
zen.spamhaus.org/dbl.spamhaus.org lookups to our rbldnsd server

And, the forward zone definitions are at the end of my configuration file, so 
after all the master and slave zone blocks.

All the RFC1918 address are covered by master/slave zone definitions on my DNS 
servers.

> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
> 

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library


Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-29 Thread Jim Bucks
On Fri, Mar 29, 2013 at 10:02 AM, Steven Carr  wrote:

> On 29 March 2013 14:57, Jim Bucks  wrote:
> > I just noticed (has been there all along), that the subdomain is not
> showing
> > up in the "automated" unable to line.
> >  I want it to add dhcp-172-10-20-101.dhcp.coloradostudios.com
> >   but it's trying to add dhcp-172-10-20-101.coloradostudios.com
>
> So by default (someone can correct me if I'm wrong) DHCPD will use the
> domain-name that you have configured in DHCP for the client (or will
> failback to the domain-name the client sends you if it doesn't exist).
> You can override this by specifying the following in the pool
> configuration:
> ddns-domainname "dhcp.coloradostudios.com";
>
> Steve
>


THAT DID IT!

Thank you ALL for the hints & pointers!  It was good to get back into the
gory details of something "real".

Now, to get my other views & zones put back in to the named configuration.

Jim


-- 
Jim Bucks - IT Director
Colorado Studios , Mobile TV
Group,
HDNet , AXS.tv 
8269 E. 23rd Ave. Denver, CO 80238 Main  303-388-8500
jbu...@coloradostudios.comDirect 303-542-5520

Re: Forward First on Master Zone (bypass SOA)

2013-03-29 Thread Matus UHLAR - fantomas

On Mar 28, 2013, at 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:

I've spent hours researching a way to accomplish this without any luck.
Is there any way to accomplish what I'm trying to do?


No, not unless you want to monkey around with static zones and $INCLUDE 
directives -- something like this:


On 28.03.13 17:00, Ben-Eliezer, Tal (ITS) wrote:

Hi Chris, this looks interesting, I'll do some testing and report back!


Note that this way you won't maintain two copies of the same file, but three
different files and with each change you'll have to choose where to put
it...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
One OS to rule them all, One OS to find them, 
One OS to bring them all and into darkness bind them 


Re: Looking for a pointer on getting reverse mapping with DDNS to work with DHCPD & Named.

2013-03-29 Thread Doug Barton

On 03/29/2013 05:39 AM, Mark Elkins wrote:

Try using a more simple MD5, short key.

Seem to remember that DHCP doesn't like non-MD5 keys (eg SHA)
There was also some sort of length bug? - try 128 bit length.


The ARM explains this correctly. It has to be HMAC-MD5, but the 512 
length is just fine.


Doug

___
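Two points settle the DDNS thread above: Steven Carr's `ddns-domainname` fix (without it dhcpd built the forward name from the client's `option domain-name`, so the update went to `dhcp-172-10-20-101.coloradostudios.com` instead of the `dhcp.` subdomain that the zone stanzas and the BIND zone actually cover) and Doug Barton's note that the TSIG key must be HMAC-MD5 while a 512-bit key is fine. The shell script below is an added example, not code from the thread or from ISC: it writes a constructed dhcpd.conf (zone, key and domain names taken from the thread; the secret is a placeholder and the subnet values are made up) in a broken and a fixed form, and runs a pre-flight check that flags both mistakes before anyone starts a release/renew cycle.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): pre-flight check for an ISC
# dhcpd.conf that sends dynamic updates to BIND. Names come from the thread,
# the secret is a placeholder, subnet/range values are constructed.

# Write a constructed dhcpd.conf to $1; $2 = "broken" (no ddns-domainname) or "fixed".
write_sample_dhcpd_conf() {
  cat > "$1" <<'EOF'
ddns-update-style interim;
ddns-updates on;

key DHCP_UPDATER {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-TSIG-SECRET==";
}

zone dhcp.coloradostudios.com. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}

zone 20.10.172.in-addr.arpa. {
    primary 127.0.0.1;
    key DHCP_UPDATER;
}

subnet 172.10.20.0 netmask 255.255.255.0 {
    range 172.10.20.100 172.10.20.200;
    option domain-name "coloradostudios.com";
EOF
  if [ "$2" = fixed ]; then
    # The fix from the thread: tell dhcpd which subdomain the forward names live in.
    printf '    ddns-domainname "dhcp.coloradostudios.com.";\n' >> "$1"
  fi
  printf '}\n' >> "$1"
}

# First quoted value of a dhcpd.conf parameter ($1) in file $2, or nothing.
conf_value() {
  sed -n 's/^[[:space:]]*'"$1"'[[:space:]]*"\([^"]*\)".*/\1/p' "$2" | head -n 1
}

# Print findings; return 0 when the config is consistent, 1 otherwise.
check_ddns_conf() {
  conf=$1
  rc=0
  if ! grep -qE '^[[:space:]]*ddns-updates[[:space:]]+on;' "$conf"; then
    echo "ddns-updates is not on"; rc=1
  fi
  # dhcpd builds <hostname>.<ddns-domainname>; without ddns-domainname it falls
  # back to option domain-name, which produced the wrong name in the thread.
  dom=$(conf_value ddns-domainname "$conf")
  if [ -z "$dom" ]; then
    dom=$(conf_value 'option domain-name' "$conf")
    echo "no ddns-domainname; forward updates will target '$dom'"; rc=1
  fi
  dom=${dom%.}
  # There must be a zone stanza for that domain, or dhcpd has no server/key for it.
  if ! grep -qE "^[[:space:]]*zone[[:space:]]+${dom}\.?[[:space:]]*[{]" "$conf"; then
    echo "no zone stanza for '$dom'"; rc=1
  fi
  # dhcpd's TSIG support is HMAC-MD5 only; key length is not the problem.
  if ! grep -qiE '^[[:space:]]*algorithm[[:space:]]+hmac-md5' "$conf"; then
    echo "key algorithm is not hmac-md5"; rc=1
  fi
  return $rc
}

# Usage: sh check_ddns.sh /etc/dhcpd.conf
if [ "${1:-}" ]; then
  check_ddns_conf "$1"
fi
```

Run against the broken sample the check reports both the missing `ddns-domainname` and the absence of a `zone coloradostudios.com.` stanza; against the fixed one it is silent. It only covers the consistency points raised in the thread; syntax errors are still the job of `dhcpd -t -cf <file>` and, on the BIND side, `named-checkconf`.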


Re: Forward First on Master Zone (bypass SOA)

2013-03-29 Thread Lawrence K. Chen, P.Eng.

- Original Message -
> On Mar 28, 2013, at 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:
> 
> > I’ve spent hours researching a way to accomplish this without any
> > luck. Is there any way to accomplish what I’m trying to do?
> 
> No, not unless you want to monkey around with static zones and
> $INCLUDE directives -- something like this:
> 
> Internal zone file:
> 
> $INCLUDE internal.zone.apex
> $INCLUDE example.com.common-records
> $TTL 86400
> some.internal.host   A   192.0.2.1
> [...]
> 
> External zone file:
> 
> $INCLUDE external.zone.apex
> $INCLUDE example.com.common-records
> $TTL 86400
> some.external.host   A   192.0.2.254
> [...]
> 
> where the *.zone.apex files look something like this:
> 
> $TTL 86400
> @ SOA [... 7 data fields ...]
>   NS  ns1.example.com.
>   NS  ns2.example.com.
>   MX  10 mx1.example.com.
> 
> This way, you mostly maintain 3 files of DNS records for the zone --
> external, internal, and common. Note that this is not compatible
> with dynamic zones.
> 
> If you need to support dynamic zones (and who doesn't, these days?),
> you're out of luck.
> 
> Chris Buxton
> BlueCat Networks

I/we maintain a 'single' zone file (with help of subversion/cfengine) which is 
then processed into 4 different zone files through a Makefile on my master 
nameserver.

Basically, the as-is zone file is the external view state.

All the internal (campus) view lines/$includes are prefixed with:

;CAMPUS;

where sed removes those comments to generate the 'campus' view zone file.

Then there are lines that will have different comments after the line.

One is ;GUEST_NETWORK and another is ;DISASTER_RECOVERY.

A sed script will replace the IP part of ;GUEST_NETWORK lines with the IP of a static 
page informing the user that the resource is available from the guest network. 
(This is for services where we couldn't have the service owner do this 
within their application.)  And ;DISASTER_RECOVERY replaces the IP with the IP 
of the server at our DR site, with the intent that the result is sent by 
alternate means to our off-campus secondaries, where they can switch to using 
this file, etc.  Due to DNSSEC, we have to generate a DR version of our zone 
file (instead of having the secondary edit the transferred file and present that).

These are also based off the external view (since internal services aren't 
exposed to the guest network, and DR is an alternate external).

All the different zone files are signed using dnssec-signzone with the '-N 
unixtime' option to avoid serial number issues (especially now that I'm not 
the only one handling DNS requests).

Before split-DNS, we had created our own TLD ... but the problem with that was 
we couldn't buy SSL certificates for these services, and there was no interest 
in having our users accept self-signed certs or in adding a private CA to 
everything, so the TLD became a subdomain that was only in the internal 
view (originally)... though later I added a stub in the external view to publish 
an MX record so that users/apps sending mail without setting a correct from 
address would still work. (Sure, I've told people they need to do this lots of 
times... but then an important app was upgraded and the setting was lost, but it 
needed to work anyway.)

Though there were some issues with the stub, which were helped by upgrading to bind 
9.9 wildcards and DNSSEC :)

Fortunately, I don't have to support dynamic zones on the central server; it's 
a delegated subdomain.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
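Lawrence Chen's comment-tag scheme above (a `;CAMPUS;` prefix that is stripped for the campus view, and `;GUEST_NETWORK` / `;DISASTER_RECOVERY` suffixes whose address is rewritten for the guest and DR views) reduces to a few lines of sed. The script below is an added example, not his Makefile: the tag names are taken from his post, while the sample records, `GUEST_PAGE_IP` and `DR_IP` are constructed.

```shell
#!/bin/sh
# Added example (not Lawrence Chen's own Makefile/sed script): regenerate the
# per-view zone files from one master file using the comment tags his post
# describes. Tag names are from the post; records and addresses are made up.

GUEST_PAGE_IP="192.0.2.80"      # assumed: static "not available from the guest network" page
DR_IP="198.51.100.10"           # assumed: the same service at the DR site

# Constructed master zone. As-is it is the external view: the ;CAMPUS; lines
# are comments to BIND, and so are the trailing ;GUEST_NETWORK / ;DISASTER_RECOVERY tags.
write_master_zone() {
  cat > "$1" <<'EOF'
$TTL 86400
@         IN SOA  ns1.example.com. hostmaster.example.com. ( 2013032901 10800 3600 604800 86400 )
          IN NS   ns1.example.com.
www       IN A    192.0.2.10
portal    IN A    192.0.2.20  ;GUEST_NETWORK
mail      IN A    192.0.2.30  ;DISASTER_RECOVERY
;CAMPUS;intranet  IN A    10.1.1.5
;CAMPUS;$INCLUDE campus-only.zone
EOF
}

# External view: the master file unchanged.
gen_external() { cat "$1"; }

# Campus view: strip the ;CAMPUS; prefix so those lines become live records / $INCLUDEs.
gen_campus() { sed 's/^;CAMPUS;//' "$1"; }

# Replace the address that precedes a given tag, only on lines ending in that tag.
# $1 = tag (without the leading ';'), $2 = replacement address, $3 = zone file.
swap_tagged_a() {
  sed 's/[0-9][0-9.]*\([[:space:]]*;'"$1"'\)$/'"$2"'\1/' "$3"
}

# Guest-network and DR views are both derived from the external view, as in the post.
gen_guest() { swap_tagged_a GUEST_NETWORK "$GUEST_PAGE_IP" "$1"; }
gen_dr()    { swap_tagged_a DISASTER_RECOVERY "$DR_IP" "$1"; }

# Write all four files next to the master, mirroring a Makefile target.
gen_all() {
  master=$1
  gen_external "$master" > "$master.external"
  gen_campus   "$master" > "$master.campus"
  gen_guest    "$master" > "$master.guest"
  gen_dr       "$master" > "$master.dr"
}

# Usage: sh gen_views.sh /path/to/example.com.zone  (writes the sample master, then the views)
if [ "${1:-}" ]; then
  write_master_zone "$1"
  gen_all "$1"
  echo "generated $1.external $1.campus $1.guest $1.dr"
fi
```

Each generated file would then go through `dnssec-signzone -N unixtime` as the post describes. The tags survive in the output as ordinary `;` comments, so the files load unchanged, and because the external file is the source of truth a campus-only record cannot end up in the external, guest or DR copies unless its `;CAMPUS;` prefix is removed by hand, which is the property worth checking in a split-horizon setup.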