Stalling slave transfers

2013-05-08 Thread Tom Sommer

Hi,

I have a problem with one of 3 slave servers, all set up the exact same 
way, with the exact same bind version and configuration.


One slave has a problem transferring zones from the master.

The logfiles are flooded with "received notify for zone" .. "refresh in 
progress, refresh check queued" lines and "rndc status" returns a 
constant high number of "soa queries in progress".
After a few hours the zones are transferred, so the connection to the 
master is working, but there is a major delay. I tried resetting the 
slave and transferring ALL slave zones again, which worked fine 
instantly. The problem still appeared again after a few hours though.


The master has three network-paths, one on external IP, one on internal 
IP and one on IPv6. All 3 paths work fine, because the transfers happen 
after an hour or so.


There are no hints in the master's log.
The other two slaves are running perfectly, no errors or delays 
whatsoever.


Bind version 9.9.2-P2 (recently upgraded to).

Any hints would be appreciated, as I feel like I've exhausted most 
options.


Thank you.
--
Tom Sommer
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
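
An added example (not part of the original post) for triaging the symptom described above: it counts, per zone, the two log messages quoted in the post and flags zones whose refresh checks keep being queued over a long window. The sample lines, their timestamp prefix, addresses and zone names are constructed, and `summarize` and `stalled_zones` are hypothetical helper names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines built around the two messages quoted in the post.
# The timestamp prefix, addresses and zone names are assumptions for this example.
SAMPLE_LOG = """\
08-May-2013 08:00:01.120 client 192.0.2.10#53211: received notify for zone 'example.com'
08-May-2013 08:00:01.121 zone example.com/IN: notify from 192.0.2.10#53211: refresh in progress, refresh check queued
08-May-2013 08:01:10.004 client 192.0.2.10#53211: received notify for zone 'example.net'
08-May-2013 08:02:30.500 client 192.0.2.10#53211: received notify for zone 'example.org'
08-May-2013 08:02:30.501 zone example.org/IN: notify from 192.0.2.10#53211: refresh in progress, refresh check queued
08-May-2013 08:20:44.310 client 192.0.2.10#53211: received notify for zone 'example.com'
08-May-2013 08:20:44.311 zone example.com/IN: notify from 192.0.2.10#53211: refresh in progress, refresh check queued
08-May-2013 09:05:09.870 client 192.0.2.10#53211: received notify for zone 'example.com'
08-May-2013 09:05:09.871 zone example.com/IN: notify from 192.0.2.10#53211: refresh in progress, refresh check queued
"""

NOTIFY_RE = re.compile(r"received notify for zone '([^']+)'")
QUEUED_RE = re.compile(r"zone (\S+?)/\w+: .*refresh in progress, refresh check queued")
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"  # assumed timestamp layout of the sample lines


def summarize(lines):
    """Count notifies and queued refresh checks per zone, with the queued time span."""
    stats = defaultdict(lambda: {"notifies": 0, "queued": 0, "first": None, "last": None})
    for line in lines:
        notify = NOTIFY_RE.search(line)
        queued = QUEUED_RE.search(line)
        if not (notify or queued):
            continue
        zone = (notify or queued).group(1).rstrip(".").lower()
        entry = stats[zone]
        if notify:
            entry["notifies"] += 1
            continue
        entry["queued"] += 1
        try:
            stamp = datetime.strptime(" ".join(line.split()[:2]), TS_FORMAT)
        except ValueError:
            continue  # unparseable timestamp: the event is counted but not timed
        entry["first"] = entry["first"] or stamp
        entry["last"] = stamp
    return dict(stats)


def stalled_zones(stats, min_queued=3, min_span=timedelta(minutes=30)):
    """Zones whose refresh checks were queued repeatedly over a long window."""
    stalled = []
    for zone, entry in stats.items():
        if entry["queued"] < min_queued or entry["first"] is None:
            continue
        if entry["last"] - entry["first"] >= min_span:
            stalled.append(zone)
    return sorted(stalled)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for zone in stalled_zones(report):
        e = report[zone]
        print(f"{zone}: {e['queued']} queued refresh checks over {e['last'] - e['first']}")
```

Comparing the flagged zones across all three slaves shows whether the backlog is tied to particular zones or to the one server as a whole.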


Re: Stalling slave transfers

2013-05-08 Thread Cathy Almond
On 08/05/13 08:26, Tom Sommer wrote:
> Hi,
> 
> I have a problem with one of 3 slave servers, all set up the exact same
> way, with the exact same bind version and configuration.
> 
> One slave has a problem transferring zones from the master.
> 
> The logfiles are flooded with "received notify for zone" .. "refresh in
> progress, refresh check queued" lines and "rndc status" returns a
> constant high number of "soa queries in progress".
> After a few hours the zones are transferred, so the connection to the
> master is working, but there is a major delay. I tried resetting the
> slave and transferring ALL slave zones again, which worked fine
> instantly. The problem still appeared again after a few hours though.
> 
> The master has three network-paths, one on external IP, one on internal
> IP and one on IPv6. All 3 paths work fine, because the transfers happen
> after an hour or so.
> 
> There are no hints in the master's log.
> The other two slaves are running perfectly, no errors or delays
> whatsoever.
> 
> Bind version 9.9.2-P2 (recently upgraded to).
> 
> Any hints would be appreciated, as I feel like I've exhausted most options.
> 
> Thank you.

Have a look at this KB article (you'll need to register to view - but
registration is open to all):

https://kb.isc.org/article/AA-00726/30/Tuning-your-BIND-configuration-effectively-for-zone-transfers-particularly-with-many-frequently-updated-zones.html

Also - and this isn't covered in that article (yet) - if you're using
views, then use-alt-transfer-source defaults to 'yes'.  You might want
to set it explicitly to 'no' or to define alt-transfer-source
and/or alt-transfer-source-v6.


Re: Classless PTR query issue

2013-05-08 Thread Michael Varre
On Tuesday, May 7, 2013 9:06:53 PM UTC-4, Doug Barton wrote:
> On 05/07/2013 01:50 PM, Matus UHLAR - fantomas wrote:
> > On 07.05.13 11:06, Michael Varre wrote:
> >> So interestingly they did give me their setup and this is their
> >> response, and my warm and fuzzy feeling continues to go out the window:
> >>
> >> They use SimpleDNS
> >> Record Name: 65.246.59.108.in-addr.arpa
> >> DNS Server (FQDN): dns1.kishmish.com.
> >> TTL: 1 Hour
> >
> >> I'd imagine this is wrong since 65 is my starting IP rather than my
> >> network IP, which is 64.
> >
> > they use that sucking djbdns-like way of delegating zones.
> > Instead of creating one zone and pointing 16 CNAMEs into it, they want you
> > to create 16 zones.
> >
> > Advise them to read RFC 2317 and do things right way.
>
> https://dougbarton.us/DNS/2317.html

I sent them the RFC yesterday and even sent them the KB article from 
SimpleDNS.com but I think they still have something done incorrectly.  It's 
amazing how large hosts take proper DNS administration for granted these days.

I don't have time to teach them how to do this anymore, so unfortunately I 
think I'm going to throw in the towel and just have them create the PTR records 
for me...right now I just need them to resolve!

Thanks everyone for your input. I will reference this thread for them in the 
next few weeks if I'm able to find someone able to make the proper changes.


resolver, search command....

2013-05-08 Thread John Williams
my resolv.conf looks  like

nameserver 10.10.10.10
nameserver 10.10.10.20
search path1.mydomain.com path2.mydomain.com

I would expect if I type the following:

dig myhost

It would search for that host in path1 or path2 listed above.  It does not, a 
+trace shows the resolver querying the root servers for myhost.  So it appears 
the search command does not work in environment.

[root@server1 # dig myhost +trace

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> myhost +trace
;; global options: +cmd
.            98386    IN    NS    k.root-servers.net.
.            98386    IN    NS    m.root-servers.net.
.            98386    IN    NS    b.root-servers.net.
.            98386    IN    NS    i.root-servers.net.
.            98386    IN    NS    e.root-servers.net.
.            98386    IN    NS    f.root-servers.net.
.            98386    IN    NS    a.root-servers.net.
.            98386    IN    NS    d.root-servers.net.
.            98386    IN    NS    j.root-servers.net.
.            98386    IN    NS    c.root-servers.net.
.            98386    IN    NS    g.root-servers.net.
.            98386    IN    NS    l.root-servers.net.
.            98386    IN    NS    h.root-servers.net.
;; Received 512 bytes from 10.176.156.20#53(10.16.16.20) in 9 ms

^C[root@server1]# vi /etc/resolv.conf ^C


Any idea why?  Thanks in advance...

Re: resolver, search command....

2013-05-08 Thread Matthew Horsfall (alh)
On 05/08/2013 10:32 AM, John Williams wrote:
> my resolv.conf looks  like
> 
> nameserver 10.10.10.10
> nameserver 10.10.10.20
> search path1.mydomain.com path2.mydomain.com
> 
> I would expect if I type the following:
> 
> dig myhost

You want dig +search myhost

By default it ignores the searchlist in /etc/resolv.conf.

-- Matthew Horsfall (alh)


Re: resolver, search command....

2013-05-08 Thread Chris Thompson

On May 8 2013, John Williams wrote:

> my resolv.conf looks like
>
> nameserver 10.10.10.10
> nameserver 10.10.10.20
> search path1.mydomain.com path2.mydomain.com
>
> I would expect if I type the following:
>
> dig myhost
>
> It would search for that host in path1 or path2 listed above.  It does not,
> a +trace shows the resolver querying the root servers for myhost.
> So it appears the search command does not work in environment.
>
> [root@server1 # dig myhost +trace
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> myhost +trace
> ;; global options: +cmd
> .            98386    IN    NS    k.root-servers.net.
> .            98386    IN    NS    m.root-servers.net.
> .            98386    IN    NS    b.root-servers.net.
> .            98386    IN    NS    i.root-servers.net.
> .            98386    IN    NS    e.root-servers.net.
> .            98386    IN    NS    f.root-servers.net.
> .            98386    IN    NS    a.root-servers.net.
> .            98386    IN    NS    d.root-servers.net.
> .            98386    IN    NS    j.root-servers.net.
> .            98386    IN    NS    c.root-servers.net.
> .            98386    IN    NS    g.root-servers.net.
> .            98386    IN    NS    l.root-servers.net.
> .            98386    IN    NS    h.root-servers.net.
> ;; Received 512 bytes from 10.176.156.20#53(10.16.16.20) in 9 ms

[Presumably 10.16.16.20 is in your resolv.conf, rather than what you
said above.]

> ^C[root@server1]# vi /etc/resolv.conf ^C
>
> Any idea why?  Thanks in advance...


You are (probably) under two misapprehensions. First, dig does not use
the search path by default - you have to use the +search option for that.
See the man page.

Secondly, +trace always goes to the root nameservers and works its way
down from there. That's what it is intended for - it's not some sort
of debugging option as you seem to think. The only thing it uses the
nameservers specified in resolv.conf, or by an @ option, for is to look
up the nameservers for "." to get it started.

It isn't actually useful to combine +trace and +search - dig could start
all over again with the search path(s) added after a "negative" result,
but it doesn't.

--
Chris Thompson
Email: c...@cam.ac.uk
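
The difference discussed in this thread, as an added example that is not part of any poster's message: it parses the resolv.conf shown above and lists the names queried when the search list is honoured, next to the single name queried when it is ignored (dig without +search). The ordering rule modelled here is the conventional stub-resolver one with `ndots` defaulting to 1, which is an assumption about the local resolver; the function names are hypothetical.

```python
# Constructed sample, matching the resolv.conf shown in the thread.
RESOLV_CONF = """\
# constructed sample for this example
nameserver 10.10.10.10
nameserver 10.10.10.20
search path1.mydomain.com path2.mydomain.com
"""


def parse_resolv_conf(text):
    """Extract nameservers, the search list and ndots from resolv.conf text."""
    conf = {"nameservers": [], "search": [], "ndots": 1}
    for raw in text.splitlines():
        # Drop comments, then split the directive into keyword and arguments.
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword == "nameserver" and args:
            conf["nameservers"].append(args[0])
        elif keyword in ("search", "domain"):
            # The last search/domain line replaces any earlier one.
            conf["search"] = [d.rstrip(".").lower() for d in args]
        elif keyword == "options":
            for opt in args:
                if opt.startswith("ndots:") and opt[6:].isdigit():
                    conf["ndots"] = min(int(opt[6:]), 15)
    return conf


def search_candidates(name, conf):
    """Names tried, in order, when the search list is honoured."""
    if name.endswith("."):
        return [name]  # already fully qualified: no expansion
    absolute = name + "."
    expanded = [f"{name}.{domain}." for domain in conf["search"]]
    if name.count(".") >= conf["ndots"]:
        return [absolute] + expanded  # enough dots: try the name as typed first
    return expanded + [absolute]      # short name: search domains first


def dig_default_candidates(name):
    """Without +search the name is queried exactly as typed, as an absolute name."""
    return [name if name.endswith(".") else name + "."]


if __name__ == "__main__":
    conf = parse_resolv_conf(RESOLV_CONF)
    print("search list honoured:", search_candidates("myhost", conf))
    print("search list ignored: ", dig_default_candidates("myhost"))
```

The trailing `myhost.` entry is the bare single-label query; with the search list ignored it is the only name asked, which is why the lookup in the thread never reached path1 or path2.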


architecture question

2013-05-08 Thread Jeremy P
I am building a lab environment where there are several separate domains,
all of them ending in .local

I've setup a server for the .local TLD, but I'm undecided (or perhaps
ignorant) as to the best way to have the individual domains (domain1.local,
domain2.local, etc) refer to the local zone on my TLD server.  Currently
I've also created a root server and set the root hints on domain1.local's
dns server to refer to it.  This works for local resolution, but this means
that domain1.local can't perform Internet lookups.

Thanks for any help,
Jeremy

Re: resolver, search command....

2013-05-08 Thread Evan Hunt
> dig myhost

By default dig only uses fully qualified domain names. "dig +search"
does what you want.

> It would search for that host in path1 or path2 listed above. It does
> not, a +trace shows the resolver querying the root servers for myhost.
> So it appears the search command does not work in environment.
> 
> [root@server1 # dig myhost +trace

...but "dig +trace" behaves completely differently, searching for the
name from the root zone down and never touching the local resolver at
all, so this would have queried the root server even if you'd used a
FQDN.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: resolver, search command....

2013-05-08 Thread Sten Carlsen
You probably want to use host myhost, that does use the resolv.conf as
the system normally would. And it works better than nslookup.

On 08/05/13 16:56, Evan Hunt wrote:
>> dig myhost
> By default dig only uses fully qualified domain names. "dig +search"
> does what you want.
>
>> It would search for that host in path1 or path2 listed above. It does
>> not, a +trace shows the resolver querying the root servers for myhost.
>> So it appears the search command does not work in environment.
>>
>> [root@server1 # dig myhost +trace
> ...but "dig +trace" behaves completely differently, searching for the
> name from the root zone down and never touching the local resolver at
> all, so this would have queried the root server even if you'd used a
> FQDN.
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: architecture question

2013-05-08 Thread Steven Carr
Enable recursion on your .local TLD server and point the domain1.local
server to that server for DNS. Recursion will handle any internet
queries and as .local is authoritative it will provide responses when
queried.

On 8 May 2013 15:56, Jeremy P  wrote:
> I am building a lab environment where there are several separate domains,
> all of them ending in .local
>
> I've setup a server for the .local TLD, but I'm undecided (or perhaps
> ignorant) as to the best way to have the individual domains (domain1.local,
> domain2.local, etc) refer to the local zone on my TLD server.  Currently
> I've also created a root server and set the root hints on domain1.local's
> dns server to refer to it.  This works for local resolution, but this means
> that domain1.local can't perform Internet lookups.
>
> Thanks for any help,
> Jeremy


Re: architecture question

2013-05-08 Thread Sten Carlsen
Don't forget that Bonjour actually uses .local and will be very sour if
it is used for other purposes, I have tried.


On 08/05/13 16:56, Jeremy P wrote:
> I am building a lab environment where there are several separate
> domains, all of them ending in .local
>  
> I've setup a server for the .local TLD, but I'm undecided (or perhaps
> ignorant) as to the best way to have the individual domains
> (domain1.local, domain2.local, etc) refer to the local zone on my TLD
> server.  Currently I've also created a root server and set the root
> hints on domain1.local's dns server to refer to it.  This works for
> local resolution, but this means that domain1.local can't perform
> Internet lookups.
>  
> Thanks for any help,
> Jeremy

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Mailing list "reply-to" setting

2013-05-08 Thread Steven Carr
Any chance someone can correct the settings on this mailing list to
reply to the list by default instead of the user posting the message?

Thanks

Steve


Re: architecture question

2013-05-08 Thread btb

On May 8, 2013, at 10.56, Jeremy P  wrote:

> I am building a lab environment where there are several separate domains, all 
> of them ending in .local

on a side note, i would strongly discourage you from using .local in dns.  
.local is a "pseudo" tld, reserved for use with mdns.

-ben


Re: architecture question

2013-05-08 Thread Jeremy P
Understood.  This is an isolated lab full of openBSD boxes, so I'm not too
worried about it.  The lab will be torn down in a month or two.

I will switch to something more "out there" in the future.  I take it that
.lan is safe?


On Wed, May 8, 2013 at 11:03 AM,  wrote:

>
> On May 8, 2013, at 10.56, Jeremy P  wrote:
>
> > I am building a lab environment where there are several separate
> domains, all of them ending in .local
>
> on a side note, i would strongly discourage you from using .local in dns.
>  .local is a "pseudo" tld, reserved for use with mdns.
>
> -ben

Re: Mailing list "reply-to" setting

2013-05-08 Thread Carlos M. martinez
And, If I might add, adding a tag to the subject like [bind-users] would
be extremely nice.

regards

~Carlos

On 5/8/13 12:02 PM, Steven Carr wrote:
> Any chance someone can correct the settings on this mailing list to
> reply to the list by default instead of the user posting the message?
> 
> Thanks
> 
> Steve


Re: architecture question

2013-05-08 Thread WBrown
> From: b...@bitrate.net

> on a side note, i would strongly discourage you from using .local in
> dns.  .local is a "pseudo" tld, reserved for use with mdns.

This just came up with a site I support.  Thanks to this list and the 
DNS-OARC list, I know better. Hopefully, I can redirect them to use 
something below their real domain for Active Directory such as 
ad.example.org.



Confidentiality Notice: 
This electronic message and any attachments may contain confidential or 
privileged information, and is intended only for the individual or entity 
identified above as the addressee. If you are not the addressee (or the 
employee or agent responsible to deliver it to the addressee), or if this 
message has been addressed to you in error, you are hereby notified that 
you may not copy, forward, disclose or use any part of this message or any 
attachments. Please notify the sender immediately by return e-mail or 
telephone and delete this message from your system.


Re: architecture question

2013-05-08 Thread Steven Carr
On 8 May 2013 18:09,   wrote:
> This just came up with a site I support.  Thanks to this list and the
> DNS-OARC list, I know better. Hopefully, I can redirect them to use
> something below their real domain for Active Directory such as
> ad.example.org.

FWIW: MS now advises not to use .local for internal AD anymore. They
suggest you use your owned/registered namespace to prevent domain
collisions.

http://support.microsoft.com/kb/909264
Generally, we recommend that you register DNS names for internal and
external namespaces with an Internet registrar... Registering your DNS
name with an Internet registrar may help prevent a name collision.


Re: Mailing list "reply-to" setting

2013-05-08 Thread WBrown
> From: Steven Carr 

> Any chance someone can correct the settings on this mailing list to
> reply to the list by default instead of the user posting the message?

Why, Are the settings wrong?

I have used and later run lists for years, and supported Listserv(tm) 
servers for others for most of those years.  There is no right or wrong 
for the reply settings.  It's really a personal preference of the list 
owner as to how replies should be handled.  If the message should go back 
to the list, use reply all.  That's supported by all the major mail 
clients.

Subject tagging is another preference item - no right or wrong.  I have my 
mail client filter on the sender moving list traffic into the appropriate 
folder.  Works just as well as filtering on the tag.





Re: architecture question

2013-05-08 Thread Jeremy P
I understand letter of the law, spirit of the law and playing it safe to
avoid headaches.

However, there are times where registering a real domain just isn't
practical.  For example, I'm not going to ask all of the students in my
courses to go out and register a .com for the semester.  It would be a
waste of money as their systems never leave the local network, except
through a NAT connection.  So in those types of instances, I'm assuming
.lan or .test are safest?


On Wed, May 8, 2013 at 11:20 AM, Steven Carr  wrote:

> On 8 May 2013 18:09,   wrote:
> > This just came up with a site I support.  Thanks to this list and the
> > DNS-OARC list, I know better. Hopefully, I can redirect them to use
> > something below their real domain for Active Directory such as
> > ad.example.org.
>
> FWIW: MS now advises not to use .local for internal AD anymore. They
> suggest you use your owned/registered namespace to prevent domain
> collisions.
>
> http://support.microsoft.com/kb/909264
> Generally, we recommend that you register DNS names for internal and
> external namespaces with an Internet registrar... Registering your DNS
> name with an Internet registrar may help prevent a name collision.

Re: Mailing list "reply-to" setting

2013-05-08 Thread Carlos M. martinez
Agreed, but, subject tagging is very useful for those who prefer to have
things hit your inbox first, before archiving. And there seems to be a
lot more agreement on the tagging issue than on the reply to.

Out of dozens of MLs I'm subscribed to, this is the only one which does
not tag the subject, making it feel weird. The reply-to seems to be
50-50, again according to my personal subscriptions.

regards

~Carlos

On 5/8/13 12:27 PM, wbr...@e1b.org wrote:
>> From: Steven Carr 
> 
>> Any chance someone can correct the settings on this mailing list to
>> reply to the list by default instead of the user posting the message?
> 
> Why, Are the settings wrong?
> 
> I have used and later run lists for years, and supported Listserv(tm) 
> servers for others for most of those years.  There is no right or wrong 
> for the reply settings.  It's really a personal preference of the list 
> owner as to how replies should be handled.  If the message should go back 
> to the list, use reply all.  That's supported by all the major mail 
> clients.
> 
> Subject tagging is another preference item - no right or wrong.  I have my 
> mail client filter on the sender moving list traffic into the appropriate 
> folder.  Works just as well as filtering on the tag.


Re: architecture question

2013-05-08 Thread Steven Carr
You could ask your institution for a subdomain to be reserved from their domain?

.lan isn't AFAIK reserved for anything or in the process of being
considered by ICANN.
.test is reserved and will never be advertised on the internet (as are
.example, .invalid and .localhost)


On 8 May 2013 18:33, Jeremy P  wrote:
> I understand letter of the law, spirit of the law and playing it safe to
> avoid headaches.
>
> However, there are times where registering a real domain just isn't
> practical.  For example, I'm not going to ask all of the students in my
> courses to go out and register a .com for the semester.  It would be a waste
> of money as their systems never leave the local network, except through a
> NAT connection.  So in those types of instances, I'm assuming .lan or .test
> are safest?
>
>
> On Wed, May 8, 2013 at 11:20 AM, Steven Carr  wrote:
>>
>> On 8 May 2013 18:09,   wrote:
>> > This just came up with a site I support.  Thanks to this list and the
>> > DNS-OARC list, I know better. Hopefully, I can redirect them to use
>> > something below their real domain for Active Directory such as
>> > ad.example.org.
>>
>> FWIW: MS now advises not to use .local for internal AD anymore. They
>> suggest you use your owned/registered namespace to prevent domain
>> collisions.
>>
>> http://support.microsoft.com/kb/909264
>> Generally, we recommend that you register DNS names for internal and
>> external namespaces with an Internet registrar... Registering your DNS
>> name with an Internet registrar may help prevent a name collision.


Re: architecture question

2013-05-08 Thread Mike Hoskins (michoski)
-Original Message-

From: Jeremy P 
Date: Wednesday, May 8, 2013 1:33 PM
To: Steven Carr 
Cc: bind-users 
Subject: Re: architecture question

>I understand letter of the law, spirit of the law and playing it safe to
>avoid headaches.
>
>However, there are times where registering a real domain just isn't
>practical.  For example, I'm not going to ask all of the students in my
>courses to go out and register a .com for the semester.  It would be a
>waste of money as their systems never leave the
> local network, except through a NAT connection.  So in those types of
>instances, I'm assuming .lan or .test are safest?

I've seen .lan before, and .test should certainly suffice for student use.

http://tools.ietf.org/html/rfc2606



Re: architecture question

2013-05-08 Thread Sten Carlsen
You could also make a sub domain of your main domain and use that for
all students, unless of course the purpose is to teach how to set this up.

I have used .home myself, now I would take something that
nobody would ever think of using in the "real" world, in old days I did
consider .xxx, that is now a whole other thing than just something odd.
Generally you may want to consider the new options for people to make
actual TLDs to be their company name.

At the start of the course, you could make a draw among the students and
use the selected person's first name, that any coming thing like mdns
would use that is not very likely. It also draws attention to the
significance of those letters.



On 08/05/13 19:33, Jeremy P wrote:
> I understand letter of the law, spirit of the law and playing it safe
> to avoid headaches.
>
> However, there are times where registering a real domain just isn't
> practical.  For example, I'm not going to ask all of the students in
> my courses to go out and register a .com for the semester.  It would
> be a waste of money as their systems never leave the local network,
> except through a NAT connection.  So in those types of instances, I'm
> assuming .lan or .test are safest?
>
>
> On Wed, May 8, 2013 at 11:20 AM, Steven Carr wrote:
>
>> On 8 May 2013 18:09, wbr...@e1b.org wrote:
>> > This just came up with a site I support.  Thanks to this list and the
>> > DNS-OARC list, I know better. Hopefully, I can redirect them to use
>> > something below their real domain for Active Directory such as
>> > ad.example.org.
>>
>> FWIW: MS now advises not to use .local for internal AD anymore. They
>> suggest you use your owned/registered namespace to prevent domain
>> collisions.
>>
>> http://support.microsoft.com/kb/909264
>> Generally, we recommend that you register DNS names for internal and
>> external namespaces with an Internet registrar... Registering your DNS
>> name with an Internet registrar may help prevent a name collision.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: Mailing list "reply-to" setting

2013-05-08 Thread Chip Marshall
On 2013-05-08, Steven Carr  sent:
> Any chance someone can correct the settings on this mailing
> list to reply to the list by default instead of the user
> posting the message?

I'd argue the settings are already correct. Having the mailing
list software rewrite the Reply-to line causes information to be
lost, and can make it difficult to reply to the original poster
of a message.

Mail-Followup-To is more appropriate for replying to the
mailing list.

See: http://cr.yp.to/proto/replyto.html

-- 
Chip Marshall 
http://2bithacker.net/


Re: architecture question

2013-05-08 Thread btb

On 2013.05.08 13.20, Steven Carr wrote:
> On 8 May 2013 18:09,   wrote:
>> This just came up with a site I support.  Thanks to this list and the
>> DNS-OARC list, I know better. Hopefully, I can redirect them to use
>> something below their real domain for Active Directory such as
>> ad.example.org.
>
> FWIW: MS now advises not to use .local for internal AD anymore. They
> suggest you use your owned/registered namespace to prevent domain
> collisions.
>
> http://support.microsoft.com/kb/909264
> Generally, we recommend that you register DNS names for internal and
> external namespaces with an Internet registrar... Registering your DNS
> name with an Internet registrar may help prevent a name collision.


it's also mildly humorous that they used to quite religiously endorse .local, in some 
documents even categorizing use of the same domain name on an internal and external 
network as a "security risk".

-ben



Re: Stalling slave transfers

2013-05-08 Thread Tom Sommer


On 5/8/13 12:25 PM, Cathy Almond wrote:
> On 08/05/13 08:26, Tom Sommer wrote:
>> Hi,
>>
>> I have a problem with one of 3 slave servers, all set up the exact same
>> way, with the exact same bind version and configuration.
>>
>> One slave has a problem transfering zones from the master.
>>
>> The logfiles are flooded with "received notify for zone" .. "refresh in
>> progress, refresh check queued" lines and "rndc status" returns a
>> constant high number of "soa queries in progress".
>> After a few hours the zones are transfers, so the connection to the
>> master is working, but there is a major delay. I tried resetting the
>> slave and transfering ALL slave zones again, which worked fine
>> instantly. The problem still appeared again after a few hours though.
>>
>> The master has three network-paths, one on external IP, one on internal
>> IP and one on IPv6. All 3 paths work fine, because the transfers happen
>> after an hour or so.
>>
>> There is no hints in the master's log.
>> The other two slaves are running perfectly, no errors or delays what so
>> ever.
>>
>> Bind version 9.9.2-P2 (recently upgraded to).
>>
>> Any hints would be appreciated, as I feel like I've exhausted most options.
>>
>> Thank you.
>
> Have a look at this KB article (you'll need to register to view - but
> registration is open to all):
>
> https://kb.isc.org/article/AA-00726/30/Tuning-your-BIND-configuration-effectively-for-zone-transfers-particularly-with-many-frequently-updated-zones.html
>
> Also - and this isn't covered in that article (yet) - if you're using
> views, then use-alt-transfer-source defaults to 'yes'.  You might want
> to set it explicitly to 'no' or to define alt-transfer-source
> and/or alt-transfer-source-v6.

Thank you, great resource. I think I solved it with raising 
serial-query-limit, it's just odd that it's not required on the other 
two servers.


Another issue has arisen now though, the logfile is filled with lots of
named[5596]: zone example.com/IN: refresh: failure trying master 
1.2.3.4#53 (source 0.0.0.0#0): operation canceled


But if I do a "dig example.com @1.2.3.4" it's working just fine. Same 
server as with the previous issue.


Any thoughts? Thank you.

// Tom


Re: Stalling slave transfers

2013-05-08 Thread Tom Sommer


On 5/8/13 8:15 PM, Tom Sommer wrote:
> Another issue has arisen now though, the logfile is filled with lots of
> named[5596]: zone example.com/IN: refresh: failure trying master
> 1.2.3.4#53 (source 0.0.0.0#0): operation canceled



and

named[5596]: zone example.com/IN: refresh: retry limit for master 
1.2.3.4#53 exceeded (source 0.0.0.0#0)


// Tom
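
An added example, not part of the post above and not BIND's own tooling: a small Python triage script over the two `refresh:` messages quoted in this message, grouping failures by master and source address to show whether the failures are per-zone or server-wide. The syslog prefix, the extra zones and the heuristics in `triage` are assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the two message shapes quoted in the thread, with an
# assumed syslog prefix, extra zones and one unrelated line added for the demo.
SAMPLE_LOG = """\
May  8 20:15:01 ns3 named[5596]: zone example.com/IN: refresh: failure trying master 1.2.3.4#53 (source 0.0.0.0#0): operation canceled
May  8 20:15:01 ns3 named[5596]: zone example.net/IN: refresh: failure trying master 1.2.3.4#53 (source 0.0.0.0#0): operation canceled
May  8 20:15:02 ns3 named[5596]: zone example.org/IN: refresh: failure trying master 1.2.3.4#53 (source 0.0.0.0#0): operation canceled
May  8 20:15:03 ns3 named[5596]: zone example.com/IN: refresh: failure trying master 1.2.3.4#53 (source 0.0.0.0#0): operation canceled
May  8 20:15:03 ns3 named[5596]: zone example.com/IN: refresh: retry limit for master 1.2.3.4#53 exceeded (source 0.0.0.0#0)
May  8 20:15:04 ns3 named[5596]: zone example.edu/IN: refresh: failure trying master 192.0.2.53#53 (source 192.0.2.10#0): timed out
May  8 20:15:05 ns3 named[5596]: zone example.com/IN: Transfer started.
"""

# "zone <name>/<class>: refresh: failure trying master <ip>#<port> (source <ip>#<port>): <reason>"
FAILURE_RE = re.compile(
    r"zone (?P<zone>\S+)/(?P<cls>\w+): refresh: failure trying master "
    r"(?P<master>\S+)#(?P<port>\d+) \(source (?P<source>\S+)#\d+\): (?P<reason>.+)$"
)
# "zone <name>/<class>: refresh: retry limit for master <ip>#<port> exceeded (source <ip>#<port>)"
RETRY_RE = re.compile(
    r"zone (?P<zone>\S+)/(?P<cls>\w+): refresh: retry limit for master "
    r"(?P<master>\S+)#(?P<port>\d+) exceeded \(source (?P<source>\S+)#\d+\)"
)


def summarize_refresh_failures(lines):
    """Group refresh failures by (master address, source address)."""
    summary = defaultdict(
        lambda: {"zones": set(), "reasons": Counter(), "retry_exhausted": set()}
    )
    for line in lines:
        m = FAILURE_RE.search(line)
        if m:
            entry = summary[(m["master"], m["source"])]
            entry["zones"].add(m["zone"])
            entry["reasons"][m["reason"].strip()] += 1
            continue
        m = RETRY_RE.search(line)
        if m:
            entry = summary[(m["master"], m["source"])]
            entry["zones"].add(m["zone"])
            entry["retry_exhausted"].add(m["zone"])
    return dict(summary)


def triage(summary, many_zones=3):
    """Turn the grouped counts into notes (heuristics assumed for this example)."""
    notes = []
    for (master, source), entry in sorted(summary.items()):
        if source in ("0.0.0.0", "::"):
            # A wildcard source means the OS chose the outgoing address,
            # i.e. no specific source address was pinned for these queries.
            notes.append(f"{master}: queries sent from wildcard source {source}")
        if len(entry["zones"]) >= many_zones and len(entry["reasons"]) == 1:
            reason = next(iter(entry["reasons"]))
            notes.append(
                f"{master}: {len(entry['zones'])} zones fail with the same reason "
                f"({reason!r}); check server-wide limits or the path, not single zones"
            )
        if entry["retry_exhausted"]:
            zones = ", ".join(sorted(entry["retry_exhausted"]))
            notes.append(f"{master}: retry limit exceeded for {zones}")
    return notes


if __name__ == "__main__":
    result = summarize_refresh_failures(SAMPLE_LOG.splitlines())
    for note in triage(result):
        print(note)
```
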


Re: architecture question

2013-05-08 Thread Novosielski, Ryan

I personally use localdomain. I'm not sure how safe it is, but I use
it at home so it probably doesn't matter.

On 05/08/2013 01:47 PM, Steven Carr wrote:
> You could ask your institution for a subdomain to be reserved from
> their domain?
> 
> .lan isn't AFAIK reserved for anything or in the process of being 
> considered by ICANN. .test is reserved and will never be advertised
> on the internet (as are .example, .invalid and .localhost)
> 
> 
> On 8 May 2013 18:33, Jeremy P  wrote:
>> I understand letter of the law, spirit of the law and playing it
>> safe to avoid headaches.
>> 
>> However, there are times where registering a real domain just
>> isn't practical.  For example, I'm not going to ask all of the
>> students in my courses to go out and register a .com for the
>> semester.  It would be a waste of money as their systems never
>> leave the local network, except through a NAT connection.  So in
>> those types of instances, I'm assuming .lan or .test are safest?
>> 
>> 
>> On Wed, May 8, 2013 at 11:20 AM, Steven Carr 
>> wrote:
>>> 
>>> On 8 May 2013 18:09,   wrote:
>>>> This just came up with a site I support.  Thanks to this list
>>>> and the DNS-OARC list, I know better. Hopefully, I can
>>>> redirect them to use something below their real domain for
>>>> Active Directory such as ad.example.org.
>>> 
>>> FWIW: MS now advises not to use .local for internal AD anymore.
>>> They suggest you use your owned/registered namespace to prevent
>>> domain collisions.
>>> 
>>> http://support.microsoft.com/kb/909264 Generally, we recommend
>>> that you register DNS names for internal and external
>>> namespaces with an Internet registrar... Registering your DNS 
>>> name with an Internet registrar may help prevent a name
>>> collision.


- -- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark


Re: architecture question

2013-05-08 Thread btb

On 2013.05.08 13.33, Jeremy P wrote:
> I understand letter of the law, spirit of the law and playing it safe to
> avoid headaches.
>
> However, there are times where registering a real domain just isn't
> practical.  For example, I'm not going to ask all of the students in my
> courses to go out and register a .com for the semester.  It would be a
> waste of money as their systems never leave the local network, except
> through a NAT connection.  So in those types of instances, I'm assuming
> .lan or .test are safest?


well, the thing is, in reality, there is almost *never* not an actual domain name [or subdomain] 
which is applicable.  surely the organization has a domain name, within which there is plenty of 
latitude for various subdomains, to accommodate a given need.  that's kind of the whole entire 
point of how dns was designed to begin with.  even if formally sanctioned subdomains "aren't 
available" [e.g. non-technical issues], there's nothing at all stopping you from unilaterally 
inventing your own pretend subdomain to use for such things [effectively just the same as you'd do 
by inventing your own pretend tld - but without the potential for "upstream" collision].  
doing that involves little more than a modicum of effort towards avoiding collisions with other 
existing [or potentially existing] subdomains, but that's of course relatively trivial.  not only 
that, in an environment in which the goal is presumably instruction and learning, what better 
approach to take than actual participation in namespace?


all of that being said, i think you'll find the unspoken [and quite informal] 
consensus is that either the .site or .internal tld are tolerable for such use 
- but to reiterate my soliloquy above - why bother, when you probably don't 
need to?

-ben


Re: Mailing list "reply-to" setting

2013-05-08 Thread Novosielski, Ryan

On 05/08/2013 01:28 PM, wbr...@e1b.org wrote:
>> From: Steven Carr 
> 
>> Any chance someone can correct the settings on this mailing list
>> to reply to the list by default instead of the user posting the
>> message?
> 
> Why, Are the settings wrong?
> 
> I have used and later run lists for years, and supported
> Listserv(tm) servers for others for most of those years.  There is
> no right or wrong for the reply settings.  It's really a personal
> preference of the list owner as to how replies should be handled.
> If the message should go back to the list, use reply all.  That's
> supported by all the major mail clients.
> 
> Subject tagging is another preference item - no right or wrong.  I
> have my mail client filter on the sender moving list traffic into
> the appropriate folder.  Works just as well as filtering on the
> tag.

My personal preference is to have subject tagging, and I know of no
other list where it's not on.

Reply-To: my understanding is that the way this list is set up is the
correct way to have the list set up. There are reply-to-list options
in most decent mail clients that can handle this.

- -- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/EI-Academic Svcs. - ADMC 450, Newark


Re: architecture question

2013-05-08 Thread Tony Finch
Jeremy P  wrote:
>
> I will switch to something more "out there" in the future.  I take it that
> .lan is safe?

Don't use .lan either - it is very popular with malware and is likely to
get you blacklisted. Use a real domain.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.


BIND Configuration

2013-05-08 Thread Ward, Mike S
Hello all, I was wondering if someone could help me out.

I am using Bind 9.2 on a Redhat Linux server. We have two ISPs on separate 
networks. Let's call them A and B. My Linux server can listen on A's network as 
well as B's network.
I'm using fictitious IPs and names

A 111.111.111.1  B 555.555.555.1
Secondary A 111.111.222.1

  Redhat & Bind

Bind is listening on both IP addresses and we have a secondary server at 
111.111.222.1


If A the ISP has a backbone router problem how can I get people trying to get 
to our web servers to use B's network? I have been thinking of different ways to 
do this, but have come up empty.

Our network is really simple. I just want to be able to use diverse ISPs in case 
we lose one we still have the other. Can anyone help me out? Any help 
appreciated.

Thanks.

==
This email, and any files transmitted with it, is confidential and intended 
solely for the use of the individual or entity to which it is addressed. If you 
have received this email in error, please notify the system manager. This 
message contains confidential information and is intended only for the 
individual named. If you are not the named addressee, you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately by e-mail if you have received this message by mistake and delete 
this e-mail from your system. If you are not the intended recipient, you are 
notified that disclosing, copying, distributing or taking any action in 
reliance on the contents of this information is strictly prohibited.


Re: architecture question

2013-05-08 Thread Lawrence K. Chen, P.Eng.
Years ago we decided to create a private TLD of .campus 

What we did was make all our caching nameservers also be authoritative for this 
private TLD. And, this works... except for delegated subdomains, which are 
handled through using forwarding zones. 

later when the needed to be able to get real certificates for the systems, we 
went to split DNS -- for a number of subdomains, with .campus becoming 
campus.ksu.edu -- which has caused all sorts of problems... 

When we went split, all the names in .campus were copied over (minus their 
subdomain). And, it was decided that no more new hosts in .campus (except for 
the subdomains delegated to ADS - ads.campus & users.campus - and the subdomain 
for network devices - net.campus) 

Used to be iso systems were in the as.ksu.edu subdomain, so later then got 
hosts in the as.campus subdomain... but shortly after the creating of .campus, 
we went to functional hostnaming servers used to have theme names, like 
hawkeye, radar, klinger... or eagle, hawk, falcon this switched to iso-xxx 
type names. 

So iso-xxx.as.campus became iso-xxx.campus.ksu.edu 

We tried to make .campus go away, (which would've helped the search problem, 
since as.campus, cc.campus, foo.campus would compress into just 
campus.ksu.edu), but there are systems that would require the application to be 
reinstalled from scratch to make the change. 

Just like there's no more cns department, but our netbackup server was 
installed with a cns subdomain name. And, just about every resolv.conf has 6 
entries in its search. Something about Oracle stuff needs search to have all 
the subdomains in it. So, along will come a request to add another entry to 
search (the big reason is the upgrades from Oracle 10 to 11 and needing those 
CRS ips... which can't be in the same .campus domain as the rest of the 
system so need to add new subdomain to the list. 

Somebody will see cns.ksu.edu and say that hasn't been around for 
years... remove that. And, then suddenly Oracle RMAN backups start failing 

- Original Message -

> I am building a lab environment where there are several separate
> domains, all of them ending in .local

> I've setup a server for the .local TLD, but I'm undecided (or perhaps
> ignorant) as to the best way to have the individual domains
> (domain1.local, domain2.local, etc) refer to the local zone on my
> TLD server. Currently I've also created a root server and set the
> root hints on domain1.local's dns server to refer to it. This works
> for local resolution, but this means that domain1.local can't
> perform Internet lookups.

> Thanks for any help,
> Jeremy
-- 

Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator 
For: Enterprise Server Technologies (EST) -- & SafeZone Ally 
Snail: Computing and Telecommunications Services (CTS) 
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102 
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu 
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library 

Re: Mailing list "reply-to" setting

2013-05-08 Thread Matus UHLAR - fantomas

> On 2013-05-08, Steven Carr  sent:
>> Any chance someone can correct the settings on this mailing
>> list to reply to the list by default instead of the user
>> posting the message?

On 08.05.13 13:59, Chip Marshall wrote:
> I'd argue the settings are already correct. Having the mailing
> list software rewrite the Reply-to line causes information to be
> lost, and can make it difficult to reply to the original poster
> of a message.
>
> Mail-Followup-To is more appropriate for replying to the
> mailing list.
>
> See: http://cr.yp.to/proto/replyto.html


I second this.
Changing subject is also something I don't like to see. The filtering or
differentiating messages can be done in a better way than modifying subject.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory. 


Re: BIND Configuration

2013-05-08 Thread Steven Carr
You will need to have some form of automation in place to update the
DNS zone to change the IP address which should now be accessed when
one of the links goes down. You will also need to ensure you have a
low TTL value on the records you want to update on link change so that
the records are refreshed quickly.



On 8 May 2013 20:40, Ward, Mike S  wrote:
> Hello all, I was wondering if someone could me out.
>
> I am using Bind 9.2 on a Redhat Linux server. We have two ISPS on separate 
> networks Lets call them A and B. My Linux Server can listen on A's Network as 
> well as B's network.
> I'm using fictitious IPs and names
>
> A 111.111.111.1  B 555.555.555.1  
>   Secondary A 111.111.222.1
>
>   Redhat & Bind
>
> Bind is listening on both IP addresses and we have a secondary server at 
> 111.111.222.1
>
>
> If A the ISP has a backbone router problem how can I get people trying to get 
> to our web servers to use B's network? I have been think of different ways to 
> do this, but have come up empty.
>
> Our network is really simple I just want to be able to use diverse ISPS in 
> case we lose one we still have the other. Can anyone help me out. Any help 
> appreciated.
>
> Thanks.
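
An added example, not from the thread: one way to build the update that the automation described in this reply would send, as an `nsupdate` batch that republishes the web server's A records with a low TTL for only the links that are up. The names, the documentation-range addresses, the 300-second ceiling and the health flags are assumptions; it also assumes the zone accepts TSIG-signed dynamic updates.

```python
import ipaddress

MAX_TTL = 300  # assumption: "low TTL" is taken to mean at most five minutes


def plan_update(name, zone, ttl, links, published):
    """Return nsupdate batch text for the new A record set, or None.

    links:     list of {"isp": str, "address": str, "healthy": bool}; how the
               health flag is probed is site-specific and outside this example.
    published: iterable of A record addresses currently in the zone for `name`.
    """
    if not 0 < ttl <= MAX_TTL:
        raise ValueError(f"TTL {ttl} is not low enough for fast failover")
    if not (name == zone or name.endswith("." + zone)):
        raise ValueError(f"{name} is not inside zone {zone}")

    # IPv4Address() rejects malformed input before it reaches the batch file.
    wanted = sorted(
        str(ipaddress.IPv4Address(link["address"]))
        for link in links
        if link["healthy"]
    )

    if not wanted:
        # Every probe failed: more likely the monitor is cut off than both
        # ISPs are down, and publishing an empty set helps nobody.
        return None
    if set(wanted) == set(published):
        return None  # nothing to change, avoid needless serial bumps

    lines = [f"zone {zone}", f"update delete {name} A"]
    lines += [f"update add {name} {ttl} A {addr}" for addr in wanted]
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed state: ISP A's path is down, ISP B's path is up.
    links = [
        {"isp": "A", "address": "192.0.2.10", "healthy": False},
        {"isp": "B", "address": "198.51.100.10", "healthy": True},
    ]
    batch = plan_update(
        "www.example.com.", "example.com.", 60, links,
        published={"192.0.2.10", "198.51.100.10"},
    )
    print(batch or "no change")
```

The returned text is meant to be passed to `nsupdate -k <keyfile>`, where the key file is a placeholder for a TSIG key that the zone's update policy limits to this one name.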


Re: BIND Configuration

2013-05-08 Thread Sten Carlsen
I believe your major point is the routing tables because they determine
how the response is trying to get out.


On 08/05/13 22:22, Steven Carr wrote:
> You will need to have some form of automation in place to update the
> DNS zone to change the IP address which should now be accessed when
> one of the links goes down. You will also need to ensure you have a
> low TTL value on the records you want to update on link change so that
> the records are refreshed quickly.
>
>
>
> On 8 May 2013 20:40, Ward, Mike S  wrote:
>> Hello all, I was wondering if someone could me out.
>>
>> I am using Bind 9.2 on a Redhat Linux server. We have two ISPS on separate 
>> networks Lets call them A and B. My Linux Server can listen on A's Network 
>> as well as B's network.
>> I'm using fictitious IPs and names
>>
>> A 111.111.111.1  B 555.555.555.1 
>>Secondary A 111.111.222.1
>>
>>   Redhat & Bind
>>
>> Bind is listening on both IP addresses and we have a secondary server at 
>> 111.111.222.1
>>
>>
>> If A the ISP has a backbone router problem how can I get people trying to 
>> get to our web servers to use B's network? I have been think of different 
>> ways to do this, but have come up empty.
>>
>> Our network is really simple I just want to be able to use diverse ISPS in 
>> case we lose one we still have the other. Can anyone help me out. Any help 
>> appreciated.
>>
>> Thanks.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"


Re: architecture question

2013-05-08 Thread Jonathan Reed
>
> It would be a waste of money as their systems never leave the local
> network, except through a NAT connection.


Godaddy is selling .coms for $0.99 right now (US/Canada). In the spirit of
an educational setting, it might be a viable exercise for students to
understand how easy and affordable it is to establish a legitimate digital
entity.


On Wed, May 8, 2013 at 1:33 PM, Jeremy P  wrote:

> I understand letter of the law, spirit of the law and playing it safe to
> avoid headaches.
>
> However, there are times where registering a real domain just isn't
> practical.  For example, I'm not going to ask all of the students in my
> courses to go out and register a .com for the semester.  It would be a
> waste of money as their systems never leave the local network, except
> through a NAT connection.  So in those types of instances, I'm assuming
> .lan or .test are safest?
>
>
> On Wed, May 8, 2013 at 11:20 AM, Steven Carr  wrote:
>
>> On 8 May 2013 18:09,   wrote:
>> > This just came up with a site I support.  Thanks to this list and the
>> > DNS-OARC list, I know better. Hopefully, I can redirect them to use
>> > something below their real domain for Active Directory such as
>> > ad.example.org.
>>
>> FWIW: MS now advises not to use .local for internal AD anymore. They
>> suggest you use your owned/registered namespace to prevent domain
>> collisions.
>>
>> http://support.microsoft.com/kb/909264
>> Generally, we recommend that you register DNS names for internal and
>> external namespaces with an Internet registrar... Registering your DNS
>> name with an Internet registrar may help prevent a name collision.

Re: BIND Configuration

2013-05-08 Thread Lawrence K. Chen, P.Eng.
That's kind of how we do our DR...

I have things scripted so that every update to our zone results in two versions 
of the zone file... the master server signs the first one and does its usual 
notifies, then the master signs the second and it's scp'd to secondaries in 
another network.

In the event we lose our connectivity... we can direct the remote slave to take 
over with the alternate signed zone file.  So that our main web presence 
will resolve to servers at our DR site... which we don't yet have :)

- Original Message -
> You will need to have some form of automation in place to update the
> DNS zone to change the IP address which should now be accessed when
> one of the links goes down. You will also need to ensure you have a
> low TTL value on the records you want to update on link change so
> that
> the records are refreshed quickly.
> 
> 
> 
> On 8 May 2013 20:40, Ward, Mike S  wrote:
> > Hello all, I was wondering if someone could me out.
> >
> > I am using Bind 9.2 on a Redhat Linux server. We have two ISPS on
> > separate networks Lets call them A and B. My Linux Server can
> > listen on A's Network as well as B's network.
> > I'm using fictitious IPs and names
> >
> > A 111.111.111.1  B 555.555.555.1
> >Secondary A 111.111.222.1
> >
> >   Redhat & Bind
> >
> > Bind is listening on both IP addresses and we have a secondary
> > server at 111.111.222.1
> >
> >
> > If A the ISP has a backbone router problem how can I get people
> > trying to get to our web servers to use B's network? I have been
> > think of different ways to do this, but have come up empty.
> >
> > Our network is really simple I just want to be able to use diverse
> > ISPS in case we lose one we still have the other. Can anyone help
> > me out. Any help appreciated.
> >
> > Thanks.
> >


Re: architecture question

2013-05-08 Thread Mike Hoskins (michoski)
-Original Message-

From: Jonathan Reed 
Date: Wednesday, May 8, 2013 4:38 PM
To: Jeremy P 
Cc: bind-users 
Subject: Re: architecture question

>It would be a waste of money as their systems never leave the local
>network, except through a NAT connection.
>
>Godaddy is selling .coms for $0.99 right now (US/Canada). In the spirit
>of an educational setting, it might be a viable exercise for students to
>understand how easy and affordable
> it is to establish a legitimate digital entity.

The spirit of education is often saving money based on a former life as a
lab tech.  While cheap, the proposal to "just go register a real one!"
seems good for $registrar, but potentially bad for the Internet (will we
end up with a bunch of garbage domains that are never used again, and
might actually want to be used by someone else, but will then be squatted
when they expire? yada yada), and better suited for business vs school
networks.

Also, I had a digital entity long before entering a college setting.  I
suspect kids these days are even more likely to have similar.  If real is
the answer, maybe most students wouldn't have to do anything at all.

I really think a lab experiment would be fine using local TLDs, but I
guess it's impossible to really know how valid some of the concerns are
unless we sit through the class or see the course material.  :-)



Re: Mailing list "reply-to" setting

2013-05-08 Thread John Levine
>> Any chance someone can correct the settings on this mailing list to
>> reply to the list by default instead of the user posting the message?

This is a religious argument.  Please, leave it alone.

>And, If I might add, adding a tag to the subject like [bind-users] would
>be extremely nice.

It's twelve years after RFC 2919 and people are still using mail
software that can't filter on List-ID?  Aw, come on.

In gmail, it takes about 15 seconds to add a rule to apply a label to
mail with a particular list-ID.





Re: architecture question

2013-05-08 Thread Dave Warren

On 2013-05-08 13:50, Mike Hoskins (michoski) wrote:
> The spirit of education is often saving money based on a former life as a
> lab tech.  While cheap, the proposal to "just go register a real one!"
> seems good for $registrar, but potentially bad for the Internet (will we
> end up with a bunch of garbage domains that are never used again, and
> might actually want to be used by someone else, but will then be squatted
> when they expire? yada yada), and better suited for business vs school
> networks.
>
> Also, I had a digital entity long before entering a college setting.  I
> suspect kids these days are even more likely to have similar.  If real is
> the answer, maybe most students wouldn't have to do anything at all.
>
> I really think a lab experiment would be fine using local TLDs, but I
> guess it's impossible to really know how valid some of the concerns are
> unless we sit through the class or see the course material.  :-)




A reasonable compromise might be a single domain purchased for use in 
course, with students using subdomains. This would cover a 
best-of-all-worlds, including internal and external considerations.


It would also let the students' environments talk to each other, if this 
is desirable (and if the teacher adds appropriate DNS records, and the 
students configure properly).


This is the approach my girlfriend used with a WordPress course she 
taught since one of the goals was to allow students to experiment and 
play from home and it worked well, but it would work just as well with NS 
delegations.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren



Re: Mailing list "reply-to" setting

2013-05-08 Thread Noel Butler
On Wed, 2013-05-08 at 13:59 -0400, Chip Marshall wrote:

> On 2013-05-08, Steven Carr  sent:
> > Any chance someone can correct the settings on this mailing
> > list to reply to the list by default instead of the user
> > posting the message?
> 
> I'd argue the settings are already correct. Having the mailing
> list software rewrite the Reply-to line causes information to be
> lost, and can make it difficult to reply to the original poster
> of a message.
> 



I argue different. If I post on a list, I want anyone replying to my
list post to also be on list, and same expectation for others posting
on list, i.e., if you post on list like now, your replies should go on
list, unless you (or I) specifically ask for off-list replies.

If I want direct, I'll be bad and scrape the list and mail you all
direct :)

POC: This email address is for lists only, it is not my personal
address, anything not put in its appropriate mailing list folder is
placed in "z_lists direct", not my inbox. Now, I am a member of some 37
mailing lists, of which 26 are active non-new/announce types, so the
z_lists direct folder, named deliberately to sit at the bottom, may not be
noticed, and frankly I don't always bother checking it for days, given
99% of the posts in it end up being spam that gets past our anti-spam
rules - years of lists web archiving sees to that.



Re: architecture question

2013-05-08 Thread Lawrence K. Chen, P.Eng.
Though there are plenty of students who are capable of getting their own 
domains, and some temporary web presence... which pop up for SGA 
elections... and probably are only needed for a couple of weeks.

Plus after the class, what would stop them from using the domain for something 
else

OTOH, back in the day we went out and acquired IP space for 
something... now that IP space is getting tight, I've wanted to find out how 
to return the class C block I had acquired.  But, most of the contact 
information on the IP block is invalid (all except for one technical 
contact... me), and the named organizational entity no longer exists.  So, I 
haven't been able to prove to ARIN that I am the same person that had acquired 
the IP space so I can't do anything like return the IP space.

IIRC, it was basically for the same reason the network IP space at LISA is a 
real IP.

Wonder how hard it would be to do that with my home network (years ago at a 
previous employer... people could never get VPN to work if they had a home 
router... later they figured it out and said if you have a home router you need 
to use 192.168.255.0/24 as your home network... I didn't bother with that, 
since I lived across the street... not sure what ranges are safe to use if I 
were to VPN to current job, since days of ssh tunnel into work are numbered.)

- Original Message -
> On 2013-05-08 13:50, Mike Hoskins (michoski) wrote:
> > The spirit of education is often saving money based on a former life as a
> > lab tech.  While cheap, the proposal to "just go register a real one!"
> > seems good for $registrar, but potentially bad for the Internet (will we
> > end up with a bunch of garbage domains that are never used again, and
> > might actually want to be used by someone else, but will then be squatted
> > when they expire? yada yada), and better suited for business vs school
> > networks.
> >
> > Also, I had a digital entity long before entering a college setting.  I
> > suspect kids these days are even more likely to have similar.  If real is
> > the answer, maybe most students wouldn't have to do anything at all.
> >
> > I really think a lab experiment would be fine using local TLDs, but I
> > guess it's impossible to really know how valid some of the concerns are
> > unless we sit through the class or see the course material.  :-)
> >
>
> A reasonable compromise might be a single domain purchased for use in
> course, with students using subdomains. This would cover a
> best-of-all-worlds, including internal and external considerations.
>
> It would also let the students' environments talk to each other, if this
> is desirable (and if the teacher adds appropriate DNS records, and the
> students configure properly)
>
> This is the approach my girlfriend used with a WordPress course she
> taught since one of the goals was to allow students to experiment and
> play from home and it worked well, but it would work just as well with NS
> delegations.
>

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library


Re: Mailing list "reply-to" setting

2013-05-08 Thread Noel Butler
On Wed, 2013-05-08 at 13:59 -0400, Chip Marshall wrote:

> On 2013-05-08, Steven Carr  sent:
> > Any chance someone can correct the settings on this mailing
> > list to reply to the list by default instead of the user
> > posting the message?
> 
> I'd argue the settings are already correct. Having the mailing
> list software rewrite the Reply-to line causes information to be
> lost, and can make it difficult to reply to the original poster
> of a message.
> 
> Mail-Followup-To is more appropriate for replying to the
> mailing list.
> 
> See: http://cr.yp.to/proto/replyto.html
> 


And just because DJB says it, doesn't make it so, it is just his
opinion, and one only needs look at his track history to know that.




Re: Mailing list "reply-to" setting

2013-05-08 Thread Michael McNally

On 5/8/13 9:43 AM, Carlos M. martinez wrote:

> Agreed, but, subject tagging is very useful for those who prefer to have
> things hit your inbox first, before archiving. And there seems to be a
> lot more agreement on the tagging issue than on the reply to.


Unless your mail setup is extremely restricted in what it can filter
on, you have several choices of header which can be used by an
automated filter to detect and classify appropriately according to list.

Personally I have procmail file bind-users traffic based on the
"List-Id:" header, but I realize you may be in a different environment
with different tools available.)

   List-Id: BIND Users Mailing List 

Michael McNally
ISC Support


Re: Mailing list "reply-to" setting

2013-05-08 Thread staticsafe
On 5/8/2013 23:53, Michael McNally wrote:
> On 5/8/13 9:43 AM, Carlos M. martinez wrote:
>> Agreed, but, subject tagging is very useful for those who prefer to have
>> things hit your inbox first, before archiving. And there seems to be a
>> lot more agreement on the tagging issue than on the reply to.
> 
> Unless your mail setup is extremely restricted in what it can filter
> on, you have several choices of header which can be used by an
> automated filter to detect and classify appropriately according to list.
> 
> Personally I have procmail file bind-users traffic based on the
> "List-Id:" header, but I realize you may be in a different environment
> with different tools available.)
> 
>List-Id: BIND Users Mailing List 
> 
> Michael McNally
> ISC Support

I use Sieve, this is my filter syntax for bind-users:

if header :contains "list-id" "" {
  fileinto "INBOX/ML/bind-users";
  stop;
}

Works with any other list that uses the list-id header.

-- 
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post - http://goo.gl/YrmAb
Don't CC me! I'm subscribed to whatever list I just posted on.
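
The List-Id filtering described by Michael McNally and staticsafe above, as an added example that is not part of either post: it files a message by the identifier inside the angle brackets of the List-Id header rather than by a substring of the whole header. The list identifier, the routing table and the function names are hypothetical, and the sample messages are constructed.

```python
import re
from email import message_from_string, policy

# RFC 2919 form: List-Id: [phrase] <list-identifier>
_BRACKETED = re.compile(r"<\s*([A-Za-z0-9._-]+)\s*>\s*$")

# Hypothetical routing table: list identifier -> mail folder.
FOLDERS = {"example-list.lists.example.org": "INBOX/ML/example-list"}


def list_identifier(raw):
    """Return the identifier inside the angle brackets, or None."""
    msg = message_from_string(raw, policy=policy.default)
    value = msg.get("List-Id")  # header names are matched case-insensitively
    if value is None:
        return None
    found = _BRACKETED.search(str(value))  # also works across a folded header
    # Identifiers are compared case-insensitively here.
    return found.group(1).lower() if found else None


def folder_for(raw, default="INBOX"):
    """Exact match on the identifier; anything else stays in the default."""
    return FOLDERS.get(list_identifier(raw), default)


# Constructed sample messages.
MSG_FOLDED = (
    "From: poster@example.org\n"
    "list-id: Constructed Example List\n"
    " <Example-List.lists.example.org>\n"
    "Subject: test\n\nbody\n"
)
# The phrase mentions the list name, but the identifier is a different list:
# a substring match on the whole header would misfile this one.
MSG_LOOKALIKE = (
    "From: other@example.net\n"
    'List-Id: "example-list.lists.example.org digest" <other.lists.example.net>\n'
    "Subject: test\n\nbody\n"
)
MSG_DIRECT = "From: someone@example.com\nSubject: off-list reply\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("folded", MSG_FOLDED), ("lookalike", MSG_LOOKALIKE),
                      ("direct", MSG_DIRECT)]:
        print(name, list_identifier(raw), folder_for(raw))
```
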


Re: architecture question

2013-05-08 Thread Michael McNally

On 5/8/13 9:33 AM, Jeremy P wrote:

> However, there are times where registering a real domain just isn't
> practical.  For example, I'm not going to ask all of the students in my
> courses to go out and register a .com for the semester.  It would be a
> waste of money as their systems never leave the local network, except
> through a NAT connection.  So in those types of instances, I'm assuming
> .lan or .test are safest?


The flip side of this is that whatever you teach them they are going
to take out into the wider world with them.  If you teach them to use
.local or .lan, some of them (at least) are going to continue using
.local or .lan long after your class is over, at least until they run
into enough problems to frustrate them into something more compatible
with current practice.



Re: architecture question

2013-05-08 Thread Dave Warren

On 2013-05-08 20:58, Michael McNally wrote:

> The flip side of this is that whatever you teach them they are going
> to take out into the wider world with them.  If you teach them to use
> .local or .lan, some of them (at least) are going to continue using
> .local or .lan long after your class is over, at least until they run
> into enough problems to frustrate them into something more compatible
> with current practice.


I made the same mistake many moons ago and I'm still stuck with it. I 
wish I'd known better.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
