RE: bind-users Digest, Vol 1909, Issue 1
>> ;losscontrol360.com. IN A
>>
>> ;; ANSWER SECTION:
>> losscontrol360.com. 586 IN A 74.208.98.80
>>
>> ;; Query time: 174 msec
>> ;; SERVER: 8.8.8.8#53(8.8.8.8)
>> ;; WHEN: Wed Aug 6 16:01:07 2014
>> ;; MSG SIZE rcvd: 52
>
> Apart from stupid SOA values, losscontrol360.com seems OK, and from your
> two examples here even proves that, if your customers don't see what
> your cache server does, they can't be using the same cache server as you
> showed here. what error does bind log when your customer looks it up?

Actually the response my cache server receives has been pulled from the resolver.log with trace level 10 turned on. If I do a dig from my cache server the cache server will also fail to receive a response. If I do a dig +trace I get a response as +trace bypasses cache.

> Message: 4
> Date: Thu, 07 Aug 2014 00:40:16 +0200
> From: Reindl Harald
> To: bind-users@lists.isc.org
> Subject: Re: ISP caching server setup
> Message-ID: <53e2aed0@thelounge.net>
> Content-Type: text/plain; charset="windows-1252"
>
> On 07.08.2014 at 00:33, Noel Butler wrote:
>> Apart from stupid SOA values, losscontrol360.com seems OK
>
> OK? the failing NS query is caused by the errors below
> this domain only works by luck from time to time
>
> [harry@srv-rhsoft:~]$ dig NS losscontrol360.com
> ; <<>> DiG 9.9.4-P2-RedHat-9.9.4-15.P2.fc20 <<>> NS losscontrol360.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49902
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> http://www.intodns.com/losscontrol360.com
>
> Error: Nameservers are lame
> ERROR: looks like you have lame nameservers. The following nameservers are lame:
> 54.241.6.128
> 54.243.153.234
> 107.6.6.8
>
> Error: Missing nameservers reported by parent
> FAIL: The following nameservers are listed at your nameservers as
> nameservers for your domain, but are not listed at the parent nameservers
> (see RFC2181 5.4.1). You need to make sure that these nameservers are
> working. If they are not working ok, you may have problems!
> b1.uberns.com
> a1.uberns.com
>
> Error: Missing nameservers reported by your nameservers
> ERROR: One or more of the nameservers listed at the parent servers are not
> listed as NS records at your nameservers. The problem NS records are:
> ns22.netriplex.com
> ns21.netriplex.com
> ns23.netriplex.com
> ns20.netriplex.com
> This is listed as an ERROR because there are some cases where nasty problems
> can occur (if the TTLs vary from the NS records at the root servers and the
> NS records point to your own domain, for example)
>
> Error: Stealth NS records sent
> Stealth NS records were sent:
> b1.uberns.com
> a1.uberns.com
>
>> if your customers don't see what your cache server does, they can't be using
>> the same cache server as you showed here
>
> true
>
> Message: 5
> Date: Thu, 07 Aug 2014 08:48:29 +1000
> From: Noel Butler
> To: bind-users@lists.isc.org
> Subject: Re: ISP caching server setup
> Message-ID: <90d33a3b80bb02f70dacd57b7711b...@ausics.net>
> Content-Type: text/plain; charset="us-ascii"
>
> You are in fact correct Harry, I never bothered with a whois, had I done
> so I would have picked it up, put it down to too early in the morning,
> so this problem is out of Jared's control, unless he also manages that
> domain.

This is out of my control. My first step would be to resolve the glue/ns record inconsistency which I have already informed the domain owner of the issue. What I'm looking to accomplish is to have a googleish cache server that will resolve even poorly configured domains for my customers without actually pointing all of my traffic at Google.

> Ohh and nice to see you are actually behaving yourself on this list :)
>
> On 07/08/2014 08:40, Reindl Harald wrote:
>
>> On 07.08.2014 at 00:33, Noel Butler wrote:
>>
>>> Apart from stupid SOA values, losscontrol360.com seems OK
>>
>> OK? the failing NS query is caused by the errors below
>> this do
Re: bind-users Digest, Vol 1909, Issue 1
Paste the result of the following command.

dig @203.113.188.3 dep123.com +trace

Abdul Khader

On 07-Aug-14 1:27 PM, Xuan Hung wrote:
> Dear Partner !
>
> I set recursive-clients = 2. I sent my server log. Can you help me ?
>
> version: 9.9.5 (x.x.x)
> CPUs found: 24
> worker threads: 24
> UDP listeners per interface: 24
> number of zones: 5537
> debug level: 0
> xfers running: 0
> xfers deferred: 0
> soa queries in progress: 0
> query logging is ON
> recursive clients: 3686/19900/2
> tcp clients: 0/100
> server is up and running
>
> [root@dns data]# dig @203.113.188.3 dep123.com
>
> ; <<>> DiG 9.9.5 <<>> @203.113.188.3 dep123.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38458
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;dep123.com. IN A
>
> ;; Query time: 280 msec
> ;; SERVER: 203.113.188.3#53(203.113.188.3)
> ;; WHEN: Thu Aug 07 16:15:49 ICT 2014
> ;; MSG SIZE rcvd: 39
>
> Thanks./.
> Nguyễn Xuân Hùng
> 0084-966581518
> P.ISP – TT CNTT – VTNet.
Re: bind-users Digest, Vol 1909, Issue 1
Make your firewall allow DNS packets > 512 bytes.

In the meantime, do the following.

Do dig with "+noedns +bufsize=0".
If the dig with "+noedns +bufsize=0" gives you an answer, then add the following to named.conf:

server 0.0.0.0/0 { edns no; };

This should fix your issue. Once your firewall allows DNS packets > 512, you can remove the named.conf entry.

Abdul Khader
Re: bind-users Digest, Vol 1909, Issue 1
On 07.08.2014 at 12:09, Abdul Khader wrote:
> To: Xuan Hung , bind-users@lists.isc.org, bind-users-boun...@lists.isc.org, jared.emp...@zitomedia.com, dave.berna...@zitomedia.com, ma...@isc.org, h.rei...@thelounge.net

PLEASE don't do that

* just respond to the list
* quote what you refer to
* the subject "bind-users Digest, Vol 1909, Issue 1" is not very helpful
How to figure out QPS in bind 9.9
Dear Team,

I am running an authoritative server on bind 9.9.5. I want to figure out how many queries I am receiving per second at any point of time (or average QPS).

I had enabled the statistics-channel in the bind conf, but there also I am getting total number of queries and not the QPS.

Is there any way out to figure out the same ?

Regards,
Gaurav Kansal
Re: bind-users Digest, Vol 1909, Issue 1
Comment the following line

edns-udp-size 512;

Abdul Khader
Engineer/Network Services/SOM
Mobile : 050-153-5461
Extension : 86-7292

On 07-Aug-14 2:15 PM, Xuan Hung wrote:
> Dear Abdul Khader !
>
> My Named.conf
>
> edns-udp-size 512;
> max-cache-size 4096M;
> recursive-clients 2;
>
> have no
>
> server 0.0.0.0/0 { edns no; };
RE: bind-users Digest, Vol 1909, Issue 1
Dear Abdul Khader !

I comment

//edns-udp-size 512;

But, I check is fail. :(

[root@dns data]# dig @203.113.188.3 +noedns +bufsize=0 vodafone-com.mail.protection.outlook.com

; <<>> DiG 9.9.5 <<>> @203.113.188.3 +noedns +bufsize=0 vodafone-com.mail.protection.outlook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54802
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vodafone-com.mail.protection.outlook.com. IN A

;; Query time: 24 msec
;; SERVER: 203.113.188.3#53(203.113.188.3)
;; WHEN: Thu Aug 07 17:23:06 ICT 2014
;; MSG SIZE rcvd: 58

Thanks./.
Nguyễn Xuân Hùng
0084-966581518
P.ISP – TT CNTT – VTNet.

From: Abdul Khader [mailto:akha...@ies.etisalat.ae]
Sent: Thursday, August 07, 2014 5:30 PM
To: Xuan Hung; bind-users@lists.isc.org; bind-users-boun...@lists.isc.org; jared.emp...@zitomedia.com; dave.berna...@zitomedia.com; ma...@isc.org; h.rei...@thelounge.net
Subject: Re: bind-users Digest, Vol 1909, Issue 1

> Comment the following line
>
> edns-udp-size 512;
>
> Abdul Khader
> Engineer/Network Services/SOM
> Mobile : 050-153-5461
> Extension : 86-7292
>
> On 07-Aug-14 2:15 PM, Xuan Hung wrote:
>> Dear Abdul Khader !
>>
>> My Named.conf
>>
>> edns-udp-size 512;
>> max-cache-size 4096M;
>> recursive-clients 2;
>>
>> have no
>>
>> server 0.0.0.0/0 { edns no; };
RE: bind-users Digest, Vol 1909, Issue 1
Dear Abdul Khader!

I send result command dig. I think command dig without cache.

[root@dns data]# dig @203.113.188.3 vodafone-com.mail.protection.outlook.com

; <<>> DiG 9.9.5 <<>> @203.113.188.3 vodafone-com.mail.protection.outlook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31268
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;vodafone-com.mail.protection.outlook.com. IN A

;; Query time: 24 msec
;; SERVER: 203.113.188.3#53(203.113.188.3)
;; WHEN: Thu Aug 07 16:45:32 ICT 2014
;; MSG SIZE rcvd: 69

[root@dns data]# dig @203.113.188.3 vodafone-com.mail.protection.outlook.com +trace

; <<>> DiG 9.9.5 <<>> @203.113.188.3 vodafone-com.mail.protection.outlook.com +trace
; (1 server found)
;; global options: +cmd
. 513431 IN NS m.root-servers.net.
. 513431 IN NS i.root-servers.net.
. 513431 IN NS b.root-servers.net.
. 513431 IN NS h.root-servers.net.
. 513431 IN NS k.root-servers.net.
. 513431 IN NS l.root-servers.net.
. 513431 IN NS a.root-servers.net.
. 513431 IN NS e.root-servers.net.
. 513431 IN NS d.root-servers.net.
. 513431 IN NS j.root-servers.net.
. 513431 IN NS c.root-servers.net.
. 513431 IN NS g.root-servers.net.
. 513431 IN NS f.root-servers.net.
. 518395 IN RRSIG NS 8 0 518400 2014081300 2014080523 8230 . YpfIt5TMtHS8+Mz/aIqH7OYoQCsqi5/YBfuOc5cwUKwjmuT9x/4epgVG sri7CGAR9cWj0fzPpP7OVY30G40xP0i8MHtMHl1Hk7d8yaumYAtjU2ja rHLqyIRGUJNFRO6c5MDZ5zxAqQXtohyKCYR+vcZjjxKpd4sfnW2aFxDs WUU=
;; Received 913 bytes from 203.113.188.3#53(203.113.188.3) in 26 ms

com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 2014081300 2014080523 8230 . lvQ4DhP9fXhtfUeuS/UDKT04cbmtyRY4K5cPF/G3d93ySC3RRcmjNnXa IbRiX1gkZYPc5cJZmd+WvCRx2xNbR3+/H0EbRVj93Nk3AyqlZBLBrxLs AuDe4NpGvM6c0KWdomOBtBuhtjlC9UbWsiZAWk80YZ/WTBkBsqkvmibE UZE=
;; Received 764 bytes from 192.36.148.17#53(i.root-servers.net) in 86 ms

outlook.com. 172800 IN NS ns3.msft.net.
outlook.com. 172800 IN NS ns1.msft.net.
outlook.com. 172800 IN NS ns5.msft.net.
outlook.com. 172800 IN NS ns2.msft.net.
outlook.com. 172800 IN NS ns4.msft.net.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0QFMDQRCSRU0651QLVA1JQB21IF7UR NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20140813045124 20140806034124 6122 com. H9FvdCqRkAbrdX/XuLmrpyB+Ov7VLSUuvseyCCqA/Z+lem0rN+nG6wBd E3v0AzmfVlk5AYHneO888bRkGQB7lpJlTr9ODRq/YAyhLbVsVUlS3AcU J7zDjGq13l2/CXuN0xDGAv9TU1rQ9YnJgczWKBuqTzeHlHxkzoSnYY59 THc=
4N81UGBNL2VRPL7UPJG4NLIVQEP5TRPR.com. 86400 IN NSEC3 1 1 0 - 4N82D5351BNS9FH0PEU6Q9C12GEGP681 NS DS RRSIG
4N81UGBNL2VRPL7UPJG4NLIVQEP5TRPR.com. 86400 IN RRSIG NSEC3 8 2 86400 20140814043311 20140807032311 6122 com. sQ8v2RHmCM/sUgmMV3mTVp1qr+UyHB+uW878WsviWSROzuk3QIIApz38 hhqXnZaZJw1gDrj0MdyjwWf/qgtH5YEUo2YvsFmGlUNWdBjYEDyqGJqn 2QZDdoC7G3f+f5Hzm2d/33VBYOmeeLCUxZrO/uzMZYr5xevRu6shSpAV aWQ=
;; Received 872 bytes from 192.12.94.30#53(e.gtld-servers.net) in 2308 ms

protection.outlook.com. 7200 IN NS ns1-gtm.glbdns.o365filtering.com.
protection.outlook.com. 7200 IN NS ns2-gtm.glbdns.o365filtering.com.
;; Received 204 bytes from 65.55.37.62#53(ns1.msft.net) in 768 ms
Re: bind-users Digest, Vol 1909, Issue 1
please add the following.

server 0.0.0.0/0 { edns no; };

Then do dig and then check +trace

Abdul Khader

On 07-Aug-14 2:33 PM, Xuan Hung wrote:
> Dear Abdul Khader !
>
> I comment
>
> //edns-udp-size 512;
>
> But, I check is fail. :(
>
> [root@dns data]# dig @203.113.188.3 +noedns +bufsize=0 vodafone-com.mail.protection.outlook.com
>
> ; <<>> DiG 9.9.5 <<>> @203.113.188.3 +noedns +bufsize=0 vodafone-com.mail.protection.outlook.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54802
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;vodafone-com.mail.protection.outlook.com. IN A
>
> ;; Query time: 24 msec
> ;; SERVER: 203.113.188.3#53(203.113.188.3)
> ;; WHEN: Thu Aug 07 17:23:06 ICT 2014
> ;; MSG SIZE rcvd: 58
>
> Thanks./.
> Nguyễn Xuân Hùng
> 0084-966581518
> P.ISP – TT CNTT – VTNet.
>
> From: Abdul Khader [mailto:akha...@ies.etisalat.ae]
> Sent: Thursday, August 07, 2014 5:30 PM
> To: Xuan Hung; bind-users@lists.isc.org; bind-users-boun...@lists.isc.org; jared.emp...@zitomedia.com; dave.berna...@zitomedia.com; ma...@isc.org; h.rei...@thelounge.net
> Subject: Re: bind-users Digest, Vol 1909, Issue 1
>
>> Comment the following line
>>
>> edns-udp-size 512;
>>
>> Abdul Khader
>>
>> On 07-Aug-14 2:15 PM, Xuan Hung wrote:
>>> Dear Abdul Khader !
>>>
>>> My Named.conf
>>>
>>> edns-udp-size 512;
>>> max-cache-size 4096M;
>>> recursive-clients 2;
>>>
>>> have no
>>>
>>> server 0.0.0.0/0 { edns no; };
RE: bind-users Digest, Vol 1909, Issue 1
Dear Abdul Khader !

When I use dig, then I receive immediately. I think edns not use in this case. :(

Can you help me fix this problem ??

Thanks./.
Nguyễn Xuân Hùng
0084-966581518
P.ISP – TT CNTT – VTNet.

From: Abdul Khader [mailto:akha...@ies.etisalat.ae]
Sent: Thursday, August 07, 2014 5:30 PM
To: Xuan Hung; bind-users@lists.isc.org; bind-users-boun...@lists.isc.org; jared.emp...@zitomedia.com; dave.berna...@zitomedia.com; ma...@isc.org; h.rei...@thelounge.net
Subject: Re: bind-users Digest, Vol 1909, Issue 1

> Comment the following line
>
> edns-udp-size 512;
>
> Abdul Khader
> Engineer/Network Services/SOM
> Mobile : 050-153-5461
> Extension : 86-7292
>
> On 07-Aug-14 2:15 PM, Xuan Hung wrote:
>> Dear Abdul Khader !
>>
>> My Named.conf
>>
>> edns-udp-size 512;
>> max-cache-size 4096M;
>> recursive-clients 2;
>>
>> have no
>>
>> server 0.0.0.0/0 { edns no; };
RE: Value of memory
Also remember that "used" reported by "free" in Linux on the first line includes memory pre-allocated to cache and buffers that is readily usable on demand so isn't really allocated to specific processes like you'd see in a similarly configured UNIX system. Be sure when trying to determine "used" that you're looking at the values on the second line instead as that shows what you have when buffers/cached are not included in the totals.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Fajar A. Nugraha
Sent: Thursday, August 07, 2014 12:07 AM
To: Robert Moskowitz
Cc: bind-us...@isc.org
Subject: Re: Value of memory

On Thu, Aug 7, 2014 at 10:39 AM, Robert Moskowitz wrote:
> I have a server that is only running bind 9.8.2 (Centos 6.5). It has
> 2Gb memory and free reports ~1.7Gb used.
>
> I am looking at replacing this server with an armv7 board running
> Redsleeve (until Centos 7 is out and stable for armv7). I have a
> choice of boards, one with 1Gb memory ($60) and one with 2Gb memory ($90).
>
> This server serves out my zones and supports the couple handful of
> systems on my net. I would like to eventually get to DNSSEC, but that
> is another stalled project.
>
> About the only meaningful difference between the two boards (btw,
> Cubieboard2 and Cubietruck) for my needs is the memory. I know more
> memory is better, but how much better?
>
> Oh, why the move to arm? Power consumption. ROI for the C2 board is
> one year just on power saving.

It depends on how much load your server currently handles, and how your cache is configured.

I'd start with looking at your server load. Arm still has lower per-core performance compared to x86, so if you currently see high CPU utilization by named, I'd stick with x86.

Next see how your memory cache is configured. That should be where bind uses most memory. AFAIK by default max-cache-size is unlimited and max-cache-ttl is set to several days. See how much memory bind currently uses for cache, and then you can try configuring those two parameters (e.g. set an explicit max-cache-size to 512MB) and see how much memory bind (and the rest of the OS) uses then, and how well it performs. If it's still acceptable, then you can probably go with the 1GB board.

Cache can reduce the number of queries issued upstream and is very important on busy servers, but if you serve a relatively low number of queries from your clients then you won't see much difference between (e.g.) 512MB and 1GB cache.

--
Fajar
Log Monitoring
I am looking for scripts that can be used to parse and monitor the DNS logs for suspicious activity. I have enabled full logging and am currently using the DNSAnomalyDetection script written by Dr. Johannes Ulrich. This script gives me the daily top 10 requests based on the query logs. Does anyone have other scripts they are willing to share? I do not have Splunk.

Thanks,
Don
Re: Value of memory
Robert,

I'm running a minimal install of CentOS7 on x86 hardware. This system provides authoritative and recursive roles across two separate BIND views. I also have rbldnsd serving a few zones on this system. free reports the following after ~24 hrs of uptime:

             total       used       free     shared    buffers     cached
Mem:      10071492     912808    9158684      16880        764     319180
-/+ buffers/cache:     592864    9478628
Swap:      5185532          0    5185532

I, too, find that my CentOS 6 systems are using ~ 2GB of RAM. Memory usage on C7 appears to be down compared to a similarly configured C6 name server.

Hope this provides a reference point.

--Blake

Robert Moskowitz wrote the following on 8/6/2014 10:39 PM:
> I have a server that is only running bind 9.8.2 (Centos 6.5). It has
> 2Gb memory and free reports ~1.7Gb used.
>
> I am looking at replacing this server with an armv7 board running
> Redsleeve (until Centos 7 is out and stable for armv7). I have a
> choice of boards, one with 1Gb memory ($60) and one with 2Gb memory ($90).
>
> This server serves out my zones and supports the couple handful of
> systems on my net. I would like to eventually get to DNSSEC, but that
> is another stalled project.
>
> About the only meaningful difference between the two boards (btw,
> Cubieboard2 and Cubietruck) for my needs is the memory. I know more
> memory is better, but how much better?
>
> Oh, why the move to arm? Power consumption. ROI for the C2 board is
> one year just on power saving.
Re: How to figure out QPS in bind 9.9
At about 3:26 AM on 07 AUG 2014 Gaurav Kansal asked:
...
> Is there any way out to figure out the same ?

Here are two easy approaches:

Create a simple database or sequence of files containing the results of an "all star" crontab entry. The persistent storage entries coming over the statistics channel from the cron job can be queried for whatever resolution floats your boat. Simple math will give you the desired QPS value.

An alternative would be scripted output of, say, tcpdump to obtain the counts for each interval and use them just like the statistics channel data.

The database and graphing can be performed by your favorite open source packages. For ad-hoc questions you could use your favorite shell, Perl, etc.

hth,
Len
Re: How to figure out QPS in bind 9.9
On Thu, Aug 07, 2014 at 03:55:56PM +0530, Gaurav Kansal wrote:
> I had enabled the statistics-channel in the bind conf, but there also I am
> getting total number of queries and not the QPS.
>
> Is there any way out to figure out the same ?

Poll the stats channel every 60 seconds, subtract the previous value for total queries from the new value, and divide by 60. (Or every 5 minutes, or 15, or whatever.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
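The polling arithmetic from the reply above, as an added example (not code from the thread or from ISC). It assumes a version-2 style statistics XML layout with a server/requests/opcode QUERY counter; the sample documents are constructed, and the URL in the comment is a placeholder for whatever statistics-channels address is configured.

```python
"""QPS from successive polls of a BIND statistics channel (added example)."""
import time
import xml.etree.ElementTree as ET
from urllib.request import urlopen


def make_sample(total):
    """Constructed statistics document; the element layout is an assumption
    modelled on the version-2 statistics XML, not a capture from a server."""
    return (
        '<isc version="1.0"><bind><statistics version="2.2"><server>'
        "<requests>"
        f"<opcode><name>QUERY</name><counter>{total}</counter></opcode>"
        "<opcode><name>NOTIFY</name><counter>12</counter></opcode>"
        "</requests>"
        "</server></statistics></bind></isc>"
    )


def total_queries(xml_doc):
    """Return the cumulative QUERY opcode counter from a statistics document."""
    root = ET.fromstring(xml_doc)
    for opcode in root.iter("opcode"):
        if opcode.findtext("name") == "QUERY":
            return int(opcode.findtext("counter"))
    raise ValueError("no QUERY opcode counter in statistics document")


def poll(url, timeout=5):
    """Fetch one (unix_time, total_queries) sample.
    url is hypothetical, e.g. http://127.0.0.1:8053/ if that is what
    statistics-channels is bound to."""
    with urlopen(url, timeout=timeout) as resp:
        return time.time(), total_queries(resp.read())


def qps_series(samples):
    """samples: [(unix_time, cumulative_total), ...] in time order.
    Returns [(interval_end, qps_or_None), ...]. The counter is cumulative
    since named started, so a value lower than the previous one means the
    server restarted; that interval is reported as None instead of a
    negative rate."""
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            raise ValueError("samples must be strictly increasing in time")
        out.append((t1, None if c1 < c0 else (c1 - c0) / dt))
    return out


if __name__ == "__main__":
    # Constructed samples 60 s apart, with a restart before the third poll.
    polls = [(0, total_queries(make_sample(1204500))),
             (60, total_queries(make_sample(1210500))),
             (120, total_queries(make_sample(300))),
             (180, total_queries(make_sample(900)))]
    for end, qps in qps_series(polls):
        print(end, "restart" if qps is None else f"{qps:.1f} qps")
```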
Re: Log Monitoring
Hi there,

On Thu, 7 Aug 2014, Davis, Donald W wrote:
> I am looking for scripts that can be used to parse and monitor the
> DNS logs for suspicious activity.

If Nagios didn't exist, I'd have to invent it:

http://exchange.nagios.org/directory/Plugins/Network-Protocols/DNS
http://www.nagios.com/solutions/dns-monitoring

--
73,
Ged.
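A small query-log parser of the kind asked about in this thread, as an added example (not the DNSAnomalyDetection script and not code from any poster). It goes beyond a top-10 list by also flagging clients that ask for many distinct names under one parent domain and names with very long labels. The log lines are constructed, the line layout is assumed to follow the BIND 9.9 "queries" category format, and the thresholds are arbitrary illustration values.

```python
"""Top-N and simple anomaly flags from BIND query logs (added example)."""
import re
from collections import Counter, defaultdict

# Matches both "client IP#port (qname): query: ..." and the older form
# without the parenthesised name, with an optional "view NAME:" part.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f:.]+)#\d+(?: \([^)]*\))?: "
    r"(?:view \S+: )?query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    "07-Aug-2014 10:15:01.101 queries: info: client 192.0.2.10#53211 "
    "(www.example.com): query: www.example.com IN A +E (198.51.100.1)",
    "07-Aug-2014 10:15:01.140 queries: info: client 192.0.2.10#53212 "
    "(www.example.com): query: www.example.com IN AAAA +E (198.51.100.1)",
    "07-Aug-2014 10:15:02.007 queries: info: client 192.0.2.11#40001 "
    "(mail.example.org): query: mail.example.org IN MX + (198.51.100.1)",
] + [
    f"07-Aug-2014 10:16:{i:02d}.000 queries: info: client 192.0.2.77#4{i:04d} "
    f"({lab}.t.example.net): query: {lab}.t.example.net IN TXT + (198.51.100.1)"
    for i, lab in enumerate(
        ["a1f9c0", "b77e21", "c0d3aa", "d41d8c", "e99a18", "x" * 45])
]


def parse(lines):
    """Yield (client_ip, qname, qtype) for every line that is a query record."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["qname"].lower().rstrip("."), m["qtype"]


def parent_zone(qname, labels=2):
    """Last `labels` labels of the name. This is a naive stand-in for a
    registered-domain lookup; it does not consult a public suffix list."""
    return ".".join(qname.split(".")[-labels:])


def analyse(lines, top_n=10, fanout_min=5, long_label=40):
    """Return the top queried names plus two anomaly views:
    fanout      - (client, parent zone) pairs with >= fanout_min distinct
                  names, the pattern left by random-subdomain floods and
                  data carried in query names
    long_labels - (client, qname) pairs with a label of >= long_label chars
    """
    top = Counter()
    distinct = defaultdict(set)
    long_labels = set()
    for ip, qname, _qtype in parse(lines):
        top[qname] += 1
        distinct[(ip, parent_zone(qname))].add(qname)
        if any(len(label) >= long_label for label in qname.split(".")):
            long_labels.add((ip, qname))
    fanout = {k: len(v) for k, v in distinct.items() if len(v) >= fanout_min}
    return {"top": top.most_common(top_n),
            "fanout": fanout,
            "long_labels": sorted(long_labels)}


if __name__ == "__main__":
    report = analyse(SAMPLE)
    for name, count in report["top"]:
        print(f"{count:6d} {name}")
    for (ip, zone), n in report["fanout"].items():
        print(f"fanout: {ip} asked for {n} distinct names under {zone}")
    for ip, name in report["long_labels"]:
        print(f"long label: {ip} {name}")
```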
bind 9.10-P2 dnssec keys management
Hi,

1. my server use key id 23412 first and then 40767

[root@dnssec keys]# dnssec-settime -p all Kexample.com.+005+23412
Created: Wed Jul 30 14:56:09 2014
Publish: Wed Jul 30 14:56:09 2014
Activate: Fri Aug 1 14:56:09 2014
Revoke: UNSET
Inactive: Sun Aug 31 14:56:09 2014
Delete: Mon Sep 1 14:56:09 2014

[root@dnssec keys]# dnssec-settime -p all Kexample.com.+005+40767
Created: Thu Aug 7 15:59:03 2014
Publish: Fri Aug 29 14:56:09 2014
Activate: Sun Aug 31 14:56:09 2014
Revoke: UNSET
Inactive: Tue Sep 30 14:56:09 2014
Delete: Wed Oct 1 14:56:09 2014

2. In order to test changing a new ZSK, I set the OS clock to be future time at Aug 31 14:56:08 2014. Now it is Aug 7 2014. Then I wait 2-3 secs to ensure that bind activate new ZSK id 40767 and inactivate old ZSK id 23412.

3. I use dig to check whether bind activate new key correctly or not but I notice there is some dns records which are signed by new key and some dns records are signed by old key. In theory, after new ZSK is activated, all dns records must be signed with new key.

4. This is result.

[root@dnssec keys]# dig @10.10.10.203 example.com any +dnssec +multiline

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @10.10.10.203 example.com any +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5421
;; flags: qr aa rd; QUERY: 1, ANSWER: 15, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.com. IN ANY

;; ANSWER SECTION:
example.com. 86400 IN RRSIG NS 5 2 86400 20140928075513 (
        20140829070015 23412 example.com.
        lggwXqqh5PwYcNFqjVQEPKuLoJANDzsLJ7pAFtgIF6wh
        EMtxKFN+Y4SXx6O/OcHrGgxcwYRV+/yN3YHAj55sq0ax
        sp3uBI0YvOrwrmQeqaIqeMynzafehrwTHLeMxTMkimlT
        JakSvRLglpCtpNw0n2xUMkFo4MM6dN/0NzANSdw= )
example.com. 86400 IN RRSIG NSEC 5 2 86400 20140928075513 (
        20140829070015 23412 example.com.
        PkgjBT8SE24O5gFktr6XncfoB/KHcW1chVvlDhiFtzS+
        bagayzo5r8uzw0frlVSN3JEbxRJSVX/55uahgYuzhCj/
        F/dfGnQ9PRn1+1DjhFTFO0IzHBqN0LmyAhbOTrwQMyrN
        aJnckwAFAJoPOIA+N8dcT8rIT9jK/Bhdmi0+NRo= )
example.com. 86400 IN NSEC ns.example.com. NS SOA RRSIG NSEC DNSKEY TYPE65534
example.com. 86400 IN RRSIG SOA 5 2 86400 20140930075609 (
        20140831065609 40767 example.com.
        dA4v0mEU0stMci6TcwH3iWKc2iqgx/tt5fjfMdHqHSoG
        XnzDMiQBxT7qucQ7ixN9ocaQUsCqCWgOgGL6SLW4/Qja
        iIi78dvtlU2JKVNCC5qnJudn5MlUS1/VSToDY9CqKO4Z
        BnrvlfvoRWJv/IlRqSXdG5taB8zvAw3drzaHO/E= )
example.com. 0 IN RRSIG TYPE65534 5 2 0 20140928075513 (
        20140829070015 23412 example.com.
        ynK/o9xUhkLTxmfUMsUZ+Lroi9ov5n6p1X2adr0PsNbY
        WQqG0qBQgzQqH6a6TDcCS/d8SFMJCl0duf8y4nlytDUV
        6z2psdUNt6or8xPHTdCDPJKFLMxzFV8gpD5oxPLS3DeU
        C27+SFEpCzKtgwjxGkHzZabNesK6WKSoPwQFvaw= )
example.com. 86400 IN RRSIG DNSKEY 5 2 86400 20140930075609 (
        20140831065609 5554 example.com.
        Vb502xsTCsQDRMDt3/f5Q28XC9c908GGIZzgAP4jeHXa
        hGdhXP/lVcZw38bJplw7t9ysgJyyeSzdULTAQbyMy+Fd
        gTzjGqRz1elme1AkrguUHNmee/MvP1Sgkmj+UOENBaN/
        ubqh9ywJcRsYK7RqfN1B6xLIyB8WDwcrpvroD8iwJmP1
        CZYN+xrhvq/0ancfMUguLAHsfRh4ldxKZ4oy/NrkJJbp
        3a2yO0O99D6RZQ== )
example.com. 86400 IN RRSIG DNSKEY 5 2 86400 20140930075609 (
        20140831065609 40767 example.com.
        dH6x9qaiE49/jMve7Uv7cOIYh6L4YPz9WEFydRv6euqQ
        B7Zj4tX2aoruJxvupHn0hgzVyS4EtIfdsXTOOyLCxghl
        j3//Gfv7Y+kf14hm+MCVIHqbpq9J2FHAHTK3WgTgMAXX
        2SfYcrW676TQ1zWlpAUHKFPDwPwGB3CTzszu3vE= )
example.com. 0 IN TYPE65534 \# 5 ( 059F3F )
example.com. 0 IN TYPE65534 \# 5 ( 0515B20001 )
example.com. 0 IN TYPE65534 \# 5 ( 055B740001 )
example.com. 86400 IN DNSKEY 256 3 5 (
        AwEAAaB5OP8VxbRihmF2d6woYO266+SFlGsj5xwcDiF2
        ctMKazuasvGyCtkuqbfEJWYfyAumQlObAbKuuR59qoQo
        hCSwmzXH67gUrKjhAQfQKFa2KmzrcVe+hyQtAVzWoHgK
        ff7t8LgbESPwEqwgmvT97rxjyZHHFVkttXxXfZ+GkzZj
        ) ; key id = 40767
example.com. 86400 IN DNSKEY 256 3 5 (
        AwEAAdz+HnGTt4MKPecTfEmTgdGLKT1AAFzub8vkmpSu
        3J8phU4GHEXFl81I8klDIC2vMbgXRL4ZbOe1wBvK7tq+
        i4m6YliYOm4rIiWX2lc7hh+pj2WI4h2KgHalUCjB4Zwf
        U5vR4biVdCJ6p+JEvo7AJMDXyWUhJsLRqcpHDtao3Rn/
        ) ; key id = 23412
example.com. 86400 IN DNSKEY 257 3 5 (
        AwEAAb2FS/90WOx0xXHkaYRth7DTvdeEoIhsWAsOx8TR
        rdjwx7gtr5f/ZQvcnQM7FMzM8f18iBm51SclpipYeNMF
        FRaYAp+mdqnHeO+B63q/E3+cBiKrmdVUyvJwuS8MzXuA
        ZyVkPMr4U1EUJpONYD5nVmlc/RzexcGc9fj/
Re: bind 9.10-P2 dnssec keys management
> 3. I use dig to check whether bind activates the new key correctly or
> not, but I notice there are some dns records which are signed by the new key
> and some dns records are signed by the old key. In theory, after the new ZSK is
> activated, all dns records must be signed with the new key.

After a new ZSK is activated, records will be signed with the new key *when their signatures need to be refreshed*. Signatures normally have a 30 day lifetime and are refreshed at least 7 days before they expire. As long as the old ZSK is still in the DNSKEY rrset, there's no reason to hurry the process up, so the old signatures are not immediately removed when a new ZSK is activated.

If you were to publish a new ZSK on September 1, deactivate the old one and activate the new one on October 1, and delete the old one on November 1, everything should run smoothly. (By November 1 all the signatures from the old key would be gone, so you could delete the key from the DNSKEY rrset without causing problems.)

The "dnssec-coverage" tool can be used to check your key set for timing consistency.

If you need to force the entire zone to be signed with the new key without waiting out the usual re-signing period, use "rndc sign ".

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: bind 9.10-P2 dnssec keys management
Please FIX your email client. It really stuffs up the text/plain by adding in additional lines.

In message <102153bef555e7489ca5d54165c431a301301...@exchbsi02.ttt.co.th>, "Jittinan Suwanruengsri" writes:
>
> Hi,
>
> 1. My server uses key id 23412 first and then 40767.
>
> [root@dnssec keys]# dnssec-settime -p all Kexample.com.+005+23412
> Created: Wed Jul 30 14:56:09 2014
> Publish: Wed Jul 30 14:56:09 2014
> Activate: Fri Aug 1 14:56:09 2014
> Revoke: UNSET
> Inactive: Sun Aug 31 14:56:09 2014
> Delete: Mon Sep 1 14:56:09 2014
>
> [root@dnssec keys]# dnssec-settime -p all Kexample.com.+005+40767
> Created: Thu Aug 7 15:59:03 2014
> Publish: Fri Aug 29 14:56:09 2014
> Activate: Sun Aug 31 14:56:09 2014
> Revoke: UNSET
> Inactive: Tue Sep 30 14:56:09 2014
> Delete: Wed Oct 1 14:56:09 2014
>
> 2. In order to test changing a new ZSK, I set the OS clock to be a
> future time at Aug 31 14:56:08 2014. Now it is Aug 7 2014. Then I wait
> 2-3 secs to ensure that bind activates new ZSK id 40767 and inactivates
> old ZSK id 23412.
>
> 3. I use dig to check whether bind activates the new key correctly or
> not, but I notice there are some dns records which are signed by the new key
> and some dns records are signed by the old key. In theory, after the new ZSK is
> activated, all dns records must be signed with the new key.

No. Once a key is activated it will be used to sign rrsets as they fall due for re-signing. Named does NOT walk the zone and re-sign every rrset.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
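The timing condition in the two replies above (signatures made by the old ZSK stay in the zone until they are refreshed, so the key has to remain in the DNSKEY rrset until they are gone), as an added example that is not part of either reply or of BIND: a Python check that reads RRSIG headers from dig output and flags keys whose Delete time falls before the last signature they made expires. The sample is constructed from the RRSIG header fields and dnssec-settime "Delete:" times posted in the thread; treating those times as UTC, and all function names, are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: RRSIG header fields as they appear in the thread's dig
# output (signature data left out, it is not needed for this check).
SAMPLE_DIG = """\
example.com. 86400 IN RRSIG NS 5 2 86400 20140928075513 (
        20140829070015 23412 example.com.
example.com. 86400 IN RRSIG SOA 5 2 86400 20140930075609 (
        20140831065609 40767 example.com.
example.com. 86400 IN RRSIG DNSKEY 5 2 86400 20140930075609 (
        20140831065609 5554 example.com.
example.com. 86400 IN RRSIG DNSKEY 5 2 86400 20140930075609 (
        20140831065609 40767 example.com.
"""
# "Delete:" times from the thread's dnssec-settime output, assumed to be UTC.
DELETE_TIMES = {23412: "Mon Sep 1 14:56:09 2014", 40767: "Wed Oct 1 14:56:09 2014"}

# owner ttl IN RRSIG covered alg labels origttl expiration ( inception keytag signer
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s*\(?\s*"
    r"(\d{14})\s+(\d+)\s+\S+", re.MULTILINE)

def _ts(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Return (owner, covered_type, expiration, inception, key_tag) per RRSIG."""
    return [(m[1], m[2], _ts(m[3]), _ts(m[4]), int(m[5]))
            for m in RRSIG_RE.finditer(text)]

def last_expiry_by_key(rrsigs):
    """Latest expiration among the signatures made by each key tag."""
    latest = {}
    for _owner, _covered, expires, _inception, tag in rrsigs:
        latest[tag] = max(latest.get(tag, expires), expires)
    return latest

def early_deletes(rrsigs, delete_times):
    """Key tags whose Delete time falls before their last signature expires."""
    flagged = {}
    for tag, expires in last_expiry_by_key(rrsigs).items():
        if tag not in delete_times:
            continue  # no timing metadata known for this key (here: tag 5554)
        delete = datetime.strptime(delete_times[tag], "%a %b %d %H:%M:%S %Y")
        delete = delete.replace(tzinfo=timezone.utc)
        if delete < expires:
            flagged[tag] = (delete, expires)
    return flagged
```

On the thread's values this flags key 23412, whose Delete time of Sep 1 precedes the Sep 28 expiry of signatures it made, while key 40767 passes.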
Re: Metazones or Something Else?
On 04 Aug 2014 18:33, "John Anderson" wrote:
>
> Greetings Bind-Users List,
>
> I've recently inherited a project that is going to require some method of automatically disseminating zone information to slave DNS servers running BIND. While searching for an industry standard method of accomplishing this task, I came across this rather dated document that Paul Vixie wrote on accomplishing exactly this task. [ http://dotat.at/tmp/metazones.pdf ] Since reading that document, I have been unsuccessful in locating any documentation of this feature on ISC's website.
>
> Has this metazone idea gained any traction? Is there a distributable implementation? If not, has another technology emerged which essentially injects restart-persistent zone SOA record information into BIND so that it may then receive AXFR/IXFR for the zone from the master?

I don't know metazone, but webmin permits deploying new zones automatically to a predefined dns slaves "cluster". Works perfectly, very simple to use.

Best regards

>
> Any nudge in the right direction would be appreciated.
>
> John A.
rndc zonestatus meaning
Hi,

1. # rndc zonestatus example.com
name: example.com
type: master
files: /usr/local/named/zone/example.com.zone
serial: 2013122402
signed serial: 2013122405
nodes: 5
last loaded: Fri, 29 Aug 2014 08:00:15 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Mon, 01 Sep 2014 04:56:09 GMT
next resign node: ns.example.com/NSEC
next resign time: Sat, 20 Sep 2014 19:55:13 GMT
dynamic: yes
frozen: no

2. example.com.zone
$ORIGIN .
$TTL 86400 ; 1 day
example.com IN SOA ns.example.com. hostmaster.example.com. (
                2013122402 ; serial
                86400      ; refresh (1 day)
                7200       ; retry (2 hours)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
        NS ns.example.com.
$ORIGIN example.com.
ns      A 10.10.10.203
sub     NS ns.sub
        DS 19264 8 1 (
                EA38AD65596500B2D6A4BC04478FFD5C13FF7600 )
        DS 19264 8 2 (
                A68BF3856CA9AF1A669EA10DEC8BA72E174108EEB5AA
                D1CF5A3C919E5AB9B60B )
        DS 36579 7 1 (
                83F190FDEBF79DFEC93571D2C06240834C059414 )
        DS 36579 7 2 (
                EAFB90C1EB610CF566EC677A381D5F9DCAFB8B0E2B6D
                C78A7788E501D523187C )
$ORIGIN sub.example.com.
ns      A 10.10.10.204
$ORIGIN example.com.
www     A 2.2.2.2

3. How does bind count the number of nodes in zonestatus? (Mine is 5)

4. What is next key event?

5. What is next resign node?

6. Where can I get more information about DNSSEC in BIND 9.10-P2 besides the BIND 9 Administrator Reference Manual? Personally, I think it does not have enough details.

Thank You
Jittinan
Re: rndc zonestatus meaning
In message <102153bef555e7489ca5d54165c431a301301...@exchbsi02.ttt.co.th>, "Jittinan Suwanruengsri" writes:
>
> Hi,
>
> 1. # rndc zonestatus example.com
> name: example.com
> type: master
> files: /usr/local/named/zone/example.com.zone
> serial: 2013122402
> signed serial: 2013122405
> nodes: 5
> last loaded: Fri, 29 Aug 2014 08:00:15 GMT
> secure: yes
> inline signing: yes
> key maintenance: automatic
> next key event: Mon, 01 Sep 2014 04:56:09 GMT
> next resign node: ns.example.com/NSEC
> next resign time: Sat, 20 Sep 2014 19:55:13 GMT
> dynamic: yes
> frozen: no
>
> 2. example.com.zone
> $ORIGIN .
> $TTL 86400 ; 1 day
> example.com IN SOA ns.example.com. hostmaster.example.com.
> (
> 2013122402 ; serial
> 86400 ; refresh (1 day)
> 7200 ; retry (2 hours)
> 604800 ; expire (1 week)
> 86400 ; minimum (1 day)
> )
> NS ns.example.com.
> $ORIGIN example.com.
> ns A 10.10.10.203
> sub NS ns.sub
> DS 19264 8 1 (
> EA38AD65596500B2D6A4BC04478FFD5C13FF7600
> )
> DS 19264 8 2 (
> A68BF3856CA9AF1A669EA10DEC8BA72E174108EEB5AA
> D1CF5A3C919E5AB9B60B )
> DS 36579 7 1 (
> 83F190FDEBF79DFEC93571D2C06240834C059414
> )
> DS 36579 7 2 (
> EAFB90C1EB610CF566EC677A381D5F9DCAFB8B0E2B6D
> $ORIGIN sub.example.com.
> ns A 10.10.10.204
> $ORIGIN example.com.
> www A 2.2.2.2
> 3. How does bind count the number of nodes in zonestatus? (Mine is 5)

They are counted by the database implementation. example.com, ns.example.com, sub.example.com, ns.sub.example.com and www.example.com would be the 5 nodes in this zone.

> 4. What is next key event?

This is the next time something needs to be done with respect to the keys for this zone based on the times stored in the .private files. Named will re-read the keys and work out what to do at this time.

> 5. What is next resign node?

Next re-sign rrset would be a better description. It is the next RRset that is due to be re-signed based on sig-validity-interval and the timestamps in the RRSIGs. In the example above the NSEC record for ns.example.com is the next RRset that needs to be re-signed.

> 6. Where can I get more information about DNSSEC in BIND 9.10-P2
> besides the BIND 9 Administrator Reference Manual? Personally, I think
> it does not have enough details.
>
> Thank You
>
> Jittinan

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: rndc zonestatus meaning
> 3. How does bind count the number of nodes in zonestatus? (Mine is 5)

The number of nodes in the zone database that have data (not counting NSEC3 nodes). In your case: example.com, ns.example.com, sub.example.com, ns.sub.example.com, and www.example.com makes five.

> 4. What is next key event?

The next time the zone keys are scheduled to be refreshed. At that time, named will perform the equivalent of "rndc loadkeys" on itself to see whether it needs to make any changes to the DNSKEY rrset.

> 5. What is next resign node?

The next RRSIG that's scheduled to be refreshed.

> 6. Where can I get more information about DNSSEC in BIND 9.10-P2
> besides the BIND 9 Administrator Reference Manual? Personally, I think
> it does not have enough details.

I don't know of any detailed guides I can point you to at this time. However, ISC provides a thorough training course on the subject; see http://www.dns-co.com/services/training.

http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-04 has guidance about scheduling key rollovers that you may find useful.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.