debug 1: received control channel command 'null' - linked to amazon.de zone problem?
The recursive dns server for my home network keeps crashing. There is nothing in the logs, so I upped the log severity to debug. I see this:

16-Jan-2015 09:46:44.314 general: debug 1: received control channel command 'null'
16-Jan-2015 09:46:44.319 general: info: received control channel command 'stop -p'
16-Jan-2015 09:46:44.320 general: info: shutting down: flushing changes
16-Jan-2015 09:46:44.323 general: notice: stopping command channel on 127.0.0.1#953
16-Jan-2015 09:46:44.323 general: notice: stopping command channel on ::1#953
16-Jan-2015 09:46:44.351 network: info: no longer listening on ::#53
16-Jan-2015 09:46:44.352 network: info: no longer listening on 127.0.0.1#53
16-Jan-2015 09:46:44.353 database: debug 1: calling free_rbtdb(.)
16-Jan-2015 09:46:44.353 database: debug 1: done free_rbtdb(.)
16-Jan-2015 09:46:44.354 database: debug 1: calling free_rbtdb(.)
16-Jan-2015 09:46:44.355 database: debug 1: done free_rbtdb(.)
16-Jan-2015 09:46:44.355 database: debug 1: calling free_rbtdb(0.in-addr.arpa)
16-Jan-2015 09:46:44.356 database: debug 1: done free_rbtdb(0.in-addr.arpa)
16-Jan-2015 09:46:44.356 database: debug 1: calling free_rbtdb(127.in-addr.arpa)
16-Jan-2015 09:46:44.356 database: debug 1: done free_rbtdb(127.in-addr.arpa)
16-Jan-2015 09:46:44.357 database: debug 1: calling free_rbtdb(255.in-addr.arpa)
16-Jan-2015 09:46:44.357 database: debug 1: done free_rbtdb(255.in-addr.arpa)
16-Jan-2015 09:46:44.377 database: debug 1: calling free_rbtdb(.)
16-Jan-2015 09:46:44.378 database: debug 1: done free_rbtdb(.)
16-Jan-2015 09:46:44.391 database: debug 1: calling free_rbtdb(.)
16-Jan-2015 09:46:44.392 database: debug 1: done free_rbtdb(.)
16-Jan-2015 09:46:44.393 database: debug 1: calling free_rbtdb(.)
16-Jan-2015 09:46:44.396 database: debug 1: adjust_quantum -> 295
16-Jan-2015 09:46:44.397 database: debug 1: calling free_rbtdb(localhost)
16-Jan-2015 09:46:44.398 database: debug 1: done free_rbtdb(localhost)
16-Jan-2015 09:46:44.407 database: debug 1: done free_rbtdb(.)
16-Jan-2015 09:46:44.424 general: notice: exiting

Then I have to restart it. It keeps happening. I think it's related to a SERVFAIL I keep seeing:

debug 1: client 10.8.0.6#50541: query failed (SERVFAIL) for www.amazon.de/IN/A at query.c:7002

squish.net finds a few problems with www.amazon.de:

14.6% maxdepth
3% resulted in an exception

Running bind 1:9.8.4.dfsg.P1-6+nmu2+deb7u3 rpi

Anyone know what's going on?

--
http://www.fastmail.com - The professional email service

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: debug 1: received control channel command 'null' - linked to amazon.de zone problem?
James Patterson wrote:

> The recursive dns server for my home network keeps crashing.

It looks to me like it is stopping gracefully in response to an `rndc stop -p` command.

> 16-Jan-2015 09:46:44.319 general: info: received control channel command
> 'stop -p'
> 16-Jan-2015 09:46:44.424 general: notice: exiting

Tony.
--
f.anthony.n.finch http://dotat.at/
German Bight, Humber: Southwest 6 to gale 8, occasionally severe gale 9 at first in German Bight, veering west 5 to 7. Rough or very rough becoming moderate or rough. Squally wintry showers. Moderate or good, occasionally poor.
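The distinction drawn in the reply above (a stop requested over the control channel versus a crash) can be checked mechanically. This is an added example, not code from any poster or from BIND; `classify_shutdown` and its verdict names are hypothetical, and the sample is a constructed subset of the log lines quoted in the thread.

```python
import re

# Constructed sample: a subset of the log lines quoted in this thread.
SAMPLE_LOG = """\
16-Jan-2015 09:46:44.314 general: debug 1: received control channel command 'null'
16-Jan-2015 09:46:44.319 general: info: received control channel command 'stop -p'
16-Jan-2015 09:46:44.320 general: info: shutting down: flushing changes
16-Jan-2015 09:46:44.323 general: notice: stopping command channel on 127.0.0.1#953
16-Jan-2015 09:46:44.424 general: notice: exiting
"""

# "<date> <time> <category>: <severity>: <message>", as in the quoted log.
LINE_RE = re.compile(r"^(\S+ \S+) (\w+): (?:debug \d+|\w+): (.*)$")
CMD_RE = re.compile(r"received control channel command '([^']*)'")
STOP_COMMANDS = {"stop", "halt"}  # rndc commands that terminate named


def classify_shutdown(log_text):
    """Classify how a named log excerpt ends (hypothetical helper).

    Returns (verdict, detail) where verdict is one of:
      control-channel   stop/halt arrived over the control channel, then exit
      clean-exit-other  'exiting' logged without such a command
      no-clean-exit     no 'exiting' line: consistent with a crash or kill
    """
    stop_cmd = None  # (timestamp, command text) of the latest stop/halt
    exited_at = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, _category, msg = m.groups()
        cmd = CMD_RE.search(msg)
        if cmd:
            words = cmd.group(1).split()
            if words and words[0] in STOP_COMMANDS:
                stop_cmd = (ts, cmd.group(1))
        elif msg == "exiting":
            exited_at = ts
    if exited_at and stop_cmd:
        return "control-channel", f"rndc '{stop_cmd[1]}' at {stop_cmd[0]}"
    if exited_at:
        return "clean-exit-other", f"exited at {exited_at}"
    return "no-clean-exit", "log ends without an 'exiting' line"


if __name__ == "__main__":
    print(classify_shutdown(SAMPLE_LOG))
```

In the quoted log the command channel listens only on 127.0.0.1#953 and ::1#953, so a `control-channel` verdict points at something on the host itself issuing the stop.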
Re: tcp only forwarder
wu shuangrong wrote:
>
> I want to set BIND up as a forwarder, using only TCP connection to query the
> google public DNS, because UDP is poisoned. Is this possible?

I don't think BIND supports that. And Google Public DNS's TCP support is not very good: it drops the connection if you try to make concurrent queries.

Tony.
--
f.anthony.n.finch http://dotat.at/
Lundy, Fastnet, Irish Sea: Northwest backing west 5 to 7. Very rough at first in south Fastnet and southwest Lundy, otherwise moderate or rough. Squally showers, wintry in Irish Sea. Moderate or good, occasionally poor in Irish Sea.
How to alias a domain
I have three domains, two of which are aliases for the other (klam.ca - aliases klam.biz and klam.com). Within these domains I have TLSA records for things like the email system and some web services.

I originally thought of using dname records for the domain aliases and cname records for the TLSA records. But for this to work I would need to enable recursion on the authoritative server for masters. I understand that for very good reasons this is considered a very bad idea.

So how best to provide aliasing?

--
John Allen
KLaM
--
I just got lost in thought. It was unfamiliar territory.
Re: How to alias a domain
On 16/01/2015 13:00, John wrote:

> But for this to work I would need to enable recursion on the
> authoritative server for masters

Why?
Re: How to alias a domain
On 1/16/2015 8:59 AM, Phil Mayers wrote:
> On 16/01/2015 13:00, John wrote:
>> But for this to work I would need to enable recursion on the
>> authoritative server for masters
>
> Why?

Further problem is that DNSSEC tests show problem with NS records.

--
John Allen
KLaM
--
Save the whales. Collect the whole set.
Re: How to alias a domain
On 1/16/2015 8:59 AM, Phil Mayers wrote:
> On 16/01/2015 13:00, John wrote:
>> But for this to work I would need to enable recursion on the
>> authoritative server for masters
>
> Why?

Because the last time I tried it, it did not work!

I have just tried it again and I don't get the answers I expect? I see the DNAME but the system does not seem to be following it.

Suggestions?

--
John Allen
KLaM
--
we should be careful not to ascribe to malice what could equally be explained by incompetence
Re: How to alias a domain
On 16/01/2015 15:07, John wrote:
> On 1/16/2015 8:59 AM, Phil Mayers wrote:
>> On 16/01/2015 13:00, John wrote:
>>> But for this to work I would need to enable recursion on the
>>> authoritative server for masters
>>
>> Why?
>
> Because the last time I tried it, it did not work!

Authoritative servers don't need to enable recursion to use DNAME. They'll either serve a DNAME (to DNAME-capable recursive clients) or a synthesised CNAME (to DNAME-incapable).

DNAME might not be working, but whatever the reason, it's not because your authoritative isn't recursing.

And yes, doing recursion on an auth server isn't a good idea.

> I have just tried it again and I don't get the answers I expect? I see
> the DNAME but the system does not seem to be following it.

More details please. What names do you have in the zones, what queries are you making, and what results are you getting?
Re: How to alias a domain
DNAME will not work with DNSSEC.
DNAME only works with the sub-tree, while DNSSEC is at the domain level.

Taking the example:
klam.biz IN DNAME klam.com

DNSSEC will try to find keys for klam.biz NOT klam.com, which results in DNSSEC failure.

It looks like the only way to do this is to point the zones at a single zone file. However, I am not sure that that will work as smoothly as I would like.

--
John Allen
KLaM
--
Why do psychics have to ask your name?!
Re: How to alias a domain
In article , Phil Mayers wrote:

> On 16/01/2015 15:07, John wrote:
> > On 1/16/2015 8:59 AM, Phil Mayers wrote:
> >> On 16/01/2015 13:00, John wrote:
> >>> But for this to work I would need to enable recursion on the
> >>> authoritative server for masters
> >>
> >> Why?
> >>
> > Because the last time I tried it, it did not work!
>
> Authoritative servers don't need to enable recursion to use DNAME.
> They'll either serve a DNAME (to DNAME-capable recursive clients) or a
> synthesised CNAME (to DNAME-incapable).
>
> DNAME might not be working, but whatever the reason, it's not because
> your authoritative isn't recursing.
>
> And yes, doing recursion on an auth server isn't a good idea.

And even if you enable it, it won't help. The queries to auth servers usually come from caching servers, and they don't request recursion.

--
Barry Margolin
Arlington, MA
Re: How to alias a domain
Hi John,

On Fri, Jan 16, 2015 at 10:36 AM, John wrote:

> DNAME will not work with DNSSEC.

Not true. DNAMEs enable CNAME synthesis to other domains, after which synthesis the response works just like regular CNAME response would. The authentication works by authenticating the DNAME (using the RRSIG covering the DNAME). The CNAME requires to RRSIG because it is known that all names under the DNAME are synthesized (to the target domain), which has been proven by the existence of the DNAME record itself.

> DNSSEC will try to find keys for klam.biz NOT klam.com, which results in
> DNSSEC failure.

Actually, it must try to find authentication chains for the appropriate records in *both* klam.biz and klam.com.

http://dnsviz.net/d/www.klam.biz/VLkuUA/dnssec/

Again, this is not unlike regular (non-DNAME) out-of-zone CNAME examples, such as:

http://dnsviz.net/d/seas-web-test.huque.com/VLkyFA/dnssec/

Cheers,
Casey
Re: How to alias a domain
On Fri, Jan 16, 2015 at 10:49 AM, Casey Deccio wrote:

> ... The CNAME requires to RRSIG...

Typo: That should read:

"... The CNAME requires no RRSIG..."

Cheers,
Casey
Re: How to alias a domain
On 16/01/2015 15:36, John wrote:
> DNAME will not work with DNSSEC.
> DNAME only work with the sub-tree, while DNSSEC is at the domain level.
>
> taking the example:
> klam.biz IN DNAME klam.com
>
> DNSSEC will try to find keys for klam.biz NOT klam.com, which results in
> DNSSEC failure.

DNAME and DNSSEC certainly do work together - take a look at http://dnsviz.net/d/www.lancaster.ac.uk/dnssec/

The klam.biz zone would need to be signed (I suppose you could use the same key material as for klam.com, but I am not sure what benefit that would bring) and biz to provide DS records, but there's nothing special there from a DNSSEC point of view.

74.116.186.178 (one of two nameservers for klam.biz) is currently returning SERVFAIL to my queries regarding klam.biz, which may be obscuring the real problem.

Graham
Re: How to alias a domain
>> I have just tried it again and I don't get the answers I expect? I see
>> the DNAME but the system does not seem to be following it.

DNAMEs provide aliases for names below the one at the DNAME, but not for the name itself. That is, if you do this:

bar.example DNAME foo.example

you will get an alias for www.bar.example, but not for bar.example itself. This is a well known limitation and is why DNAMES such as the ones in the .CAT TLD are less useful than one might hope.

In answer to the obvious next question, the concise wisdom is "you lose."

R's,
John
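The substitution rule discussed in this thread (names below the DNAME owner are rewritten, the owner itself is not), as an added example that is not code from any poster or from BIND. `dname_substitute` and its result labels are hypothetical; it also covers the name-too-long case (YXDOMAIN in RFC 6672), which the thread does not mention, and it does not handle escaped dots in labels.

```python
MAX_NAME_OCTETS = 255  # wire-format limit on a domain name


def labels(name):
    """Split a presentation-format name into lowercase labels."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def wire_length(lbls):
    """Octets on the wire: one length octet per label, plus the root octet."""
    return sum(len(part) + 1 for part in lbls) + 1


def dname_substitute(qname, owner, target):
    """Apply 'owner DNAME target' to qname (hypothetical helper).

    Returns (result, cname_target):
      ("cname", name)     qname is below owner; name is the synthesized target
      ("owner", None)     qname is the DNAME owner itself: no alias
      ("unrelated", None) qname is not in the subtree under owner
      ("yxdomain", None)  substituted name would exceed 255 octets
    """
    q, o, t = labels(qname), labels(owner), labels(target)
    if q == o:
        return ("owner", None)
    cut = len(q) - len(o)
    # Compare whole labels, so notklam.biz is not "under" klam.biz.
    if cut <= 0 or q[cut:] != o:
        return ("unrelated", None)
    new = q[:cut] + t
    if wire_length(new) > MAX_NAME_OCTETS:
        return ("yxdomain", None)
    # The synthesized CNAME carries no RRSIG of its own; a validator
    # re-derives it from the signed DNAME, as noted earlier in the thread.
    return ("cname", ".".join(new) + ".")


if __name__ == "__main__":
    # Constructed query names against the thread's klam.biz -> klam.com example.
    for name in ("www.klam.biz", "_25._tcp.mail.klam.biz", "klam.biz"):
        print(name, dname_substitute(name, "klam.biz", "klam.com"))
```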