Re: RPZ - override TXT records

2015-10-12 Thread Mukund Sivaraman
Hi Wolfgang

On Thu, Oct 08, 2015 at 11:25:14PM +0200, Wolfgang Riedel [CISCO] wrote:
> Hi Folks,
> 
> I am currently struggling with using RPZ for inserting or overriding TXT
> resource records.
> 
> This is my goal:
> 
> ; do not rewrite www.cisco.com (so, PASSTHRU) and add or override missing metadata
> www.cisco.com CNAME rpz-passthru.
> www.cisco.com TXT "CISCO-CLS=app-name:HTTP|app-class:TD"
> 
> What works is that I can do one or the other but not both at the same time
> if I need to use a CNAME.
> 
> This works:
> 
> wolfgang.dns-as.org A   193.34.28.108
> wolfgang.dns-as.org TXT "CISCO-CLS=app-name:RPZ|app-class:TD"
> 
> but in reality this will not work for CDN or load-balanced sites which don't
> have a fixed IP address.
> 
> Any hints what I am doing wrong?

You aren't doing anything wrong. Yours is a corner case.

I hope I understood what you're trying to do correctly: From the zone
comment, perhaps you want the TXT query type to return the TXT RDATA
you've supplied and everything else passthru to regular processing. It
can't be done as triggers don't use the question's TYPE field.

An alternative is to include all the RRs for that QNAME in the answer
(your second example). Yours is a weird case, because you can't use the
following in the policy zone which named wouldn't allow loading (it
won't allow CNAME to coexist):

www.cisco.com  CNAME www.cisco.com.akadns.net.
www.cisco.com  TXT   "CISCO-CLS=app-name:HTTP|app-class:TD"

So using the A record (your second example) or adding triggers for the
target of the CNAME record chain are your best bet. As the latter
varies, perhaps the former for your region would be best.

Mukund


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
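The loading failure Mukund refers to (a CNAME sharing an owner name with any other type, which named rejects for a policy zone just as for any zone) is easy to catch before `rndc reload` fails. The script below is an added example written for this thread, not BIND code: it parses a minimal one-record-per-line zone and reports every owner that mixes CNAME with other types. The zone text is constructed for the demo and reuses the owner names and TXT data from Wolfgang's message; the parser ignores `$` directives, handles optional TTL and class fields, and does not attempt parentheses, `$INCLUDE` or lines without an explicit owner.

```python
"""Lint a BIND RPZ policy zone for the record mix that named refuses to
load: a CNAME (including the rpz-passthru. special target) sharing an
owner name with any other RR type.

Added example for this thread; not BIND code.  SAMPLE_ZONE is constructed
for the demo, reusing the owner names and TXT data from the message above.
"""
from collections import defaultdict

SAMPLE_ZONE = """\
$TTL 300
@                    SOA   localhost. root.localhost. 1 3600 900 604800 300
@                    NS    localhost.
; intended: passthru www.cisco.com and also answer a TXT record (rejected)
www.cisco.com        CNAME rpz-passthru.
www.cisco.com        TXT   "CISCO-CLS=app-name:HTTP|app-class:TD"
; works: no CNAME, so every RR at the owner is answered from the policy zone
wolfgang.dns-as.org  A     193.34.28.108
wolfgang.dns-as.org  TXT   "CISCO-CLS=app-name:RPZ|app-class:TD"
"""

CLASSES = {"IN", "CH", "HS"}

def strip_comment(line):
    """Drop a ';' comment, ignoring semicolons inside a quoted string."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line

def parse_zone(text):
    """Return {owner: {rrtype, ...}} for a one-record-per-line zone.

    Minimal by design: every record line must carry its owner name; there
    is no support for parentheses, $INCLUDE or $ORIGIN expansion.
    """
    types = defaultdict(set)
    for raw in text.splitlines():
        line = strip_comment(raw).rstrip()
        if not line or line.startswith("$"):
            continue                     # blank, comment-only or directive
        owner, *rest = line.split()
        # Optional TTL (digits) and class fields precede the type.
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest.pop(0)
        if rest:
            types[owner].add(rest[0].upper())
    return dict(types)

def lint_rpz(text):
    """Return sorted (owner, problem) pairs; an empty list means it should load."""
    problems = []
    for owner, rrtypes in parse_zone(text).items():
        others = sorted(rrtypes - {"CNAME"})
        if "CNAME" in rrtypes and others:
            problems.append((owner, "CNAME cannot coexist with " + ", ".join(others)))
    return sorted(problems)

if __name__ == "__main__":
    for owner, problem in lint_rpz(SAMPLE_ZONE) or [("-", "no conflicts")]:
        print(f"{owner}: {problem}")
```

Run against the sample it reports only `www.cisco.com`, which is exactly the pair of records named would refuse; the `wolfgang.dns-as.org` A+TXT pair passes, matching the "this works" case in the original message.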

BIND 9.9.8 Assertion Failure

2015-10-12 Thread Neil
Hi Bind Community,

Had a BIND Crash on 9.9.8.
Any ideas?

12-Oct-2015 02:09:06.457 general: error: socket.c:5407: unexpected error:
12-Oct-2015 02:09:06.458 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 02:59:08.850 general: error: socket.c:5407: unexpected error:
12-Oct-2015 02:59:08.850 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 04:55:34.944 general: error: socket.c:5407: unexpected error:
12-Oct-2015 04:55:34.944 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 06:15:35.638 general: error: socket.c:5407: unexpected error:
12-Oct-2015 06:15:35.638 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 07:55:37.894 general: error: socket.c:5407: unexpected error:
12-Oct-2015 07:55:37.894 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 08:29:12.235 security: error: client 12.168.40.21#32469: view
host_resolver_trusted: request has invalid signature: TSIG
alexlembke.members.mac.com: tsig verify failure (BADKEY)
12-Oct-2015 08:35:39.175 general: error: socket.c:5407: unexpected error:
12-Oct-2015 08:35:39.176 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 08:49:17.268 general: error: socket.c:5407: unexpected error:
12-Oct-2015 08:49:17.268 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 08:50:37.524 general: error: socket.c:5407: unexpected error:
12-Oct-2015 08:50:37.524 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 09:39:10.215 general: error: socket.c:5407: unexpected error:
12-Oct-2015 09:39:10.215 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 10:15:40.924 general: error: socket.c:5407: unexpected error:
12-Oct-2015 10:15:40.924 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 10:29:08.849 general: error: socket.c:5407: unexpected error:
12-Oct-2015 10:29:08.850 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 11:15:41.259 general: error: socket.c:5407: unexpected error:
12-Oct-2015 11:15:41.260 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 12:49:38.443 general: error: socket.c:5407: unexpected error:
12-Oct-2015 12:49:38.443 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 19:39:08.302 general: error: socket.c:5407: unexpected error:
12-Oct-2015 19:39:08.302 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 20:15:49.022 general: error: socket.c:5407: unexpected error:
12-Oct-2015 20:15:49.023 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 20:35:49.056 general: error: socket.c:5407: unexpected error:
12-Oct-2015 20:35:49.056 general: error: connect(0.0.0.1#53) 22/Invalid
argument
12-Oct-2015 21:01:47.916 general: critical: resolver.c:1784:
INSIST(fctx->references > 1) failed
12-Oct-2015 21:01:47.916 general: critical: exiting (due to assertion
failure)

Neil
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mukund Sivaraman
Sent: Monday, 12 October 2015 7:59 PM
To: Wolfgang Riedel [CISCO] 
Cc: bind-users@lists.isc.org
Subject: Re: RPZ - override TXT records {REP=5.6}
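Before asking why named exited, it helps to reduce a day of log lines like the ones above to a short summary: how many messages of each category and severity, which connect() targets keep failing, whether any TSIG verification failures appear, and the exact assertion that terminated the process. The script below is an added example for this thread, not ISC code. `SAMPLE_LOG` keeps one line of each kind from Neil's excerpt; the check for connect() targets in 0.0.0.0/8 is a triage heuristic of mine (no nameserver can legitimately have such an address, so it points at bad glue or configuration worth looking into) and says nothing about what caused the `INSIST`.

```python
"""Triage BIND log lines of the kind posted above: bucket them by category
and severity, flag connect() targets that can never be valid peers,
count TSIG verify failures, and record the assertion that made named exit.

Added example for this thread, not ISC code.  SAMPLE_LOG keeps one line of
each kind from the excerpt; the 0.0.0.0/8 check is a triage heuristic only.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

SAMPLE_LOG = """\
12-Oct-2015 02:09:06.457 general: error: socket.c:5407: unexpected error:
12-Oct-2015 02:09:06.458 general: error: connect(0.0.0.1#53) 22/Invalid argument
12-Oct-2015 08:29:12.235 security: error: client 12.168.40.21#32469: view host_resolver_trusted: request has invalid signature: TSIG alexlembke.members.mac.com: tsig verify failure (BADKEY)
12-Oct-2015 20:35:49.056 general: error: socket.c:5407: unexpected error:
12-Oct-2015 20:35:49.056 general: error: connect(0.0.0.1#53) 22/Invalid argument
12-Oct-2015 21:01:47.916 general: critical: resolver.c:1784: INSIST(fctx->references > 1) failed
12-Oct-2015 21:01:47.916 general: critical: exiting (due to assertion failure)
"""

# "<timestamp> <category>: <severity>: <message>" as named writes it with
# print-time, print-category and print-severity enabled on the channel.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>\w+): (?P<severity>\w+): (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"connect\((?P<addr>[^#)]+)#(?P<port>\d+)\) (?P<errno>\d+)/")
ASSERT_RE = re.compile(
    r"^(?P<file>[\w.]+):(?P<line>\d+): (?P<cond>(?:INSIST|REQUIRE|ENSURE)\(.*\)) failed$"
)
THIS_NETWORK = ip_network("0.0.0.0/8")   # RFC 1122 "this network": never a valid peer

def is_bogus_target(addr_text):
    """True for addresses no nameserver can legitimately have (0.0.0.0/8, unspecified)."""
    try:
        addr = ip_address(addr_text)
    except ValueError:
        return False                     # e.g. a unix socket path; not an IP at all
    return addr.is_unspecified or addr in THIS_NETWORK

def parse_log(text):
    """Return one dict per parseable line; lines in other formats are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(text):
    events = parse_log(text)
    report = {
        "counts": Counter((e["category"], e["severity"]) for e in events),
        "bad_connect_targets": Counter(),
        "tsig_failures": 0,
        "assertions": [],
    }
    for e in events:
        c = CONNECT_RE.search(e["msg"])
        if c and is_bogus_target(c["addr"]):
            report["bad_connect_targets"][c["addr"]] += 1
        if "tsig verify failure" in e["msg"]:
            report["tsig_failures"] += 1
        a = ASSERT_RE.match(e["msg"])
        if a:
            report["assertions"].append(f"{a['file']}:{a['line']} {a['cond']}")
    return report

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for (cat, sev), n in sorted(r["counts"].items()):
        print(f"{cat}/{sev}: {n}")
    print("bad connect targets:", dict(r["bad_connect_targets"]))
    print("TSIG failures:", r["tsig_failures"])
    print("assertions:", r["assertions"])
```

The assertion string (file, line and condition) is what ISC asks for in a bug report together with the exact version string, so keeping it verbatim rather than just counting "critical" lines is the useful part; the connect() and TSIG counts are context that belongs in the same report.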

Re: BIND 9.9.8 Assertion Failure

2015-10-12 Thread Wah Peng
What system and what release of BIND?
I met this similar issue months ago and I just recompiled from the source
then the problem got fixed.

regards,
Wah.

2015-10-12 18:30 GMT+08:00 Neil :

> Hi Bind Community,
>
> Had a BIND Crash on 9.9.8.
> Any ideas?
>

Re: FW: SRV Request to DNS

2015-10-12 Thread Matus UHLAR - fantomas

On 06.10.15 09:21, Harshith Mulky wrote:
> Let us say we are having a FQDN and we need to Resolve it. It goes through
> the procedure of determining the IP and Port using NAPTR/SRV/A query
> mechanisms

no, the ordinary resolution does NOT use NAPTR and SRV records, only A
and/or AAAA records.

> The question I have is if I have a FQDN with a Port Number already
> determined, will it go through the Procedure of NAPTR/SRV/A query (or)
> simply do an A query (or) Is this left to the client to apply the Logic?

DNS does NOT care about port numbers.
Some upper-level protocols do, but they must take care themselves.

please provide a more detailed question, or search archives if it hasn't been
answered already.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901
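The split Matus describes, with DNS returning records and the client deciding what to do with them, is easiest to see in code. The script below is an added example written for this thread, not taken from BIND or from any RFC text: it models an SRV-aware client that looks up `_service._proto.name`, orders the answers as RFC 2782 prescribes (ascending priority, weighted random within a priority) and only then resolves each target's A/AAAA records, while a caller that already knows the port skips SRV entirely and a name with no SRV record falls back to its own address records plus the protocol's default port. `SRV_TABLE` and `ADDR_TABLE` are constructed stand-ins for real DNS answers and every name in them is hypothetical.

```python
"""Where the port comes from when a client connects to a named service:
from the client's own logic (SRV lookup or a protocol default), never from
plain name resolution, which only ever asks for A/AAAA.

Added example for this thread, not BIND or RFC code.  SRV_TABLE and
ADDR_TABLE are constructed stand-ins for DNS answers; names are hypothetical.
"""
import random
from collections import Counter, defaultdict

# Constructed SRV answers: (priority, weight, port, target) as in RFC 2782.
SRV_TABLE = {
    "_sip._tcp.example.test": [
        (10, 60, 5060, "sip1.example.test."),
        (10, 40, 5060, "sip2.example.test."),
        (20,  0, 5061, "sip-backup.example.test."),
    ],
}
# Constructed A/AAAA answers.
ADDR_TABLE = {
    "sip1.example.test.":       ["192.0.2.10"],
    "sip2.example.test.":       ["192.0.2.11", "2001:db8::11"],
    "sip-backup.example.test.": ["192.0.2.20"],
    "example.test.":            ["192.0.2.1"],
    "nosrv.test.":              ["192.0.2.30"],
}
DEFAULT_PORTS = {"sip": 5060}   # protocol defaults live in the client, not in DNS

def order_srv(records, rng):
    """Order SRV records per RFC 2782: by priority, then weighted random."""
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_priority):
        # Weight-0 records go first: a draw of 0 picks them, any other draw skips them.
        pool = sorted(by_priority[prio], key=lambda r: r[1] != 0)
        while pool:
            draw = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for chosen in pool:
                running += chosen[1]
                if running >= draw:
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered

def resolve_service(service, proto, name, explicit_port=None, seed=None):
    """Return ordered (address, port) candidates for the client to try.

    With an explicit port only address records are needed: DNS has no notion
    of the port, so there is nothing for SRV to contribute.
    """
    if explicit_port is not None:
        return [(addr, explicit_port) for addr in ADDR_TABLE.get(name, [])]
    rng = random.Random(seed)
    key = f"_{service}._{proto}.{name.rstrip('.')}"
    candidates = []
    for _prio, _weight, port, target in order_srv(SRV_TABLE.get(key, []), rng):
        candidates.extend((addr, port) for addr in ADDR_TABLE.get(target, []))
    if not candidates:
        # No SRV record: the name's own A/AAAA with the protocol default port.
        candidates = [(addr, DEFAULT_PORTS[service]) for addr in ADDR_TABLE.get(name, [])]
    return candidates

def first_choice_frequencies(records, trials):
    """Count which target is tried first over seeds 0..trials-1 (shows weights at work)."""
    return Counter(order_srv(records, random.Random(seed))[0][3] for seed in range(trials))

if __name__ == "__main__":
    print(resolve_service("sip", "tcp", "example.test.", seed=1))
    print(resolve_service("sip", "tcp", "example.test.", explicit_port=5070))
    print(resolve_service("sip", "tcp", "nosrv.test."))
    print(first_choice_frequencies(SRV_TABLE["_sip._tcp.example.test"], 400))
```

Nothing in the DNS side of this changes when the caller supplies a port: the resolver answers the same A/AAAA question either way, which is the point of "DNS does NOT care about port numbers". Whether SRV is consulted at all is a decision of the application protocol (SIP and XMPP do; HTTP in practice does not).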


RE: BIND 9.9.8 Assertion Failure {REP=5.5}

2015-10-12 Thread Neil
Hi Wah,

RHEL 6.7

BIND 9.9.8 (Extended Support Version)
built by make with '--prefix=/usr/local' '--enable-threads'
'--enable-fixed-rrset' '--enable-fetchlimit' '--with-openssl=/usr'
'--with-libtool' '--with-make-clean'

Just did another recompile as you said. What would the cause be?

Thinking of going back to some other version.


From: Wah Peng [mailto:wah_p...@yahoo.com.sg] 
Sent: Monday, 12 October 2015 10:37 PM
To: Neil 
Cc: bind-users@lists.isc.org
Subject: Re: BIND 9.9.8 Assertion Failure {REP=5.5}

 

What system and what release of BIND?

I met this similar issue months ago and I just recompiled from the source then
the problem got fixed.

regards,

Wah.
