Systemd script

2016-02-19 Thread Josep Manel Andrés

Hi,
I have just compiled bind-9.9.8-P3 on SLES12 and tried to adapt the init 
script we were using on SLES11SP3, but it doesn't seem to work, since 
the new version of bind needs to get some libraries copied into the 
chroot environment. That's why I am trying to adapt the systemd script 
that comes with the version from the repos on SLES 12, but so far I haven't 
got it working.


Does anyone have a systemd or init script that works for bind-9.9.8-P3?

What would be the correct procedure to run named as a daemon?

Thanks a lot!



WARNING / LEGAL TEXT: This message is intended only for the use of the
individual or entity to which it is addressed and may contain
information which is privileged, confidential, proprietary, or exempt
from disclosure under applicable law. If you are not the intended
recipient or the person responsible for delivering the message to the
intended recipient, you are strictly prohibited from disclosing,
distributing, copying, or in any way using this message. If you have
received this communication in error, please notify the sender and
destroy and delete any copies you may have received.

http://www.bsc.es/disclaimer
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Systemd script

2016-02-19 Thread Reindl Harald



On 19.02.2016 at 11:45, Josep Manel Andrés wrote:

I have just compiled bind-9.9.8-P3 on SLES12 and tried to adapt the init
script we were using on SLES11SP3, but it doesn't seem to work, since
the new version of bind needs to get some libraries copied into the
chroot environment. That's why I am trying to adapt the systemd script
that comes with the version from the repos on SLES 12, but so far I haven't
got it working.

Does anyone have a systemd or init script that works for bind-9.9.8-P3?

What would be the correct procedure to run named as a daemon?


Fedora has shipped systemd units for a long time now:
___

[root@srv-rhsoft:~]$ cat /etc/systemd/system/named.service
[Unit]
Description=DNS Server
After=network.service systemd-networkd.service network-online.target network-wan-bridge.service network-wlan-bridge.service openvpn.service

[Service]
Type=simple
# Bind-mount config, keys and the BIND module directory into the chroot before named starts
ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
# Check the config and load every zone (-z) relative to the chroot; a failure aborts the start
ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf
# -4 IPv4 only, -f stay in the foreground (matches Type=simple), -u drop to user named, -t chroot
ExecStart=/usr/sbin/named -4 -f -u named -t /var/named/chroot
ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStop=/usr/bin/kill -TERM $MAINPID
ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
PrivateTmp=yes
PrivateDevices=yes
TimeoutSec=25
Restart=always
RestartSec=1
# The bounding set applies to ExecStartPre/ExecStopPost as well; CAP_SYS_ADMIN is what lets the bind mounts succeed
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_CHROOT

ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/var/lib
InaccessibleDirectories=-/root
InaccessibleDirectories=-/media
InaccessibleDirectories=-/boot
InaccessibleDirectories=-/home
InaccessibleDirectories=-/run/console
InaccessibleDirectories=-/run/dbus
InaccessibleDirectories=-/run/lock
InaccessibleDirectories=-/run/mount
InaccessibleDirectories=-/run/systemd/generator
InaccessibleDirectories=-/run/systemd/system
InaccessibleDirectories=-/run/systemd/users
InaccessibleDirectories=-/run/udev
InaccessibleDirectories=-/run/user
InaccessibleDirectories=-/var/lib/dbus
InaccessibleDirectories=-/var/lib/rpm
InaccessibleDirectories=-/var/lib/systemd
InaccessibleDirectories=-/var/lib/yum
InaccessibleDirectories=-/var/spool

[Install]
WantedBy=multi-user.target
___

[root@srv-rhsoft:~]$ cat /usr/libexec/setup-named-chroot.sh
#!/bin/bash

# Host paths that are bind-mounted into the chroot: config files, keys,
# the BIND module directory, the pid/socket directory and the zone data
ROOTDIR_MOUNT='/etc/localtime /etc/named /etc/pki/dnssec-keys
/etc/named.root.key /etc/named.conf
/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key
/usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key /run/named /var/named
/etc/crypto-policies/back-ends/bind.config'

usage()
{
  echo
  echo 'This script sets up the chroot environment for BIND'
  echo 'Usage: setup-named-chroot.sh ROOTDIR [on|off]'
}

if ! [ "$#" -eq 2 ]; then
  echo 'Wrong number of arguments'
  usage
  exit 1
fi

ROOTDIR="$1"

# Exit if ROOTDIR doesn't exist
if ! [ -d "$ROOTDIR" ]; then
  echo "Root directory $ROOTDIR doesn't exist"
  usage
  exit 1
fi

mount_chroot_conf()
{
  if [ -n "$ROOTDIR" ]; then
    for all in $ROOTDIR_MOUNT; do
      # Skip nonexistent files
      [ -e "$all" ] || continue

      # If mount source is a file
      if ! [ -d "$all" ]; then
        # mount it only if it is not present in the chroot or it is empty
        if ! [ -e "$ROOTDIR$all" ] || [ "$(stat -c '%s' "$ROOTDIR$all")" -eq 0 ]; then
          touch "$ROOTDIR$all"
          mount --bind "$all" "$ROOTDIR$all"
        fi
      else
        # Mount source is a directory. Mount it only if the target directory
        # exists in the chroot and is empty (a bind mount needs a mountpoint).
        if [ -d "$ROOTDIR$all" ] && [ "$(ls -1A "$ROOTDIR$all" | wc -l)" -eq 0 ]; then
          mount --bind --make-private "$all" "$ROOTDIR$all"
        fi
      fi
    done
  fi
}

umount_chroot_conf()
{
  if [ -n "$ROOTDIR" ]; then
    for all in $ROOTDIR_MOUNT; do
      # Check if the path is a mount target. Do not use /proc/mounts because
      # detecting modified mounted files can fail.
      if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
        umount "$ROOTDIR$all"
        # Remove the placeholder files created by touch above
        [ -f "$all" ] && rm -f "$ROOTDIR$all"
      fi
    done
  fi
}

case "$2" in
  on)
    mount_chroot_conf
    ;;
  off)
    umount_chroot_conf
    ;;
  *)
    echo 'Second argument has to be "on" or "off"'
    usage
    exit 1
esac

exit 0



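The original question is about getting the libraries a self-built named needs into the chroot, and the Fedora script above bind-mounts a fixed list of host paths rather than discovering what a given binary depends on. The following is an added example, not code from the thread or from the Fedora package: it parses ldd(1) output for a binary, copies every shared object it finds under ROOTDIR at its original path (resolving symlinks and recreating the symlink names so the loader still finds them), and can verify afterwards that nothing is missing. The embedded ldd output is a constructed sample; the paths /usr/sbin/named and /var/named/chroot in the usage are assumptions. Which files a build really needs inside the chroot depends on what named opens after it calls chroot(); this stages whatever ldd reports and leaves that decision to you.

```shell
#!/bin/bash
# Added example (not from the thread): stage a binary's shared-library
# dependencies under a chroot directory, preserving their absolute paths.
# Assumes GNU coreutils (install -D, readlink -f) and ldd are available.

# Constructed sample of ldd output, used for the self-check below (not a real named):
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1c3fe000)
    libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f0a4c2f3000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0a4bf3a000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f0a4c9a4000)'

# Read ldd(1) output on stdin and print one absolute library path per line.
# "name => /path (addr)" lines yield /path; bare "/path (addr)" lines (the loader)
# yield /path; vdso lines and "=> not found" lines are skipped.
ldd_paths() {
  awk '
    /=>/       { if ($3 ~ /^\//) print $3; next }
    $1 ~ /^\// { print $1 }
  '
}

# Copy each path read on stdin to $1 at the same relative location. The real
# file behind a symlink is installed and the symlink name is recreated, so
# /lib64/libfoo.so -> /lib64/libfoo.so.1 resolves the same way inside the chroot.
stage_into_chroot() {
  local rootdir="$1" lib real
  while IFS= read -r lib; do
    [ -n "$lib" ] || continue
    real="$(readlink -f -- "$lib")"
    install -D -m 0755 -- "$real" "$rootdir$real"
    if [ "$real" != "$lib" ]; then
      mkdir -p -- "$rootdir$(dirname -- "$lib")"
      ln -sfn -- "$real" "$rootdir$lib"
    fi
  done
}

# Report every dependency of $2 that is absent under $1; returns 1 if any is missing.
check_chroot_libs() {
  local rootdir="$1" bin="$2" missing=0 lib
  for lib in $(ldd "$bin" | ldd_paths); do
    if [ ! -e "$rootdir$lib" ]; then
      echo "missing: $rootdir$lib"
      missing=1
    fi
  done
  return $missing
}

# Usage: setup-chroot-libs.sh /var/named/chroot /usr/sbin/named   (paths are assumptions)
if [ "$#" -ge 2 ]; then
  ldd "$2" | ldd_paths | stage_into_chroot "$1"
  check_chroot_libs "$1" "$2"
fi
```

Run it once after each rebuild of named and keep check_chroot_libs in the same pre-start slot as the bind-mount script, so a missing dependency fails the unit start instead of surfacing as a crash later.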

Re: Systemd script

2016-02-19 Thread Josep Manel Andrés

Hi Harald,
Thanks, but I suspect those are the files that come with the default 
system installation, but not usable (without modifications) if I have 
compiled it from source. Am I right?


Cheers.

On 19/02/16 12:02, Reindl Harald wrote:



On 19.02.2016 at 11:45, Josep Manel Andrés wrote:

I have just compiled bind-9.9.8-P3 on SLES12 and tried to adapt the init
script we were using on SLES11SP3, but it doesn't seem to work, since
the new version of bind needs to get some libraries copied into the
chroot environment. That's why I am trying to adapt the systemd script
that comes with the version from the repos on SLES 12, but so far I haven't
got it working.

Does anyone have a systemd or init script that works for bind-9.9.8-P3?

What would be the correct procedure to run named as a daemon?


Fedora has shipped systemd units for a long time now:
Re: Systemd script

2016-02-19 Thread Reindl Harald



On 19.02.2016 at 12:13, Josep Manel Andrés wrote:

Hi Harald,
Thanks, but I suspect those are the files that come with the default
system installation, but not usable (without modifications) if I have
compiled it from source. Am I right?


well, it should not be that hard to adapt them for your needs or even 
build a proper package containing all that stuff - only over my dead 
body would I do a "make install" on any machine outside rpmbuild



Re: Systemd script

2016-02-19 Thread Reindl Harald



On 19.02.2016 at 12:25, Reindl Harald wrote:

On 19.02.2016 at 12:13, Josep Manel Andrés wrote:

Hi Harald,
Thanks, but I suspect those are the files that come with the default
system installation, but not usable (without modifications) if I have
compiled it from source. Am I right?


well, it should not be that hard to adapt them for your needs or even
build a proper package containing all that stuff - only over my dead
body would I do a "make install" on any machine outside rpmbuild


BTW - why don't you just take the SuSE src.rpm, modify the SPEC file for 
the location where you want to have your own build installed, and run 
some sed commands in the build process over the scripts and config files?


that way you only need to swap the tarball, change the version number in 
the SPEC and have proper updates in the future





Re: Systemd script

2016-02-19 Thread Josep Manel Andrés

Hi,
I am not too confident about building RPM packages, that is why I wanted to go 
for a normal installation from source.


Cheers!

On 19/02/16 12:28, Reindl Harald wrote:




BTW - why don't you just take the SuSE src.rpm, modify the SPEC file for
the location where you want to have your own build installed, and run
some sed commands in the build process over the scripts and config files?

that way you only need to swap the tarball, change the version number in
the SPEC and have proper updates in the future



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



--
Josep Manel Andrés (josep.and...@bsc.es)
Operations - Barcelona Supercomputing Center
C/ Jordi Girona, 31  http://www.bsc.es
08034 Barcelona, Spain Tel: +34-93-405 42 14
e-mail: syst...@bsc.es Fax: +34-93-413 77 21
---



Re: Systemd script

2016-02-19 Thread Reindl Harald



On 19.02.2016 at 12:46, Josep Manel Andrés wrote:

I am not too confident about building RPM packages, that is why I wanted to go
for a normal installation from source.


well, learn it, it's really not hard to do

i learnt it the hard way that "make install" over the years leaves more and 
more mess, while an rpm package automatically removes obsolete files and 
the build process makes sure that it aborts if anything in the 
%files section did not exist after compile, or a new file is not listed 
in %files after an upgrade


you will notice that when you do a major upgrade which doesn't work and 
have no simple way to downgrade

_

additionally, normally on a production server you should not install 
compilers and devel packages; on the other hand, on the build machine 
install the service with a test config, so you can make sure it will 
work on the production machine or find out what needs to be changed 
*before* your service fails


you know that your systemd unit works as expected before it touches your 
server, by proper testing, and the resulting package pulls all 
dependencies on the target machine (at least on Fedora they are 
automatically added)

_

security: if something goes wrong in the build or with "make install" on 
the production machine you have no way to roll back; "make install" with 
rpmbuild runs as a restricted user and can't overwrite any files by accident


in short: "make && make install" on production servers is a no-go


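Harald's point that you should know the unit works before it touches the server can be turned into a check of the running process. The following is an added example, not code from the thread or from Fedora: it decodes the CapBnd mask from /proc/PID/status (bit numbers as in linux/capability.h), compares it with the names in the unit's CapabilityBoundingSet= (copied into UNIT_CAPS as the policy to enforce), and reports the uid and chroot root of the live named. check_named needs root, because /proc/PID/root of another user's process is not readable otherwise; pidof, awk and a bash-compatible shell are assumed. The masks in the comments are computed from that capability list, not taken from the thread.

```shell
#!/bin/bash
# Added example (not from the thread or the Fedora package): verify that a running
# named carries no capability beyond what CapabilityBoundingSet= lists, and report
# its uid and chroot root. Bit numbers follow linux/capability.h.

# Capability names indexed by bit number (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40)
CAP_NAMES='CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE
CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE
CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT
CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE
CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG
CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE'

# The set named.service above declares; assumed here as the policy to enforce.
# It corresponds to CapBnd mask 0000000000247ce3.
UNIT_CAPS='CAP_CHOWN CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_KILL
CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_CHROOT'

# Decode a hex mask as printed in /proc/PID/status ("CapBnd: 0000000000247ce3")
# into one capability name per line.
decode_caps() {
  local mask=$(( 0x$1 )) i=0 name
  for name in $CAP_NAMES; do
    [ $(( (mask >> i) & 1 )) -eq 1 ] && echo "$name"
    i=$(( i + 1 ))
  done
  return 0
}

# Inverse: the mask a list of names should produce, for comparing against CapBnd.
mask_for_caps() {
  local mask=0 i name want
  for want in $1; do
    i=0
    for name in $CAP_NAMES; do
      [ "$name" = "$want" ] && mask=$(( mask | (1 << i) ))
      i=$(( i + 1 ))
    done
  done
  printf '%016x\n' "$mask"
}

# Print every capability in the mask that the allow-list does not contain;
# returns 1 if there is any, 0 if the process is within policy.
caps_not_in_allowlist() {
  local mask="$1" allowed bad=0 cap
  allowed=" $(printf '%s ' $2)"          # normalise whitespace to single spaces
  for cap in $(decode_caps "$mask"); do
    case "$allowed" in
      *" $cap "*) ;;
      *) echo "unexpected: $cap"; bad=1 ;;
    esac
  done
  return $bad
}

# Live check against the running named; run as root.
check_named() {
  local pid status uid
  pid="$(pidof -s named)" || { echo "named is not running"; return 1; }
  status="/proc/$pid/status"
  uid="$(awk '/^Uid:/ { print $2 }' "$status")"
  [ "$uid" != "0" ] || echo "warning: named runs as uid 0"
  echo "pid $pid uid $uid root $(readlink "/proc/$pid/root")"
  caps_not_in_allowlist "$(awk '/^CapBnd:/ { print $2 }' "$status")" "$UNIT_CAPS"
}
```

On a correctly started unit check_named prints a non-zero uid, a root of /var/named/chroot and nothing else; a line starting with "unexpected:" means the unit file on disk and the running service have drifted apart, typically because a drop-in or an older copy of the unit is in effect.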

no-case-compress lifespan

2016-02-19 Thread Phil Mayers
We've run into our first minor weirdness with an application that gets 
tripped over by a mixed-case response.


Just so I can communicate accurately to the relevant parties in our 
discussions - what is the anticipated lifetime of the "no-case-compress" 
config option? Does ISC think it might get removed in the foreseeable 
future?



Re: Systemd script

2016-02-19 Thread Josep Manel Andrés
You are right, I think I will give it a try. So I guess that I will have 
to prepare two packages (at least) if I want to run it in a chroot env.


bind and bind-chrootenv packages.

And I think I should get the spec files from the 9.9.6P1 available on 
the SLES12 repos.


Thanks a lot!

On 19/02/16 12:56, Reindl Harald wrote:



On 19.02.2016 at 12:46, Josep Manel Andrés wrote:

I am not too confident about building RPM packages, that is why I wanted to go
for a normal installation from source.


well, learn it, it's really not hard to do

i learnt it the hard way that "make install" over the years leaves more and
more mess, while an rpm package automatically removes obsolete files and
the build process makes sure that it aborts if anything in the
%files section did not exist after compile, or a new file is not listed
in %files after an upgrade

you will notice that when you do a major upgrade which doesn't work and
have no simple way to downgrade
_

additionally, normally on a production server you should not install
compilers and devel packages; on the other hand, on the build machine
install the service with a test config, so you can make sure it will
work on the production machine or find out what needs to be changed
*before* your service fails

you know that your systemd unit works as expected before it touches your
server, by proper testing, and the resulting package pulls all
dependencies on the target machine (at least on Fedora they are
automatically added)
_

security: if something goes wrong in the build or with "make install" on
the production machine you have no way to roll back; "make install" with
rpmbuild runs as a restricted user and can't overwrite any files by accident

in short: "make && make install" on production servers is a no-go







Re: Systemd script

2016-02-19 Thread Reindl Harald



On 19.02.2016 at 14:15, Josep Manel Andrés wrote:

You are right, I think I will give it a try. So I guess that I will have
to prepare two packages (at least) if I want to run it in a chroot env.

bind and bind-chrootenv packages.

And I think I should get the spec files from the 9.9.6P1 available on
the SLES12 repos.


one package should be enough; for your own usage you may decide if you 
want chroot or not and use named on all machines the same way. Since you 
install that one in parallel with a bind-libs package of the distribution you 
can even "rm" some binaries like dig and so on in the build process, as 
well as the docs and readmes


one big benefit of your own RPM - my mariadb SPEC has more rm-lines than 
anything else :-)




Re: no-case-compress lifespan

2016-02-19 Thread Evan Hunt
> Just so I can communicate accurately to the relevant parties in our 
> discussions - what is the anticipated lifetime of the "no-case-compress" 
> config option? Does ISC think it might get removed in the foreseeable 
> future?

We have no plans to deprecate or remove it; certainly not as long as
there's a continued need for it.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


A Zone Transfer Question

2016-02-19 Thread David Li
This is my first time trying a master/slave configuration. Here is a
brief description:

I have two CentOS 7.1 VMs, each configured for a zone. VM1 is the
master for zone1 and slave for zone2. VM2 is master for zone2 and
slave for zone1. Both zones use DNS Dynamic Update from DHCP
servers on the same VM to update the A records in their zone files.
No DNSSEC configured.


To start, everything seems to be working fine. I have one host in each
zone and they can resolve each other fine.

Now I add a new host to zone1 and its sequence number has been bumped
up. I read that when the zone1 file changes, it will automatically
notify its slave zone (i.e. zone2) to start a zone transfer after 15
min. This never happened. Then I restarted named on VM2 and hoped it
would pull the new zone1 file. This didn't happen either.
Eventually I have to either restart VM2 or use dig to start the
zone transfer.

Can anyone spot anything obviously wrong here? Do I need to post my
zone file and named.conf?


Thanks.

David


Re: A Zone Transfer Question

2016-02-19 Thread John Miller
On Fri, Feb 19, 2016 at 11:45 AM, David Li  wrote:
>  This is my first time trying a master/slave configuration. Here is a
> brief description:
>
> I have two CentOS 7.1 VMs, each configured for a zone. VM1 is the
> master for zone1 and slave for zone2. VM2 is master for zone2 and
> slave for zone1. Both zones use DNS Dynamic Update from DHCP
> servers on the same VM to update the A records in their zone files.
> No DNSSEC configured.
>
>
> To start, everything seems to be working fine. I have one host in each
> zone and they can resolve each other fine.
>
> Now I add a new host to zone1 and its sequence number has been bumped
> up. I read that when the zone1 file changes, it will automatically
> notify its slave zone (i.e. zone2) to start a zone transfer after 15
> min. This never happened. Then I restarted named on VM2 and hoped it
> would pull the new zone1 file. This didn't happen either.
> Eventually I have to either restart VM2 or use dig to start the
> zone transfer.
>
> Can anyone spot anything obviously wrong here? Do I need to post my
> zone file and named.conf?
>

Hi David -

Yes, it'd certainly help if you posted your named.conf.  I don't know
that we need the whole zone file: the SOA and NS records would
probably suffice in this case, especially if the zone has tons of
records.

I'll say: it sounds a little odd that you'd expect zone2 to be updated
when zone1 changes.  The master NS for zone1 will send out NOTIFY
messages to the servers listed in the NS records for zone1; it'll also
send NOTIFYs to anything you've put in an also-notify block.

The 15-minute wait also sounds strange: NOTIFY happens as soon as the
serial number of the master zone is incremented and the zone is
reloaded.  Also, a slave NS will automatically check its master for
updates after the refresh interval (1st number after the serial)
specified in the SOA record.  If you have that set to 15 minutes (900
seconds), then yes--the slave would check its master for updates, but
it's the _slave_ reaching out to the _master_ in that case.  Likewise,
slaves will reach out to their master NS when their zones are
reloaded.

I'm not going to worry about the DHCP dynamic updates piece yet - make
sure your master and slave are set up properly before introducing
dynamic updates to the mix.

John


Re: A Zone Transfer Question

2016-02-19 Thread John W. Blue
Hello David,

You can get started by checking your log files to see if named is complaining 
about anything it might not like that is preventing the transfer.

John

Sent from Nine


Re: A Zone Transfer Question

2016-02-19 Thread David Li
Hi John,

Here are the files. They are all internal zones without any references
to external name servers.

VM1:
====

named.conf:
-----------

#
# master (on VM1)
#
zone "rack1.com" {
    type master;
    file "/var/named/db.rack1.com";
    allow-update { key rndc-key-rack1; }; # For DHCP dynamic update
};

#
# slave (on VM2)
#
zone "rack3.com" {
    type slave;
    file "/var/named/bak.rack3.com";
    masters { 10.4.3.101; }; #VM3 named IP
};


zone file:
/var/named/db.rack1.com
-----------------------

$ORIGIN .
$TTL 907200 ; 1 week 3 days 12 hours
rack1.com   IN SOA  dnsserver1.rack1.com. admin.rack1.com. (
                8      ; serial
                60     ; refresh (1 minute)
                60     ; retry (1 minute)
                604800 ; expire (1 week)
                3600   ; minimum (1 hour)
                )
            NS  dnsserver1.rack1.com.
$ORIGIN rack1.com.
dnsserver1  A   10.4.1.101

$TTL 3600   ; 1 hour
node1       A   10.4.1.11
            TXT "007ddd47ea6ddcd890312de89e37bde496"
node2       A   10.4.1.12
            TXT "316a8d5e65fbd9f853df6d90ad1f24ecac"
node3       A   10.4.1.13
            TXT "009da8179478f9169cb47965e53d19f134"

On VM2
======

named.conf file
---------------

#
# Master
#
zone "rack3.com" {
    type master;
    file "/var/named/db.rack3.com";
    allow-update { key rndc-key-rack3; }; # For DHCP update
};

#
# Slave
#
zone "rack1.com" {
    type slave;
    file "/var/named/bak.rack1.com";
    masters { 10.4.1.101; }; # VM1 named IP address
};

zone file:
----------

$ORIGIN .
$TTL 907200 ; 1 week 3 days 12 hours
rack3.com   IN SOA  dnsserver3.rack3.com. admin.rack3.com. (
                2      ; serial
                60     ; refresh ()
                60     ; retry ()
                604800 ; expire (1 week)
                3600   ; minimum (1 hour)
                )
            NS  dnsserver3.rack3.com.
$ORIGIN rack3.com.
dnsserver3  A   10.4.3.101
$TTL 3600   ; 1 hour
node1       A   10.4.3.11
            TXT "001395d7d2a164c7efde811584bbc470b9"


On Fri, Feb 19, 2016 at 8:59 AM, John Miller  wrote:

Re: A Zone Transfer Question

2016-02-19 Thread David Li
Hi John,

Nothing in /var/log/messages indicates transfer problems. In fact
I don't think the transfer ever started by itself for some reason
until I manually used "dig" to initiate it.

David

On Fri, Feb 19, 2016 at 9:00 AM, John W. Blue  wrote:


Re: A Zone Transfer Question

2016-02-19 Thread John W. Blue
Nothing in the logs, eh?  Well so much for getting an easy resolution.  :D

If you trust your conf files and logs are clean, I personally next turn to 
tcpdump.  You really need to know what (if anything) is being placed on the 
wire.  Something like this should get you started:

tcpdump -i eth0 -n port domain

Kick off a transfer and see what happens.

John

Sent from Nine


Re: A Zone Transfer Question

2016-02-19 Thread John W. Blue
"kick off" as in update the zone and not by using dig.

John

Sent from Nine


Re: A Zone Transfer Question

2016-02-19 Thread Barry Margolin
David Li wrote:

> Hi John,
> 
> Here are the files. They are all internal zones without any references
> to external name servers.

The zones should have NS records that list the slave servers, or you 
should have an "also-notify" statement in the master's named.conf. 
Although with 1-minute refresh times, DNS Notify is hardly necessary. A 
more normal configuration is for Refresh to be something like an hour, 
and use Notify to expedite zone transfers after a change.


RE: A Zone Transfer Question

2016-02-19 Thread Darcy Kevin (FCA)
Guys,
REFRESH is set to 1 minute. That's not a long time to wait. Just do 
a packet capture and see if the slave is issuing zone-refresh queries regularly 
in the 30-second-to-1-minute range (it's randomized, of course, between 
REFRESH/2 and full REFRESH).

If the slave isn't issuing refreshes, then check whether the zone got loaded 
properly as a slave zone in the first place, and that the masters clause is set 
properly.

If the slave *is* issuing refreshes, is it getting a response? Are the refresh 
queries even showing up on the master side?

If the refresh queries are getting a response, but there's no AXFR/IXFR 
following subsequently, look in the log files for some sort of resource issue, 
e.g. concurrent zone transfers or something of that nature.


- Kevin

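John W. Blue's tcpdump suggestion and Kevin's checklist above can be applied mechanically to a capture. The script below is an added example for this thread, not tcpdump or BIND code and not any participant's script: it parses `tcpdump -n port domain` output (the capture embedded here is constructed, imitating tcpdump's DNS decode, and is not from the thread), checks that the slave's SOA refresh queries fall in the REFRESH/2..REFRESH window from David's SOA (60 seconds), and reports at which step of Kevin's decision tree the flow stops.

```python
"""Classify a `tcpdump -n port domain` capture along Kevin's checklist: does the
slave send SOA refresh queries, are they spaced within REFRESH/2..REFRESH, are
they answered, and does an AXFR/IXFR follow?
Added example for this thread, not tcpdump or BIND code and not any
participant's script. The capture is constructed, imitating tcpdump's decode."""
import re
from dataclasses import dataclass

# Constructed capture as seen on the master (10.4.1.101): three refresh
# cycles from the slave (10.4.3.101), all answered, no transfer following.
SAMPLE_CAPTURE = """\
13:04:01.000120 IP 10.4.3.101.41234 > 10.4.1.101.53: 61234+ SOA? rack1.com. (27)
13:04:01.000610 IP 10.4.1.101.53 > 10.4.3.101.41234: 61234*- 1/0/0 SOA (71)
13:04:49.221873 IP 10.4.3.101.49012 > 10.4.1.101.53: 18877+ SOA? rack1.com. (27)
13:04:49.222301 IP 10.4.1.101.53 > 10.4.3.101.49012: 18877*- 1/0/0 SOA (71)
13:05:41.908114 IP 10.4.3.101.53877 > 10.4.1.101.53: 40021+ SOA? rack1.com. (27)
13:05:41.908522 IP 10.4.1.101.53 > 10.4.3.101.53877: 40021*- 1/0/0 SOA (71)
"""

HEADER_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d(?:\.\d+)?) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
# tcpdump prints queries as "ID+ TYPE? name" and answers as "ID<flags> a/n/a";
# anything it could not decode (TCP handshake lines etc.) matches neither.
QUERY_RE = re.compile(r"(?P<id>\d+)\+?\s+(?P<qtype>SOA|AXFR|IXFR)\? (?P<name>\S+)")
RESPONSE_RE = re.compile(r"(?P<id>\d+)[*$|-]*\s+\d+/\d+/\d+ ")


@dataclass
class DnsEvent:
    t: float            # seconds since midnight
    src: str
    dst: str
    qid: int
    kind: str           # "query" or "response"
    qtype: str = ""
    name: str = ""


def parse_capture(text):
    """Yield a DnsEvent for every line tcpdump decoded as a DNS message."""
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        q = QUERY_RE.search(m["rest"])
        if q:
            yield DnsEvent(t, m["src"], m["dst"], int(q["id"]), "query", q["qtype"], q["name"])
            continue
        r = RESPONSE_RE.search(m["rest"])
        if r:    # any decoded answer counts, a REFUSED included
            yield DnsEvent(t, m["src"], m["dst"], int(r["id"]), "response")


def analyse(capture, master, slave, zone, refresh):
    """Walk Kevin's decision tree over the capture and report where it stops."""
    events = list(parse_capture(capture))
    refreshes = [e for e in events if e.kind == "query" and e.qtype == "SOA"
                 and e.src == slave and e.dst == master and e.name == zone]
    answered_ids = {e.qid for e in events if e.kind == "response"
                    and e.src == master and e.dst == slave}
    answered = [q for q in refreshes if q.qid in answered_ids]
    transfers = [e for e in events if e.kind == "query" and e.qtype in ("AXFR", "IXFR")
                 and e.src == slave and e.dst == master and e.name == zone]
    gaps = [round(b.t - a.t, 1) for a, b in zip(refreshes, refreshes[1:])]
    if not refreshes:
        stage = "no-refresh"            # zone not loaded as slave / masters clause?
    elif not answered:
        stage = "unanswered"            # queries not reaching, or dropped by, master
    elif not transfers:
        stage = "answered-no-transfer"  # serial not newer, or a resource problem: logs
    else:
        stage = "transfer-requested"
    return {"refresh_queries": len(refreshes), "answered": len(answered),
            "transfers": len(transfers), "gaps": gaps,
            "gaps_in_window": all(refresh / 2 <= g <= refresh for g in gaps),
            "stage": stage}


if __name__ == "__main__":
    print(analyse(SAMPLE_CAPTURE, "10.4.1.101", "10.4.3.101", "rack1.com.", 60))
```

Run it against a real capture taken on the master with the slave's address and the zone's REFRESH value; the stage string tells you which of Kevin's questions to pursue next.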

Re: A Zone Transfer Question

2016-02-19 Thread John Miller
Hi David,

Something I'm not seeing in your config is an options {} block that
lays out your defaults for allow-transfer, allow-notify, also-notify,
etc.  Those are important things to know when it comes to
troubleshooting zone transfer issues.  Unless you've got a specific
reason for not doing so, please include your entire named.conf file -
it'll make life much easier.

And if you've solved things already - ignore!

John

On Fri, Feb 19, 2016 at 2:01 PM, David Li  wrote:


Re: A Zone Transfer Question

2016-02-19 Thread David Li
Hi John,

Sorry I missed the options. I attached them below.

I didn't have allow-transfer, allow-notify and also-notify. I only
have allow-query. I read somewhere that NOTIFY is automatic for all
slave zones. Is this the problem?



For VM1 named.conf

options {
    directory "/var/named";
    allow-query {
        10.4.1/24;
        127.0.0.1;
    };
};

For VM2 named.conf

options {
    directory "/var/named";
    allow-query {
        10.4.3/24;
        127.0.0.1;
    };
};

On Fri, Feb 19, 2016 at 12:33 PM, John Miller  wrote:


RE: A Zone Transfer Question

2016-02-19 Thread Darcy Kevin (FCA)
How do you suppose named knows where to send the NOTIFY messages? It's only 
"automatic" to the nameservers listed in the NS records of the zone. But you 
didn't list your slave, did you? I seem to recall there was only 1 NS record, 
and that's presumably the master...


- Kevin

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of David Li
Sent: Friday, February 19, 2016 3:56 PM
To: John Miller
Cc: BIND Users
Subject: Re: A Zone Transfer Question

Hi John,

Sorry I missed the options. I attached them below.

I didn't have allow-transfer, allow-notify and also-notify. I only have 
allow-query. I read somewhere that NOTIFY is automatic for all slave zones. Is 
this the problem?



For VM1 named.conf

options {

directory "/var/named";
allow-query {
   10.4.1/24;
   127.0.0.1;
};

};

For VM2 named.conf

options {

directory "/var/named";
allow-query {
   10.4.3/24;
   127.0.0.1;
};

};

On Fri, Feb 19, 2016 at 12:33 PM, John Miller  wrote:
> Hi David,
>
> Something I'm not seeing in your config is an options {} block that 
> lays out your defaults for allow-transfer, allow-notify, also-notify, 
> etc.  Those are important things to know when it comes to 
> troubleshooting zone transfer issues.  Unless you've got a specific 
> reason for not doing so, please include your entire named.conf file - 
> it'll make life much easier.
>
> And if you've solved things already - ignore!
>
> John
>
> On Fri, Feb 19, 2016 at 2:01 PM, David Li  wrote:
>> Hi John,
>>
>> Here are the files. They are all internal zones without any 
>> references to external name servers.
>>
>> VM1:
>> 
>>
>> named.conf:
>> -
>>
>> #
>> # master (on VM1)
>> #
>> zone "rack1.com" {
>> type master;
>> file "/var/named/db.rack1.com";
>> allow-update { key rndc-key-rack1; }; # For DHCP dynamic update 
>> };
>>
>> #
>> # slave (on VM2)
>> #
>> zone "rack3.com" {
>> type slave;
>> file "/var/named/bak.rack3.com";
>> masters { 10.4.3.101; }; #VM3 named IP };
>>
>>
>> zone file:
>> /var/named/db.rack1.com
>> -
>>
>> $ORIGIN .
>> $TTL 907200 ; 1 week 3 days 12 hours
>> rack1.com   IN SOA  dnsserver1.rack1.com. admin.rack1.com. (
>> 8  ; serial
>> 60 ; refresh (1 minute)
>> 60 ; retry (1 minute)
>> 604800 ; expire (1 week)
>> 3600   ; minimum (1 hour)
>> )
>> NS  dnsserver1.rack1.com.
>> $ORIGIN rack1.com.
>> dnsserver1  A   10.4.1.101
>>
>> $TTL 3600   ; 1 hour
>> node1   A   10.4.1.11
>> TXT "007ddd47ea6ddcd890312de89e37bde496"
>> node2   A   10.4.1.12
>> TXT "316a8d5e65fbd9f853df6d90ad1f24ecac"
>> node3   A   10.4.1.13
>> TXT "009da8179478f9169cb47965e53d19f134"
>>
>> On VM2
>> ===
>>
>>
>>
>> named.conf file
>> ---
>>
>>
>>
>>
>> #
>> # Master
>> #
>> zone "rack3.com" {
>> type master;
>> file "/var/named/db.rack3.com";
>> allow-update { key rndc-key-rack3; }; # For DHCP update
>> };
>>
>>
>> #
>> # Slave
>> #
>> zone "rack1.com" {
>> type slave;
>> file "/var/named/bak.rack1.com";
>> masters { 10.4.1.101; }; # VM1 named IP address
>> };
>>
>>
>>
>>
>> zone file:
>> --
>>
>> $ORIGIN .
>> $TTL 907200 ; 1 week 3 days 12 hours
>> rack3.com   IN SOA  dnsserver3.rack3.com. admin.rack3.com. (
>> 2  ; serial
>> 60  ; refresh ()
>> 60   ; retry ()
>> 604800 ; expire (1 week)
>> 3600   ; minimum (1 hour)
>> )
>> NS  dnsserver3.rack3.com.
>> $ORIGIN rack3.com.
>> dnsserver3  A   10.4.3.101
>> $TTL 3600   ; 1 hour
>> node1   A   10.4.3.11
>> TXT "001395d7d2a164c7efde811584bbc470b9"
>>
>>


RE: A Zone Transfer Question

2016-02-19 Thread Darcy Kevin (FCA)
As pointed out previously, however, with a 1-minute REFRESH, NOTIFY is pretty 
much a non-issue.

- Kevin

-Original Message-
From: Darcy Kevin (FCA) 
Sent: Friday, February 19, 2016 4:25 PM
To: BIND Users
Subject: RE: A Zone Transfer Question

How do you suppose named knows where to send the NOTIFY messages? It's only 
"automatic" to the nameservers listed in the NS records of the zone. But you 
didn't list your slave, did you? I seem to recall there was only 1 NS record, 
and that's presumably the master...


- Kevin

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of David Li
Sent: Friday, February 19, 2016 3:56 PM
To: John Miller
Cc: BIND Users
Subject: Re: A Zone Transfer Question

Hi John,

Sorry I missed the options. I attached them below.

I didn't have allow-transfer, allow-notify and also-notify. I only have 
allow-query. I read somewhere that NOTIFY is automatic for all slave zones. Is 
this the problem?



For VM1 named.conf

options {

directory "/var/named";
allow-query {
   10.4.1/24;
   127.0.0.1;
};

};

For VM2 named.conf

options {

directory "/var/named";
allow-query {
   10.4.3/24;
   127.0.0.1;
};

};

On Fri, Feb 19, 2016 at 12:33 PM, John Miller  wrote:
> Hi David,
>
> Something I'm not seeing in your config is an options {} block that 
> lays out your defaults for allow-transfer, allow-notify, also-notify, 
> etc.  Those are important things to know when it comes to 
> troubleshooting zone transfer issues.  Unless you've got a specific 
> reason for not doing so, please include your entire named.conf file - 
> it'll make life much easier.
>
> And if you've solved things already - ignore!
>
> John
>
> On Fri, Feb 19, 2016 at 2:01 PM, David Li  wrote:
>> Hi John,
>>
>> Here are the files. They are all internal zones without any 
>> references to external name servers.
>>
>> VM1:
>> 
>>
>> named.conf:
>> -
>>
>> #
>> # master (on VM1)
>> #
>> zone "rack1.com" {
>> type master;
>> file "/var/named/db.rack1.com";
>> allow-update { key rndc-key-rack1; }; # For DHCP dynamic update 
>> };
>>
>> #
>> # slave (on VM2)
>> #
>> zone "rack3.com" {
>> type slave;
>> file "/var/named/bak.rack3.com";
>> masters { 10.4.3.101; }; #VM3 named IP
>> };
>>
>>
>> zone file:
>> /var/named/db.rack1.com
>> -
>>
>> $ORIGIN .
>> $TTL 907200 ; 1 week 3 days 12 hours
>> rack1.com   IN SOA  dnsserver1.rack1.com. admin.rack1.com. (
>> 8  ; serial
>> 60 ; refresh (1 minute)
>> 60 ; retry (1 minute)
>> 604800 ; expire (1 week)
>> 3600   ; minimum (1 hour)
>> )
>> NS  dnsserver1.rack1.com.
>> $ORIGIN rack1.com.
>> dnsserver1  A   10.4.1.101
>>
>> $TTL 3600   ; 1 hour
>> node1   A   10.4.1.11
>> TXT "007ddd47ea6ddcd890312de89e37bde496"
>> node2   A   10.4.1.12
>> TXT "316a8d5e65fbd9f853df6d90ad1f24ecac"
>> node3   A   10.4.1.13
>> TXT "009da8179478f9169cb47965e53d19f134"
>>
>> On VM2
>> ===
>>
>>
>>
>> named.conf file
>> ---
>>
>>
>>
>>
>> #
>> # Master
>> #
>> zone "rack3.com" {
>> type master;
>> file "/var/named/db.rack3.com";
>> allow-update { key rndc-key-rack3; }; # For DHCP update
>> };
>>
>>
>> #
>> # Slave
>> #
>> zone "rack1.com" {
>> type slave;
>> file "/var/named/bak.rack1.com";
>> masters { 10.4.1.101; }; # VM1 named IP address
>> };
>>
>>
>>
>>
>> zone file:
>> --
>>
>> $ORIGIN .
>> $TTL 907200 ; 1 week 3 days 12 hours
>> rack3.com   IN SOA  dnsserver3.rack3.com. admin.rack3.com. (
>> 2  ; serial
>> 60  ; refresh ()
>> 60   ; retry ()
>> 604800 ; expire (1 week)
>> 3600   ; minimum (1 hour)
>> )
>> NS  dnsserver3.rack3.com.
>> $ORIGIN rack3.com.
>> dnsserver3  A   10.4.3.101
>> $TTL 3600   ; 1 hour
>> node1   A   10.4.3.11
>> TXT "001395d7d2a164c7efde811584bbc470b9"
>>
>>

ISC Responds to Customer Questions About CVE-2015-5745 (glibc buffer overflow vulnerability.)

2016-02-19 Thread Michael McNally
This week a major vulnerability in glibc was announced.  In response to
questions from our customers and users, ISC has provided a response for
operators who are wondering what CVE-2015-5745 means for BIND, ISC DHCP,
and Kea server operators.


https://www.isc.org/blogs/a-few-words-about-the-glibc-vulnerability-cve-2015-7547/

-- 
Michael McNally
ISC Support


Re: ISC Responds to Customer Questions About CVE-2015-7547 (glibc buffer overflow vulnerability.)

2016-02-19 Thread Michael McNally
Please excuse the typo'ed CVE number in the command line --
the glibc vulnerability is CVE-2015-7547.  The link below is correct.

On 2/19/16 5:03 PM, Michael McNally wrote:
> This week a major vulnerability in glibc was announced.  In response to
> questions from our customers and users, ISC has provided a response for
> operators who are wondering what CVE-2015-5745 means for BIND, ISC DHCP,
> and Kea server operators.
> 
> 
> https://www.isc.org/blogs/a-few-words-about-the-glibc-vulnerability-cve-2015-7547/
> 


Re: Tuning for lots of SERVFAIL responses

2016-02-19 Thread Dave Warren

On 2016-02-18 18:19, John Miller wrote:

> Something I just thought of: how did you manage your NS records in
> this situation?  To get NOTIFY/IXFR to work properly, either you have
> to list every one of your recursive servers in your local NS records
> or you have to do an also-notify block on the master.  Or you just
> skip the NOTIFY/IXFR altogether and set very low refresh values on
> your zones!  How did you handle standing up/taking down servers
> quickly?


At one site we had a script that builds the list of IPs for the 
also-notify block and allow-transfer block dynamically, and for 
deploying a new recursive server we run a script that downloads an 
appropriate named.conf and registers with the aforementioned script to 
subscribe to notifications.


It also re-downloads the named.conf (and re-registers for notifies) via 
cron, so the master script refreshes the list of slaves. At least at the 
start, we didn't actually track timestamps or anything fancy; we should 
have, but it never got implemented. Instead we just dumped the whole list 
once in a while, and recursive/slave servers got to wait an hour until 
their cron ran before they got notifies; in the meantime, the short 
refresh value took care of it.


It's not perfect, it could be better, but it worked with a minimum of 
hassle.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: ISC Responds to Customer Questions About CVE-2015-5745 (glibc buffer overflow vulnerability.)

2016-02-19 Thread Robert Edmonds
Michael McNally wrote:
> This week a major vulnerability in glibc was announced.  In response to
> questions from our customers and users, ISC has provided a response for
> operators who are wondering what CVE-2015-5745 means for BIND, ISC DHCP,
> and Kea server operators.
> 
> https://www.isc.org/blogs/a-few-words-about-the-glibc-vulnerability-cve-2015-7547/

Hi, Michael:

I'm not sure how realistic this statement is:

 If you have built statically linked versions of ISC programs you
 must fix your system library first and then rebuild and relink the
 ISC products to ensure that you are now using the corrected
 library.

You might want to do that out of an abundance of caution, but it's my
understanding that the vulnerable code is either impossible or very
difficult to statically link into a binary. The CVE title carries the
name of the public API function getaddrinfo() that the vulnerable code
can be reached through, and getaddrinfo() does reside in libc.so/libc.a,
but the vulnerable code is actually in an internal function
_nss_dns_gethostbyname4_r(), which is located in glibc's nss_dns module
and there is TTBOMK no way to statically link NSS modules into glibc.

Red Hat published an interesting blog article earlier this week that
touches on glibc and static linking:


http://developerblog.redhat.com/2016/02/17/upgrading-the-gnu-c-library-within-red-hat-enterprise-linux/

[...]

glibc provides only limited support for static linking. Most
programs are dynamically linked, so a glibc update directly affects
them. This is true both for operating system components and software
not provided by Red Hat.

Even statically linked binaries can break during glibc upgrades if
they use the Name Service Switch (NSS). Static linking of glibc is
not supported on Red Hat Enterprise Linux, but the potential
breakage is nevertheless a reason to minimize changes in this area.

[...]

-- 
Robert Edmonds


Re: A Zone Transfer Question

2016-02-19 Thread John Miller
Regardless of how NOTIFY's behaving (it's a nice-to-have, not a must),
you need to make sure zone transfers from master to slave are working.
If you can run

dig @10.4.1.101 rack1.com AXFR

from your slave, then zone transfers of rack1.com are working from
master to slave, and your issue lies somewhere in your config - a
serial number didn't get updated on the master?  Zone changes didn't
get saved?  Didn't actually reload the zone after editing the zone
file?

If your dig command doesn't work, then it might be either a config
issue or a networking issue - you'll have to figure out which.

And if you actually want people to use your zone or you want NOTIFY
working, two NS records (and possibly glue) are really a must.

Don't worry about dynamic updates at this point: make sure that when
you edit a zone file manually, increment the serial number, and reload
the zone on the master, that the slave fetches the zone within the
refresh interval.  Gotta walk before you run ;-)

John

On Fri, Feb 19, 2016 at 3:56 PM, David Li  wrote:
> Hi John,
>
> Sorry I missed the options. I attached them below.
>
> I didn't have allow-transfer, allow-notify and also-notify. I only
> have allow-query. I read somewhere that NOTIFY is automatic for all
> slave zones. Is this the problem?
>
>
>
> For VM1 named.conf
>
> options {
>
> directory "/var/named";
> allow-query {
>10.4.1/24;
>127.0.0.1;
> };
>
> };
>
> For VM2 named.conf
>
> options {
>
> directory "/var/named";
> allow-query {
>10.4.3/24;
>127.0.0.1;
> };
>
> };
>
> On Fri, Feb 19, 2016 at 12:33 PM, John Miller  wrote:
>> Hi David,
>>
>> Something I'm not seeing in your config is an options {} block that
>> lays out your defaults for allow-transfer, allow-notify, also-notify,
>> etc.  Those are important things to know when it comes to
>> troubleshooting zone transfer issues.  Unless you've got a specific
>> reason for not doing so, please include your entire named.conf file -
>> it'll make life much easier.
>>
>> And if you've solved things already - ignore!
>>
>> John
>>
>> On Fri, Feb 19, 2016 at 2:01 PM, David Li  wrote:
>>> Hi John,
>>>
>>> Here are the files. They are all internal zones without any references
>>> to external name servers.
>>>
>>> VM1:
>>> 
>>>
>>> named.conf:
>>> -
>>>
>>> #
>>> # master (on VM1)
>>> #
>>> zone "rack1.com" {
>>> type master;
>>> file "/var/named/db.rack1.com";
>>> allow-update { key rndc-key-rack1; }; # For DHCP dynamic update
>>> };
>>>
>>> #
>>> # slave (on VM2)
>>> #
>>> zone "rack3.com" {
>>> type slave;
>>> file "/var/named/bak.rack3.com";
>>> masters { 10.4.3.101; }; #VM3 named IP
>>> };
>>>
>>>
>>> zone file:
>>> /var/named/db.rack1.com
>>> -
>>>
>>> $ORIGIN .
>>> $TTL 907200 ; 1 week 3 days 12 hours
>>> rack1.com   IN SOA  dnsserver1.rack1.com. admin.rack1.com. (
>>> 8  ; serial
>>> 60 ; refresh (1 minute)
>>> 60 ; retry (1 minute)
>>> 604800 ; expire (1 week)
>>> 3600   ; minimum (1 hour)
>>> )
>>> NS  dnsserver1.rack1.com.
>>> $ORIGIN rack1.com.
>>> dnsserver1  A   10.4.1.101
>>>
>>> $TTL 3600   ; 1 hour
>>> node1   A   10.4.1.11
>>> TXT "007ddd47ea6ddcd890312de89e37bde496"
>>> node2   A   10.4.1.12
>>> TXT "316a8d5e65fbd9f853df6d90ad1f24ecac"
>>> node3   A   10.4.1.13
>>> TXT "009da8179478f9169cb47965e53d19f134"
>>>
>>> On VM2
>>> ===
>>>
>>>
>>>
>>> named.conf file
>>> ---
>>>
>>>
>>>
>>>
>>> #
>>> # Master
>>> #
>>> zone "rack3.com" {
>>> type master;
>>> file "/var/named/db.rack3.com";
>>> allow-update { key rndc-key-rack3; }; # For DHCP update
>>> };
>>>
>>>
>>> #
>>> # Slave
>>> #
>>> zone "rack1.com" {
>>> type slave;
>>> file "/var/named/bak.rack1.com";
>>> masters { 10.4.1.101; }; # VM1 named IP address
>>> };
>>>
>>>
>>>
>>>
>>> zone file:
>>> --
>>>
>>> $ORIGIN .
>>> $TTL 907200 ; 1 week 3 days 12 hours
>>> rack3.com   IN SOA  dnsserver3.rack3.com. admin.rack3.com. (
>>> 2  ; serial
>>> 60  ; refresh ()
>>> 60   ; retry ()
>>> 604800 ; expire (1 week)
>>> 3600   ; minimum (1 hour)
>>> )
>>> NS  dnsserver3.rack3.com.
>>> $ORIGIN rack3.com.
>>> dnsserver3  A   10.4.3.101
>>> $TTL 3600   ; 1 hour
>>> node1   A   10.4.3.11
>>>  

Re: A Zone Transfer Question

2016-02-19 Thread David Li
Hi John,

Well, I was wrong about the log. I did find some info about why zone
transfer failed. On one server running zone rack1.com, I see:

Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745 (rack1.com): query 'rack1.com/SOA/IN' denied
Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#52612 (rack1.com): transfer of 'rack1.com/IN': IXFR ended

Any idea why it's denied?

David

On Fri, Feb 19, 2016 at 11:19 AM, John W. Blue  wrote:
> "kick off" as in update the zone and not by using dig.
>
> John
>
> Sent from Nine
>
> From: "John W. Blue" 
> Sent: Feb 19, 2016 1:17 PM
> To: David Li
>
> Cc: BIND Users
> Subject: Re: A Zone Transfer Question
>
> Nothing in the logs, eg?  Well so much for getting an easy resolution.  :D
>
> If you trust your conf files and logs are clean, I personally turn next
> to tcpdump.  You really need to know what (if anything) is being placed on
> the wire.  Something like this should get you started:
>
> tcpdump -i eth0 -n port domain
>
> Kick off a transfer and see what happens.
>
> John
>
> Sent from Nine
>
> From: David Li 
> Sent: Feb 19, 2016 1:04 PM
> To: John W. Blue
> Cc: BIND Users
> Subject: Re: A Zone Transfer Question
>
> Hi John,
>
> Nothing in the /var/log/messages indicates transfer problems. In fact
> I don't think the transfer ever started by itself for some reason
> until I manually used "dig" to initiate.
>
> David
>
> On Fri, Feb 19, 2016 at 9:00 AM, John W. Blue  wrote:
>> Hello David,
>>
>> You can get started by checking your log files to see if named is
>> complaining about anything it might not like that is preventing the
>> transfer.
>>
>> John
>>
>> Sent from Nine
>>
>> From: David Li 
>> Sent: Feb 19, 2016 10:46 AM
>> To: BIND Users
>> Subject: A Zone Transfer Question
>>
>> This is my first time to try master slave configuration. Here is a
>> brief description:
>>
>> I have two Centos 7.1 VMs - each is configured for a zone. VM1 is the
>> master for zone1 and slave for zone2. VM2 is master for zone2 and
>> slave for zone1. Both zones use DNS Dynamic Update from DHCP
>> servers on the same VM
>> to update the A records in their zone files. No DNSSEC configured.
>>
>>
>> To start, everything seems to be working fine. I have one host in each
>> zone and they can resolve each other fine.
>>
>> Now I add a new host to zone1 and its sequence number has been bumped
>> up. I read that when the zone1 file changes, it will automatically
>> notify its slave zone (ie. zone2) to start a zone transfer after 15
>> min. This never happened. Then I restarted named on VM2 and hoped it
>> would pull the new zone1 file. This didn't happen either.
>> Eventually I have to either restart the VM2 or use dig to start the
>> zone transfer.
>>
>> Can anyone spot anything obviously wrong here? Do I need to post my
>> zone file and named.conf?
>>
>>
>> Thanks.
>>
>> David


RE: A Zone Transfer Question

2016-02-19 Thread Darcy Kevin (FCA)
Look at your "allow-query". It appears your master isn't letting your slave 
query it. Query access is a prerequisite for zone-refresh transactions.

- Kevin

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of David Li
Sent: Friday, February 19, 2016 7:09 PM
To: John W. Blue
Cc: BIND Users
Subject: Re: A Zone Transfer Question

Hi John,

Well, I was wrong about the log. I did find some info about why zone transfer 
failed. On one server running zone rack1.com, I see:

Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745 (rack1.com): query 'rack1.com/SOA/IN' denied
Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#52612 (rack1.com): transfer of 'rack1.com/IN': IXFR ended

Any idea why it's denied?

David

On Fri, Feb 19, 2016 at 11:19 AM, John W. Blue  wrote:
> "kick off" as in update the zone and not by using dig.
>
> John
>
> Sent from Nine
>
> From: "John W. Blue" 
> Sent: Feb 19, 2016 1:17 PM
> To: David Li
>
> Cc: BIND Users
> Subject: Re: A Zone Transfer Question
>
> Nothing in the logs, eg?  Well so much for getting an easy resolution.  
> :D
>
> If you trust your conf files and logs are clean, I personally turn next 
> to tcpdump.  You really need to know what (if anything) is being 
> placed on the wire.  Something like this should get you started:
>
> tcpdump -i eth0 -n port domain
>
> Kick off a transfer and see what happens.
>
> John
>
> Sent from Nine
>
> From: David Li 
> Sent: Feb 19, 2016 1:04 PM
> To: John W. Blue
> Cc: BIND Users
> Subject: Re: A Zone Transfer Question
>
> Hi John,
>
> Nothing in the /var/log/messages indicates transfer problems. In fact 
> I don't think the transfer ever started by itself for some reason 
> until I manually used "dig" to initiate.
>
> David
>
> On Fri, Feb 19, 2016 at 9:00 AM, John W. Blue  wrote:
>> Hello David,
>>
>> You can get started by checking your log files to see if named is 
>> complaining about anything it might not like that is preventing the 
>> transfer.
>>
>> John
>>
>> Sent from Nine
>>
>> From: David Li 
>> Sent: Feb 19, 2016 10:46 AM
>> To: BIND Users
>> Subject: A Zone Transfer Question
>>
>> This is my first time to try master slave configuration. Here is a
>> brief description:
>>
>> I have two Centos 7.1 VMs - each is configured for a zone. VM1 is the
>> master for zone1 and slave for zone2. VM2 is master for zone2 and
>> slave for zone1. Both zones use DNS Dynamic Update from DHCP 
>> servers on the same VM
>> to update the A records in their zone files. No DNSSEC configured.
>>
>>
>> To start, everything seems to be working fine. I have one host in each
>> zone and they can resolve each other fine.
>>
>> Now I add a new host to zone1 and its sequence number has been bumped
>> up. I read that when the zone1 file changes, it will automatically
>> notify its slave zone (ie. zone2) to start a zone transfer after 15
>> min. This never happened. Then I restarted named on VM2 and hoped it
>> would pull the new zone1 file. This didn't happen either.
>> Eventually I have to either restart the VM2 or use dig to start the
>> zone transfer.
>>
>> Can anyone spot anything obviously wrong here? Do I need to post my
>> zone file and named.conf?
>>
>>
>> Thanks.
>>
>> David


Intermittent NXDOMAIN for a name we are forwarding

2016-02-19 Thread blrmaani
We have a DNS setup where we forward a name in one domain to 5 external 
nameservers. We see an NXDOMAIN error intermittently (once in a couple of weeks). 
How do I debug this issue?

I took a cache dump on our DNS and 2 out of 5 nameserver IPs appear in 
"Unassociated entries" when the problem happens.

Any advice to troubleshoot this issue is greatly appreciated.

Thanks
Blr


Re: A Zone Transfer Question

2016-02-19 Thread Barry Margolin
In article ,
 David Li  wrote:

> Hi John,
> 
> Well, I was wrong about the log. I did find some info about why zone
> transfer failed. On one server running zone rack1.com, I see:
> 
> Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745 (rack1.com): query 'rack1.com/SOA/IN' denied
> Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#52612 (rack1.com): transfer of 'rack1.com/IN': IXFR ended
> 
> Any idea why it's denied?

VM1 has the option:

allow-query {
   10.4.1/24;
   127.0.0.1;
};

10.4.3.101 isn't in 10.4.1/24. The slave has to be allowed to query the 
master.

-- 
Barry Margolin
Arlington, MA
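Kevin's and Barry's replies come down to one check: is the slave's address covered by the master's allow-query ACL? The Python below is an added example (not code from anyone in the thread) that parses a "query ... denied" line like the one David posted, expands BIND's abbreviated prefix notation (10.4.1/24) so the standard ipaddress module can evaluate it, and walks the ACL with named's first-match semantics; the ACL, the log lines and the function names are constructed here to mirror the thread.

```python
import ipaddress
import re

# Constructed test data modelled on the thread: VM1's allow-query ACL and the
# two log lines David reported from the rack1.com master.
VM1_ALLOW_QUERY = ["10.4.1/24", "127.0.0.1"]
LOG_LINES = [
    "Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#20745 "
    "(rack1.com): query 'rack1.com/SOA/IN' denied",
    "Feb 19 16:04:27 dli-centos7 named[13882]: client 10.4.3.101#52612 "
    "(rack1.com): transfer of 'rack1.com/IN': IXFR ended",
]

# named's "query denied" message:
#   client <ip>#<port> (<zone>): query '<name>/<type>/<class>' denied
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+ \((?P<zone>[^)]+)\): "
    r"query '(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)


def parse_acl_element(element):
    """Turn one address-match-list element into (negated, target).

    named accepts short prefixes such as 10.4.1/24 (missing octets are zero)
    and bare addresses (an implicit /32 or /128); ipaddress wants the full
    form. The keywords any/none/localhost are passed through as strings.
    """
    negated = element.startswith("!")
    text = element.lstrip("!").strip()
    if text in ("any", "none", "localhost"):
        return negated, text
    addr, _, plen = text.partition("/")
    if ":" not in addr:  # IPv4 shorthand: pad to four octets
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    network = ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False)
    return negated, network


def acl_allows(acl, client_ip):
    """Evaluate an address match list the way named does: the first matching
    element decides, a matching '!' element denies, and no match denies."""
    ip = ipaddress.ip_address(client_ip)
    for element in acl:
        negated, target = parse_acl_element(element)
        if target == "any":
            matched = True
        elif target == "none":
            matched = False
        elif target == "localhost":
            matched = ip.is_loopback
        else:
            matched = ip in target  # False when address families differ
        if matched:
            return not negated
    return False


def triage_denied(log_lines, acl):
    """For each 'query ... denied' line, record the client and whether the
    ACL as written excludes it. A client the ACL does allow but named still
    denied would point at another cause (a zone-level override, a view)."""
    findings = []
    for line in log_lines:
        m = DENIED_RE.search(line)
        if not m:
            continue
        findings.append({
            "client": m.group("ip"),
            "zone": m.group("zone"),
            "qname": m.group("qname"),
            "qtype": m.group("qtype"),
            "allowed_by_acl": acl_allows(acl, m.group("ip")),
        })
    return findings


if __name__ == "__main__":
    for f in triage_denied(LOG_LINES, VM1_ALLOW_QUERY):
        verdict = "covered by ACL" if f["allowed_by_acl"] else "NOT in ACL"
        print(f"{f['client']} asked {f['qname']}/{f['qtype']} "
              f"for zone {f['zone']}: {verdict}")
```

Run against the constructed data it reports 10.4.3.101 as not in the ACL for the SOA query, which is exactly the refresh check the slave performs before deciding whether to transfer; the transfer line right after it shows the transfer itself was not what was being refused.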


Re: A Zone Transfer Question

2016-02-19 Thread Barry Margolin
In article ,
 John Miller  wrote:

> And if you actually want people to use your zone or you want NOTIFY
> working, two NS records (and possibly glue) are really a must.

He mentioned that these are internal nameservers, they're not reached 
via public delegation. So NS records are probably irrelevant to how 
they're used by clients.

-- 
Barry Margolin
Arlington, MA


Re: A Zone Transfer Question

2016-02-19 Thread John Miller
On Fri, Feb 19, 2016 at 9:26 PM, Barry Margolin  wrote:
> In article ,
>  John Miller  wrote:
>
>> And if you actually want people to use your zone or you want NOTIFY
>> working, two NS records (and possibly glue) are really a must.
>
> He mentioned that these are internal nameservers, they're not reached
> via public delegation. So NS records are probably irrelevant to how
> they're used by clients.

Fair enough.  There's certainly no need for two NS records if nobody's
following delegation here.  In the case of dynamic updates, one NS
record might actually be better: there's no worrying about update
forwarding between slave and master.

Will a zone even load with zero NS records?  It's not something I've
ever tried, though probably should for grins.

John
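Kevin's earlier observation (named only sends NOTIFY to the servers in the zone's NS records, minus the SOA MNAME, plus whatever is in also-notify) and the NS-record discussion in this message can be checked mechanically. The Python below is an added example, not code from the thread, that applies that documented rule to a constructed copy of David's rack1.com SOA/NS data, models the slave side where allow-notify extends the masters list, and shows why a 60-second REFRESH hides a missing NOTIFY; the address map and all function names are assumptions made here.

```python
# Constructed data modelled on the thread: rack1.com has a single NS record,
# and that name is also the SOA MNAME, i.e. the master itself.
RACK1_ZONE = {
    "soa_mname": "dnsserver1.rack1.com.",
    "ns": ["dnsserver1.rack1.com."],
}
# Stand-in for the address lookups named performs on NS names (constructed).
ADDRESSES = {
    "dnsserver1.rack1.com.": "10.4.1.101",
    "dnsserver3.rack3.com.": "10.4.3.101",
}


def notify_targets(zone, addresses, notify="yes", also_notify=()):
    """Addresses a master sends NOTIFY to, following the documented rule:

    notify yes      -> every NS owner except the SOA MNAME, plus also-notify
    notify explicit -> only the also-notify list
    notify no       -> nobody
    (master-only behaves like yes for a master zone and is not modelled.)
    """
    if notify == "no":
        return set()
    targets = set(also_notify)
    if notify == "yes":
        for ns in zone["ns"]:
            if ns.lower() == zone["soa_mname"].lower():
                continue  # the master does not notify itself
            if ns in addresses:  # an NS name that does not resolve is skipped
                targets.add(addresses[ns])
    return targets


def slave_accepts_notify(masters, source_ip, allow_notify=()):
    """A slave acts on a NOTIFY only when it arrives from one of the zone's
    masters or from an address listed in allow-notify; others are refused."""
    return source_ip in set(masters) | set(allow_notify)


def worst_case_propagation(zone, addresses, slave_ip, refresh_seconds, **opts):
    """Upper bound on how long the slave can lag behind the master: about zero
    when it is notified (it refreshes at once), otherwise the SOA REFRESH.
    With REFRESH at 60 seconds a missing NOTIFY is barely noticeable."""
    if slave_ip in notify_targets(zone, addresses, **opts):
        return 0
    return refresh_seconds


if __name__ == "__main__":
    print("NOTIFY recipients for rack1.com as posted:",
          notify_targets(RACK1_ZONE, ADDRESSES) or "none")
    print("with also-notify { 10.4.3.101; }:",
          notify_targets(RACK1_ZONE, ADDRESSES, also_notify=["10.4.3.101"]))
    print("worst-case lag for the slave, REFRESH 60:",
          worst_case_propagation(RACK1_ZONE, ADDRESSES, "10.4.3.101", 60), "s")
```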


Re: A Zone Transfer Question

2016-02-19 Thread Reindl Harald



On 20.02.2016 at 04:04, John Miller wrote:

> Will a zone even load with zero NS records?  It's not something I've
> ever tried, though probably should for grins


no, bind won't start at all


