writeable secondary zone?

2017-01-03 Thread Nex6
I have a very specific issue, where a partner org wants me to add an
SRV record for their org. (I don't want to.)

- NOTE: and it's for a major cloud app (to remain nameless) that points
back to their Active Directory.


But this is a requirement for a cloud application. The only solution I
can think of so far is to build out a new DNS box for just the users
that need to use this application,

and add the SRV record there. But I'm not sure how you could set up a
secondary zone that's writeable?

Any thoughts on this?

-Nex6
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Bind DLZ on a 64 bit environment

2017-01-03 Thread Job
Dear guys,

I would like to ask you for help on this.
We have been using Bind DLZ (the first implementation, from 2004 I think) successfully for some years.
We use PostgreSQL 9.6.1 as the backend server, still on a 32-bit system with CentOS 5.
Bind is compiled with threads enabled; we set 64 as the number of drivers after the postgres declaration.
Everything is perfect on the 32-bit system.
Now we are migrating and testing the machine in a 64-bit environment, compiled with multithreading.
With the same configuration, under quite heavy DNS traffic volumes, the machine uses all its resources and DNS resolution becomes very slow, almost unusable.
In the same configuration, the 32-bit version works fine.
The problem is when using Bind with 64-bit support.
It seems that, under quite heavy load conditions, Bind fills the "communication channel with PostgreSQL" and everything goes wrong.
With the 32-bit system, the same test benchmark is perfect: it uses a bit of CPU and RAM and resolutions are really fast.
Where am I wrong?

Thank you, very good wishes of a fantastic new year 2017!

/F

Re: writeable secondary zone?

2017-01-03 Thread Nex6
On Wed, Jan 04, 2017 at 01:46:07AM +0100, Reindl Harald wrote:
> 
> 
> Am 04.01.2017 um 01:35 schrieb Nex6:
> >I have a very specific issue, where a partner org wants me to add an
> >SRV record for their org. (I don't want to.)
> >
> >- NOTE: and it's for a major cloud app (to remain nameless) that points
> >back to their Active Directory.
> >
> >But this is a requirement for a cloud application. The only solution I
> >can think of so far is to build out a new DNS box for just the users
> >that need to use this application,
> >
> >and add the SRV record there. But I'm not sure how you could set up a
> >secondary zone that's writeable?
> 
> you can't write in a slave zone
> 
> https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html


Yes, I know, that's why I asked if there was a way to do this. I suspect
I am stuck.




Re: writeable secondary zone?

2017-01-03 Thread Carl Byington
On Tue, 2017-01-03 at 16:35 -0800, Nex6 wrote:
> I have a very specific issue, where a partner org wants me to add an
> SRV record for their org. (I don't want to.)

If I understand the question, we have

nex6.example.com -- under your dns control

partner.example.com -- dns under the control of your partner, and they
want *you* to see something like:

_http._tcp.partner.example.com.  SRV  0 5 80  www.example.com.

but they don't want to add that record in their own partner.example.com
zone where it would be visible to the world.

You could use RPZ on your recursive resolvers for that, to add that SRV
record into their zone (assuming that they are not DNSSEC signing their
zones). Of course, that record would then be visible to all of your
users, not just the ones using that application. But does the existence
of that extra SRV record hurt any of those users?


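The RPZ approach Carl describes, written out as an added example (not configuration from the thread or from ISC). It assumes the recursive resolver is BIND 9.8 or later, that the RPZ zone is called rpz.nex6.example.com, and that the file path and SOA nameserver are placeholders; the trigger and the SRV rdata are the ones from Carl's message.

```conf
// ---- File 1: named.conf on nex6's recursive resolver ----
options {
    // ... existing options ...

    // Consult the local policy zone before handing answers to clients.
    // With the default "break-dnssec no", answers from a DNSSEC-signed
    // zone are NOT rewritten for clients that ask for DNSSEC data, which
    // is the limitation Carl points out.
    response-policy { zone "rpz.nex6.example.com"; };
};

// The policy zone is an ordinary local master zone. Clients must not be
// able to query or transfer it directly, so lock it down.
zone "rpz.nex6.example.com" {
    type master;
    file "/etc/named/rpz.nex6.example.com.db";   // assumed path
    allow-query { none; };
    allow-transfer { none; };
};

// ---- File 2: /etc/named/rpz.nex6.example.com.db ----
// $TTL 300
// @   IN SOA  ns1.nex6.example.com. hostmaster.nex6.example.com. (
//             2017010301 ; serial (bump it on every edit)
//             3600 900 604800 300 )
//     IN NS   ns1.nex6.example.com.  ; required by zone syntax, never followed
//
// ; QNAME trigger: the owner name is the name clients look up, written
// ; relative to the policy zone. The rdata is the "Local Data" action,
// ; i.e. the SRV record the partner's application expects to find.
// _http._tcp.partner.example.com  IN SRV 0 5 80 www.example.com.
```

To check the rewrite from a client inside the organisation, query the resolver for `_http._tcp.partner.example.com SRV`: the answer should be the local-data SRV, and with RPZ logging enabled named records a `rpz QNAME Local-Data rewrite` line for the query. Because the trigger is keyed on the exact QNAME, nothing else under partner.example.com is affected, but, as Carl notes, every client of this resolver sees the record, not only the users of the application.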




Re: writeable secondary zone?

2017-01-03 Thread Mark Andrews

In message <20170104010026.GA3160@ubuntu>, Nex6 writes:
> On Wed, Jan 04, 2017 at 01:46:07AM +0100, Reindl Harald wrote:
> > 
> > 
> > Am 04.01.2017 um 01:35 schrieb Nex6:
> > >I have a very specific issue, where a partner org wants me to add an
> > >SRV record for their org. (I don't want to.)
> > >
> > >- NOTE: and it's for a major cloud app (to remain nameless) that points
> > >back to their Active Directory.
> > >
> > >But this is a requirement for a cloud application. The only solution I
> > >can think of so far is to build out a new DNS box for just the users
> > >that need to use this application,
> > >
> > >and add the SRV record there. But I'm not sure how you could set up a
> > >secondary zone that's writeable?
> > 
> > you can't write in a slave zone
> > 
> > https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html
> 
> 
> Yes, I know, that's why I asked if there was a way to do this. I suspect
> I am stuck.

You don't need to modify a zone to graft on a SRV record as it will be
prefixed with one or more labels.  You add a zone for that name.

_example._tcp.example.com

Now if _tcp.example.com already exists you add _example._tcp.example.com with
zone content similar to this:

@ SOA ...
@ NS ...
@ SRV 

If _tcp.example.com does not already exist you add _tcp.example.com with zone
content similar to this:

@ SOA ...
@ NS ...
_example SRV 

This prevents your clients seeing NXDOMAIN for _tcp.example.com.

The better way to do all this however would be for the partner to
create the relevant zones with the SRV records (giving them change
control of the contents) and have you slave them on your recursive
servers possibly using TSIG to get the correct instance from them.
They can supply you with example.com with the SRV records present
or one of the above zones.  Your clients will see
_example._tcp.example.com either way and it deals with their paranoia
over publishing a SRV record to the world.

There is no need for you to muck with views for this.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
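Both variants Mark describes, as an added example rather than configuration from his message or from ISC: the small `_tcp.example.com` zone authored locally on the recursive resolver, and the same zone slaved from the partner with TSIG. The zone is the one from Mark's message; the file paths, the SRV port and target (`app.example.com`), the partner master address 192.0.2.53, and the key name `partner-xfer` are assumptions.

```conf
// ---- named.conf on nex6's recursive resolver: pick ONE of the two zone stanzas ----

// Variant A: author the zone locally. The resolver answers authoritatively
// for _tcp.example.com and everything below it, and keeps recursing
// normally for the rest of example.com.
zone "_tcp.example.com" {
    type master;
    file "/etc/named/_tcp.example.com.db";   // assumed path
    allow-query { localnets; };              // only your own clients
    allow-transfer { none; };
};

// Variant B (Mark's preferred one): the partner authors the zone, you slave
// it, so change control of the record stays with them and the zone is only
// ever served to your clients.
key "partner-xfer" {                              // assumed key name
    algorithm hmac-sha256;
    secret "<base64 secret exchanged with the partner>"; // placeholder
};
zone "_tcp.example.com" {
    type slave;
    file "/var/named/slaves/_tcp.example.com.db"; // assumed path
    masters { 192.0.2.53 key "partner-xfer"; };   // assumed partner master
    allow-query { localnets; };
    allow-transfer { none; };
};

// ---- /etc/named/_tcp.example.com.db for Variant A ----
// $TTL 3600
// @        IN SOA  ns.nex6.example.com. hostmaster.nex6.example.com. (
//                  2017010301 3600 900 604800 3600 )
// @        IN NS   ns.nex6.example.com.
// ; The grafted record. Per RFC 2782 the target must be a hostname that
// ; has A/AAAA records and must not be a CNAME. Port and target are assumed.
// _example IN SRV  0 5 443 app.example.com.
```

Two checks worth doing after loading it: query the resolver for `_example._tcp.example.com SRV` and confirm the `aa` flag is set (the answer comes from the local zone, not from recursion), and query `_tcp.example.com SOA` to confirm it no longer returns NXDOMAIN, which is the point of carrying the `_tcp` label in the zone name. One caveat to keep in mind: the local zone shadows the real one for every name under `_tcp.example.com`, so any other record the partner later publishes there is invisible to your clients until you (or the slaved zone) carry it too, and a stub that validates DNSSEC itself cannot validate the grafted answer if example.com is signed.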


How can I limit recursive queries on an IPv6 network?

2017-01-03 Thread LEE SUKMOON
Hello.

Our DNS server provides service on an IPv6 network.
Clients send queries over the IPv6 network, but recursive queries can only be made over the IPv4 network.
(The DNS server has no IPv6 connectivity to outside networks.)

So the DNS server performs unnecessary recursive queries over IPv6.
How can I limit recursive queries on the IPv6 network?


I modified some source code as shown below to confirm the IPv6 limit on queries for
recursive clients.
This code seems to work well. Is there any problem using this?

Thanks.




[root@smlee:/root/isc] $ diff -Nur bind-9.9.9-P4/ bind-9.9.9-P4-ipv6/
diff -Nur bind-9.9.9-P4/lib/dns/resolver.c bind-9.9.9-P4-ipv6/lib/dns/resolver.c
--- bind-9.9.9-P4/lib/dns/resolver.c2016-10-21 14:12:02.0 +0900
+++ bind-9.9.9-P4-ipv6/lib/dns/resolver.c   2017-01-03 19:11:57.246779004 
+0900
@@ -3419,6 +3419,7 @@
return;
}

+retry_addrinfo:
 #ifdef ENABLE_FETCHLIMIT
while ((addrinfo = fctx_nextaddress(fctx)) != NULL) {
if (! dns_adbentry_overquota(addrinfo->entry))
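Review bot: the new `retry_addrinfo:` label at the top of this hunk has no comment saying what jumps back to it or why, and it sits directly above `#ifdef ENABLE_FETCHLIMIT`, so a reader has to find the `goto` in the next hunk to understand it. Add a one-line comment such as `/* jump target: an unusable (IPv6) address was picked, choose the next one */`, and consider folding the skip into the existing `while ((addrinfo = fctx_nextaddress(fctx)) != NULL)` selection instead of a backward `goto`, which would also keep the logic identical in both the fetch-limit and non-fetch-limit builds.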
@@ -3428,6 +3429,16 @@
addrinfo = fctx_nextaddress(fctx);
 #endif /* !ENABLE_FETCHLIMIT */

+   if (addrinfo != NULL &&
+   addrinfo->sockaddr.type.sa.sa_family == 
AF_INET6) {
+   /*
+   isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
+ "skip %p (%s) %p", fctx, fctx->info, 
addrinfo);
+   */
+   goto retry_addrinfo;
+   }
+
/*
 * While we may have addresses from the ADB, they
 * might be bad ones.  In this case, return SERVFAIL.
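Review bot: the `if (addrinfo != NULL && addrinfo->sockaddr.type.sa.sa_family == AF_INET6)` block hard-codes the address family with no configuration knob and leaves a commented-out `isc_log_write()` in the tree; either drop the dead logging or keep it live at `ISC_LOG_DEBUG(3)` so an operator can see which addresses were skipped. Also note what happens when every remaining address is IPv6: the `goto` drains the list until `addrinfo == NULL` and execution falls into the "return SERVFAIL" path in the trailing context, which is presumably the intended outcome but deserves a comment. Since the effect is per-resolver policy rather than a resolver bug, a named.conf directive such as the `server ::/0 { bogus yes; };` answer in this thread achieves the same result without carrying a local patch across BIND upgrades.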


Re: How can I limit recursive queries on an IPv6 network?

2017-01-03 Thread Mark Andrews

server ::/0 { bogus yes; };

Adjust for actual reachable topology.

Note the real fix for this is to get IPv6 connectivity to the
world.  Trying to run with a disconnected IPv6 island is only
asking for pain.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org