Bind DLZ and 64 bit environment

2017-01-04 Thread Job
Dear guys,

I would like to ask for your help on this.
We have been using Bind DLZ (the first implementation from 2004, I think) successfully for some years.

We use PostgreSQL 9.6.1 as the backend server, still on a 32-bit system with CentOS 5.
Bind is compiled with threads enabled; we put 64 as the drivers number after the postgres declaration.
Everything is perfect on the 32-bit system.

Now we are migrating and testing the machine in a 64-bit environment, compiled with multithreading.
Same configuration but, under quite heavy DNS traffic volumes, the machine uses all its resources and DNS resolution becomes very slow, quite unusable.

In the same configuration, the 32-bit version works fine.
The problem is when using Bind with 64-bit support.

It seems, under quite heavy load conditions, that Bind fills the "communication channel with Postgresql" and everything goes wrong.
With the 32-bit system, the same benchmark test is perfect: it uses a bit of CPU and RAM and resolutions are really fast.

Where am I wrong?

Thank you, very good wishes of a fantastic new year 2017!

/F
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: writeable secondary zone?

2017-01-04 Thread Nex6
On Tue, Jan 03, 2017 at 05:22:56PM -0800, Carl Byington wrote:
> On Tue, 2017-01-03 at 16:35 -0800, Nex6 wrote:
> > I have a very specific issue, where a partner org, wants me to add an
> > SRV record for their org. (I don't want to)
> 
> If I understand the question, we have
> 
> nex6.example.com -- under your dns control
> 
> partner.example.com -- dns under the control of your partner, and they
> want *you* to see something like:
> 
> _http._tcp.partner.example.com.  SRV  0 5 80  www.example.com.
> 
> but they don't want to add that record in their own partner.example.com
> zone where it would be visible to the world.
> 
> You could use RPZ on your recursive resolvers for that, to add that SRV
> record into their zone (assuming that they are not DNSSEC signing their
> zones). Of course, that record would then be visible to all of your
> users, not just the ones using that application. But does the existance
> of that extra SRV record hurt any of those users?

Both orgs have internal private DNS, which includes "Active Directory" zones.

The partner org has a cloud-based app that they are integrated with, which some of our users now need access to, and they need to use the partner org domain credentials.

So they wanted me to add more or less

SRV _appname -> ad.partnerdomain.org

Because said app might exist on our network, and/or we might have to add that record in the future, I don't want to add the record, since you can only have one SRV record, and having another org's SRV pointing back to their Active Directory just seems like an all-bad idea.

The problem is, when our users on our network connect to this app, for it to authenticate it needs the SRV record telling the app where AD is. Since our network/NS does not have the record ... fail.

We tried hosts files, but that does not seem to work with SRV records, and I'm not sure if I create a forward zone and point directly to their NS whether that would work.

-Nex6



Re: writeable secondary zone?

2017-01-04 Thread Nex6
On Wed, Jan 04, 2017 at 12:23:44PM +1100, Mark Andrews wrote:
> 
> In message <20170104010026.GA3160@ubuntu>, Nex6 writes:
> > On Wed, Jan 04, 2017 at 01:46:07AM +0100, Reindl Harald wrote:
> > > 
> > > 
> > > Am 04.01.2017 um 01:35 schrieb Nex6:
> > > > I have a very specific issue, where a partner org, wants me to add an
> > > > SRV record for their org. (I don't want to)
> > > >
> > > > - NOTE: and it's for a major cloud app (to remain nameless) that points
> > > > back to their Active Directory.
> > > >
> > > > but this is a requirement for a cloud application. The only solution I
> > > > can think of so far is to build out a new DNS box for just the users
> > > > that need to use this application,
> > > >
> > > > and add the SRV record there. But, not sure how you could set up a
> > > > secondary zone that's writeable?
> > > 
> > > you can't write in a slave zone
> > > 
> > > https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html
> > 
> > 
> > yes, I know, that's why I asked if there was a way to do this. I suspect
> > I am stuck. 
> 
> You don't need to modify a zone to graft on a SRV record as it will be
> prefixed with one or more labels.  You add a zone for that name.
> 
> _example._tcp.example.com
> 
> Now if _tcp.example.com already exists you add _example._tcp.example.com with
> zone content similar to this:
> 
>   @ SOA ...
>   @ NS ...
>   @ SRV 
> 
> If _tcp.example.com does not already exist you add _tcp.example.com with zone
> content similar to this:
> 
>   @ SOA ...
>   @ NS ...
>   _example SRV 
> 
> This prevents your clients seeing NXDOMAIN for _tcp.example.com.
> 
> The better way to do all this however would be for the partner to
> create the relevant zones with the SRV records (giving them change
> control of the contents) and have you slave them on your recursive
> servers possibly using TSIG to get the correct instance from them.
> They can supply you with example.com with the SRV records present
> or one of the above zones.  Your clients will see
> _example._tcp.example.com either way and it deals with their paranoia
> over publishing a SRV record to the world.
> 
> There is no need for you to muck with views for this.
> 
> Mark

Hmmm, I wonder if a forward zone would work? Or maybe us slaving their
zone might be better. 

> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Few questions on Bind

2017-01-04 Thread Debarghya Mandal
Hi,
I am kind of new to bind. I have a few queries about it.

1. Is there a way to load custom DNS records from a zone file? I have some
schematized data that I can store, say, in JSON or XML format. I want bind to
load that custom record.

2. Once bind loads that data, for certain zones, for A//CNAME request
types I want bind to call my custom code which knows how to process that
custom record and return a valid A//CNAME record.
Is the DynDB extension the best way to add a plugin to bind, or is there some
other alternative?

Thanks,
Deb

Re: Few questions on Bind

2017-01-04 Thread Chuck Swiger
On Jan 4, 2017, at 4:11 PM, Debarghya Mandal wrote:
> Hi,
> I am kind of new to bind. I have a few queries about it.
> 
> 1. Is there a way to load custom DNS records from a zone file?

Yes; that's exactly what zone files are for.

> I have some schematized data that I can store, say, in JSON or XML format. I 
> want bind to load that custom record.

If you have the data in a structured format, simply process that into the zone 
file format used by BIND.  Or, you might consider alternatives like PowerDNS 
which provides more explicit support for backends like databases, LDAP, json, 
and so forth.

> 2. Once bind loads that data, for certain zones, for A//CNAME request 
> types I want bind to call my custom code which knows how to process that 
> custom record and return a valid A//CNAME record.
> Is the DynDB extension the best way to add a plugin to bind, or is there some 
> other alternative?

Start with dynamic zones and update the specific records via nsupdate.  Use 
views to provide different answers to different classes of requestors if 
absolutely needed.

You should remember that DNS requests tend to be extensively cacheable, so 
trying to provide different answers to the same query isn't going to work 
unless you use very short TTLs, and even then clients may still enforce a 
minimum TTL of 5 minutes or so.

(Even BIND itself had a min_cache_ttl set to a default of 300 seconds, way back 
when.)

Regards,
-- 
-Chuck
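Two points in this digest can be shown with one small generator: Chuck's advice above to process structured data into BIND's zone-file format rather than teach BIND a custom record, and the two zone layouts Mark Andrews described earlier in the thread for grafting an SRV record under `_tcp.example.com` without touching the parent zone. The following is an added example written for this page; it is not code from the thread, from ISC or from BIND. The JSON layout, the function names and all names and values in it (`example.com`, `ns1.example.com`, `ad.partner.example.com`, the SRV priority/weight/port) are constructed sample data. It validates what a zone load would otherwise reject late: label syntax, 16-bit SRV fields, a relative SRV target that would silently get the origin appended, and a zone without SOA and NS at the apex.

```python
"""Turn JSON-like record data into BIND zone-file text (added example).

Also builds the two SRV "graft" zones from the thread: a zone at
_example._tcp.example.com holding "@ SRV", or a zone at _tcp.example.com
holding "_example SRV" so clients never see NXDOMAIN for _tcp.example.com.
All names and values are constructed, not taken from any real deployment.
"""
import json
import re

# One label: letters, digits, hyphen and underscore (underscore so that
# service labels like _tcp / _example pass), 1..63 octets, no edge hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")
U16_MAX = 65535  # SRV priority, weight and port are 16-bit fields


def check_name(name):
    """Reject owner names or targets that a zone load would refuse."""
    if name == "@":
        return
    if not name:
        raise ValueError("empty name")
    for label in name.rstrip(".").split("."):
        if not LABEL_RE.match(label):
            raise ValueError(f"bad label {label!r} in {name!r}")


def format_record(rec):
    """Render one record dict as a zone-file line, validating SRV fields."""
    owner, rtype = rec["name"], rec["type"].upper()
    check_name(owner)
    ttl = str(rec["ttl"]) if "ttl" in rec else ""  # empty -> $TTL applies
    if rtype == "SRV":
        for field in ("priority", "weight", "port"):
            if not 0 <= int(rec[field]) <= U16_MAX:
                raise ValueError(f"{field} out of range in {rec!r}")
        target = rec["target"]
        if not target.endswith("."):
            # A relative target silently gets the zone origin appended; a
            # host in the partner's domain must be written absolute.
            raise ValueError(f"SRV target must be absolute: {target!r}")
        check_name(target)
        rdata = f"{rec['priority']} {rec['weight']} {rec['port']} {target}"
    elif rtype == "SOA":
        rdata = (f"{rec['mname']} {rec['rname']} ( {rec['serial']} "
                 f"{rec['refresh']} {rec['retry']} {rec['expire']} "
                 f"{rec['minimum']} )")
    elif rtype in ("A", "AAAA", "CNAME", "NS"):
        rdata = rec["value"]
    else:
        raise ValueError(f"unsupported type {rtype}")
    return f"{owner}\t{ttl}\tIN\t{rtype}\t{rdata}"


def build_zone(origin, default_ttl, records):
    """Emit $ORIGIN/$TTL plus record lines; refuse a zone lacking SOA/NS."""
    if not origin.endswith("."):
        raise ValueError("origin must be absolute (end with a dot)")
    apex_types = {r["type"].upper() for r in records if r["name"] == "@"}
    if not {"SOA", "NS"} <= apex_types:
        raise ValueError("zone needs SOA and NS records at the apex (@)")
    lines = [f"$ORIGIN {origin}", f"$TTL {default_ttl}"]
    lines += [format_record(r) for r in records]
    return "\n".join(lines) + "\n"


def zone_from_json(text):
    """Load the assumed JSON layout {origin, ttl, records[]} and render it."""
    doc = json.loads(text)
    return build_zone(doc["origin"], doc.get("ttl", 3600), doc["records"])


# Constructed sample input in the assumed JSON layout.
SAMPLE_JSON = """{
  "origin": "example.com.", "ttl": 3600,
  "records": [
    {"name": "@", "type": "SOA", "mname": "ns1.example.com.",
     "rname": "hostmaster.example.com.", "serial": 2017010401,
     "refresh": 3600, "retry": 900, "expire": 604800, "minimum": 300},
    {"name": "@", "type": "NS", "value": "ns1.example.com."},
    {"name": "ns1", "type": "A", "value": "192.0.2.53"},
    {"name": "www", "type": "CNAME", "ttl": 60, "value": "ns1"}
  ]
}"""


def srv_graft_zone(tcp_zone_exists):
    """Return (origin, zone text) for the layout the thread describes."""
    apex = [
        {"name": "@", "type": "SOA", "mname": "ns1.example.com.",
         "rname": "hostmaster.example.com.", "serial": 2017010401,
         "refresh": 3600, "retry": 900, "expire": 604800, "minimum": 300},
        {"name": "@", "type": "NS", "value": "ns1.example.com."},
    ]
    srv = {"type": "SRV", "priority": 0, "weight": 5, "port": 443,
           "target": "ad.partner.example.com."}  # constructed partner host
    if tcp_zone_exists:  # _tcp.example.com is already a zone: add below it
        origin, srv["name"] = "_example._tcp.example.com.", "@"
    else:                # otherwise serve _tcp.example.com itself
        origin, srv["name"] = "_tcp.example.com.", "_example"
    return origin, build_zone(origin, 3600, apex + [srv])


if __name__ == "__main__":
    print(zone_from_json(SAMPLE_JSON))
    for exists in (False, True):
        origin, text = srv_graft_zone(exists)
        print(f"; zone {origin}\n{text}")
```

Feed the generated text to `named-checkzone` before adding the zone to named.conf; the validation here catches only the mistakes that cost the most time in practice, it does not replace BIND's own parser.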
