Re: Can't use Bind DLZ through LDAPS SSL
Instead of beating your head against DLZ can't you simply put the DLZ query into stunnel and connect to the openldap server that way?

Ted

On 2/11/2021 10:39 PM, Dario García Díaz-Miguel wrote:
> Hi there,
>
> I really don't know if this is the correct place to ask about Bind DLZ, but I'm afraid that I could not get any responses from the BIND DLZ mail list and, since this seems to be an "official" plugin and it's compiled into the bind9 package from the SuSE15 SP2 repository, I will try to ask it over here.
>
> I've deployed an OpenLDAP using the security options recommended by my cybersecurity team:
>
> - olcSecurity: ssf=256
> - olcLocalSSF: 256
> - olcRequires: authc
> - olcDisallow: bind_anon
> - olcTLSVerifyClient: try
>
> So essentially right now it is required to use certificates and LDAPS in order to bind to the OpenLDAP server. Otherwise a Confidential error will appear since the TLS/SSL handshake is not possible. Well, this is the expected behavior.
>
> All the software of the environment works flawlessly using the SSL certificates through LDAPS SSL except Bind DLZ. I could not find the way to configure it to use SSL.
>
> The Bind DLZ used is the one compiled with the BIND 9.16.6 (Stable Release) from the SUSE 15 SP2 repository.
>
> Could anybody help me?
>
> Thank you so much.
> Regards.
>
> Dario Garcia Díaz-Miguel
> GGCS-SES Unit
> GGCS SKMF Infrastructure Division
> GMV
> C\ de Isaac Newton, 11
> 28760, Tres Cantos, Madrid
> España
> +34 918 07 21 00
> +34 918 07 21 99
> www.gmv.com
>
> Please consider the environment before printing this e-mail.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: Can't use Bind DLZ through LDAPS SSL
Hi Ted,

Thank you for your answer. Both servers (OpenLDAP and BIND DLZ) are on the same machine. The LDAPI:/// socket has been configured to not require SSL with olcLocalSSF.

If BIND DLZ does not support LDAPS, does it support any way to bind against LDAP using LDAPI? I've tried to use ldapi:/// as well as ldaps:// in the queries and it does not work. I have also tried adding the port to the hostnames in the connection parameters in named.conf and it also does not work.

About stunnel, I'm not sure since I'm not familiar with it, and including new software would require an approval request explaining good enough reasons to use it.

Thank you so much.
Regards.

Dario Garcia Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com

-----Original Message-----
Date: Fri, 12 Feb 2021 01:29:17 -0800
From: Ted Mittelstaedt
To: bind-users@lists.isc.org
Subject: Re: Can't use Bind DLZ through LDAPS SSL
Message-ID: <60264a6d.1090...@ipinc.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

> Instead of beating your head against DLZ can't you simply put the DLZ query into stunnel and connect to the openldap server that way?
>
> Ted
>
> On 2/11/2021 10:39 PM, Dario García Díaz-Miguel wrote:
> > [original message quoted above]
Re: Can't use Bind DLZ through LDAPS SSL
If the programs are both on the same machine and you are using ldapi with olcLocalSSF then you are NOT using SSL.

For starters on this machine if you simply run a LDAP query with the command line tools against the OpenLDAP server does it work? Like

ldapsearch -LLL -H ldapi://blardy blardy blar

What is in your slapd.ldif? Usually there should be a olcSecurity: ssf=something and this should match the value you are using in the olcLocalSSF. The command line ldap program should pump out an error message if this mechanism is broken.

If you are not familiar with stunnel you should have looked up what it was before responding. It's not going to be applicable here and I would not have suggested it if I had known both programs were on the same machine.

Ted

On 2/12/2021 3:15 AM, Dario García Díaz-Miguel wrote:
> Hi Ted,
>
> Thank you for your answer. Both servers (OpenLDAP and BIND DLZ) are on the same machine. The LDAPI:/// socket has been configured to not require SSL with olcLocalSSF.
>
> If BIND DLZ does not support LDAPS, does it support any way to bind against LDAP using LDAPI? I've tried to use ldapi:/// as well as ldaps:// in the queries and it does not work. I have also tried adding the port to the hostnames in the connection parameters in named.conf and it also does not work.
>
> About stunnel, I'm not sure since I'm not familiar with it, and including new software would require an approval request explaining good enough reasons to use it.
>
> Thank you so much.
> Regards.
>
> Dario Garcia Díaz-Miguel
> GMV
RE: Can't use Bind DLZ through LDAPS SSL
Hi Ted,

The values related to the issue configured in the slapd configuration are in my original message:

> > - olcSecurity: ssf=256
> > - olcLocalSSF: 256
> > - olcRequires: authc
> > - olcDisallow: bind_anon
> > - olcTLSVerifyClient: try

Exactly, using LDAPI with my olcLocalSSF configuration is not using SSL, and that's required due to some implementations. The problem is that BIND DLZ is NOT using LDAPI nor LDAPS and I don't know how to configure it.

ldapsearch -H ldapi:/// -D "cn=Administrator,dc=example,dc=com" -W --> works
ldapsearch -H ldaps://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W --> works
ldapsearch -H ldap://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W --> does not work
ldapsearch -H ldap://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W -Z --> works

This is the expected behavior and not related at all to my original question. I just asked how we should configure BIND DLZ to use LDAPS (636) or LDAPI instead of LDAP (389), since DLZ queries do not support port specifications.

Thank you so much.
Kind Regards.

-----Original Message-----
> If the programs are both on the same machine and you are using ldapi with olcLocalSSF then you are NOT using SSL.
>
> For starters on this machine if you simply run a LDAP query with the command line tools against the OpenLDAP server does it work? Like
>
> ldapsearch -LLL -H ldapi://blardy blardy blar
>
> What is in your slapd.ldif? Usually there should be a olcSecurity: ssf=something and this should match the value you are using in the olcLocalSSF. The command line ldap program should pump out an error message if this mechanism is broken.
>
> If you are not familiar with stunnel you should have looked up what it was before responding. It's not going to be applicable here and I would not have suggested it if I had known both programs were on the same machine.
>
> Ted

Dario Garcia Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com
Re: Can't use Bind DLZ through LDAPS SSL
That should be impossible. Bind DLZ is compiled to use the same openldap libraries that your openldap server is using. If you configure the query URL as ldapi then the same thing is being sent to the libraries that ldapsearch is sending. That is why you do not have to do anything special other than change the query string to ldap: or ldapi: or ldaps: in the dlz config.

Are you using the examples on http://bind-dlz.dourceforge.net/ldap-_driver.html?

Is dlz possibly dynamically linked and can't find the openldap libraries?

Ted

On 2/12/2021 4:09 AM, Dario García Díaz-Miguel wrote:
> Hi Ted,
>
> The values related to the issue configured in the slapd configuration are in my original message:
>
> - olcSecurity: ssf=256
> - olcLocalSSF: 256
> - olcRequires: authc
> - olcDisallow: bind_anon
> - olcTLSVerifyClient: try
>
> Exactly, using LDAPI with my olcLocalSSF configuration is not using SSL, and that's required due to some implementations. The problem is that BIND DLZ is NOT using LDAPI nor LDAPS and I don't know how to configure it.
>
> ldapsearch -H ldapi:/// -D "cn=Administrator,dc=example,dc=com" -W --> works
> ldapsearch -H ldaps://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W --> works
> ldapsearch -H ldap://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W --> does not work
> ldapsearch -H ldap://machine1.example.com -D "cn=Administrator,dc=example,dc=com" -W -Z --> works
>
> This is the expected behavior and not related at all to my original question. I just asked how we should configure BIND DLZ to use LDAPS (636) or LDAPI instead of LDAP (389), since DLZ queries do not support port specifications.
>
> Thank you so much.
> Kind Regards.
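The four ldapsearch results above follow from how slapd scores each session's security strength factor (SSF) against olcSecurity, and the same rule explains why a plain ldap:// query string (with or without a port) is refused. The model below is an added example, not code from the thread, OpenLDAP or BIND DLZ; it assumes the TLS sessions negotiate an AES-256 suite (SSF 256) and uses the standard LDAP result codes slapd returns in these cases.

```python
"""
Added example, not code from the thread or from OpenLDAP / BIND DLZ: models how
slapd applies olcSecurity, olcLocalSSF and olcDisallow to a bind attempt so the
ldapsearch outcomes from the thread can be reproduced offline.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed from the olc* values quoted in the thread.
SLAPD_CONFIG = {
    "olcSecurity": {"ssf": 256},   # minimum SSF for any operation, binds included
    "olcLocalSSF": 256,            # SSF slapd assigns to ldapi:// (Unix socket) sessions
    "olcDisallow": {"bind_anon"},
}

TLS_SSF = 256  # assumption: the negotiated cipher is AES-256, which slapd rates as SSF 256

# LDAP result codes (RFC 4511) slapd sends in these situations
SUCCESS = 0
CONFIDENTIALITY_REQUIRED = 13   # the "Confidential" error mentioned in the thread
INAPPROPRIATE_AUTH = 48         # anonymous bind while bind_anon is disallowed

RESULT_NAMES = {
    SUCCESS: "success",
    CONFIDENTIALITY_REQUIRED: "Confidentiality required (13)",
    INAPPROPRIATE_AUTH: "Inappropriate authentication (48)",
}


@dataclass(frozen=True)
class BindAttempt:
    url: str                       # as given to ldapsearch -H or the DLZ query string
    bind_dn: Optional[str] = None  # None models an anonymous bind
    starttls: bool = False         # ldapsearch -Z: StartTLS on a plain ldap:// session


def effective_ssf(attempt: BindAttempt, config=SLAPD_CONFIG) -> int:
    """SSF of the session at the moment the bind is evaluated.

    Only the URL scheme (or StartTLS) turns TLS on; the port number does not,
    so ldap://host:636 is still a cleartext session as far as slapd is concerned.
    """
    scheme = urlsplit(attempt.url).scheme.lower()
    if scheme == "ldapi":
        return config["olcLocalSSF"]
    if scheme == "ldaps":
        return TLS_SSF
    if scheme == "ldap":
        return TLS_SSF if attempt.starttls else 0
    raise ValueError(f"unsupported LDAP URL scheme: {scheme!r}")


def evaluate_bind(attempt: BindAttempt, config=SLAPD_CONFIG) -> int:
    """Return the LDAP result code slapd would send for this bind."""
    if effective_ssf(attempt, config) < config["olcSecurity"]["ssf"]:
        return CONFIDENTIALITY_REQUIRED
    if attempt.bind_dn is None and "bind_anon" in config["olcDisallow"]:
        return INAPPROPRIATE_AUTH
    return SUCCESS


def describe(attempt: BindAttempt) -> str:
    flag = " +StartTLS" if attempt.starttls else ""
    return f"{attempt.url}{flag}: {RESULT_NAMES[evaluate_bind(attempt)]}"


if __name__ == "__main__":
    admin = "cn=Administrator,dc=example,dc=com"
    for a in (
        BindAttempt("ldapi:///", admin),
        BindAttempt("ldaps://machine1.example.com", admin),
        BindAttempt("ldap://machine1.example.com", admin),
        BindAttempt("ldap://machine1.example.com", admin, starttls=True),
        BindAttempt("ldap://machine1.example.com:636", admin),  # port alone: still cleartext
        BindAttempt("ldapi:///"),                                 # anonymous bind
    ):
        print(describe(a))
```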
Checking if my DNS server are active
Hello,

One of my machines is running Centos 7 / CPanel. It says my primary and secondary DNS are not active.

Here is my configuration file:

//Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
    algorithm hmac-sha512;
    secret "aSDvgpfRXnUAG8rbbJnVoGtOJIfOFWK+fj6G16IziNf7QWWz0C1dxp4aa2M7z4+JxP3zxC3dJ3wRTBgV4cOjtA==";
};

controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

// generated by named-bootconf.pl

options {
    directory "/usr/local/etc/namedb";
    pid-file "/var/run/named/pid";
    dump-file "/usr/local/etc/namedb/named.core";
    max-ncache-ttl 86400;
    recursive-clients 100;
    //recursive no;
    reserved-sockets 32;
    tcp-clients 40;
    tcp-listen-queue 14;
    zone-statistics yes;
    blackhole { 65.94.172.87; 67.68.204.41; 74.15.184.13; 65.94.173.208; };
    allow-transfer { 192.168.81.14; 192.168.81.3; };
    allow-notify { 192.168.81.14; 192.168.81.3; };
    also-notify { 192.168.81.14 port 53; 192.168.81.3 port 53; };

    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    query-source address 192.168.81.1 port 53;
    version "no";
    listen-on { 192.168.81.1; 127.0.0.1; };
    disable-algorithms . { DSA; };
};

acl localnetworks { 127.0.0.1; ::1; 10.8.0.0/24; 192.168.81.0/24; };

logging {
    channel default_log {
        file "/var/log/named/default" versions 3 size 20m;
        print-time yes; print-category yes; print-severity yes;
        severity info;
    };
    channel auth_servers_log {
        file "/var/log/named/auth_servers" versions 100 size 20m;
        print-time yes; print-category yes; print-severity yes;
        severity info;
    };
    channel dnssec_log {
        file "/var/log/named/dnssec" versions 3 size 20m;
        print-time yes; print-category yes; print-severity yes;
        severity info;
    };
    channel zone_transfers_log {
        file "/var/log/named/zone_transfers" versions 3 size 20m;
        print-time yes; print-category yes; print-severity yes;
        severity info;
    };
    channel ddns_log {
        file "/var/log/named/ddns" versions 3 size 20m;
        print-time yes; print-category yes; print-severity yes;
        severity info;
    };
    channel client_security_log {
        file "/var/log/named/client_security" versions 3 size 20m;
        print-time yes; print-category yes; print-severity yes;
        severity info;
    };
    channel rate_limiting_log {
        file "/var/log/named/rate_limiting" versions 3 size 20m;
        print-time yes; print-category yes; print-severity yes;
        severity info;
    };
    channel rpz_log {
        file "/var/log/named/rpz" versions 3 size 20m;
        print-time yes; print-category yes; print-severity yes;
        severity info;
    };
    channel dnstap_log {
        file "/var/log/named/dnstap" versions 3 size 20m;
        print-time yes; print-category yes; print-severity yes;
        severity info;
    };
    //
    // If you have the category "queries" defined, and you don't want query logging
    // by default, make sure you add option "querylog no;" - then you can toggle
    // query logging on (and off again) using command "rndc querylog"
    //
    channel queries_log {
        file "/var/log/named/queries" versions 600 size 20m;
        print-time yes; print-category yes; print-severity yes;
        severity info;
    };
    //
    // This channel is dynamic so that when the debug level is increased using
    // rndc while the server is running, extra information will be logged about
    // failing queries. Other debug information for other categories will be
    // sent to the channel default_debug (which is also dynamic), but without
    // affecting the regular logging.
    //
    channel query-errors_log {
        file "/var/log/named/query-errors" versions 5 size 20m;
        print-time yes; print-category yes; print-severity yes;
        severity dynamic;
    };
    //
    // This is the default syslog channel, defined here for clarity.
Re: Checking if my DNS server are active
On 12.02.21 at 15:21, The Doctor via bind-users wrote:
> Hello,
>
> One of my machines is running Centos 7 / CPanel. It says my primary and secondary DNS are not active

internal or public nameservers?

> query-source address 192.168.81.1 port 53;

don't do that!

> listen-on {192.168.81.1; 127.0.0.1; };

looks like internal nameservers which have nothing to do with the nameservers responsible for your zones from the view of the world
Re: Bind 9.11 serving up false answers for a single domain.
I don't think tcpdump was installed by default with various versions of Debian that I set up in the last few years for networking. I didn't bother to install it, as its output is different enough (old fashioned?) from the sharks to be annoying.

It *was* installed with OpenSuSE 15.2 though. (OpenSuSE 15.2 -- the "stable" release that wants you to update something every day.)

On Fri, 12 Feb 2021 00:35:53 + "John W. Blue via bind-users" wrote:
> Most people like yourself that do not care about OS purity often are not obligated (granted super broad generalization) to explain their changes to an Enterprise Change Management Board (ECMB or similar) for deviations from a "standard image".
>
> That is also 100% okay too. Those types of shops/sysadmins also typically don't have buckets of cash sitting around either so you work with what makes sense and use the resources available to get it done.
>
> The over-arching point is that the lowest common denominator for proper troubleshooting is that tcpdump is useful and it does not need to be sourced or installed. It is ready to go out of the box for nearly all situations that could potentially be encountered.
>
> Usually.
>
> Murphy's law of unintended consequences should always be accounted for.
>
> John
Problems with interfaces going down
Greetings,

I've been fighting a two-fold problem with named (bind 9.16.11) running on macOS.

1: If an ethernet interface being listened to drops link, named immediately stops listening to it:

12-Feb-2021 17:33:19.326 no longer listening on 192.168.88.220#53

and 2: when link returns I get 2 tries to reestablish listening:

12-Feb-2021 17:33:39.458 listening on IPv4 interface en1, 192.168.88.220#53
12-Feb-2021 17:33:39.463 creating IPv4 interface en1 failed; interface ignored
12-Feb-2021 17:33:41.946 listening on IPv4 interface en1, 192.168.88.220#53
12-Feb-2021 17:33:41.951 creating IPv4 interface en1 failed; interface ignored

which both fail because named is no longer running as root.

--

Where I'm confused is that this ISC KB article: https://kb.isc.org/docs/aa-00420 seems to imply that the "no longer listening" event is due to a periodic interface scan finding the interface "unavailable". That doesn't fit my observations since it happens as soon as link is lost. If some minutes-long periodic scan were needed to detect the interface being down it would take, on average, half of that period to happen. It does not.

Further, I tried what the KB article advised by adding the option:

interface-interval 0;

That does seem to stop the periodic scan (since my log is no longer filled with errors) but the "no longer listening" event still occurs right when the interface drops.

--

Is it not possible to have named drop to a non-root user (via -u) but still recover from (or ride through) a momentary ethernet link loss? Having the server stop working due to a switch I have no control over burping is very suboptimal.

Thanks for any ideas.

-Mike
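The failure mode described above leaves named silently deaf on an address until someone reads the log, so the condition is worth detecting from the log itself. The monitor below is an added example, not code from the post or from BIND: it replays lines in the format shown above, pairs each "no longer listening" with the later re-listen attempts, and counts attempts that ended in "creating ... failed". The final successful re-listen line in the sample is constructed to show the restored case and is not from the post.

```python
"""
Added example, not code from the thread or from BIND: replays named log lines
like the ones in the post and reports which listen addresses named has stopped
serving, counting re-listen attempts that failed (as they do when named, now
running unprivileged, cannot re-bind the socket after link returns).
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: the five lines from the post plus one final successful
# re-listen (assumed, not in the post) so the restored case is exercised.
SAMPLE_LOG = """\
12-Feb-2021 17:33:19.326 no longer listening on 192.168.88.220#53
12-Feb-2021 17:33:39.458 listening on IPv4 interface en1, 192.168.88.220#53
12-Feb-2021 17:33:39.463 creating IPv4 interface en1 failed; interface ignored
12-Feb-2021 17:33:41.946 listening on IPv4 interface en1, 192.168.88.220#53
12-Feb-2021 17:33:41.951 creating IPv4 interface en1 failed; interface ignored
12-Feb-2021 17:35:02.100 listening on IPv4 interface en1, 192.168.88.220#53
"""

TS_FMT = "%d-%b-%Y %H:%M:%S.%f"
LINE_RE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")
GONE_RE = re.compile(r"^no longer listening on (\S+)$")
LISTEN_RE = re.compile(r"^listening on IPv[46] interface (\S+), (\S+)$")
FAILED_RE = re.compile(r"^creating IPv[46] interface (\S+) failed; interface ignored$")


@dataclass
class ListenerState:
    serving: bool = True
    down_since: Optional[datetime] = None
    restored_at: Optional[datetime] = None
    failed_attempts: int = 0


def parse_line(line: str):
    """Split a named log line into (timestamp, message); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), TS_FMT), m.group(2)


def replay(log_text: str) -> Dict[str, ListenerState]:
    """Replay the log in order and return the final state per listen address."""
    states: Dict[str, ListenerState] = {}
    iface_to_addr: Dict[str, str] = {}  # "failed" lines name only the interface
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if (m := GONE_RE.match(msg)):
            st = states.setdefault(m.group(1), ListenerState())
            st.serving, st.down_since, st.restored_at = False, ts, None
        elif (m := LISTEN_RE.match(msg)):
            iface, addr = m.group(1), m.group(2)
            iface_to_addr[iface] = addr
            st = states.setdefault(addr, ListenerState())
            # named logs this before binding the socket; count it as restored
            # unless a "creating ... failed" line for the interface follows.
            if not st.serving:
                st.serving, st.restored_at = True, ts
        elif (m := FAILED_RE.match(msg)):
            addr = iface_to_addr.get(m.group(1))
            if addr in states:
                states[addr].serving = False
                states[addr].restored_at = None
                states[addr].failed_attempts += 1
    return states


def outage_seconds(st: ListenerState) -> Optional[float]:
    """Length of the outage once restored; None while still down or never down."""
    if st.down_since is None or st.restored_at is None:
        return None
    return (st.restored_at - st.down_since).total_seconds()


def unserved(states: Dict[str, ListenerState]) -> List[str]:
    """Addresses named is currently not answering on, sorted for stable output."""
    return sorted(addr for addr, st in states.items() if not st.serving)


if __name__ == "__main__":
    final = replay(SAMPLE_LOG)
    for addr, st in final.items():
        print(addr, "serving" if st.serving else "DOWN",
              f"failed re-listens={st.failed_attempts}",
              f"outage={outage_seconds(st)}s")
    print("unserved:", unserved(final))
```

Feeding the first five lines alone (the post's actual sequence) leaves the address in the unserved list with two failed attempts, which is the state an alert should fire on.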