Bind query logging

2023-06-09 Thread Kereszt Vezeték
Hi Everybody !

I have a bind9 server with query logging set up.
It works well, but all of the query records are also logged to the /var/log/syslog file.
Can I avoid that duplicated logging? I would like to see only the separate log file.
Related configuration (Debian 11):

---
channel query_log {
    file "/var/log/bind/queries/query.log" versions 10 size 50m;
    severity info;
    print-category yes;
    print-severity yes;
    print-time yes;
};
category config { query_log; };
category queries { query_log; };
---

Thank You
regards
zoltan
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Controlling which interface named uses

2023-06-09 Thread Alessandro Vesely

Hi,

I have two WANs.  As a leftover from the times when I had no IPv6 address, I 
was running named with the -4 option.  I just removed it a couple of minutes ago. 
However, I still have IPv4 precedence in gai.conf:

precedence  ::1/128        50  0
precedence  ::/0           40  1
precedence  2002::/16      30  2
precedence  ::/96          20  3
precedence  ::ffff:0:0/96  100 4


Before removing -4, I had the problem that when the interface to the default 
route was down, named couldn't resolve any query.  The problem disappeared 
because the routable IPv6 addresses are on the other WAN.  But what is going to 
happen when it goes down?


It seems named only uses IPv6 to resolve queries, gai.conf notwithstanding.

Having two WANs, it would be reasonable, in case one doesn't work, to try the 
other one.  However, it's always useless to try the LAN.  Is there any way to 
configure which interface is used for outgoing queries?



Best
Ale


Re: Controlling which interface named uses

2023-06-09 Thread Anand Buddhdev

On 09/06/2023 17:26, Alessandro Vesely wrote:

Hi Alessandro,

> Hi,
> 
> I have two WANs.  As a leftover from the times when I had no IPv6 
> address, I was running named with the -4 option.  I just removed it a couple 
> of minutes ago. However, I still have IPv4 precedence in gai.conf:
> 
> precedence  ::1/128        50  0
> precedence  ::/0           40  1
> precedence  2002::/16      30  2
> precedence  ::/96          20  3
> precedence  ::ffff:0:0/96  100 4

If you want your applications to prefer IPv6, then just remove this 
file. The default is to prefer IPv6.

[snip]

> Having two WANs, it would be reasonable, in case one doesn't work, to 
> try the other one.  However, it's always useless to try the LAN.  Is 
> there any way to configure which interface is used for outgoing queries?

You can configure "query-source" and "query-source-v6" in named.conf, to 
tell BIND which interface to use for outgoing queries.


Regards,
Anand
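A worked form of the query-source suggestion, added here as an example rather than taken from either message. The addresses are documentation prefixes standing in for the WAN-side addresses of the host. Two caveats a practitioner should keep in mind: query-source selects the source address, and the kernel routing table still decides which interface the packet leaves on (with two WANs that usually means a policy-routing rule keyed on that source address), and named does not fall back to the other WAN if the one holding that address goes down; and the port should be left random, because a fixed source port removes the port randomization that protects a resolver against cache poisoning.

```conf
options {
    // Added example, not from the thread.  203.0.113.5 and 2001:db8:1::5
    // stand for the addresses on the WAN interface that should carry
    // outgoing resolution; replace them with the real ones.
    query-source    address 203.0.113.5;
    query-source-v6 address 2001:db8:1::5;

    // The source address alone does not pick the interface; on Linux the
    // routing table does.  A policy-routing rule keyed on the address does
    // that, e.g. (table name assumed):
    //   ip rule add from 203.0.113.5 lookup wan1
    //   ip -6 rule add from 2001:db8:1::5 lookup wan1

    // Weak form, shown for contrast and deliberately commented out: fixing
    // the source port (often done to satisfy a strict firewall) disables
    // source-port randomization and makes cache poisoning far easier.
    // Leave the port unspecified so named picks a random one per query.
    // query-source address 203.0.113.5 port 53;
};
```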


Re: Bind query logging

2023-06-09 Thread Darren Ankney
Hi Zoltan,

Can you share your entire logging {} block?  Maybe there will be some
clue there.

Thank you,

Darren Ankney

On Fri, Jun 9, 2023 at 8:14 AM Kereszt Vezeték wrote:
>
> Hi Everybody !
>
> I have a bind9 server with query logging set up.
> It works well, but all of the query records are also logged to the /var/log/syslog file.
> Can I avoid that duplicated logging? I would like to see only the separate log 
> file.
> Related configuration (Debian 11):
>
> ---
> channel query_log {
>     file "/var/log/bind/queries/query.log" versions 10 size 50m;
>     severity info;
>     print-category yes;
>     print-severity yes;
>     print-time yes;
> };
> category config { query_log; };
> category queries { query_log; };
> ---
>
> Thank You
> regards
> zoltan
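For reference, the shape of a complete logging block of the kind Darren asks for, added here as an example and not Zoltan's actual configuration. named writes a message only to the channels assigned to its category; only categories that are not assigned at all fall back to the built-in default_syslog and default_debug channels. So if query records are still reaching syslog, the logging statement that actually takes effect is worth checking with `named-checkconf -p`, which prints the configuration as named parsed it with all includes resolved. Channel names, the syslog facility and the file path are assumptions.

```conf
logging {
    // Added example.  General server messages keep going to syslog (on
    // Debian, rsyslog/journald writes them to /var/log/syslog); syslog adds
    // its own timestamp, so print-time is not needed here.
    channel general_syslog {
        syslog daemon;
        severity notice;
        print-category yes;
        print-severity yes;
    };

    // Query records go to their own rotated file and nowhere else.
    channel query_log {
        file "/var/log/bind/queries/query.log" versions 10 size 50m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    // "default" stands for every category not listed explicitly.  Assigning
    // it replaces the built-in default_syslog/default_debug fallback, so the
    // only way a record reaches syslog is through a channel named here.
    category default      { general_syslog; };
    // Query records (and query processing errors) go to the file only.
    category queries      { query_log; };
    category query-errors { query_log; };
};
```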


Workaround needed for TSIG Zone Transfer

2023-06-09 Thread Frey, Rick E via bind-users
I've got a case where I am using BIND (v9.16.41) as a secondary to a third-party 
(commercial) primary nameserver.  Using TSIG for the zone transfers.  I have 
verified zone transfers and the TSIG key using dig between hosts.  BIND is 
configured to use TSIG for the primary server using the server x.x.x.x { keys 
"somekey"; } directive.

The problem is that the primary server does not sign the response with TSIG for the 
SOA query sent by BIND to determine if an update is needed.  Since the response to the 
SOA query is not signed, BIND considers the response invalid:

Sample log message when the SOA response is not signed:
zone some-domain.com/IN: refresh: failure trying master x.x.x.x#53 (source 
0.0.0.0#0): expected a TSIG or SIG(0)

I know that BIND is not at fault and that the primary server is breaking RFC 8945, as 
any query with TSIG is required to return a TSIG RR in the response.  I am working 
with the vendor of the primary nameserver to resolve it.  The vendor is a pretty widely 
used provider, so I'm a bit surprised the issue has not occurred before now.

Mainly wondering if there is any workaround available to allow BIND to either 
not send TSIG in the SOA query to the primary server (but still use TSIG for the zone 
transfer) or accept the SOA response without a TSIG RR.  I was unable to find any 
means to configure this behavior when reading through the BIND documentation.


Rick

This email message and any attachments are for the sole use of the intended 
recipient(s). Any unauthorized review, use, disclosure or distribution is 
prohibited. If you are not the intended recipient, please contact the sender by 
reply email and destroy all copies of the original message and any attachments.

Sensitivity: Internal


Re: Workaround needed for TSIG Zone Transfer

2023-06-09 Thread Mark Andrews
There is no workaround that I can think of.

As an aside I’d be specifying the key in the primaries clause rather than 
server clause. 
-- 
Mark Andrews

> On 10 Jun 2023, at 07:52, Frey, Rick E via bind-users wrote:
> 
> 
> I've got a case where I am using BIND (v9.16.41) as a secondary to a third-party 
> (commercial) primary nameserver.  Using TSIG for the zone transfers.  I have 
> verified zone transfers and the TSIG key using dig between hosts.  BIND is 
> configured to use TSIG for the primary server using the server x.x.x.x { keys 
> "somekey"; } directive.
> 
> The problem is that the primary server does not sign the response with TSIG for 
> the SOA query sent by BIND to determine if an update is needed.  Since the response 
> to the SOA query is not signed, BIND considers the response invalid:
> 
> Sample log message when the SOA response is not signed:
> zone some-domain.com/IN: refresh: failure trying master x.x.x.x#53 (source 
> 0.0.0.0#0): expected a TSIG or SIG(0)
> 
> I know that BIND is not at fault and that the primary server is breaking RFC 8945, 
> as any query with TSIG is required to return a TSIG RR in the response.  
> I am working with the vendor of the primary nameserver to resolve it.  The vendor is 
> a pretty widely used provider, so I'm a bit surprised the issue has not occurred 
> before now.
> 
> Mainly wondering if there is any workaround available to allow BIND to either 
> not send TSIG in the SOA query to the primary server (but still use TSIG for the 
> zone transfer) or accept the SOA response without a TSIG RR.  I was unable to find 
> any means to configure this behavior when reading through the BIND documentation.
> 
> Rick


Re: Workaround needed for TSIG Zone Transfer

2023-06-09 Thread Ondřej Surý
Hi Rick,

even though I should be destroying this message (Sensitivity: Internal.), I 
am rather going to respond…

Our colleague Tony Finch has written nsnotifyd: https://dotat.at/prog/nsnotifyd/

Run this somewhere close to the proprietary server and configure it to send 
valid notifies to named. Then configure the non-conformant proprietary server 
to send notifies to nsnotifyd.

My recommendation would still be to save money by replacing the broken 
proprietary stuff with open source.

Alternatively, perhaps the server can send notifies from a different IP address 
than the address of the primary NS? You might be able to configure different 
ACLs for the allow-notify block and not couple the notify IP with any TSIG 
key.

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 9. 6. 2023, at 23:52, Frey, Rick E via bind-users wrote:
> 
> 
> I've got a case where I am using BIND (v9.16.41) as a secondary to a third-party 
> (commercial) primary nameserver.  Using TSIG for the zone transfers.  I have 
> verified zone transfers and the TSIG key using dig between hosts.  BIND is 
> configured to use TSIG for the primary server using the server x.x.x.x { keys 
> "somekey"; } directive.
> 
> The problem is that the primary server does not sign the response with TSIG for 
> the SOA query sent by BIND to determine if an update is needed.  Since the response 
> to the SOA query is not signed, BIND considers the response invalid:
> 
> Sample log message when the SOA response is not signed:
> zone some-domain.com/IN: refresh: failure trying master x.x.x.x#53 (source 
> 0.0.0.0#0): expected a TSIG or SIG(0)
> 
> I know that BIND is not at fault and that the primary server is breaking RFC 8945, 
> as any query with TSIG is required to return a TSIG RR in the response.  
> I am working with the vendor of the primary nameserver to resolve it.  The vendor is 
> a pretty widely used provider, so I'm a bit surprised the issue has not occurred 
> before now.
> 
> Mainly wondering if there is any workaround available to allow BIND to either 
> not send TSIG in the SOA query to the primary server (but still use TSIG for the 
> zone transfer) or accept the SOA response without a TSIG RR.  I was unable to find 
> any means to configure this behavior when reading through the BIND documentation.
> 
> Rick
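The configuration Mark and Ondřej describe, written out as an added example (it is not from any of the messages; the key name, secret, zone and addresses are placeholders, 192.0.2.1 standing for the x.x.x.x primary and 198.51.100.7 for a second notify source). It does not change the behaviour Rick hit: once a key is attached to a primary, named signs every message it sends there, including the refresh SOA query, and rejects any response that does not carry a matching TSIG, which is what "expected a TSIG or SIG(0)" reports. The same condition can be reproduced from a shell by signing a plain SOA query the way named does, `dig @192.0.2.1 -y hmac-sha256:somekey:<secret> some-domain.com SOA`: a conforming primary's answer ends with a TSIG pseudosection, and the one described in this thread does not.

```conf
// Added example; placeholders throughout.
key "somekey" {
    algorithm hmac-sha256;
    // Placeholder, not a real secret.  Generate one with:
    //   tsig-keygen -a hmac-sha256 somekey
    secret "cGxhY2Vob2xkZXItc2VjcmV0LW5vdC1mb3ItdXNl";
};

zone "some-domain.com" {
    type secondary;
    file "secondaries/some-domain.com.db";

    // Mark's suggestion: attach the key in the primaries clause instead of
    // a global "server x.x.x.x { keys "somekey"; };" statement, so the key
    // is scoped to this zone and this primary only.  named then signs the
    // SOA refresh query and the IXFR/AXFR request with it and requires a
    // matching TSIG on every response.
    primaries { 192.0.2.1 key "somekey"; };

    // Ondřej's alternative: NOTIFY is admitted by ACL and need not be
    // signed, so a notifier at a second address (for example a host
    // running nsnotifyd close to the primary) can be allowed without
    // tying that address to any TSIG key.
    allow-notify { 192.0.2.1; 198.51.100.7; };
};
```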