Re: Logging issue with bind
On Fri, 17 Feb 2012, Mark Andrews wrote:

> > Do:
> >
> > rndc querylog
>
> or "querylog yes;"

But the previous email showed rndc status had:

query logging is ON

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Logging issue with bind
On Fri, 17 Feb 2012, Andrea Gozzi wrote:

> All further tests haven't produced any results.

Any related log messages in your other named logging about it. (Maybe some isc_stdio_open error for example?)

Why were the permissions of your log file rwxrwxrwx? (Why executable? Why writable by other?) (Your other email showed it changed to rw-r--r-- so maybe this is unrelated.)

Just to be clear, did named create the zero byte file, or did you manually create it?

Is it possible there weren't any queries? (Maybe testing wrong system?)

Maybe your rndc is configured to control a different server so the querylog was enabled at wrong place? (But maybe not since your named.stats file is growing.)

> Should I escalate this with the bind9-bug or to the debian package
> maintainer?

Anyone else reproduce problem? (I tested and it still works for me, but not same version.)

What is the name and version of the Debian BIND package(s) you are using?
Re: www.glb.hud.gov
On Thu, 19 Apr 2012, Richard Laager wrote:

> Are others timing out trying to resolve www.glb.hud.gov? This seems
> (though I haven't done extensive testing) to only happen to me with
> BIND.

The nameservers 170.97.67.51 and 170.97.67.139 time out when asking for glb.hud.gov DNSKEY.

> http://dnsviz.net/d/www.glb.hud.gov/dnssec/ shows a couple of DNSKEY
> warnings, so maybe that's it. I always suspect DNSSEC when I have
> problems with .gov domains, but I commented out "dnssec-enable yes" in
> my named.conf and it didn't help.

Commenting it out just means to use the default which is still enabled. To test use "dig +cd".

Jeremy C. Reed
ISC
Re: Convince Bind to listen on IP alias with a range of IPs.
On Mon, 30 Apr 2012, Augie Schwer wrote:

> I must be doing something wrong, because what I want to do doesn't
> seem that difficult.
>
> I have a range of IPs bound to a local interface:
>
> lo:1 Link encap:Local Loopback
> inet addr:10.0.0.1 Mask:255.255.255.224
>
> And I want to convince Bind to listen on sub-set of the given range (
> 10.0.0.2 for example ), yet when I configure that IP:
>
> listen-on { 10.0.0.2; };
>
> Bind won't listen on that interface:
>
> "named[15035]: not listening on any interfaces"
>
> Bind has no problem listening on 10.0.0.1 however, so there must be
> some configuration option I am missing.
>
> Any help is appreciated.
>
> augie@augnix:~$ named -v
> BIND 9.7.0-P1

Your interface output above doesn't show the other IP. Maybe you need to run something like:

ifconfig lo:1 10.0.0.2 up
Re: Host command timing out sporadically
On Wed, 2 May 2012, Paul Marais wrote:

> I'm having an issue where my postfix server is having trouble with some
> lookups.
> When I type 'host ', 80% of the time I get decent reply speed, but
> for 20% I get a 5 second delay, or even a timeout.
>
> My nameserver is configured to only allow recursion for hosts on my local
> network, and I have my ISP dns in my forwarders.
> My resolv.conf has 127.0.0.1, my internal ip, and the ip for my isp DNS
>
> Any help will be greatly appreciated.

You may want to give us some specific examples.
Re: Operation cancelled Error
On Thu, 24 May 2012, Ben wrote:

> > version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
> > CPUs found: 8
> > worker threads: 8
> > number of zones: 19
> > debug level: 0
> > xfers running: 0
> > xfers deferred: 0
> > soa queries in progress: 0
> > query logging is ON
> > recursive clients: 6400/29900/3
> > tcp clients: 0/100
> > server is up and running
> >
> >
> > i constantly watch rndc status command , and at recursive-clients tab ,
> > first values increases maximum up to 6000-6500, why it is not going to
> > maximum which i define 3..?

I don't know why it never reached the maximum.

resperf should try to scale up to attempting 100,000 questions in its last second. (At 60th second I think; the final 40 seconds is waiting for responses.) It only tries 74038 during its total time, but I am not sure what is limiting it.

Maybe your datafile is not unique enough? Maybe your source port range is not large enough? So then BIND 9 is matching existing requests and dropping.

It depends a lot on the dataset. (I think I have seen around 17,000 queries with resperf and as low as 236 qps -- in this case it was depending on number of ACLs.)

I don't know why you have the burst of "operation canceled". (The ISC_R_CANCELED can happen from different problems.)

> > rndc status shows 8 worker process, when i checked by pgrep named , it
> > shows only single instance.so does it need to show 8 instance or ?

8 worker threads is different than 8 processes.

> > Currently we use bind as caching name server , so why rndc status shows
> > number of zones 19..?

The 19 zones are built-in zones. (See the ARM for the list.)

By the way, to set some comparison maximum baseline you can try having resperf query the built-in zones. (It won't be real recursive work, but should show you some potential maximum qps.)

Jeremy C. Reed
ISC
Re: Bind 9.9.x operation with dnssec
On Fri, 1 Jun 2012, Alan Batie wrote:

> When it comes to the DS records registered at the registrar, I'm not
> sure where that comes from: the only way I can see to get it is to do a
> DS query from the nameserver (and at least one document basically said
> that). First, I'd like to know where it comes from, and second, it
> seems much too small, given ksks are supposed to be bigger as a result
> of being longer lived:
>
> raindrop.us. 1903 IN DS 41190 5 2
> C2927E697D868DB1AEF54642E9B59079CF5412AAA36846290AB20215 9CBAFBEA
>
> vs
>
> raindrop.us. 3600 IN DNSKEY 256 3 5
> AwEAAb3vNnkqkoG7brIDkPDSbnFDeFV2FmD+RktZFL3DDIIkM9Xkpker
> sFTscUWFeta/DEBg8Jvgznyw6iiBCPob5Q9Vluv4mT+HNAm5F2W5wLww
> FkJ8ia1xuZoAAl3jCHW3Cj5Dkkr0yVSSZrbORJ1/PnnKhb09o2LPjMr6 /hUjzlzV

You can use the dnssec-dsfromkey tool to generate the DS records (using the 257/KSK).

The DS is smaller because it is a digest (hash) of the public key.
Re: Compiling and testing on Fedora
I don't immediately recognize the issue. But hopefully the detailed named debugging output is saved. Look for the "*.run" (maybe named.run) files.
Re: Dig 9.9.1 AD-bit
On Thu, 2 Aug 2012, Marco Davids (SIDN) wrote:

> Dig 9.9.1 is setting the AD-bit in queries by default.
>
> Does anyone know why?

3205. [func] Upgrade dig's defaults to better reflect modern nameserver behaviour. Enable "dig +adflag" and "dig +edns=0" by default. Enable "+dnssec" when running "dig +trace". [RT #23497]

> Took me a while to figure out, among other things because Wireshark has
> a little bug that prevents the AD-bit being shown in queries.
>
> (reported as bug 2472 and 7555 on https://bugs.wireshark.org/bugzilla/)
Re: Version statement...
How are you testing it? Where do you see the wrong version?
Re: Zone Transfer issue on BIND9
On Fri, 24 Aug 2012, sn...@email.it wrote:

> ***MASTER server (FreeBSD 9.0-RELEASE-p3 (i386)|| BIND 9.8.3-P2)***
> view "internal" {
> match-clients { !key TSIG-KEY; internal; datacentre; }; ...
> view "dmz" {
> match-clients { !key TSIG-KEY; internal; datacentre; };

A client request will be resolved in the context of the first view that it matches. The above match-clients are identical for different views so the dmz view is not used.

> ***SLAVE server (FreeBSD 9.0-RELEASE-p3 (amd64)|| BIND 9.8.1-P1)***
> view "internal" {
> match-clients { !key TSIG-KEY; internal; datacentre; };
> view "dmz" {
> match-clients { !key TSIG-KEY; internal; datacentre; };
Re: Zone Transfer issue on BIND9
On Fri, 24 Aug 2012, sn...@email.it wrote:

> view "internal" { ...
> zone "1.16.172.in-addr.arpa" IN {
> type master;
> file "/etc/namedb/master/1.16.172.in-addr.arpa.ext.zone";

Previous zone file names in this same view were called "int". Why the filename change? (ext means "external" even though in the internal view?)

> ***SLAVE server (FreeBSD 9.0-RELEASE-p3 (amd64)|| BIND 9.8.1-P1)***
> key TSIG-KEY. { ...
> allow-notify { 171.XX.YY.27; 10.0.0.15; };
> listen-on { 171.XX.YY.27; 127.0.0.1; };

Is the allow-notify 171.XX.YY.27 address same as the listen-on 171.XX.YY.27 address? This is confusing as the allow-notify is a different server and listen-on is this server.

> view "internal" {
> match-clients { !key TSIG-KEY; internal; datacentre; };

What defines that TSIG-KEY? Notice it doesn't have the trailing period "TSIG-KEY." as defined earlier.

From your later email:

> Files are identical within the DOMAIN, not the VIEW.
> For example, on the slave server:
> DOMAIN01.eu.int.zone
> DOMAIN01.eu.ext.zone
>
> are exactly the same (also same checksum)

Are they a copy of the internal or external view's zone on the master?

It is a little difficult to follow the configuration when using maybe fake IP addresses, fake zone names, and fake filenames. You may want to simplify your named.conf to bare minimum (two views and one zone each) for initial testing.
Re: Problem with ACL in named.conf
On Thu, 30 Aug 2012, GS Bryan wrote:

> also-notify { "alladdr"; };

This uses an ip_addr instead of an address_match_list. Some versions of named-checkconf will tell you "expected IP address".

> /etc/named.conf:111: masters "alladdr" not found

I can't reproduce your problem. What version of BIND are you running? (I am surprised it didn't log the version.)

Also please consider using named-checkconf in your testing.
Re: Issue with Minimum Value for named9
On Fri, 21 Sep 2012, Robert JR wrote:

> i have the minimum value in my dns server as 60 mins, and my TTL is 60
> Seconds , but still when users hit a non exist record , the other dns hold
> the negative cache for 60 secs instead of 60 mins .. ? why ?
>
> $TTL 60
> @ IN SOA NS1.TEST.BIZ. Abuse.TEST.BIZ. (
> 201208281 ; serial, todays date + todays serial #
> 8H ; refresh, seconds
> 2H ; retry, seconds
> 4W ; expire, seconds
> 1H ) ; minimum, seconds
> ;
>
> Although my configuration above, all DNS servers that query my server, cache
> the non exist record for 60 seconds only and not 60 mins
> As mentioned in my configuration ? any ideas why ?

See RFC 2308 in regards to Caching Negative Answers about how the auth server returns an SOA for a NXDOMAIN:

``When the authoritative server creates this record its TTL is taken from the minimum of the SOA.MINIMUM field and SOA's TTL.''

It used the smaller TTL.

I often see the reverse -- for example, the SOA's TTL is 7200 and the MINIMUM is 3600, so the returned record (in the auth section) has the TTL as 3600.
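The RFC 2308 rule quoted above, applied to zone text, as an added example that is not part of the original message: a small parser that reads `$TTL` and the SOA record (BIND-style unit suffixes, parentheses and `;` comments) and reports the TTL a negative answer would carry. `PAGE_ZONE` is the zone from the question; `REVERSE_ZONE` is a constructed zone for the 7200/3600 case, and the function names are hypothetical.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
CLASSES = {"IN", "CH", "HS"}


def parse_ttl(text):
    """Seconds from a BIND-style TTL: plain digits or units such as 1H, 4W, 1h30m."""
    text = text.lower()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([smhdw])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError("not a TTL: %r" % text)
    return sum(int(n) * UNITS[u] for n, u in parts)


def negative_cache_ttl(zone_text):
    """Return the SOA's own TTL, SOA.MINIMUM, and the smaller of the two."""
    default_ttl = None
    soa_ttl = None
    fields = None  # tokens following "SOA": mname rname serial refresh retry expire minimum
    for line in zone_text.splitlines():
        bare = line.split(";", 1)[0].replace("(", " ").replace(")", " ")
        tokens = bare.split()
        if not tokens:
            continue
        if fields is None:
            if tokens[0].upper() == "$TTL":
                default_ttl = parse_ttl(tokens[1])
                continue
            upper = [t.upper() for t in tokens]
            if "SOA" not in upper:
                continue
            at = upper.index("SOA")
            # Skip the owner name unless the line starts with whitespace.
            first = 0 if line[:1].isspace() else 1
            for tok in tokens[first:at]:
                if tok.upper() not in CLASSES:
                    soa_ttl = parse_ttl(tok)  # explicit TTL on the SOA record
            fields = tokens[at + 1:]
        else:
            fields.extend(tokens)  # SOA continued over several lines
        if fields is not None and len(fields) >= 7:
            break
    if fields is None or len(fields) < 7:
        raise ValueError("no complete SOA record found")
    minimum = parse_ttl(fields[6])
    if soa_ttl is None:
        # No explicit TTL: $TTL applies; without $TTL, fall back to MINIMUM
        # (the older RFC 1035 convention, assumed here).
        soa_ttl = default_ttl if default_ttl is not None else minimum
    return {"soa_ttl": soa_ttl, "minimum": minimum,
            "negative_ttl": min(soa_ttl, minimum)}


# Zone text from the question above.
PAGE_ZONE = """\
$TTL 60
@ IN SOA NS1.TEST.BIZ. Abuse.TEST.BIZ. (
    201208281 ; serial, todays date + todays serial #
    8H ; refresh, seconds
    2H ; retry, seconds
    4W ; expire, seconds
    1H ) ; minimum, seconds
"""

# Constructed zone for the reverse case: SOA TTL 7200, MINIMUM 3600.
REVERSE_ZONE = "@ 7200 IN SOA ns1.example. admin.example. 1 8H 2H 4W 3600\n"

if __name__ == "__main__":
    print(negative_cache_ttl(PAGE_ZONE))
    print(negative_cache_ttl(REVERSE_ZONE))
```

To get the intended 60 minutes of negative caching with this zone, the SOA record itself needs a TTL of at least 3600 (an explicit TTL on the record or a larger `$TTL`), since `$TTL 60` is what the SOA inherits.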
Re: How to prevent BIND from resolving addresses in logs
On Thu, 27 Sep 2012, Spumonti Spumonti wrote:

> I just installed BIND 9.9.1-P3 from source and while looking through
> the query log files I noticed that IP addresses were being resolved:
>
>
> 27-Sep-2012 12:01:56.512 client 192.168.5.10#44863 (host.foo.com):
> query: www.ibm.com ...

That is:

2570. [func] Log the destination address the query was sent to. [RT #19209]

> In my other servers which are running the redhat packaged version of
> BIND (9.8.2), my query logs look like:
>
> 27-Sep-2012 14:04:03.523 client 192.168.5.30#64638: query: www.amazon.com ...
> I'm sure there's something completely obvious that I've missed. How
> do I stop BIND from resolving these addresses and just including the
> IP address in the log file?

That feature isn't offered. Is it inconvenient to know where the query was sent to?
Re: Disable log message
On Thu, 18 Oct 2012, Jack Tavares wrote:

> I am running bind9.8.x built from source and I see this message in the logs
> built with '--prefix=/blah' '--sbindir=/blah' '--sysconfdir=/blah'
> '--localstatedir=/var' '--exec-prefix=/usr' '--libdir=/usr/lib'
> '--mandir=/usr/share/man' '--with-openssl=/blah' '--enable-fixed-rrset'
> '--enable-shared' '--enable-threads' '--enable-ipv6' '--with-libtool' etc
> etc etc
>
> I would prefer to not have that show up in the log.
>
> Short of modifying the source, is there an easy way to disable that?

No way to disable just it. It is in the "general" catch-all category.
Re: squash 'client query (cache) denied' syslog entries
On Thu, 18 Oct 2012, David Dowdle wrote:

> Some of my external facing nameservers are under attack, and the biggest
> fallout, is the machines going into iowait from logging all the client query
> denied syslog messages.
>
> note: yes, recursion is turned off on these machines.
>
> The current logging is a very vanilla
>
> logging {
> category default { default_syslog; default_debug; };
> category lame-servers { null; };
> // below 2 lines are for logging EVERY query. this can fill a drive
> //channel "querylog" { file "/var/log/named/query.log"; print-time
> yes; };
> //category queries { querylog; };
> };
>
>
> I'd like to keep logging going, for obvious reasons, but need to kill the
> 'client query (cache) denied' messages
>
> so far all the google-found 'solutions' are: turn off all logging

Maybe discard all security logging with:

category security { null; };

Or set up a new channel for handling security with a "severity" of "notice" or higher -- and then set the category for security to use that custom channel. (This cache denied logging is at the "info" level so shouldn't be logged at notice or higher.)

A custom my_security_channel example is in the ARM documentation which may provide some hints.
Re: BIND 9.9.1-P4 is now available
> Let me define what "hung" means in our experience: We find that named is
> running but will not respond to queries, "rndc status" will respond with
> output but that output shows that named is not processing any queries (see
> below), other rndc commands appear to work as well (e.g., "rndc dumpdb").

Does it work if you restart named?

If not, can you confirm it is listening on your intended interfaces (including 127.0.0.1) even if not working?

> $ time host www.google.com 127.0.0.1
> ;; connection timed out; no servers could be reached

Can you confirm that you can query for that without? (Such as dig @216.239.34.10 www.google.com or dig @8.8.8.8 www.google.com)

> $ time host localhost 127.0.0.1
> ;; connection timed out; no servers could be reached

Do you have a localhost zone defined?

(Sometimes the messages from host like the one above are misleading and even the named may be working correctly but it is slow.)

Jeremy C. Reed
ISC
Re: Need to improve named performance
On Mon, 12 Nov 2012, Ed LaFrance wrote:

> Currently I'm not using query logging, it's not in my options at all.

I think "rndc querylog" was used to enable it (even if no corresponding logging configuration). You can use it again to toggle it off. "rndc status" will show if query logging is on or off.

I think in an earlier message you said rndc didn't work for you, but your named.conf does have some configuration for it, so maybe you need to use a different rndc (maybe installed multiple times?) or point to the correct configuration.
Re: another performance tuning question
On Fri, 30 Nov 2012, Adamiec, Lawrence wrote:

> I got similar results when running against the master server.

Then why so many lost?

> Queries sent: 11000 queries
> Queries completed: 8968 queries
> Queries lost: 2032 queries ...
> Percentage completed: 81.53%
> Percentage lost: 18.47%

Look at your queryperf data file and figure out what is not hosted by you. Some of my systems get around 60,000 QPS with none lost.

If really do host these on same system, and are really lost, then will need other research.

Even if you are doing recursive work, your results are quite slow. You may want to look in your queryperf input to see what is causing problems. (It may not be a realistic, real world input set.)
Re: Strange Issue
On Wed, 12 Dec 2012, Paula Bailey wrote:

> I have a zone file in a view and there seems to be a single entry in the
> file that shows and nxdomain when queried.
>
> I have confirmed the view is correct and other entries are resolvable. I
> have also run named-checkconf which shows no errors. There are also no
> errors in the logs.
>
> Any ideas?

You may want to verify you are querying the correct name server? (and enable extra logging for that)

Also it may be easier for others to point out problems if you show the actual configurations, data, reproducible steps, etc.

Jeremy C. Reed
ISC
BIND 10 - 1.0.0 Beta Release
k' failure when running perfdhcp unit tests. The unit tests used to read files from the folder specified with the path relative to current folder, thus when the test was run from a different folder the files could not be found. (Trac #2479, git 4e8325e1b309f1d388a3055ec1e1df98c377f383)

515. [bug] jinmei
    The in-memory data source now accepts an RRSIG provided without a covered RRset in loading. A subsequent query for its owner name of the covered type would generally result in NXRRSET; if the covered RRset is of type NSEC3, the corresponding NSEC3 processing would result in SERVFAIL.
    (Trac #2420, git 6744c100953f6def5500bcb4bfc330b9ffba0f5f)

514. [bug] jelte
    b10-msgq now handles socket errors more gracefully when sending data to clients. It no longer exits with 'broken pipe' errors, and is also better at resending data on temporary error codes from send().
    (Trac #2398, git 9f6b45ee210a253dca608848a58c824ff5e0d234)

513. [func] marcin
    Implemented the OptionCustom class for DHCPv4 and DHCPv6. This class represents an option which has a defined structure: a set of data fields of specific types and order. It is used to represent those options that can't be represented by any other specialized class.
    (Trac #2312, git 28d885b457dda970d9aecc5de018ec1120143a10)

512. [func] jelte
    Added a new tool b10-certgen, to check and update the self-signed SSL certificate used by b10-cmdctl. The original certificate provided has been removed, and a fresh one is generated upon first build. See the b10-certgen manpage for information on how to update existing installed certificates.
    (Trac #1044, git 510773dd9057ccf6caa8241e74a7a0b34ca971ab)

511. [bug] stephen
    Fixed a race condition in the DHCP tests whereby the test program spawned a subprocess and attempted to read (without waiting) from the interconnecting pipe before the subprocess had written anything. The lack of output was being interpreted as a test failure.
    (Trac #2410, git f53e65cdceeb8e6da4723730e4ed0a17e4646579)

510. [func] marcin
    DHCP option instances can be created using a collection of strings. Each string represents a value of a particular data field within an option. The data field values, given as strings, are validated against the actual types of option fields specified in the options definitions.
    (Trac #2490, git 56cfd6612fcaeae9acec4a94e1e5f1a88142c44d)

509. [func] muks
    Log messages now include the pid of the process that logged the message.
    (Trac #1745, git fc8bbf3d438e8154e7c2bdd322145a7f7854dc6a)

508. [bug] stephen
    Split the DHCP library into two directories, each with its own Makefile. This properly solves the problem whereby a "make" operation with multiple threads could fail because of the dependencies between two libraries in the same directory.
    (Trac #2475, git 834fa9e8f5097c6fd06845620f68547a97da8ff8)

Thanks again to those who contributed bug reports, code, and reviews.

Jeremy C. Reed
ISC Release Engineer
what do you use for logging?
BIND 9 by default has logging using syslog, using its daemon facility, and logging of info or higher.

Is using syslog a sane default for new installations or when using official vendor packages with their startup scripts?

Do any packagers provide a configuration with different-than-default logging setup? (What and why?)

(I am researching this to help decide on a good default for BIND10. It currently logs to the console by default, but does have syslog and log to file support available. By the way, all of the BIND10 logging messages are unique and we provide a paragraph or more documentation for each of its 933 possible log identifiers!)

Thanks!

Jeremy C. Reed
ISC
Re: Performance impact of a large ACL list.
On Mon, 4 Feb 2013, Augie Schwer wrote:

> Does anyone have any experience using a large ( 1k ) entry ACL list?
> Was there any performance degradation?
>
> I haven't implemented my ACL yet, but it has quickly ballooned up, and I am
> hoping to get some advice from others in a similar situation.

It has been a few years since I researched this. (I should re-add this to my existing performance and resource usage tests.)

BIND 9.5 had various ACL improvements including support for O(1) ACL processing, based on radix tree code.

As one example, with 20,000 to 100,000 ACLs some of my tests for 9.4 only has around 80 to 400 qps, while the new version has around 21,000 qps.
BIND 10 - 1.0.0 Release Candidate
reports, code, and reviews.

Bugs may be reported as tickets via the developers website (after logging into Trac) at: http://bind10.isc.org/

Please feel free to participate and share your feedback on the BIND 10 mailing lists:

https://lists.isc.org/mailman/listinfo/bind10-users
https://lists.isc.org/mailman/listinfo/bind10-dev

Jeremy C. Reed
ISC Release Engineering
Re: "make test" fails on Fedora 10
On Wed, 27 Mar 2013, Luther, Dan wrote:

> For the tests, BIND starts up with an empty group descriptor:
>
>
>
> I:issuing command '/home/luther/bind-9.9.2-P2/bin/named/named -m
> record,size,mctx -T clienttest -c named.conf -d 99 -g >named.run 2>&1 &echo
> $!'

I guess you are talking about -g. It is not a switch for group.
Re: "make test" fails on Fedora 10
On Wed, 27 Mar 2013, Luther, Dan wrote:

> Working with the BIND 9.9.2-P2 compile, I just spent several minutes
> tracking the source of this down with some judicious use of "print" in the
> "bin/tests/system/start.pl" script and viewing the "*.run" output. It really
> comes down to file permissions -- a particular line from
> "bin/tests/system/inline/ns1/named.run" pointed me in that direction:
>
>
>
> 27-Mar-2013 14:24:53.970 could not open file 'named.pid': Permission denied
>
>
>
> Apparently, the file ownerships for this entire test suite are for a user
> and group I do not have:
>
>
>
> -rw-rw-r-- 1 10292 9901 2806 Mar 6 11:56 run.sh

I assume you extracted the tarball as root. If you are using GNU tar, have a look at the --same-owner documentation in the manual page about this. Maybe your problem will go away if you extract as yourself.
Re: This list's prefix
On Wed, 5 Jun 2013, Narcis Garcia wrote:

> It's not the only mailing list where I'm subscribed.
> Could please the administrator setup a prefix for messages' subject?
>
> For example:
> [bind-u]

Please just have your MUA or your mail filtering client look at the following header (and add the subject line prefix as you like):

List-Id: BIND Users Mailing List
Re: Notice: BIND Security Jul2013 CVE2013-4854
On Sat, 27 Jul 2013, Emil Natan wrote:

> How the downloads can be verified? Are there any checksums/signatures
> available? Thanks.

The signatures I created are available via the download server:

http://ftp.isc.org/isc/bind9/9.8.5-P2/
http://ftp.isc.org/isc/bind9/9.9.3-P2/

(also available via FTP)

Jeremy C. Reed
ISC
Re: auto-dnssec maintain and no key: no error message?
On Tue, 30 Jul 2013, Stephane Bortzmeyer wrote:

> Of course, there is no signature:
>
> % dig +multi @localhost SOA auto.rd.nic.fr

Add +dnssec
Re: the location of dig and named
On Wed, 28 Aug 2013, Nidal Shater wrote:

> when I typed dig or named ,,, what is the location of the executable
> program dig and named is ?

Maybe one of these will help:

command -v dig
type dig
which dig
whereis dig
command -v named
type named
which named
whereis named

There are many other ways to find out.

If you built from source, the default is /usr/local/bin/dig and /usr/local/sbin/named. Unless you used --prefix (or --sbindir or --bindir).
Re: Upgrade Bind documentation
On Thu, 24 Oct 2013, Davis, Donald W wrote:

> Does anyone have any advice or perhaps documentation for upgrading Bind? I
> currently have two AIX servers running as Master/Slave. I need to upgrade
> from v9.8.1-P1 to v9.8.6. I will need to document an implementation plan
> for change control and was hoping someone else may have something they can
> share.
>
> I've browsed the ISC web site looking for release notes, install/compile
> instructions, migration plans, etc without much success.

Here are some links for you:

http://ftp.isc.org/isc/bind9/9.8.6/RELEASE-NOTES-BIND-9.8.6.txt
https://kb.isc.org/article/AA-01054/81/BIND-9.8.6-Release-Notes.html

The brief installation directions are in the tarballs' README file.

Our operating specific hints are at https://kb.isc.org/category/48/0/10/Software-Products/BIND9/FAQs/Operating-System-Specific/ but none for AIX.

We don't have a migration guide specific for 9.8 series (we do have a migration details from 8 to 9). I'd expect that all the configurations from 9.8.1 through 9.8.6 are compatible.

The 9.8.6 reference is at http://ftp.isc.org/isc/bind9/9.8.6/doc/arm/Bv9ARM.html (and in the tarball).

I am working on a chart listing the major features introduced and any incompatible changes to be aware of for all of our releases. But it is not ready yet.

Jeremy C. Reed
ISC
Re: BIND9-ARM (HTML) feature request: better hyperlinking in/of chapter 6
On Wed, 20 Nov 2013, /dev/rob0 wrote:

> Chapter 6 is the comprehensive configuration reference. What I'd like
> to see is more (and plain-language, consistent) hyperlinking. The
> basic idea is that any named.conf setting could be found at an
> anchor:
>
> Bv9ARM.ch06.html#that-setting

Yes that would be great. We do something similar with the unique log messages for BIND10 and Kea; for example:

http://bind10.isc.org/docs/bind10-messages.html#AUTH_XFRIN_CHANNEL_CREATED
http://bind10.isc.org/docs/bind10-messages.html#XFROUT_IXFR_NO_ZONE

The corresponding docbook code was like:

...

> This sounds grand and relatively simple, but in practice it will
> require some thought and work. For example, we have "Grammar" and
> "Definition and Usage" subsections for each "Statement" section.
> Which one would we link to? Ideally, both, but we'd have to think
> about a good anchor naming scheme. I'd say that the name in each
> "Grammar" should hyperlink to each "Definition and Usage" name and
> vice versa.

I had thought about this several times. I published a print book based on the ARM and considered having the grammar for a specific item statement included next to the corresponding documentation -- so you don't have to look in multiple places.

> Also, what do we do in the case where the same setting is usable in
> more than one context? Looking at "Zone Options", with numerous "See
> the description of ...", this would actually help, because it would
> take you directly to the setting rather than to the subsection
> heading.

Yes. I did a lot of work on this also, but never made it into the released ARM.

By the way, I have found that the maintained dblatex (http://dblatex.sourceforge.net/) framework is easier and more reliable to use than the existing db2latex stylesheets. Hopefully someday I can finish the conversion of our Makefiles to use it instead (or as an alternative).

Thank you much for your suggestions and potential work. If you have any questions or need assistance with the PDF/HTML builds, please let me know. (I can also share with you my detailed plans also.)
Re: BIND9-ARM (HTML) feature request: better hyperlinking in/of chapter 6
On Thu, 21 Nov 2013, /dev/rob0 wrote:

> The daunting part is that I'm not sure what this will do:
>
> some-named.conf-setting
>
> ...
> See
>
> ... because at this point, it looks like the only anchors are in
> section headers. Perhaps more code will have to be added to properly
> deal with these links? Or is there some other xref modifier which
> would do it?
>
> (I suppose I can try it and see what happens.)

Yes, please try it. You can set the id in other elements too. It would be nice to fix all these because often when we regenerate the HTML, the machine-generated IDs change so it causes a huge diff for even minor changes.

Re: caps compiling error
Please see https://kb.isc.org/article/AA-01060/0/Building-BIND-9.9.4-9.8.6-and-9.6-ESV-R10-on-RHEL-and-CentOS-with-libcap-dev-installed.html

Re: BIND10 : how do I import zone files stored in mysql to BIND10 ?
On Mon, 16 Dec 2013, blrmaani wrote:

> Is there an easy way to import zone files stored in Mysql DB to Bind10?
> I checked for all the commands available here:
>
> http://bind10.isc.org/docs/bind10-guide.html
>
> and didn't find anything.

BIND10 currently doesn't support MySQL. (There was some experimental research but not completed.) BIND10 does support SQLite3 and static text master files. You may need to convert your data to other format first. Sorry we don't yet have docs on the database schema. Here is the code:
http://bind10.isc.org/docs/developers/cpp/dc/d2c/sqlite3__accessor_8cc_source.html

Jeremy C. Reed
ISC

Re: BIND10 : how do I import zone files stored in mysql to BIND10 ?
On Mon, 16 Dec 2013, blrmaani wrote:

> ok, so, If I have mysql DNS tables converted to sqlite3 format (binary
> files) and then upload to BIND10, how do I do it?

Enable the auth server using the bindctl interface:

  config add Init/components b10-auth
  config set Init/components/b10-auth/special auth
  config set Init/components/b10-auth/kind needed
  config commit

The datasources should have a default configuration, like:

  data_sources/classes/IN[0]/type "sqlite3"
  data_sources/classes/IN[0]/params {"database_file": "/home/reed/opt/bind10/var/bind10/zone.sqlite3"}

Try:

  config show data_sources/classes/IN[0]/params

to see where you should put your database file.

> I will also try digging code meanwhile ..

Have fun

Jeremy C. Reed
ISC

Re: R: DNS with several ip adessess
On Thu, 2 Jan 2014, wbr...@e1b.org wrote:

> When were views added to BIND? We started using multiple
> servers in BIND 4, and I don't recall views being available back then,
> but I didn't configure the servers, just maintained the zones.

Views were introduced in BIND 9.0.0 (September 2000).

Re: GeoIP in 9.10 RC2
> So the IPv4 Country DB is recognized and loaded, but digs from US to
> that server still result in queries from the ALL view, which is the last
> view in the config file and the test View above is the first View in the
> config file.

You may want to try the geoiplookup (provided by GeoIP software) to confirm that the IPs are really matching the database.

Re: GeoIP in 9.10 RC2
On Wed, 30 Apr 2014, Ali Jawad wrote:

> view "US" {
>
> match-clients { US; };

For now please change to:

  match-clients { geoip country US; };

Re: Issues in configuring Bind 9.10 in CentOS 6.3 with --open-ssl
On Fri, 2 May 2014, Gaurav Kansal wrote:

> checking for OpenSSL library... using OpenSSL from /usr/lib and /usr/include
>
> checking whether linking with OpenSSL works... no
>
> configure: error: Could not run test program using OpenSSL from
>
> /usr/lib and /usr/include.
>
> Please check the argument to --with-openssl and your
>
> shared library configuration (e.g., LD_LIBRARY_PATH).
>
> I have OpenSSL and openssl-devel package installed in my machine.

The config.log debugging file should contain further details that may be used to troubleshoot this. Please look in config.log for lines around "checking whether linking with OpenSSL works" (and above "## Cache variables ##" line).

Re: RRL active by default?
On Thu, 1 May 2014, Lawrence K. Chen, P.Eng. wrote:

> Does compiling in RRL mean its active, even without a rate-limit {}
> control block?

Only for the built-in Chaos "_bind" view (for id.server, authors.bind, hostname.bind, and version.bind).

RE: Issues in configuring Bind 9.10 in CentOS 6.3 with --open-ssl
On Fri, 2 May 2014, Gaurav Kansal wrote:

> Config.log doesn't showing any useful data to troubleshoot this.
> configure:15338: checking for OpenSSL library
>
> configure:15436: error: "/usr/include/openssl//include/openssl/opensslv.h"
> not found

You looked at config.log after you did a different ./configure run with the wrong --with-openssl=/usr/include/openssl/. You want to run ./configure without the --with-openssl switch. Then please look in config.log for lines around "checking whether linking with OpenSSL works" (and above "## Cache variables ##" line). (You don't have the "checking whether linking with OpenSSL works" in this output.)

> ## ##
>
> ## Cache variables. ##

Re: RRL active by default?
> On 05/02/14 09:23, Jeremy C. Reed wrote:
> > Only for the built-in Chaos "_bind" view (for id.server, authors.bind,
> > hostname.bind, and version.bind).

On Fri, 2 May 2014, Lawrence K. Chen, P.Eng. wrote:

> Awww...I found messages about version.bind.

My workaround I use is like:

  # for builtin tests do not rate-limit
  # redefine chaos builtin zones
  # can't redefine builtin view '_bind'
  view "_dnsbench_bind" chaos {
      recursion no;
      notify no;
      allow-new-zones no;
      rate-limit {
          responses-per-second 0;
      };
      zone "version.bind" chaos {
          type master;
          database "_builtin version";
      };
      zone "hostname.bind" chaos {
          type master;
          database "_builtin hostname";
      };
      zone "authors.bind" chaos {
          type master;
          database "_builtin authors";
      };
      zone "id.server" chaos {
          type master;
          database "_builtin id";
      };
  };

Or edit bin/named/config.c (you will quickly find the configuration) and make and install.

Re: bin 9.10 verbose logging
On Sat, 3 May 2014, Noel Butler wrote:

> U, since upgrade 9.9.5 to 9.10 every request to the name server is
> spewing copious amounts of debug type data (thankfully I only upgraded the
> one server)
>
> named[23250]: received packet from 207.66.8.132#53 (no opt): ;;
> ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20501 ;; flags: qr aa;
> QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION:
> ;dns2.osogrande.com.^I^IIN^I ;; AUTHORITY SECTION:
> osogrande.com.^I^I86400^IIN^ISOA^Idns1.osogrande.com.
> hostmaster.osogrande.com. 2002041909 14400 7200 604800 600
>
> Was debug left on in the final release source code? :)

It is at the "notice" severity level. The code says: "We didn't get a OPT record in response to a EDNS query." and also says "We need to drop/remove the logging here when we have more experience."

Are you getting this debugging for EDNS-related problems for "every request"? Maybe need to realize why.

Maybe you can change the setting from ISC_LOG_NOTICE to ISC_LOG_DEBUG(10) in your ./lib/dns/resolver.c. Or override the resolver category default in your named.conf.

Re: AIX and 9.9.5 compiling
Currently, some of the systems that we automatically build and run various tests on include:

  FreeBSD 4.11 i386
  FreeBSD 6.3 i386
  FreeBSD 8.4 i386
  FreeBSD 10.0-CURRENT i386
  Fedora 18 Linux 3.8.1-201.fc18.x86_64 x86_64
  Fedora 19 Linux 3.11.6-200.fc19.x86_64 x86_64
  HPUX B11.11 HPPA2.0w (HP 9000/800)
  MacOSX 10.6.6 Darwin 10.8.0 x86_64
  NetBSD 5.2 i386
  NetBSD 6.0 i386
  NetBSD 6.0.2 amd64
  Solaris 10 SunOS 5.10 sun4u sparc SUNW,Sun-Fire-V240
  Solaris 10 SunOS 5.10 sun4u sparc SUNW,UltraAX-i2
  Solaris 11 SunOS 5.11 i86pc i386
  Ubuntu 13.10 Linux 3.11.0-15-generic x86_64

The developers also use a variety of other systems like FreeBSD 9.1-RELEASE-p4 amd64, Mac OS 10.8.4 and 10.8.5, Ubuntu Linux 13.04, Fedora 19 Linux, NetBSD 6, and others, but they may have newer versions than these. There are also some Windows build systems with VS2005, VS2008, VS2010express, VS2010, and VS2012 (and maybe others).

I was also doing automated builds on OpenBSD, Debian, and Ubuntu LTS, but need to replace the server. Also our AIX machine crashed.

If you have a suggestion for an important or popular OS version I should add to our build farm, please let me know why. Thanks

Re: Error when using GeoIP
> geoip-directory "/usr/share/GeoIP/GeoIP.dat";

Should be a directory.

> in zones
>
> acl "US" {
>
> geoip country US;
>
> };
>
> view "US" {
>
> match-clients { US; }; //Once I add this it throws the error below
> ***
>
> include "/etc/named.rfc1912.zones";
>
> include "/etc/dk.sites.list";
>
> };
>
> Once I add the match-clients line it throws the error below on starting :
>
> /etc/named.conf:47: no GeoIP database installed which can answer queries of
> type 'country'
>
> geoiplookup ip.ip.ip.ip works, so I doubt that is the issue, I did try
> geoip-directory "/usr/share/GeoIP"; instead of full path but that did not
> make any difference.
>
> Any hints ?

Look at logs please. Do you have an "initializing GeoIP Country" line? Like:

  30-Apr-2014 22:11:17.908 initializing GeoIP Country (IPv4) (type 1) DB

Double-check that /usr/share/GeoIP/ is correct and that you have the correct database(s) there.

Re: Error when using GeoIP
On Tue, 1 Jul 2014, Ali Jawad wrote:

> [root@uk etc]# ls -lart /usr/share/GeoIP/
>
> -rw-r--r-- 1 root root 1206078 Jul 1 10:08 GeoIP.dat
>
> The output from the logs is
>
> Jul 1 14:38:56 uk named[1795]: using "/usr/share/GeoIP" as GeoIP directory
>
> Jul 1 14:38:56 uk named[1795]: GeoIP Country (IPv4) (type 1) DB not
> available
>
> Jul 1 14:38:56 uk named[1795]: GeoIP Country (IPv6) (type 12) DB not
> available

You may want to try another database. I use GeoLiteCity.dat for testing. Make a symlink to it named /usr/share/GeoIP/GeoIP.dat

Maybe your geoiplookup tool appears to work but is providing different results not identified as "country"? Does your geoiplookup output say "GeoIP Country Edition"?

Re: Cannot get "allow-query-on" to work
> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
> allow-query-on { 127.0.0.1; };

Please upgrade your BIND. There was a bug in allow-query-on that was fixed since 9.8.6rc2.

Please note that currently allow-query-on is only used for "zone" configurations. Use allow-cache-on if restricting accessing cache (or allow-recursion-on like you also used).

Re: test bind before moving to production
On Thu, 3 Jul 2014, brian wrote:

> I'm new to bind. I want to be able to test the dns server on my local
> machine before launching it by putting the domain names (ie example.com) in
> my browser and browsing the site.
>
> Both the dev and production machines are CentOS. I assume I'll need to edit
> the host file to redirect to the local dns. But with this method I'm not
> sure how it will resolve multiple domains (i.e. example.com and
> example2.com).

The host file (/etc/hosts I assume) won't help. You can use /etc/resolv.conf and have nameserver line point to your localhost for testing. Or use dig with the @ argument to set the address of the nameserver to use. For example, "dig @127.0.0.1 www.example.com". Then also try that from outside systems, using the @ with the network interface's address.

Re: both recursive-only BIND9 went deaf until rebooted
On Wed, 13 Aug 2014, lcon...@go2france.com wrote:

> fbsd 8.2 VM with BIND 9.9.5
>
> fbsd 10.0-RELEASE VM with BIND 9.10.0-P2
>
> the older machine had uptime of 400+ days, the new machine only a couple weeks
>
> 24 hour query logging shows several million queries/day
>
> At about the same time last night, both stopped answering queries until
> rebooted.
>
> before reboot,
>
> load of about 1 (we see elevated load alerts with ssh brute force attacks)
>
> memory not swapping, plenty of free MBs.
>
> nothing in syslog,
>
> no sign of ssh brute force, ssh worked
>
> rndc status showed ok
>
> sockstat -4 showed bind listening on :53

This part doesn't sound right. sockstat should show the local IP (or host) and the :53 port for the local bound end of the socket for all the interfaces as allowed by listen-on. The sockstat output shouldn't be just :53 nor *:53 for example. So maybe it wasn't listening to the interfaces that you expected since below you suggest that the loopback one did work.

Maybe something temporarily happened during the interface-interval scan and it detected that some interface went away? Do your logs have anything like "no longer listening on 192.168.99.99#53"? I wonder if "rndc scan" would have helped in that case to re-detect it before next interface-interval.

> all DNS queries from outside the machines timed out
>
> ssh shell command:
>
> "dig @127.0.0.1 domain.tld any" answered normally
>
> What other forensics could have been checked?

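One way to run the log check suggested in the reply above, as an added example that is not part of the original post: it replays named's interface messages in order, lists sockets that were dropped and never re-acquired, and flags the state where only loopback is still served. The sample log lines are constructed, and the "listening on ... interface" line format is an assumption about named's output (only the "no longer listening on" text is quoted in the thread).

```python
import ipaddress
import re

# Constructed sample log (not from the thread). Works the same for syslog-style
# prefixes, because everything before the message is captured as "prefix".
SAMPLE_LOG = """\
13-Aug-2014 01:00:00.101 listening on IPv4 interface lo0, 127.0.0.1#53
13-Aug-2014 01:00:00.102 listening on IPv4 interface em0, 192.168.99.99#53
13-Aug-2014 02:00:00.250 no longer listening on 192.168.99.99#53
13-Aug-2014 02:00:00.251 no longer listening on 10.0.0.5#53
13-Aug-2014 03:00:00.300 listening on IPv4 interface em1, 10.0.0.5#53
"""

# One pattern for both events; the optional "no longer " group tells them apart.
EVENT_RE = re.compile(
    r"^(?P<prefix>.*?)\b(?P<gone>no longer )?listening on "
    r"(?:IPv[46] interface [^,]+, )?"
    r"(?P<addr>\S+?)#(?P<port>\d+)"
)


def replay(log_text):
    """Replay interface events in order.

    Returns (active, outages): the set of (addr, port) still listened on at the
    end of the log, and a list of (socket, dropped_at, resumed_at_or_None).
    """
    active = set()
    open_drops = {}   # socket -> index of its unresolved entry in outages
    outages = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m is None:
            continue
        sock = (m["addr"], int(m["port"]))
        when = m["prefix"].strip()
        if m["gone"]:
            active.discard(sock)
            if sock not in open_drops:
                open_drops[sock] = len(outages)
                outages.append([sock, when, None])
        else:
            active.add(sock)
            if sock in open_drops:
                outages[open_drops.pop(sock)][2] = when
    return active, [tuple(o) for o in outages]


def unresolved(log_text):
    """Sockets that were dropped and never listened on again."""
    return [sock for sock, _, resumed in replay(log_text)[1] if resumed is None]


def loopback_only(log_text):
    """True when named ends up serving loopback addresses only, which matches
    the symptom in the thread (dig @127.0.0.1 answers, outside queries time out)."""
    active, _ = replay(log_text)
    return bool(active) and all(
        ipaddress.ip_address(addr.split("%")[0]).is_loopback for addr, _ in active
    )


if __name__ == "__main__":
    for sock, dropped, resumed in replay(SAMPLE_LOG)[1]:
        print(sock, "dropped", dropped, "resumed", resumed)
    print("loopback only:", loopback_only(SAMPLE_LOG))
```

An unresolved entry whose drop time lines up with the start of the outage points at the interface scan rather than at load or memory.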
Re: Runtime disable RRL
On Tue, 19 Aug 2014, Olsen, Richard William (Rick) CTR DISA PEO-MA (US) wrote:

> Is there a runtime switch or config option to disable RRL. The bind
> 9.9.5-S1 by default included the RRL enable but we would like to run
> test with and without the RRL active.

There isn't a way to disable the code, but you can disable the rate limiting with:

  rate-limit { responses-per-second 0; };

If your tests involve builtin CHAOS, see https://lists.isc.org/pipermail/bind-users/2014-May/093107.html

Jeremy C. Reed
ISC

Re: no servers found
In the virtual server, use dig @a.b.c.d with the IP address of the DNS servers you want to use to see if that works. If you are running named in that same virtual server, try dig @127.0.0.1. If that works, then just change your resolv.conf to point to only that nameserver 127.0.0.1

Re: no servers found
On Thu, 21 Aug 2014, Adamiec, Lawrence wrote:

> Using dig @My-NAME-SERVER works. I am not running named on the virtual
> server using dig @ 127.0.0.1 does not work.

Okay. Then change your /etc/resolv.conf to contain just the "nameserver " and IP of that name server (and a couple others if you want) that works.

Re: geoip asnum matching
On Thu, 21 Aug 2014, Dietrich Oberhausen wrote:

> I've got an issue with bind 9.10 and GeoIP asnum based matching.
> As far as I can tell I need to match not only the AS number but also
> the org name?
>
> This works:
> match-clients { geoip asnum "AS8767 M-net Telekommunikations GmbH,
> Germany"; };
>
> While these do not:
> match-clients { geoip asnum "AS8767"; };
> match-clients { geoip asnum "8767"; };
> match-clients { geoip asnum 8767; };
>
> This makes working with this feature unnecessarily complicated, especially
> when dealing with non-ASCII characters for example with
> "AS27699 TELEF?NICA BRASIL S.A" or "AS28573 Servi?os de Comunica??o S.A.".
>
> Is there a way to only match the as number without the org name?
>
> I'm using the free geolite maxmind asn database from
> http://dev.maxmind.com/geoip/legacy/geolite/

It is the strings as defined as a single entry in the original database. I agree that just matching the first part (up to first space) is good enough (like "AS8767"). (I looked at the 209K entries in the database and no AS number was ever reused with a different name as expected but maybe there could have been a mistake.)

I will forward this on to bind9-bugs so this can be improved. (Also the documentation didn't have any example about it, but the system tests did.)

Re: BIND 9.10.1rc2 won't build on FreeBSD 10-STABLE
Yes, I think it is a make problem. I reported same issue a couple weeks ago. (Internal Bug #36993). To workaround, use gmake. We can provide a patch very quick.

Re: BIND 9.10.1rc2 won't build on FreeBSD 10-STABLE
On Fri, 12 Sep 2014, Mathieu Arnold wrote:

> Yes, you can't use bmake if you try to build the python bits, I had to
> force gmake in the port:

It looks to be a bug in the NetBSD bmake used by FreeBSD. I cannot find a bug report for it in FreeBSD. I opened one for NetBSD: http://gnats.netbsd.org/49198x

Re: BIND 9.10.1rc2 won't build on FreeBSD 10-STABLE
On Fri, 12 Sep 2014, Jeremy C. Reed wrote:

> It looks to be a bug in the NetBSD bmake used by FreeBSD. I cannot find
> a bug report for it in FreeBSD. I opened one for NetBSD:
> http://gnats.netbsd.org/49198x

http://gnats.netbsd.org/49198

(My system types a random "x" on its own often. Imagine the frustration with using alpine mail client and vi.)

Re: BIND 9.10.1rc2 won't build on FreeBSD 10-STABLE
On Fri, 12 Sep 2014, Mark Andrews wrote:

> Try collapsing the multiple .SUFFIXES into a single entry.

That doesn't work (for me).

Re: bind-9.10.0-P2 memory leak?
On Tue, 9 Sep 2014, Thomas Schulz wrote:

> What version did you upgrade from? I am seeing bind 9.9.5 and 9.9.6
> grow without any evidence that it will ever stop. See my mail to this
> list with the subject "Re: Process size versus cache size." Mine is
> growing slower than yours, but it is now up to 548 MB.

Can you copy and paste the "out of memory error" you are seeing? Is it still growing? Does it appear to work?

Re: bind-9.10.0-P2 memory leak?
> Can you copy and paste the "out of memory error" you are seeing? Is it
> still growing? Does it appear to work?

I see your other thread answers some.
https://lists.isc.org/pipermail/bind-users/2014-July/093618.html

Re: bind-9.10.0-P2 memory leak?
On Mon, 13 Oct 2014, Thomas Schulz wrote:

> I restarted bind 9.9.6 with a max-cache-size of 30M. We have 3 views.
> The initial process size was 36 MB. The process grew to 184 MB. It grew
> to 596 MB without the max-cache-size being set and was still growing
> when I restarted it. BUT when I now do an rndc dumpdb -cache, the
> named_dump.db file contains only the line
>
> ; Dump complete
>
> and nothing else.
>
> So, if you put any limit on the cache size, you will end up with an empty
> cache. I do believe that there is a bug that needs to be fixed.

I wasn't able to reproduce this with 9.9.6 (or a recent master). Can you please send your configuration (like named-checkconf -px) to bind9-bugs AT isc.org? Thank you.

Re: Dumping the statistics channel
On Mon, 3 Nov 2014, Thomas Schulz wrote:

> I have been asked to dump the statistics to help document a suspected
> memory leak in named. When I look at the statistics with Firefox, I see
> a nicely formatted set of statistics. If I then dump the statistics to
> a file with wget and then use Firefox to view the file, I see data but
> there is no formatting and the output seems to be unreadable.
>
> So, is this file what I should send to isc.org? Should I be using some
> options to wget to get a file that displays nicely in Firefox?
> I have also tried to use Firefox's 'Save Page As' option to dump the
> statistics, but that resulted in the same saved file as I got with wget.

I assume it is the correct file and the nice rendering is using the stylesheet also.

Re: BIND9 Return different IP address based on subnet
On Sat, 27 Dec 2014, Christian Kette wrote:

> I have some questions. Q1: Why do I get the IP address "192.168.2.100" for
> "DEV.home.lan" from both the 192.168.2.0/24 and the 192.168.10.0/24 network?

The view that matches first is used.

> #include "/etc/bind/named.conf.default-zones";
...
> Q2: What exactly are these zones in the file for? Do I need them?

You didn't include the file in the email. But I found a copy via google which may be the same. You probably don't need it. (For example, the priming hints are builtin to named.)

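The first-match rule from the reply above, as an added example that is not part of the original post: it picks a view the way an ordered match-clients list does and reports views that can never be selected because earlier views already cover all of their networks. The view names and networks are constructed (the poster's named.conf is not on the page), and only plain network lists are modelled, not keys, named ACLs, negation or match-destinations.

```python
import ipaddress

# Constructed view order, as it would appear top to bottom in named.conf.
# The first view is deliberately too broad: it also covers 192.168.10.0/24.
VIEWS = [
    ("lan2", ["192.168.0.0/16"]),
    ("lan10", ["192.168.10.0/24"]),
    ("other", ["0.0.0.0/0"]),
]

# Same views with the narrow networks first and the broad one tightened.
FIXED_VIEWS = [
    ("lan10", ["192.168.10.0/24"]),
    ("lan2", ["192.168.2.0/24"]),
    ("other", ["0.0.0.0/0"]),
]


def select_view(views, client):
    """Return the name of the first view whose match-clients covers client."""
    ip = ipaddress.ip_address(client)
    for name, nets in views:
        for net in nets:
            network = ipaddress.ip_network(net)
            if ip.version == network.version and ip in network:
                return name
    return None


def _collapsed(nets):
    """Merge networks per address family so adjacent blocks count as one."""
    by_version = {4: [], 6: []}
    for net in nets:
        by_version[net.version].append(net)
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(by_version[version]))
    return merged


def shadowed_views(views):
    """Names of views that no client can ever reach.

    A view is shadowed when each of its networks lies inside the (merged)
    networks of the views listed before it.
    """
    earlier = []
    shadowed = []
    for name, nets in views:
        mine = [ipaddress.ip_network(n) for n in nets]
        covered = _collapsed(earlier)
        if mine and all(
            any(n.version == c.version and n.subnet_of(c) for c in covered)
            for n in mine
        ):
            shadowed.append(name)
        earlier.extend(mine)
    return shadowed


if __name__ == "__main__":
    for client in ("192.168.2.5", "192.168.10.7", "203.0.113.9"):
        print(client, "->", select_view(VIEWS, client),
              "| fixed ->", select_view(FIXED_VIEWS, client))
    print("shadowed:", shadowed_views(VIEWS))
```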
BIND DNSSEC Guide draft
ISC is seeking feedback and review for our first public draft of the BIND DNSSEC Guide. It was written in collaboration with DeepDive Networking. The document provides introductory information on how DNSSEC works, how to configure BIND to support some common DNSSEC features, as well as some basic troubleshooting tips. It has lots of interesting content, including examples of using ISC's "delv" tool and using a common provider's web-based interface to manage DS records.

This is a beta edition of the guide. We'd appreciate any feedback or suggestions, good or bad. You may email me directly, or to our bind9-bugs@ bug tracker email, or back to this list as appropriate (such as needing further community discussion). Or you may use the GitHub to provide feedback (or fixes). We plan to announce the first edition of this BIND DNSSEC Guide at the end of January.

The guide also has a recipes chapter with step-by-step examples of some common configurations. If you have any requests or would like to contribute some content, please let us know.

The beta of the guide is available in HTML and PDF formats at

http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html
http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.pdf

The docbook source for the guide is at GitHub:
https://github.com/isc-projects/isc-dnssec-guide/

Happy New Year!

Jeremy C. Reed
ISC

Re: DNSSEC
On Sat, 17 Jan 2015, John wrote:

> is there a separate DNSSEC mailing list?

You may use this bind-users list to discuss DNSSEC. There are other lists for DNSSEC managed outside of ISC and not specific to BIND, such as: Dnssec-deployment.org (but I cannot access their mailman webpage currently)

Re: Finding authoritative server and last update
On Tue, 3 Feb 2015, Robert Moskowitz wrote:

> I am trying to find out which comcast server is authoritative for
>
> 4.254.253.50.in-addr.arpa
>
> and when the zone file for the ptr rr was last updated.
>
> I was told a week ago that the ptr would be updated, but I am still
> not seeing any change...
>
> I am not really good at keeping good notes on using dig.

Have a look at output from:

  dig +trace 4.254.253.50.in-addr.arpa PTR
  dig 254.253.50.in-addr.arpa SOA

Re: Finding authoritative server and last update
By the way, it looks like the SOA MNAME has a misspelling typo in it. I wonder if that is on purpose to foil automated/unintelligent spammers.

Re: compile and install from source
On Sun, 29 Mar 2015, INVALID_ADDRESS wrote:

> named_conf="/etc/namedb/named.conf" # Path to the configuration file
...
> So I changed the path (in /etc/rc.conf) to /usr/local/sbin/named
>
> But now I get:
>
> $ /etc/rc.d/named start
> Starting named.
> /etc/rc.d/named: WARNING: failed to start named
>
> But nothing is logged in /var/log/messages

Try running:

  /usr/local/sbin/named -g -c /etc/namedb/named.conf -u bind

to see what the output tells you.

Re: zone not updating
On Mon, 30 Mar 2015, Lucio Crusca wrote:

> @ IN NS ns0.virtual-bit.com.
> @ IN NS ns1.virtual-bit.com.
...
> propagating, but still nothing changed. If you query the NS for the
> www record, it replies with the new and correct IP address
> (136.243.232.141), but if you query any other DNS around the globe, it
> replies with the old one (158.58.168.152, same as current MX).

You basically answered your own question. See the NS records in the output for the following:

  dig hcvalchisone.net @f.gtld-servers.net

Re: Native pkcs#11 and auto-dnssec feature
> My question is about auto-dnssec feature that maintain zone by
> internally signing RRs. How this feature will work without a PIN since
> BIND needs access to private key when it needs to resign automatically
> and i didn't find a way to provide the PIN through configuration files
> ?

Hi, Does the reference manual section about proving the PIN help?
http://ftp.isc.org/isc/bind9/9.10.2/doc/arm/Bv9ARM.ch04.html#id2639064

Re: "#service named restart" fails with a weird message
On Fri, 19 Jun 2015, Samad Agha wrote:

> Error in named configuration:
> /etc/named.conf:3: missing ';' before '}'

Look on line 3

> /etc/named.conf:11: missing ';' before '}'

Look on line 11

> options {
> directory "/var/named";
> allow-recursion {207.151.36.0/24; 206.117.117.0/24};

Add a semicolon before the } to end the list of networks.

> };
>
> zone "0.0.127.in-addr.arpa" {
> type master;
> file "db.127.0.0"

Add missing semicolon at the end of that line.

> };

Re: make test fails without Net::DNS::Nameserver
On Tue, 14 Jul 2015, Maria Iano wrote:

> I don't see this mentioned anywhere else, although I'm surprised by that
> so maybe I'm missing something. When I build bind-9.10.2-P2 I find
> that "make test" fails for reclimit with "Couldn't start server ans2" if
> I don't have Net::DNS::Nameserver installed. After I install it the
> testing is successful.

We recently added a bin/tests/system/reclimit/prereq.sh script to check for it. CHANGES entry:

  4113. [test] Check for Net::DNS is some system test prerequisites. [RT #39369]

Re: Question about managed-keys-zone
On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:

> '--enable-newstats' '--with-libxml2' '--enable-fullreport' 'CFLAGS=-O2

Unrelated to your problem, but the --enable-newstats configure switch is
not used for BIND 9.10.

> 1. Cannot seem to start named and it seems that it is looking for some
> keys to validation locally.

(I reordered your email some:)

> Apr 7 15:15:32 cfdnsquar01 named[37952]: isc_stdio_open
> '/usr/local/named-jail9.10.3P4/var/adm/named.log' failed: file not
> found
> Apr 7 15:15:32 cfdnsquar01 named[37952]: configuring logging: file not
> found
> Apr 7 15:15:32 cfdnsquar01 named[37952]: loading configuration: file
> not found
> Apr 7 15:15:32 cfdnsquar01 named[37952]: exiting (due to fatal error)

Your named cannot start due to logging configuration. You didn't share
your configuration related to it, but does the directory
/usr/local/named-jail9.10.3P4/var/adm/ exist?

> I believe managed-key-zone validation is by default enabled in
> Bind..is there an option that I can use in named.conf file to
> disable that so that it does not look for the key..I guess this is
> just a self-validation on the master itself and has nothing to do with
> DNSSEC signing as it seems I am not even able to get the named up...

Yes, it is unrelated.

> I guess question is do I have an option that I can specify such that
> it will not look for self-validation keys at all so that I do not have
> to deal with rndc.key and rndc.conf or is this something I cannot get
> by with when I use "views" ? Or am I not understanding this properly?

The rndc keys (used for connecting to the control interface) are
unrelated to the keys used with DNSSEC. But for operations it is a good
idea. See the ARM and/or rndc-confgen manpage about generating the rndc
configuration.

Let's get your named startup working first before we work on your goal.

(If I understand correctly, you want named to serve internally unsigned
zones, an external appliance will sign the zones, and then named can
then serve the signed zones publicly.)

RE: Question about managed-keys-zone
On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:

> I know it using rndc is a good practice but is there an option to
> specify in named.conf to disable it?

It is disabled by default because there is no complete command channel
configuration in the first place, but this will make it so it doesn't
even try to enable it:

    controls { };

RE: Question about managed-keys-zone
On Fri, 8 Apr 2016, Bhangui, Sandeep - BLS CTR wrote:

> Thanks Jeremy
>
>
> Logging section from named.conf
>
> logging {
>     channel "named-log" {
>         file "/usr/local/named-jail9.10.3P4/var/adm/named.log"
>             versions 3 size 30m;

...

>     category "general" { "named-log"; };

...

> And yes the directory "/usr/local/named-jail9.10.3P4/var/adm/" exists
> and the files are there owned by named:named.

The error:

    isc_stdio_open '/usr/local/named-jail9.10.3P4/var/adm/named.log' failed: file not found

happens when the directory doesn't exist as one example.

What switches are you using to start named? (The top of the logging
output was excluded in previous email which should show the "starting
BIND 9.10.3-P4" and "built with" lines.)

Re: Bind 9.11.0a1
On Thu, 21 Apr 2016, ap...@yandex.ru wrote:

> Would be great to hear smth about question #2. I've tried to use rndc
> trace with various levels of debugging and still edns subnet is not
> shown anywhere.
>
> > 2) I have looked through sources and bind 9.11 guide, but have not
> > found the way to add client-subnet into queries logging. Would be
> > really great to have it. So to see not just client IP-address, but
> > also ECS subnet itself. Did I miss something?

We will soon be adding some logging for geoip and ECS.

Re: Cannot get BIND logs to write to the correct file.
On Mon, 2 May 2016, Sean Son wrote:

> I am trying to get BIND to write its logs to two files:
>
> /var/log/named/named.log
>
> and
>
> /var/log/named/dnsreqs.log
>
>
> No matter what I do , the logs are still being written to
> /var/named/data/named.run
>
> Here is the part of my named.conf which deals with logging:
>
> logging {
>     channel default_debug {
>         file "data/named.run";
>         severity dynamic;
>     };
>     channel default_info {
>         file "/var/log/named/named.log";
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>     };
>     channel log_requests {
>         file "/var/log/named/dnsreqs.log";
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>     };
>     category lame-servers { null; };
>
> };
>
>
> The default_info and log_requests sections were copied from an older BIND
> server that we are running. I am upgrading to a new version of Red Hat Linux
> as well as a new version of BIND on a different server.
>
> Any help is greatly appreciated! What am I doing wrong here?

Hi Sean,

Also use a "category" configuration. For example:

    category default { default_info; };
    category queries { log_requests; };

(If not, you may want to tell us what specifically you do and maybe
don't want logged.)

Jeremy C. Reed

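A checker for the mistake in the message above, added here as an example (it is not part of the original post or of BIND): it lists the channels in a logging block that no category sends anything to. The function names are hypothetical, the sample input is the quoted block re-typed, and the comment stripping is simplified (it does not protect `//` or `#` inside quoted strings).

```python
import re

# BIND's predefined channels; they exist without a "channel" statement.
BUILTIN_CHANNELS = {"default_syslog", "default_debug", "default_stderr", "null"}
# What named uses when the configuration has no "category default" statement.
IMPLICIT_DEFAULT = ["default_syslog", "default_debug"]

# Constructed input: the logging block quoted in the message above.
QUOTED_CONF = """
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    channel default_info {
        file "/var/log/named/named.log";
        print-time yes; print-category yes; print-severity yes;
    };
    channel log_requests {
        file "/var/log/named/dnsreqs.log";
        print-time yes; print-category yes; print-severity yes;
    };
    category lame-servers { null; };
};
"""

# The same block with the two category statements from the reply added.
FIXED_CONF = QUOTED_CONF.replace(
    "category lame-servers",
    "category default { default_info; };\n"
    "    category queries { log_requests; };\n"
    "    category lame-servers",
)

def strip_comments(text):
    """Remove /* */, // and # comments (simplified: ignores quoting)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def parse_logging(text):
    """Return (set of defined channel names, {category: [channel, ...]})."""
    text = strip_comments(text)
    channels = set(re.findall(r'(?<![\w-])channel\s+"?([\w.-]+)"?\s*\{', text))
    categories = {}
    pattern = r'(?<![\w-])category\s+"?([\w.-]+)"?\s*\{([^}]*)\}'
    for name, body in re.findall(pattern, text):
        categories[name] = [d.strip().strip('"') for d in body.split(";") if d.strip()]
    return channels, categories

def audit(text):
    """Find channels nothing is routed to, and destinations never defined."""
    channels, categories = parse_logging(text)
    effective = dict(categories)
    effective.setdefault("default", list(IMPLICIT_DEFAULT))
    used = {c for dests in effective.values() for c in dests}
    return {
        "unused": sorted(channels - used),
        "undefined": sorted(used - channels - BUILTIN_CHANNELS),
        "default": effective["default"],
    }

if __name__ == "__main__":
    print("as quoted:", audit(QUOTED_CONF))
    print("with categories:", audit(FIXED_CONF))
```

On the quoted block both file channels come back unused while default_debug (data/named.run) still receives the default category; with the two category statements added, default_debug becomes the unused one.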
Re: Nsupdate usage scenario
What about using a specific zone file just for the purpose of the single A record you want to maintain using dynamic updates?

Re: Nsupdate usage scenario
Also for the generated master file, have a look at "masterfile-style full;" option. Have a look at the named-compilezone -j with -s full or -s relative so you can compare outputs.

Re: RES: RHEL, Centos, Fedora rpm 9.10.4-P1
On Wed, 22 Jun 2016, Leonardo Oliveira Ortiz wrote:

> Someone had success to build it? I got make test errors...

What was the error?

Re: Questions on how to setup Reverse DNS in bind 9
On Sun, 17 Jul 2016, Spork Schivago wrote:

> So, in the /var/named directory, I create a file
> called: 0.117.238.104.in-addr.arpa
>
> The contents of 0.117.238.104.in-addr.arpa are as follows:
> $TTL 1D
> @ IN SOA ns1.jetbbs.com. spork.jetbbs.com. (
>         2016071705 ; serial
>         1D ; refresh
>         1H ; retry
>         1W ; expire
>         3H ) ; minimum
>
> 0.117.238.104.in-addr.arpa. IN NS ns1.jetbbs.com.
> 0.11.148.132.in-addr.arpa. IN NS ns2.jetbbs.com.
>
> 104 IN PTR franklin.jetbbs.com.
> 44 IN PTR franklin.jetbbs.com.

This won't work as you need NS records that match up to the zone name.
In this case, the common zone name is only "in-addr.arpa." but no NS for
that. Also if it was only "in-addr.arpa." the two PTR records would be
useless.

If your zone name does match so you have a NS record, as it is now,
you'd have "out-of-zone data" which is ignored.

Try using two different more specific zone files such as for
11.148.132.IN-ADDR.ARPA. and 117.238.104.IN-ADDR.ARPA.

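The two cases described in the reply above, worked through as an added example (not part of the original message): owner names from the quoted file are expanded against a candidate zone name, then checked for an NS RRset at the apex and for out-of-zone owners. The function names are hypothetical and the record list is re-typed from the quote; the zone statement itself is not shown in the thread, so each origin passed in is an assumption.

```python
# Constructed input: (owner, type) pairs re-typed from the quoted zone file.
QUOTED_RECORDS = [
    ("@", "SOA"),
    ("0.117.238.104.in-addr.arpa.", "NS"),
    ("0.11.148.132.in-addr.arpa.", "NS"),
    ("104", "PTR"),
    ("44", "PTR"),
]

def absolute(owner, origin):
    """Expand a master-file owner name against the zone origin."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner          # already fully qualified
    return owner + "." + origin

def in_zone(name, origin):
    """True when name is the origin or sits below it on a label boundary."""
    name, origin = name.lower(), origin.lower()
    return origin == "." or name == origin or name.endswith("." + origin)

def audit_zone(origin, records=QUOTED_RECORDS):
    """Check for NS at the apex and collect owners outside the zone."""
    names = [(absolute(owner, origin), rtype) for owner, rtype in records]
    return {
        "apex_ns": any(n.lower() == origin.lower() and t == "NS" for n, t in names),
        "out_of_zone": [n for n, _ in names if not in_zone(n, origin)],
        "ptr_owners": [n for n, t in names if t == "PTR"],
    }

if __name__ == "__main__":
    for origin in ("in-addr.arpa.",
                   "0.117.238.104.in-addr.arpa.",
                   "117.238.104.in-addr.arpa."):
        print(origin, audit_zone(origin))
```

With the /24 origin 117.238.104.in-addr.arpa. the quoted NS owner names no longer sit at the apex, so they would have to be rewritten along with the split into two files.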
Re: logging query results
On Mon, 1 Dec 2008, wes wrote:

> The result I'm looking for is "10.1.1.44" and this string does not appear in
> any of the logs at all.

Search for 10.in-addr.arpa. instead.

RE: Question about Subdomain Delegation
nameserver at 146.145.231.234 doesn't know "lab" is delegated.

nameserver at 146.145.231.234 doesn't know "ns2"

Your ns1 and ns2 have conflicting information.

nameserver at 72.44.181.38 can't be reached.

what versions of BIND and operating systems?
Hi, I am working on BIND documentation and want to make sure the lists
of operating systems used successfully with BIND are accurate. If you
are willing, please email me off-list by December 23, what BIND and
operating system versions you are successfully building and running BIND
on. If you are not using vanilla BIND, please also let me know. Thanks!

Currently the README from 9.5.x and upcoming 9.6.0 has:

    We have recent reports from the user community that a supported
    version of BIND will build and run on the following systems:

        AIX 4.3, 5L
        CentOS 4, 4.5, 5
        Darwin 9.0.0d1/ARM
        Debian 4
        Fedora Core 5, 7
        FreeBSD 6.1
        HP-UX 11.23 PA
        MacOS X 10.4, 10.5
        Red Hat Enterprise Linux 4, 5
        SCO OpenServer 5.0.6
        Slackware 9, 10
        SuSE 9, 10

And the README from 9.3.x and 9.4.x has:

    Additionally, we have unverified reports of success building
    previous versions of BIND 9 from users of the following systems:

        AIX 5L
        SuSE Linux 7.0
        Slackware Linux 7.x, 8.0
        Red Hat Linux 7.1
        Debian GNU/Linux 2.2 and 3.0
        Mandrake 8.1
        OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8
        UnixWare 7.1.1
        HP-UX 10.20
        BSD/OS 4.2
        Mac OS X 10.1, 10.3.8

Jeremy C. Reed
ISC Sales & Support Engineer

Re: External Resolution
On Wed, 24 Dec 2008, Linux Addict wrote:

> Folks, I have BIND 9 running. For some reason, the external resolution is
> not working. I can telnet to root servers on port 53. Recursion is on. What
> are the other requirements for the server to resolve the external records.
> Please help!!

Tell us more. Show us more.

Is your named bound to the IP (at port 53) as expected? Use netstat -an,
sockstat, lsof, fstat to see.

How are you testing? Show us your dig output from same system running
named. Also from remote system if you are testing from a client.

Make sure allow-query, allow-query-cache, allow-recursion are set as
required.

Re: Using 2 CPUs with BIND
On Mon, 29 Dec 2008, Mike Diggins wrote:

> > > When I start BIND on my Solaris 10 SPARC dual CPU (V210) system 9.4.2-P2,
> > > I don't get the message "using 2 CPUs", but that's what I want. I
> > > compiled it with './configure --prefix=/usr/local/bind --enable-threads'
> > > and start it with '/usr/local/bind/sbin/named -n 2 -c /etc/named.conf'.
> > > How do I know it's actually using the two SPARC CPUs?

It is only logged if ISC_PLATFORM_USETHREADS. I see you configured with
--enable-threads, but also verify that is defined in
lib/isc/include/isc/platform.h.

Also make sure that you are testing the same named that you built and
installed from source.

And make sure your logging for the "general" category and "info" level
is really logged and look at the correct destination for it.

By the way, 9.6.0 rndc status will report the details, for example:

    CPUs found: 2
    worker threads: 2

Re: includes in zone files
On Mon, 29 Dec 2008, Mike Zupan wrote:

> Is there anyway in a zone file for a master to include another file for more
> zone information?

$INCLUDE filename

See "Other Zone File Directives" in chapter 6 of the ARM. And read
example in chapter 4 of the ARM.

Re: Initial Setup of Master/Slave Bind servers
On Mon, 29 Dec 2008, Mark A. Moore wrote:

> I have setup our BIND Master & Slave servers with appropriate
> configuration in the named.conf. For some reason the zone files are not
> getting replicated from the Master to the slave. Do I have to initially
> create each of the zone files on the slave so that updates are
> replicated?

No. Maybe check your logs on both servers to see if there are any
complaints about this. Or provide us with real details and maybe we can
help troubleshoot.

Jeremy C. Reed
ISC Sales & Support Engineer

Re: Using 2 CPUs with BIND
What is your syslogger configuration for /var/adm/messages, /var/log/named, and /var/log/named.info ?

Re: openssl alert when 9.8i installed?
On Fri, 2 Jan 2009, aklist wrote:

> Hi All: I downloaded 9.6.0 and ran
>
> ./configure --with-openssl
>
> and received the warning that I should have 9.8d or better installed. I went
> ahead and updated to 9.8i and confirmed that it was running, but when I run
> configure I still get the error?

Maybe you have multiple versions of OpenSSL installed. Look at the
configure output to see which one it was using. You can use
--with-openssl=/path/to/openssl if needed.

> Is the error "informational" or is there a problem? Just to test I went ahead
> and ran "make" and BIND successfully compiled...just wondering if there's a
> problem or not?

Both. It probably still works, but the warning should encourage you to
use the version with security fixes.

Jeremy C. Reed
ISC Sales & Support Engineer

Re: installing 9.6 on freebsd7 configure problems
On Fri, 2 Jan 2009, aklist wrote:

> Hi: I'm trying to install BIND 9.6.0 from source but am having problems with
> the configure statement. I tried:
>
> ./configure --prefix=/usr --sysconfdir=/etc/namedb --mandir=/usr/share/man \
> --localstatedir=/var --disable-threads --with-openssl=/usr
>
> followed by "make && make install"
>
> and 9.6 was installed, but when I try to start it I receive an error
>
> Jan 2 15:57:48 ns1 named[1096]: starting BIND 9.6.0 -t /var/named -u bind
> Jan 2 15:57:48 ns1 named[1096]: built with '--with-openssl'

Make sure you are running the correct named binary. (Notice your "built
with" is incomplete.)

> Jan 2 15:57:48 ns1 named[1096]: none:0: open: /etc/named.conf: file not found
> Jan 2 15:57:48 ns1 named[1096]: loading configuration: file not found
> Jan 2 15:57:48 ns1 named[1096]: exiting (due to fatal error)
>
> shouldn't the "open" statement be pointing at "/etc/namedb/named.conf" and if
> so, what did I do wrong? Or do I have to manually edit a path somewhere?

Jeremy C. Reed
ISC Sales & Support Engineer

Re: Was BIND 9.4.3 announced on bind-announce / bind-users ?
On Fri, 2 Jan 2009, Chris Thompson wrote:

> I am somewhat embarrassed to find myself unaware that BIND 9.4.3 was
> (apparently) released on 19 November, superseding 9.4.3rc1 from 5 November.
>
> Unless I have done something very strange to my mail folders, I never
> received the usual notification from ISC. Was this just me, or was there
> a more general problem? (This was shortly after the grand ISC mailing
> list reorganisation on 14 November, after all ...)

I also don't see the announcement(s). I have reported this internally
and we will make sure this is handled.

Jeremy C. Reed
ISC Sales & Support Engineer

Re: statistics-channels No such URL
On Sat, 3 Jan 2009, Jonathan Petersson wrote:

> So I did find the reason:
> Jan 3 09:45:04 localhost named[5038]: statistics-channels specified
> but not effective due to missing XML library
>
> anything besides:
> [r...@localhost bind-9.6.0]# rpm -qa | grep libxml2
> libxml2-2.7.2-2.fc10.i386
> libxml2-devel-2.7.2-2.fc10.i386
>
> That's needed? Bind is compiled from source with --with-libxml2
> --enable-threads

Make sure you are running the same named that you built.

Your HAVE_LIBXML2 is not defined. See your config.h for HAVE_LIBXML2.
Look at the xml related logs in your config.log to show what happened.

Re: Fresh (non cached) dig
On Mon, 5 Jan 2009, Stephen Ward wrote:

> On Mon, 05 Jan 2009 16:24:04 +, Chris Thompson wrote:
>
> > On Jan 5 2009, John Wobus wrote:
> >
> >>[...] There is no nameserver
> >>operation
> >>that dig could do to tell a caching nameserver to act differently for
> >>one query. You could clear the nameserver's cache, or even clear the
> >>one name you are interested in out of the cache.
> >
> > You can use +norecurse and check whether the AA bit is set in the reply.
> > Even quite old versions of BIND will not set the AA bit in the response
> > if the answer is from the cache, in this case.
>
> Thanks for this Chris. I never knew that. And Todd, that is just what the
> doctor ordered!

Do some tests with data already cached. And watch the TTL of the records
as you do multiple same digs.

Jeremy C. Reed
ISC Sales & Support Engineer

Re: Ever growing jnl files
On Wed, 7 Jan 2009, Mike Eggleston wrote:

> On Wed, 07 Jan 2009, Nicholas F Miller might have said:
>
> > We have a few dynamic zones that are provisioned using Addhost. When
> > addhost adds records to the zone every night it will run "nsupdate <
> > update.file". The update.file will contain records like these:
> >
> > prereq yxrrset machine.colorado.edu. in a
> > update delete machine.colorado.edu. in a
> >
> > prereq yxrrset machine.colorado.edu. in hinfo
> > update delete machine.colorado.edu. in HINFO
> >
> > This all works fine but the jnl doesn't ever go away after nsupdate
> > runs like this. The jnl will continue to be appended to every night
> > when nsupdate is run again. If we use nsupdate without feeding it a
> > file the jnl will disappear like it's supposed to. Is this a glitch in
> > bind bind-9.5.0-P2?

I am not sure how the remote server would behave different with
"nsupdate" versus "nsupdate < file" (assuming same input).

> What about a crontab entry for once a week or once a month that does a
> freeze/unfreeze to force the jnl file to get played into the zone files?

This is unrelated. The synchronization of the dynamic update data (in
the journal database) to the real zone file is done occasionally -- and
may be delayed by up to 15 minutes. (This time is not configurable other
than by redefining DNS_DUMP_DELAY macro to number of seconds in the
build environment and rebuilding BIND.)

The journal file may continue to grow when it is also used for IXFR
tracking for incremental zone transfers.

Re: Named goes deaf
On Wed, 7 Jan 2009, Scott Haneda wrote:

> Hello, running BIND 9.4.2-P2 on OS X 10.5, this is just what comes with OS X

Consider upgrading to 9.4.3-P1. It has some improvements with port
allocation that may help you.

Re: [openSuSE 11.1] the working directory is not writable
On Fri, 9 Jan 2009, Lothar Behrens wrote:

> Jan 9 11:55:53 vmhost named[11970]: starting BIND 9.5.0-P2 -t /var/
> lib/named -u named

Chrooting to /var/lib/named

> Jan 9 11:55:53 vmhost named[11970]: the working directory is not
> writable
>
> My working directory is /var/lib/named and the permissions are as
> follows:

Your working directory is /var/lib/named/var/lib/named

> vmhost:/var/lib # ls -l named

...

> drwxr-xr-x 4 named named 4096 Jan 6 18:21 var

Look under that ./var/lib

> directory "/var/lib/named";

Re: Current named statistics format documentation
See http://ftp.isc.org/www/bind/arm95/Bv9ARM.ch06.html#id2593348

(Sorry that is for a different version of BIND, but it does cover more
statistics info.)

If you need any specific clarifications, please let us know.

Re: SERVFAIL issues
> Is this intermittent SERVFAIL issue resolved in 9.5.1-P1?

9.5.1 has many improvements that solve various SERVFAIL issues seen in
the 9.5.0-P1/P2 code and includes /dev/poll, kqueue, or epoll on
supported systems.