FORMERR resolving AAAA/IN records

2009-03-26 Thread b19141
Oliver Henriot  wrote:

>Dear list users,
>
>I have a bind 9.3 server on a centos 5.2 machine which logs huge (about
>12 errors every second) quantities of FORMERR messages while trying to
>resolve AAAA/IN records which look like this:
>
>Mar 25 08:44:24 myserver named[1124]: FORMERR resolving
>'auniarael.com/AAAA/IN': 216.69.185.38#53
>
>I'm a bit of a bind noob so I scoured the bind 9.3 ARM and the web
>looking for info which could help me understand what is going wrong. I
>found nothing of much use to me, apart from a thread on this list from
>2006 in which Barry Finkel has a similar question. I followed the
>logging instructions he gives and solved the overfull /var/log problem
>but I presume I still have these FORMERR problems occurring.
>
>Just for info, if it is of any use, in a log file from before modifying
>logging, I had 1826550 lines of FORMERR but of these, only 275
>unique addresses, so it's always the same requests and always the same
>errors...
>I don't think it's a recursion problem, I have restricted that to my
>networks.
>I only get these logs on this server, not on any of the others.
>
>I'd greatly appreciate if someone could point me in the right direction
>to try and work out what is going wrong and fix it.

Look at the output of these queries:

dnsserver% dig auniarael.com @216.69.185.38

; <<>> DiG 8.3 <<>> auniarael.com @216.69.185.38 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUERY SECTION:
;;  auniarael.com, type = A, class = IN

;; ANSWER SECTION:
auniarael.com.  1H IN A 68.178.232.143

;; AUTHORITY SECTION:
auniarael.com.  1H IN NS cpns01.secureserver.net.
auniarael.com.  1H IN NS cpns02.secureserver.net.

;; Total query time: 62 msec
;; FROM: dnsserver.anl.gov to SERVER: 216.69.185.38  216.69.185.38
;; WHEN: Thu Mar 26 09:05:56 2009
;; MSG SIZE  sent: 31  rcvd: 105

dnsserver% !! aaaa
dig auniarael.com @216.69.185.38 aaaa

; <<>> DiG 8.3 <<>> auniarael.com @216.69.185.38 aaaa
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
;; QUERY SECTION:
;;  auniarael.com, type = AAAA, class = IN

;; AUTHORITY SECTION:
.   1D IN SOA   cpns01.secureserver.net. dns.jomax.net. 
(
20080922; serial
8H  ; refresh
2H  ; retry
1W  ; expiry
1D ); minimum

auniarael.com.  1H IN NS cpns01.secureserver.net.
auniarael.com.  1H IN NS cpns02.secureserver.net.

;; Total query time: 62 msec
;; FROM: dnsserver.anl.gov to SERVER: 216.69.185.38  216.69.185.38
;; WHEN: Thu Mar 26 09:06:02 2009
;; MSG SIZE  sent: 31  rcvd: 157

dnsserver%

Note that the first query defaults to an "A" record search, and the
authority section gives the names of the two name servers.  This is
fine.  The second query is specifically for an "AAAA" record.
Note the authority section -

 ;; AUTHORITY SECTION:
 .   1D IN SOA...

The authority is the root.  BIND (correctly) does not believe this
and returns FORMERR (format error).  This occurs, as Mark Andrews
pointed out to me a number of months ago, because the DNS administrator
has placed all of the records for various zones into one zone, and thus
cannot configure an SOA record that is correct.  A search for an "A"
record that exists will return correct values, but a search for a
record that does not exist forces DNS to return the faulty SOA record.

I just ran my FORMERR script against our current /var/adm/messages,
and I see a handful of DNS servers producing most of the FORMERR
messages:


--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994
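Barry's "FORMERR script" is not shown in the post. The following is an added example, not from the post or from BIND, that does the same kind of tally over constructed log lines in the two wordings that appear on this page (the BIND 9.3 "FORMERR resolving" line and the BIND 9.7 "DNS format error" line): it counts FORMERRs per remote server and the distinct questions behind them, which is how one sees that a flood of errors comes from a handful of servers repeating a few names. Addresses and names in the sample are constructed (documentation ranges), not the servers from the thread.

```python
"""Tally BIND FORMERR log lines per remote server (added example, constructed data)."""
import re
from collections import Counter, defaultdict

# BIND 9.3 wording, as quoted in the post above:
#   FORMERR resolving 'name/TYPE/IN': 192.0.2.10#53
RE_FORMERR_93 = re.compile(
    r"FORMERR resolving '(?P<name>[^/']+)/(?P<rtype>[^/']+)/IN': "
    r"(?P<server>[0-9A-Fa-f.:]+)#\d+"
)
# BIND 9.7 wording, as in the later "format error" post on this page:
#   DNS format error from 192.0.2.10#53 resolving name/TYPE for client 10.0.0.5#1234: invalid response
RE_FORMERR_97 = re.compile(
    r"DNS format error from (?P<server>[0-9A-Fa-f.:]+)#\d+ "
    r"resolving (?P<name>[^/\s]+)/(?P<rtype>\S+) for client \S+: (?P<reason>.+)$"
)


def parse_formerr(line):
    """Return {'server', 'name', 'rtype', 'reason'} for a FORMERR line, else None."""
    for rx in (RE_FORMERR_93, RE_FORMERR_97):
        m = rx.search(line)
        if m:
            rec = m.groupdict()
            rec.setdefault("reason", "FORMERR")        # 9.3 lines carry no reason text
            rec["name"] = rec["name"].rstrip(".").lower()
            return rec
    return None


def summarize(lines):
    """Count FORMERR lines per remote server and collect the distinct (name, type) asked."""
    counts = Counter()
    questions = defaultdict(set)
    for line in lines:
        rec = parse_formerr(line)
        if rec is None:
            continue                                   # lame-server and other noise is skipped
        counts[rec["server"]] += 1
        questions[rec["server"]].add((rec["name"], rec["rtype"]))
    return counts, questions


def report(counts, questions):
    """Rows of (FORMERR count, distinct questions, server), busiest server first."""
    rows = [(n, len(questions[srv]), srv) for srv, n in counts.items()]
    return sorted(rows, key=lambda r: (-r[0], r[2]))


# Constructed sample log: documentation-range addresses, not the servers from the post.
SAMPLE_LOG = """\
Mar 25 08:44:24 myserver named[1124]: FORMERR resolving 'www.example.net/AAAA/IN': 192.0.2.10#53
Mar 25 08:44:24 myserver named[1124]: FORMERR resolving 'www.example.net/AAAA/IN': 192.0.2.10#53
Mar 25 08:44:25 myserver named[1124]: FORMERR resolving 'mail.example.net/MX/IN': 192.0.2.10#53
Mar 25 08:44:25 myserver named[1124]: FORMERR resolving 'ftp.example.org/AAAA/IN': 198.51.100.7#53
Mar 25 08:44:26 myserver named[1124]: lame server resolving 'foo.example.org' (in 'example.org'?): 198.51.100.9#53
Apr 15 15:36:02 dnsserver named[8662]: [ID 873579 daemon.notice] DNS format error from 198.51.100.7#53 resolving ftp.example.org/AAAA for client 10.0.0.5#13132: invalid response
"""

if __name__ == "__main__":
    counts, questions = summarize(SAMPLE_LOG.splitlines())
    print(" cnt  uniq  DNS Server IP")
    for n, uniq, srv in report(counts, questions):
        print(f"{n:4d}  {uniq:4d}  {srv}")
```

Feed it the real syslog (`zcat`/`cat` piped into `summarize`) and the "uniq" column tells you whether a busy server is failing on many names or, as in the original post, the same few over and over.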

Re: Combined master + forward zone

2009-04-20 Thread b19141
Petteri Heinonen  wrote:

>Ok, thanks for confirming my doubts. As a related issue, how is Bind
>supposed to be used in a domain where Windows Domain Controllers are
>used for Windows domain services, but Bind is used for DNS? I mean, in
>a Windows domain DDNS updates are used by both Domain Controllers and
>by normal domain clients. For Domain Controllers, it is essential that
>they can register their SRV records dynamically in DNS. Now in the case of
>a distributed domain (several Domain Controllers on separate sites, but
>all still belonging to the same Windows domain and all using the same
>DNS zone), there should also be a DNS service of its own for each site (for
>fault tolerance and redundancy etc.). But, as only one site can host the
>master DNS server which accepts DDNS update requests, do all sites'
>machines have to be configured to use that single Bind instance as
>their primary DNS server?
>
>So the actual question: if DDNS update functionality is needed, am I
>bound to use only one Bind instance as the primary DNS server for all
>the hosts, on all the separate sites?

There have been lots of posts on Windows AD/BIND integration over the
years.  Check the list archives.  What I suggest is placing the six AD
zones

 DomainDNSZones.example.com
 ForestDNSZones.example.com
 _msdcs.example.com
 _sites.example.com
 _tcp.example.com
 _udp.example.com

on a MS Windows DNS Server on one Domain Controller and slaving those
zones on your BIND servers.  That way Windows handles the GSS-TSIG
secure updates, and the BIND slaves will transfer the zones if and when
they are updated.  One tricky part is configuring zone transfer policy
on the MS DNS.  You have three options:

 1) Allow zone transfers to any server.
 2) Allow zone transfers only to a specified set of IP addresses.
 3) Allow zone transfers to those name servers in the NS table.

In my case, I have four slave servers, two with only one interface and
two with three interfaces each.  I did not want to choose option 2) and
enter the eight IP addresses in the zone transfer properties for each
of the AD zones, so I chose option 3).  This requires that the MS DNS
Server have the IP addresses of the slaves in its cache, because the
MS code will not go searching for a slave's IP address when a zone
transfer request arrives from a slave server.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Windows/BIND integration [was: Combined master + forward zone]

2009-04-23 Thread b19141
I wrote:
>> 
>> There have been lots of posts on Windows AD/BIND integration over the
>> years.  Check the list archives.  What I suggest is placing the six AD
>> zones
>> 
>>  DomainDNSZones.example.com
>>  ForestDNSZones.example.com
>>  _msdcs.example.com
>>  _sites.example.com
>>  _tcp.example.com
>>  _udp.example.com
>> 
>> on a MS Windows DNS Server on one Domain Controller and slaving those
>> zones on your BIND servers.  That way Windows handles the GSS-TSIG
>> secure updates, and the BIND slaves will transfer the zones if and when
>> they are updated.


and Michael Milligan  replied:
>And don't forget to set a group policy on all DCs to not update the A
>records in the apex zone.  Otherwise the DCs will complain in the Event
>logs forever... this assumes the BIND servers are authoritative for
>example.com, in this example.
>
>See http://support.microsoft.com/kb/246804 for Windows 2000
>
>See http://support.microsoft.com/kb/267855 for Windows 2003 and later,
>specifically under "Netlogon fix" and tell it not to register the
>LdapIPAddress.
>
>(There is also more information there on preventing all the DCs from
>creating NS records in the zone, which becomes problematic when there
>are more than about 10 DCs.  I had one customer with 100s of DCs, and
>each one put in an NS record in the zone for itself...  ugh.  With a
>little magic, dropped that back to a handful of DCs at big data centers.)


It is not as simple as that.  There are a number of Windows registry
settings in this area; here is a brief explanation (I know that this
is a BIND forum, not a MS forum):

1) TCP/IP properties - register this machine in DNS.
   If this is unchecked on a Domain Controller, then Windows will not
   try to self-register the DC in DNS, which is what is desired for
   a mixed BIND/MS Windows DNS Server where the DC is manually
   registered in the BIND DNS.

   But this has side-effects.  With self-register set to NO, then the
   DC will NOT register the SRV records associated with its services,
   because MS believes that both sets of registrations will be sent to
   the same MS DNS Server.  It does not account for self-registration
   to a BIND DNS server and SRV records in the AD "_" zones on a Windows
   DNS Server.  If one has a DC that is not to be used that much, then
   the administrator can always change the weights on the SRV records,
   as we have done for the DC in our disaster recovery site.

2) MS created a new registry setting, RegisterDNSARecords, which is used
   to control the registration in DNS of the domain "A" records
   (e.g., example.com IN A 192.168.2.5).  The values for this setting:

   1 ==> Register the DNS "A" records for this DC
   0 ==> Do not register the DNS "A" records for this DC.
   not present (i.e., null) ==> Rely on the self-registration setting.

   In a mixed environment, the domain "A" record would be in the BIND
   server, and not dynamic (Q259028).  The two "A" records are listed
   in Q258213:

   A record(s) for the DnsDomainName for a domain controller
   A record(s) for the gc._msdcs.DnsForestName if the domain
     controller is also a global catalog

   If this registry setting is 0, then the netlogon.dns file (which can be
   used to load into a BIND server) will NOT have the "A" record for
   the domain, and the "A" record for the GC will also be removed
   from the netlogon.dns file AND from DNS.

3) Further complicating matters are three other registry settings:

UseDynamicDns
DisableDynamicUpdate
DnsUpdateOnAllAdapters

   which I will not explain here.  These newer registry settings were
   created to fix problems that arose with controlling DDNS.

We have in our mixed environment:

 Self-registration: Y
 RegisterDNSARecords: 0
 DNSUpdateOnAllAdapters: 1
 DisableDynamicUpdate: 1

This combination works fine with Windows 2003 and Windows 2008 DCs,
with one exception.  There is no DDNS activity to the BIND servers,
and there are no EventID entries produced about failing DDNS.
This works in Windows 2008 R2 with a fresh install.  If one takes a
W2003 Server and does an upgrade install of 2008 R2, then there is
DDNS activity to the BIND boxes and EventID records.  Once I can get
more AC power to our Windows 2008 testbed, I will install a Solaris BIND
server and do some more testing before I call Microsoft to complain.
There should be no difference between a 2008 R2 fresh install and an
upgrade install, but we have found one difference.  Contact me privately
for more details.

bind as slave DNS to windows AD dns server

2009-05-21 Thread b19141
Aleksander Kamenik  wrote:

>I'm trying to set up BIND named to be a slave for an MS Windows 2008 server's
>AD domain.
>
>I set it up to be the slave and it works fine and I can resolve A records
>from the domain on the slave bind. However I can't resolve some SRV
>records like
>
>_ldap._tcp.dc._msdcs.DOMAIN
>
>Without this functionality a Windows PC is unable to connect to the
>Windows domain.
>
>At first it looked like the Windows DNS server gave BIND a partial zone
>file. Later, after some googling, I realized it has something to do with
>dynamic updates, which I don't know how to set up and am not familiar with.
>
>Most Google replies deal with setting up BIND as the master server. Is
>it at all possible for BIND to act as a slave and forward the SRV
>updates to the master? If so, please point me to relevant documentation.

What zones are you slaving on your BIND server?  There should be six:

 DomainDNSZones.example.com
 ForestDNSZones.example.com
 _msdcs.example.com
 _sites.example.com
 _tcp.example.com
 _udp.example.com

If you have these six zones slaved on your BIND server, and these zones
are being transferred successfully, then there should be no problems.
See the archives of this list, where there have been many
BIND/AD-related postings over the past years.

You wrote:

 Is it at all possible for BIND to act as a slave and forward the
 SRV updates to the master?

I am not sure what you mean.  The Windows Domain Controllers will send
any SRV updates to the Windows DNS Server, if the AD structure is
properly configured.  Client machines might ask your BIND servers for
SRV information, but the DCs should not be sending dynamic DNS updates
to your BIND slave for SRV records.


Understanding "format error" Messages

2010-04-15 Thread b19141
I am trying to understand "format error" messages like this one from
BIND 9.7.0-P1:

 Apr 15 15:36:02 dnsserver.it.anl.gov named[8662]:
   [ID 873579 daemon.notice] DNS format error
   from 209.234.234.42#53 resolving markets.nytimes.wallst.com/
   for client 164.54.214.14#13132: invalid response

dnsserver% dig markets.nytimes.wallst.com @209.234.224.42

; <<>> DiG 8.3 <<>> markets.nytimes.wallst.com @209.234.224.42
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;  markets.nytimes.wallst.com, type = A, class = IN

;; ANSWER SECTION:
markets.nytimes.wallst.com.  1M IN A  209.234.225.89

;; Total query time: 56 msec
;; FROM: dnsserver.it.anl.gov to SERVER: 209.234.224.42  209.234.224.42
;; WHEN: Thu Apr 15 15:36:39 2010
;; MSG SIZE  sent: 44  rcvd: 60

dnsserver% dig markets.nytimes.wallst.com @209.234.224.42 

; <<>> DiG 8.3 <<>> markets.nytimes.wallst.com @209.234.224.42 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;  markets.nytimes.wallst.com, type = , class = IN

;; AUTHORITY SECTION:
wallst.com. 1M IN SOA   lb-www-p1-bb2-01.mgmt.local. 
hostmaster.lb-www-p1-bb2-01.mgmt.local. (
390 ; serial
3H  ; refresh
1H  ; retry
1W  ; expiry
1M ); minimum


;; Total query time: 56 msec
;; FROM: dnsserver.it.anl.gov to SERVER: 209.234.224.42  209.234.224.42
;; WHEN: Thu Apr 15 15:36:56 2010
;; MSG SIZE  sent: 44  rcvd: 118

dnsserver%

I do not see what the error is in the response to the  query.
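As an added illustration (not code from the list posts or from BIND), here is the sanity check a resolver applies to the SOA on an empty answer, run over the responses transcribed from this post and from the earlier FORMERR thread: the SOA owner must be at or below the zone cut the resolver followed to reach the server, so an SOA for the root on a question about auniarael.com is rejected rather than negatively cached. The delegation point assumed for the wallst.com case is a placeholder, since the post does not show where the referral pointed, and the query type for that response is assumed as well.

```python
"""Check the SOA in a NODATA answer the way a resolver would before caching it.

Added model of the check discussed in the posts above (not BIND's own code):
the SOA a server returns with an empty answer must lie at or below the zone
cut the resolver followed to reach that server.  An SOA for the root (".")
on a question about auniarael.com cannot be right, so the response is
treated as FORMERR instead of being believed.
"""
from dataclasses import dataclass, field


def labels(name):
    """Presentation-format name -> lowercase labels; the root '.' has none."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_subdomain(name, domain):
    """True if `name` equals `domain` or lies below it (the root is above everything)."""
    n, d = labels(name), labels(domain)
    return len(n) >= len(d) and n[len(n) - len(d):] == d


@dataclass
class RR:
    owner: str
    rtype: str
    rdata: str = ""


@dataclass
class Response:
    qname: str
    qtype: str
    rcode: str = "NOERROR"
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)


def check_nodata_response(resp, zone):
    """Return ('ACCEPT' | 'FORMERR', reason).

    `zone` is the delegation point the query was sent down, i.e. the name the
    referral chain says this server is authoritative for.
    """
    if resp.rcode != "NOERROR" or resp.answer:
        return "ACCEPT", "not a NODATA response; the SOA check does not apply"
    soas = [rr for rr in resp.authority if rr.rtype == "SOA"]
    if not soas:
        return "ACCEPT", "NODATA with no SOA: nothing to negative-cache"
    for soa in soas:
        if not is_subdomain(resp.qname, soa.owner):
            return "FORMERR", f"SOA owner {soa.owner} is not an ancestor of {resp.qname}"
        if not is_subdomain(soa.owner, zone):
            return "FORMERR", f"SOA owner {soa.owner} lies above the zone {zone} being queried"
    return "ACCEPT", "SOA lies within the zone cut"


# The two auniarael.com responses from the FORMERR thread, transcribed from the dig output.
A_ANSWER = Response(
    qname="auniarael.com.", qtype="A",
    answer=[RR("auniarael.com.", "A", "68.178.232.143")],
    authority=[RR("auniarael.com.", "NS", "cpns01.secureserver.net."),
               RR("auniarael.com.", "NS", "cpns02.secureserver.net.")],
)
AAAA_ROOT_SOA = Response(
    qname="auniarael.com.", qtype="AAAA",
    authority=[RR(".", "SOA", "cpns01.secureserver.net. dns.jomax.net. 20080922 28800 7200 604800 86400"),
               RR("auniarael.com.", "NS", "cpns01.secureserver.net."),
               RR("auniarael.com.", "NS", "cpns02.secureserver.net.")],
)
# Constructed: what a correctly configured server would have returned instead.
AAAA_GOOD_SOA = Response(
    qname="auniarael.com.", qtype="AAAA",
    authority=[RR("auniarael.com.", "SOA", "cpns01.secureserver.net. dns.jomax.net. 20080922 28800 7200 604800 86400")],
)
# The wallst.com response from this post (query type assumed).  Whether it is
# rejected depends on the delegation point, which the post does not show; the
# zone names passed below are assumptions for illustration only.
WALLST_SOA = Response(
    qname="markets.nytimes.wallst.com.", qtype="AAAA",
    authority=[RR("wallst.com.", "SOA",
                  "lb-www-p1-bb2-01.mgmt.local. hostmaster.lb-www-p1-bb2-01.mgmt.local. 390 10800 3600 604800 60")],
)

if __name__ == "__main__":
    cases = [
        ("A answer", A_ANSWER, "auniarael.com."),
        ("AAAA, SOA at root", AAAA_ROOT_SOA, "auniarael.com."),
        ("AAAA, SOA at apex", AAAA_GOOD_SOA, "auniarael.com."),
        ("AAAA, assumed cut wallst.com", WALLST_SOA, "wallst.com."),
        ("AAAA, assumed cut nytimes.wallst.com", WALLST_SOA, "nytimes.wallst.com."),
    ]
    for label, resp, zone in cases:
        print(f"{label:40s} -> {check_nodata_response(resp, zone)}")
```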


Questions on BIND Start/stop Timings Solaris 9 vs. Ubuntu hardy

2010-04-16 Thread b19141
I did some timings with BIND 9.6.1-P3 and 9.7.0-P1 on two servers:

 SunOS 5.9 sun4u sparc SUNW,Sun-Blade-1500  (old hardware)
 Ubuntu hardy x86_64 GNU/Linux  (more modern hardware)

I had noticed long times for "rndc reload" to complete, and I wanted to
see if 9.6.1-P3 was different than 9.7.0-P1.

My test DNS has three small "regular" zones defined.  It also has our
list of 75,507 spyware/malware zones that we define to point to a
"honeypot" machine to log and respond to the traffic.

I have marked with "<=" areas where I have questions.

SunOS 5.9:
 ---
 9.7.0-P1
 Apr 15 10:27:48  ./rndc reload
 Apr 15 10:28:21  reloading configuration succeeded
 Apr 15 10:28:21  zone binhafeez.ae/IN: loaded serial ...
 Apr 15 10:30:38  zone thabengmanagement.co.za/IN: loaded serial ...
  named process taking 99.44% of CPU.   <=
 Apr 15 10:32:51  reloading zones succeeded
 Apr 15 10:32:51  next command prompt
 ---
 Apr 15 10:46:07  ./rndc stop
 Apr 15 10:46:07  shutting down: flushing changes
 Apr 15 10:46:07  no longer listening on 146.137.180.21
 Apr 15   named process not shown in "top" output.
 Apr 15 10:47:41  ps -ef | grep named shows named process gone.  <=
 ---
 Apr 15 10:53:09  Start BIND.
 Apr 15 10:53:09  built with '--prefix=/export/home/named/bind'
 '--with-openssl=/krb5'
 '--sysconfdir=/export/home/named'
 '--enable-threads'
 '--localstatedir=/var'
 Apr 15 10:53:56  named taking 87% of CPU
 Apr 15 10:54:49  ps -ef | grep named shows two named processes.
   root 21638 21637 94 10:53:09 ?1:34 /e...
   root 21637 19863  0 10:53:09 pts/20:00 /e...
 Apr 15 10:53:40  zone binhafeez.ae/IN: loaded serial ...
 Apr 15 10:55:55  zone thabengmanagement.co.za/IN: loaded serial ...
 Apr 15 10:58:08  two named processes   <=
 Apr 15 10:58:09  next command prompt
 Apr 15 10:58:13  one named process
 ---
 Apr 15 11:29:07  ./rndc stop
 Apr 15 11:29:07  next command prompt
  named taking 90% - 95%  of CPU   <=
 Apr 15 11:30:45  named process finally stops
 ---
 9.6.1-P3
 Apr 15 11:32:34  Start BIND.
 Apr 15 11:32:34  built with '--prefix=/export/home/named/bind'
 '--with-openssl=/krb5'
 '--sysconfdir=/export/home/named'
 '--enable-threads'
 '--localstatedir=/var'
  two named processes running
  named taking 80% - 99% of CPU
 Apr 15 11:33:05  zone binhafeez.ae/IN: loaded serial ...
 Apr 15 11:35:17  zone thabengmanagement.co.za/IN: loaded serial ...
 Apr 15 11:37:31  running  <=
 Apr 15 11:37:31  next command prompt
 Apr 15 11:37:32  one named process running
 ---


Ubuntu hardy:
 ---
 9.7.0-P1
 Apr 15 10:38:54  ./rndc reload
  named process taking 11% - 20% of CPU
 Apr 15 10:39:04  zone binhafeez.ae/IN: loaded serial ...
 Apr 15 10:40:06  zone thabengmanagement.co.za/IN: loaded serial ...
 Apr 15 10:40:19  next command prompt
 
 Apr 15 11:07:51  ./rndc stop
 Apr 15 11:07:51  next command prompt
 Apr 15 11:07:52  no longer listening on 146.139.115. 146#53
 Apr 15   named taking 87% of CPU.
 Apr 15 11:10:00  exiting
 Apr 15 11:10:06  named process is gone.
 ---
 Apr 15 11:12:27  Start BIND.
 Apr 15 11:12:27  built with '--prefix=/etc/iscbind/bind/'
 '--sysconfdir=/etc/iscbind'
 '--mandir=/usr/share/man'
 '--infodir=/usr/share/info'
  named taking 80% of CPU
  two named processes running
   root 31162 1 60 11:12 ?00:00:38 /et
 Apr 15 11:12:37  zone binhafeez.ae/IN: loaded serial ...
 Apr 15 11:13:12  zone thabengmanagement.co.za/IN: loaded serial ...
 Apr 15 11:13:14  next command prompt
 Apr 15 11:13:15  one named process running
 ---
 Apr 15 11:18:25  ./rndc stop
 ---
 9.6.1-P3
 Apr 15 11:22:57  Start BIND.
 Apr 15 11:22:58  built with '--prefix=/etc/iscbind/bind/'
 '--sysconfdir=/etc/iscbind'
 '--localstatedir=/var'
 '--mandir=/usr/share/man'
 '--infodir=/usr/share/info'
 Apr 15 11:23:07  zone binhafeez.ae/IN: loaded serial ...
 Apr 15 11:23:27  zone thabengmanagement.

Re: Questions on BIND Start/stop Timings Solaris 9 vs. Ubuntu hardy

2010-04-29 Thread b19141
I wrote on April 16:

Another Question about SERVFAIL

2010-05-25 Thread b19141
One of our networking personnel is trying to access

 ftp.cisco.com

and is unable to do so from Argonne.  He has no problem from home,
(Comcast).  The Comcast DNS servers are

 68.87.72.134
 68.87.77.134

and report that they are running "Nominum Vantio 4.2.1.0" (about which
I know very little).

My DNS servers are running BIND 9.7.0-P1.  I did some DNS queries here
and I have made comments after each DNS query.

Are my comments and suppositions correct?
===
dnsserver% dig ftp.cisco.com  

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61726
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.cisco.com. IN  A

;; Query time: 177 msec
;; SERVER: 146.139.254.5#53(146.139.254.5)
;; WHEN: Tue May 18 11:01:45 2010
;; MSG SIZE  rcvd: 31

dnsserver% 

Note the SERVFAIL response.  BIND detects that something is wrong.
===
dnsserver% dig cisco.com ns 

; <<>> DiG 9.7.0-P1 <<>> cisco.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52864
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;cisco.com. IN  NS

;; ANSWER SECTION:
cisco.com.  38065   IN  NS  ns1.cisco.com.
cisco.com.  38065   IN  NS  ns2.cisco.com.

;; ADDITIONAL SECTION:
ns1.cisco.com.  2668IN  A   128.107.241.185
ns2.cisco.com.  2831IN  A   64.102.255.44

;; Query time: 1 msec
;; SERVER: 146.139.254.5#53(146.139.254.5)
;; WHEN: Tue May 18 14:08:01 2010
;; MSG SIZE  rcvd: 95

dnsserver% 

There are two authoritative name servers for cisco.com .
===
dnsserver% dig ftp.cisco.com @ns1.cisco.com.

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @ns1.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33283
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ftp.cisco.com. IN  A

;; ANSWER SECTION:
ftp.cisco.com.  60  IN  A   198.133.219.241

;; AUTHORITY SECTION:
ftp.cisco.com.  86400   IN  NS  rtp5-ddir-ns.cisco.com.
ftp.cisco.com.  86400   IN  NS  sjce-ddir-ns.cisco.com.

;; ADDITIONAL SECTION:
rtp5-ddir-ns.cisco.com. 86400   IN  A   64.102.255.39
sjce-ddir-ns.cisco.com. 86400   IN  A   128.107.240.86

;; Query time: 60 msec
;; SERVER: 128.107.241.185#53(128.107.241.185)
;; WHEN: Tue May 18 14:08:21 2010
;; MSG SIZE  rcvd: 133

dnsserver% 

This response (from one of the two name servers) has problems.

1) There is an answer, but without the "aa" (authoritative answer)
   flag, the response appears to be coming from the cache.

2) The authority section lists the two nameservers that are
   authoritative for the zone ftp.cisco.com.

3) I am not a DNS expert, but with "ra" (recursion available) and
   "rd" (recursion desired) both set, I would expect my query to
   recurse to a name server that will return an authoritative answer.
   Or, since I sent the request to a specific name server, that
   server would return no answers but a referral to the authoritative
   name servers.
===
dnsserver% dig ftp.cisco.com @rtp5-ddir-ns.cisco.com.

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @rtp5-ddir-ns.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13745
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.cisco.com. IN  A

;; ANSWER SECTION:
ftp.cisco.com.  60  IN  A   198.133.219.241

;; Query time: 288 msec
;; SERVER: 64.102.255.39#53(64.102.255.39)
;; WHEN: Tue May 18 14:08:46 2010
;; MSG SIZE  rcvd: 47

dnsserver% 
dnsserver% dig ftp.cisco.com @sjce-ddir-ns.cisco.com.

; <<>> DiG 9.7.0-P1 <<>> ftp.cisco.com @sjce-ddir-ns.cisco.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3781
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.cisco.com. IN  A

;; ANSWER SECTION:
ftp.cisco.com.  60  IN  A   198.133.219.241

;; Query time: 219 msec
;; SERVER: 128.107.240.86#53(128.107.240.86)
;; WHEN: Tue May 18 14:09:12 2010
;; MSG SIZE  rcvd: 47

dnsserver% 

Here I queried both supposedly authoritative name servers, and 
from each I get a non-authoritative answer.  When I did the same
query yesterday afternoon, neither of these two name servers was
accessible.

I assume that with BIND 9.7.0-P1, if the response is not
authoritative, then BIND will not trust the answ

Re: Upgrade path?

2010-06-14 Thread b19141
>sasa sasa  wrote:
>
>Hi list,
>
>Is it OK to upgrade from 9.4.2 to 9.7.0-P2 directly?
>I mean I already have 9.4.2; I can install the latest one with ./configure,
>make and make install. Is there a problem with these steps?
>
>Please note I already tried it and it worked fine on a cache-only DNS.

The way I have BIND installed on Solaris (and soon to be on Ubuntu)
is this:  In the

 named

directory I have symbolic links:

 bind -> bind-9.7.0-P2
 dig -> bind/bin/dig
 named -> bind/sbin/named
 host -> bind/bin/hos
 et alii for the other executables.

When I did the "make install" for bind-9.7.0-P2, the "bind" symlink
pointed to the production

 bind-9.7.0-P1

and the only drawback was that for the few minutes while the "make
install" was running, I had to point the bind symlink to the new
directory.  As soon as that finished, and I did an "ldd" on all of
the executables as a check, I moved the symlink back to bind-9.7.0-P1.
When it was time to put -P2 in production, all I had to do was

 rndc stop
 rm bind
 ln -s bind-9.7.0-P2 bind
 ls -al bind
 Start named via a script in /etc/init.d .

If I had found problems with -P2, I could easily have reverted back
to -P1.


Re: Microsoft's nslookup Implementation Problems

2010-06-14 Thread b19141
On 06/13/10 13:00, Merton Campbell Crockett wrote:
> Microsoft's nslookup is broken.  What alternative applications can be
> installed and used in a Windows XP environment that will continue to
> work in a Windows 7 environment after a decision is made to upgrade Windows?

In this discussion, I have not seen any definition/details as to
what is "broken".  In the "standard" nslookup, I see some deficiencies:

1) The code checks to see that the DNS server being used is registered
   in DNS - both forward and reverse.  If not, nslookup quits.

2) There are times when the user poses a question to nslookup, and
   what is produced is not an answer.  For example, there could be
   in the DNS response packet, "ANSWER: 0" and an SOA record as
   authority.  The "dig" utility shows the header fields, so we know
   that there is no answer.  But the novice nslookup user sees the SOA
   and wonders why that is an answer to his/her question.

But neither of these deficiencies is Microsoft's fault.  These are
deficiencies from the early days of nslookup, I believe.  I have no
idea if MS has modified the nslookup code.


Bind 9.7.0-P2 Bus Error - Solaris 9

2010-06-14 Thread b19141
This morning on a Solaris 9 system, I issued these commands:

titania% dig cnnet.upr.edu

; <<>> DiG 9.7.0-P1 <<>> cnnet.upr.edu
;; global options: +cmd
;; connection timed out; no servers could be reached
titania% !! +trace
dig cnnet.upr.edu +trace

; <<>> DiG 9.7.0-P1 <<>> cnnet.upr.edu +trace
;; global options: +cmd
.   454314  IN  NS  d.root-servers.net.
.   454314  IN  NS  c.root-servers.net.
.   454314  IN  NS  i.root-servers.net.
.   454314  IN  NS  g.root-servers.net.
.   454314  IN  NS  m.root-servers.net.
.   454314  IN  NS  e.root-servers.net.
.   454314  IN  NS  j.root-servers.net.
.   454314  IN  NS  a.root-servers.net.
.   454314  IN  NS  l.root-servers.net.
.   454314  IN  NS  k.root-servers.net.
.   454314  IN  NS  h.root-servers.net.
.   454314  IN  NS  b.root-servers.net.
.   454314  IN  NS  f.root-servers.net.
;; Received 508 bytes from 146.139.254.5#53(146.139.254.5) in 2 ms

edu.    172800  IN  NS  c.gtld-servers.net.
edu.    172800  IN  NS  a.gtld-servers.net.
edu.    172800  IN  NS  f.gtld-servers.net.
edu.    172800  IN  NS  l.gtld-servers.net.
edu.    172800  IN  NS  g.gtld-servers.net.
edu.    172800  IN  NS  e.gtld-servers.net.
edu.    172800  IN  NS  d.gtld-servers.net.
;; Received 299 bytes from 192.36.148.17#53(i.root-servers.net) in 4 ms

upr.edu.    172800  IN  NS  dns1.uprm.edu.
upr.edu.    172800  IN  NS  dns2.uprm.edu.
upr.edu.    172800  IN  NS  ns1.upr.edu.
upr.edu.    172800  IN  NS  upr1.upr.clu.edu.
;; Received 183 bytes from 192.31.80.30#53(d.gtld-servers.net) in 83 ms

cnnet.upr.edu.  28800   IN  NS  GOLIATH.cnnet.upr.edu.
cnnet.upr.edu.  28800   IN  NS  NS3.cnnet.upr.edu.
cnnet.upr.edu.  28800   IN  NS  NS1.cnnet.upr.edu.
;; Received 137 bytes from 136.145.5.66#53(ns1.upr.edu) in 65 ms

;; connection timed out; no servers could be reached
Bus Error (core dumped)
titania% ls -al core
-rw-------   1 b19141   staff    2448292 Jun 14 07:25 core
titania% 

titania.it.anl.gov# /usr/afsws/local/bin/gdb bind/bin/dig 
/export/home/b19141/core
GNU gdb 6.7.1
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.9"...

warning: Can't read pathname for load map: I/O error.
Reading symbols from /krb5/lib/libcrypto.so.0.9.8...done.
Loaded symbols for /krb5/lib/libcrypto.so.0.9.8
Reading symbols from /usr/lib/libnsl.so.1...done.
Loaded symbols for /usr/lib/libnsl.so.1
Reading symbols from /usr/lib/libsocket.so.1...done.
Loaded symbols for /usr/lib/libsocket.so.1
Reading symbols from /usr/lib/libpthread.so.1...done.
Loaded symbols for /usr/lib/libpthread.so.1
Reading symbols from /usr/lib/libthread.so.1...done.
Loaded symbols for /usr/lib/libthread.so.1
Reading symbols from /usr/lib/libc.so.1...done.
Loaded symbols for /usr/lib/libc.so.1
Reading symbols from /usr/lib/libdl.so.1...done.
Loaded symbols for /usr/lib/libdl.so.1
Reading symbols from /usr/lib/libmp.so.2...done.
Loaded symbols for /usr/lib/libmp.so.2
Reading symbols from /usr/platform/SUNW,Sun-Fire-V240/lib/libc_psr.so.1...done.
Loaded symbols for /usr/platform/SUNW,Sun-Fire-V240/lib/libc_psr.so.1
Reading symbols from /usr/lib/nss_dns.so.1...done.
Loaded symbols for /usr/lib/nss_dns.so.1
Reading symbols from /usr/lib/libresolv.so.2...done.
Loaded symbols for /usr/lib/libresolv.so.2
Reading symbols from /usr/lib/nss_files.so.1...done.
Loaded symbols for /usr/lib/nss_files.so.1

warning: Can't read pathname for load map: I/O error.

warning: Can't read pathname for load map: I/O error.
Core was generated by `/export/home/b19141/dig cnnet.upr.edu +trace'.
Program terminated with signal 10, Bus error.
#0  0x0002e6a4 in connect_timeout (task=0x1b63b8, event=0x0) at dighost.c:2578
2578    if ((query != NULL) && (query->lookup->current_query != NULL) &&
(gdb) 

Do I need to file an official bug report?
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory 

Re: Bind 9.7.0-P2 Bus Error - Solaris 9

2010-06-14 Thread b19141
b19141> This morning on a Solaris 9 system, I issued these commands:
b19141> titania% dig cnnet.upr.edu
b19141> ; <<>> DiG 9.7.0-P1 <<>> cnnet.upr.edu
[...]
b19141> Bus Error (core dumped)

ebers...@isc.org (Paul Ebersman) replied:

>Tried to repro on ubuntu and mac os with this bind version. Unless I try
>to control-C out, I can't repro this. If left to run, dig just times out
>(all three NS are unreachable for that zone, at least from my machines).
>
>Did you try to abort the +trace before it timed out?

I tried again a few minutes ago, and I got the same

 "Bus Error (core dumped)"

I did not hit control-c.


Re: Bind 9.7.0-P2 Bus Error - Solaris 9

2010-06-14 Thread b19141
I just tried the same command on a Solaris 10 system, also 9.7.0-P2:

andvari-dr# ./dig cnnet.upr.edu +trace

; <<>> DiG 9.7.0-P1 <<>> cnnet.upr.edu +trace
;; global options: +cmd
.   517599  IN  NS  e.root-servers.net.
.   517599  IN  NS  a.root-servers.net.
.   517599  IN  NS  i.root-servers.net.
.   517599  IN  NS  g.root-servers.net.
.   517599  IN  NS  h.root-servers.net.
.   517599  IN  NS  d.root-servers.net.
.   517599  IN  NS  m.root-servers.net.
.   517599  IN  NS  c.root-servers.net.
.   517599  IN  NS  f.root-servers.net.
.   517599  IN  NS  j.root-servers.net.
.   517599  IN  NS  k.root-servers.net.
.   517599  IN  NS  b.root-servers.net.
.   517599  IN  NS  l.root-servers.net.
;; Received 500 bytes from 146.137.252.65#53(146.137.252.65) in 3 ms

edu.    172800  IN  NS  d.gtld-servers.net.
edu.    172800  IN  NS  a.gtld-servers.net.
edu.    172800  IN  NS  e.gtld-servers.net.
edu.    172800  IN  NS  l.gtld-servers.net.
edu.    172800  IN  NS  g.gtld-servers.net.
edu.    172800  IN  NS  f.gtld-servers.net.
edu.    172800  IN  NS  c.gtld-servers.net.
;; Received 299 bytes from 192.5.5.241#53(f.root-servers.net) in 7531 ms

upr.edu.    172800  IN  NS  dns1.uprm.edu.
upr.edu.    172800  IN  NS  dns2.uprm.edu.
upr.edu.    172800  IN  NS  ns1.upr.edu.
upr.edu.    172800  IN  NS  upr1.upr.clu.edu.
;; Received 183 bytes from 192.12.94.30#53(e.gtld-servers.net) in 114 ms

cnnet.upr.edu.  28800   IN  NS  GOLIATH.cnnet.upr.edu.
cnnet.upr.edu.  28800   IN  NS  NS1.cnnet.upr.edu.
cnnet.upr.edu.  28800   IN  NS  NS3.cnnet.upr.edu.
;; Received 137 bytes from 136.145.1.4#53(upr1.upr.clu.edu) in 79 ms

;; connection timed out; no servers could be reached
Bus Error (core dumped)
andvari-dr# uname -a
SunOS andvari-dr.it.anl.gov 5.10 Generic_142900-12 sun4u sparc 
SUNW,Sun-Fire-V240
andvari-dr# /usr/afsws/local/bin/gdb bind/bin/dig core
GNU gdb (GDB) 7.0
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.10".
For bug reporting instructions, please see:
...
Reading symbols from /export/home/named/bind-9.7.0-P1/bin/dig...done.
[New LWP 3]
[New LWP 4]
[New LWP 1]
Reading symbols from /usr/lib/libgss.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libgss.so.1
Reading symbols from /usr/sfw/lib/libcrypto.so.0.9.7...(no debugging symbols 
found)...done.
Loaded symbols for /usr/sfw/lib/libcrypto.so.0.9.7
Reading symbols from /usr/lib/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libnsl.so.1
Reading symbols from /usr/lib/libsocket.so.1...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib/libsocket.so.1
Reading symbols from /usr/lib/libscf.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libscf.so.1
Reading symbols from /usr/lib/libpthread.so.1...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib/libpthread.so.1
Reading symbols from /usr/lib/libthread.so.1...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib/libthread.so.1
Reading symbols from /usr/lib/libxml2.so.2...(no debugging symbols 
found)...done.
Loaded symbols for /usr/lib/libxml2.so.2
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libm.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libm.so.2
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
[New Thread 1 (LWP 1)]
[New Thread 2 (LWP 2)]
[New Thread 3]
[New Thread 4 (LWP 4)]
Loaded symbols for /usr/lib/libc.so.1
Reading symbols from /lib/libcmd.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libcmd.so.1
Reading symbols from /lib/libdoor.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libdoor.so.1
Reading symbols from /lib/libuutil.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libuutil.so.1
Reading symbols from /lib/libgen.so.1...(no debugging symbol

Re: Bind 9.7.0-P2 Bus Error - Solaris 9

2010-06-15 Thread b19141
At Mon, 14 Jun 2010 09:06:50 -0500 (CDT),
b19...@anl.gov wrote:

>> This morning on a Solaris 9 system, I issued these comands:

JINMEI Tatuya /   replied:

> I believe I found the cause of the bug.  Please try the patch copied
> below.

I tested the patch on Solaris 9 and 10, and no core files were
produced.  I tested only this one command:

 dig cnnet.upr.edu +trace

--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 240, Room 5.B.8 Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994