got "BAD (HORIZONTAL) REFERRAL" error

2010-11-15 Thread jeff
Hi all, I have set up a BIND server hosting the zone faisco.com, and it worked
fine for several days, but one of my new clients said that they can't resolve my
domain, while they can resolve other web sites without any problem. I ran 'dig'
on their machine; this is the result:

; <<>> DiG 9.4.0 <<>> www.faisco.com +trace
;; global options:  printcmd
.                       3600    IN      NS      m.root-servers.net.
.                       3600    IN      NS      l.root-servers.net.
.                       3600    IN      NS      k.root-servers.net.
.                       3600    IN      NS      j.root-servers.net.
.                       3600    IN      NS      i.root-servers.net.
.                       3600    IN      NS      h.root-servers.net.
.                       3600    IN      NS      g.root-servers.net.
.                       3600    IN      NS      f.root-servers.net.
.                       3600    IN      NS      e.root-servers.net.
.                       3600    IN      NS      d.root-servers.net.
.                       3600    IN      NS      c.root-servers.net.
.                       3600    IN      NS      b.root-servers.net.
.                       3600    IN      NS      a.root-servers.net.
;; Received 417 bytes from 192.168.0.10#53(192.168.0.10) in 0 ms

com.                    165333  IN      NS      g.gtld-servers.net.
com.                    165333  IN      NS      h.gtld-servers.net.
com.                    165333  IN      NS      i.gtld-servers.net.
com.                    165333  IN      NS      j.gtld-servers.net.
com.                    165333  IN      NS      k.gtld-servers.net.
com.                    165333  IN      NS      l.gtld-servers.net.
com.                    165333  IN      NS      m.gtld-servers.net.
com.                    165333  IN      NS      a.gtld-servers.net.
com.                    165333  IN      NS      b.gtld-servers.net.
com.                    165333  IN      NS      c.gtld-servers.net.
com.                    165333  IN      NS      d.gtld-servers.net.
com.                    165333  IN      NS      e.gtld-servers.net.
com.                    165333  IN      NS      f.gtld-servers.net.
;; Received 464 bytes from 192.203.230.10#53(e.root-servers.net) in 284 ms

com.                    165333  IN      NS      g.gtld-servers.net.
com.                    165333  IN      NS      h.gtld-servers.net.
com.                    165333  IN      NS      i.gtld-servers.net.
com.                    165333  IN      NS      j.gtld-servers.net.
com.                    165333  IN      NS      k.gtld-servers.net.
com.                    165333  IN      NS      l.gtld-servers.net.
com.                    165333  IN      NS      m.gtld-servers.net.
com.                    165333  IN      NS      a.gtld-servers.net.
com.                    165333  IN      NS      b.gtld-servers.net.
com.                    165333  IN      NS      c.gtld-servers.net.
com.                    165333  IN      NS      d.gtld-servers.net.
com.                    165333  IN      NS      e.gtld-servers.net.
com.                    165333  IN      NS      f.gtld-servers.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 464 bytes from 192.41.162.30#53(l.gtld-servers.net) in 383 ms

com.                    165333  IN      NS      g.gtld-servers.net.
com.                    165333  IN      NS      h.gtld-servers.net.
com.                    165333  IN      NS      i.gtld-servers.net.
com.                    165333  IN      NS      j.gtld-servers.net.
com.                    165333  IN      NS      k.gtld-servers.net.
com.                    165333  IN      NS      l.gtld-servers.net.
com.                    165333  IN      NS      m.gtld-servers.net.
com.                    165333  IN      NS      a.gtld-servers.net.
com.                    165333  IN      NS      b.gtld-servers.net.
com.                    165333  IN      NS      c.gtld-servers.net.
com.                    165333  IN      NS      d.gtld-servers.net.
com.                    165333  IN      NS      e.gtld-servers.net.
com.                    165333  IN      NS      f.gtld-servers.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 464 bytes from 192.26.92.30#53(c.gtld-servers.net) in 329 ms

com.                    165333  IN      NS      g.gtld-servers.net.
com.                    165333  IN      NS      h.gtld-servers.net.
com.                    165333  IN      NS      i.gtld-servers.net.
com.                    165333  IN      NS      j.gtld-servers.net.
com.                    165333  IN      NS      k.gtld-servers.net.
com.                    165333  IN      NS      l.gtld-servers.net.
com.                    165333  IN      NS      m.gtld-servers.net.
com.                    165333  IN      NS      a.gtld-servers.net.
com.                    165333  IN      NS      b.gtld-servers.net.
com.                    165333  IN      NS      c.gtld-servers.net.
com.                    165333  IN      NS      d.gtld-servers.net.
com.                    165333  IN      NS      e.gtld-servers.net.
com.                    165333  IN      NS      f.gtld-servers.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 464 bytes from 192.5.6.30#53(a.gtld-servers.net) in 466 ms

com.                    165333  IN      NS      g.gtld-servers.net.
com.                    165333  IN      NS      h.gtld-servers.net.
com.                    165333  IN      NS      i.gtld-servers.net.
com.                    165333  IN      NS      j.gtld-servers.net.
com.                    165333  IN      NS      k.gtld-servers.net.
com.                    165333  IN      NS      l.gtld-servers.net.
com.                    165333  IN      NS      m.gtld-servers.net.
com.                    165333  IN      NS      a.gtld-servers.net.
com.                    165333  IN      NS      b.gtld-servers.net.
com.                    165333  IN      NS      c.gtld-servers.net.
com.                    165333  IN      NS      d.gtld-servers.net.
com.                    165333  IN      NS      e.gtld-servers.net.
com.                    165333  IN      NS      f.gtld-servers.net.
;; BAD (HORIZONTAL) REFERRAL
;; Received 464 bytes from 192.12.94.30#53(e.gtld-servers.net) in 383 ms

Lots of 'BAD (HORIZONTAL) REFERRAL'??? And the correct result should be like
this:

; <<>> DiG 9.4.0 <<>> www.faisco.com +trace
;; global options:  printcmd
.                       43757   IN      NS      a.root-servers.net.
.                       43757   IN      NS      b.root-servers.net.
.                       43757   IN      NS      c.root-servers.net.
.                       43757   IN      NS      d.root-servers.net.
.                       43757   IN      NS      e.root-servers.net.
.                       43757   IN      NS      f.root-servers.net.
.                       43757   IN      NS      g.root-servers.net.
.                       43757   IN      NS      h.root-servers.net.
.                       43757   IN      NS      i.root-servers.net.
.                       43757   IN      NS      j.root-servers.net.
.                       43757   IN      NS      k.root-servers.net.
.                       43757   IN      NS      l.root-servers.net.
.                       43757   IN      NS      m.root-servers.net.
;; Received 228 bytes from 192.168.1.254#53(192.168.1.254) in 156 ms

com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
;; Received 504 bytes from 192.203.230.10#53(e.root-servers.net) in 531 ms

faisco.com.             172800  IN      NS      dns1.fais

Re: I need to find statistics on a running server.

2023-01-12 Thread Jeff Sumner
I’ve turned on query logging, then grepped for the count of lines logged in a 
particular second. 

 

Worked well enough for the job at the time.

 

J

 

From: bind-users on behalf of "King, Harold Clyde (Hal) via bind-users"
Reply-To: "King, Harold Clyde (Hal)"
Date: Thursday, 12 January 2023, 1:20 PM
To: bind-users
Subject: I need to find statistics on a running server.

 

I need to find some answers like queries per second.  Any fast ideas folks?


--

Hal King  - h...@utk.edu
Systems Administrator
Office of Information Technology
Shared Services

The University of Tennessee
103c5 Kingston Pike Building
2309 Kingston Pk. Knoxville, TN 37996
Phone: 974-1599

-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list ISC funds the development of this software with paid support 
subscriptions. Contact us at https://www.isc.org/contact/ for more information. 
bind-users mailing list bind-users@lists.isc.org 
https://lists.isc.org/mailman/listinfo/bind-users 

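The "grep the count of lines logged in a particular second" approach above, carried a little further as an added example (this is not code from the thread or from ISC). It buckets BIND query-log lines by the second they were logged, and also reports the peak second, the seconds above a burst threshold and the busiest clients, which is usually what the QPS question is really asking. It accepts both the older `client 192.0.2.11#40211: query: ...` line shape and the newer `client @0xPTR 192.0.2.10#53124 (name): query: ...` shape; the `SAMPLE_LOG` lines are constructed for the example, and the client and server addresses in them are documentation ranges, not real hosts.

```python
"""Queries-per-second and top talkers from a BIND query log (added example)."""
import re
from collections import Counter
from datetime import datetime

# Timestamp, client and question from one query-log line. The lazy ".*?" parts
# skip the "queries: info:" prefix (newer logs) and the parenthesised name so
# that both the older and the newer line shapes match.
_QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r".*?client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+"
    r".*?query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
_TS_FORMAT = "%d-%b-%Y %H:%M:%S"

# Constructed sample: six queries spread over five seconds plus one non-query
# line that must be ignored.
SAMPLE_LOG = """
12-Jan-2023 13:20:01.004 queries: info: client @0x7f3c1c0a2d20 192.0.2.10#53124 (www.example.com): query: www.example.com IN A +E(0)K (198.51.100.53)
12-Jan-2023 13:20:01.250 client 192.0.2.11#40211: query: mail.example.com IN MX + (198.51.100.53)
12-Jan-2023 13:20:01.731 queries: info: client @0x7f3c1c0a2d20 192.0.2.10#53125 (example.com): query: example.com IN AAAA +E(0)K (198.51.100.53)
12-Jan-2023 13:20:02.120 queries: info: client @0x7f3c1c0a2d20 192.0.2.10#53126 (www.example.com): query: www.example.com IN A +E(0)K (198.51.100.53)
12-Jan-2023 13:20:02.910 client 192.0.2.11#40212: query: example.com IN NS + (198.51.100.53)
12-Jan-2023 13:20:03.000 general: info: zone example.com/IN: loaded serial 2023011201
12-Jan-2023 13:20:05.003 queries: info: client @0x7f3c1c0a2d20 192.0.2.10#53127 (ns1.example.com): query: ns1.example.com IN A +E(0)K (198.51.100.53)
""".strip().splitlines()


def parse_query_line(line):
    """Return {ts, client, qname, qclass, qtype} for a query line, else None."""
    m = _QUERY_RE.match(line)
    return m.groupdict() if m else None


def queries_per_second(lines):
    """Count logged queries per wall-clock second, keyed 'DD-Mon-YYYY HH:MM:SS'."""
    counts = Counter()
    for line in lines:
        rec = parse_query_line(line)
        if rec:
            counts[rec["ts"]] += 1
    return counts


def summarize(lines, burst_threshold=0):
    """Overall, peak and per-client figures; seconds above burst_threshold are listed."""
    records = [r for r in map(parse_query_line, lines) if r]
    per_second = Counter(r["ts"] for r in records)
    if not per_second:
        return {"total_queries": 0}
    seconds = sorted(per_second, key=lambda s: datetime.strptime(s, _TS_FORMAT))
    first = datetime.strptime(seconds[0], _TS_FORMAT)
    last = datetime.strptime(seconds[-1], _TS_FORMAT)
    # Quiet seconds inside the window count towards the mean; peak is per second.
    span = int((last - first).total_seconds()) + 1
    total = len(records)
    peak_second = max(seconds, key=per_second.__getitem__)
    return {
        "total_queries": total,
        "span_seconds": span,
        "mean_qps": total / span,
        "peak_second": peak_second,
        "peak_qps": per_second[peak_second],
        "bursts": [s for s in seconds if per_second[s] > burst_threshold],
        "top_clients": Counter(r["client"] for r in records).most_common(3),
        "qtypes": dict(Counter(r["qtype"] for r in records)),
    }


if __name__ == "__main__":
    import json
    import sys

    # Pass a real query log as the first argument; without one the sample runs.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(summarize(source, burst_threshold=2), indent=2))
```

Query logging costs one log line per query, so turn it on for a bounded window (`rndc querylog on` ... `rndc querylog off`) rather than leaving it running on a busy resolver; the per-client counts are the quickest way to spot a single source responsible for a burst.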


Re: Multiple BIND instances

2012-02-06 Thread Jeff Peng

On 2012-2-7 15:09, sasa sasa wrote:

I got a server with 16GB memory, want to install 2 BIND on CentOS, one cache 
only and another authoritative.
Is it better to install 2 OS virtually and run BIND in them or run 2 instances 
of BIND on the same OS? I mean what is the best practice to take advantage of 
the hardware resources without risking having single DNS with cache and 
authoritative?


One OS with two or more public IPs for different BIND instances is 
better IMO.



RE: Multiple BIND instances

2012-02-07 Thread Lightner, Jeff
Virtualization doesn't reduce use of resources but DOES separate into what are 
perceived to be multiple "servers" so I'm not sure what you mean by "you still 
have one server".





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Matus UHLAR - fantomas
Sent: Tuesday, February 07, 2012 3:18 AM
To: bind-users@lists.isc.org
Subject: Re: Multiple BIND instances

On 06.02.12 23:09, sasa sasa wrote:
>I got a server with 16GB memory, want to install 2 BIND on CentOS, one
> cache only and another authoritative.

> Is it better to install 2 OS virtually and run BIND in them or run 2
> instances of BIND on the same OS?

According to what I've heard, virtualization has quite high overhead in
such situations.

> I mean what is the best practice to take advantage of the hardware
> resources without risking having single DNS with cache and
> authoritative?

You still have one server, virtualization would not change much about
this.

You can even run a single BIND instance with two separate views and
that should not affect functionality.

I suppose you are running 64bit OS, so you can have really huge cache
(>4GB)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe.




Athena(r), Created for the Cause(tm)
Making a Difference in the Fight Against Breast Cancer

-
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential 
information and is for the sole use of the intended recipient(s). If you are 
not the intended recipient, any disclosure, copying, distribution, or use of 
the contents of this information is prohibited and may be unlawful. If you have 
received this electronic transmission in error, please reply immediately to the 
sender that you have received the message in error, and delete it. Thank you.
--



about the MX and NS values

2012-02-08 Thread Jeff Peng
I was thinking why RFC requires the values of MX and NS must be hostname 
not IP.

Any glue? Thanks.


Re: about the MX and NS values

2012-02-08 Thread Jeff Peng

On 2012-2-9 15:27, Mark Andrews wrote:

When you serve 10 zones do you want to update 1 address
record or 10 NS record on a address change?

When you serve 10 mail domains do you want to update 1
address record or 10 MX records on a address change?


Yup that's clean.
thanks.

A question for the reference

2012-03-05 Thread Jeff Peng

Hello,

Please see this case:

$ dig funnygamesite.com @k.gtld-servers.net

; <<>> DiG 9.7.3 <<>> funnygamesite.com @k.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35540
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;funnygamesite.com. IN  A

;; AUTHORITY SECTION:
funnygamesite.com.  172800  IN  NS  ns1.dnsbed.com.
funnygamesite.com.  172800  IN  NS  ns2.dnsbed.com.

;; ADDITIONAL SECTION:
ns1.dnsbed.com. 172800  IN  A   174.140.172.238
ns2.dnsbed.com. 172800  IN  A   50.31.252.20

;; Query time: 188 msec
;; SERVER: 192.52.178.30#53(192.52.178.30)
;; WHEN: Tue Mar  6 09:30:42 2012
;; MSG SIZE  rcvd: 110


When a resolver queries funnygamesite.com at one of the gTLD name 
servers, will the resolver use the referral (AUTHORITY SECTION and 
ADDITIONAL SECTION) directly, or does it make another query for 
ns1.dnsbed.com and ns2.dnsbed.com and get the authoritative answers for them?


Thanks.



Re: A question for the reference

2012-03-05 Thread Jeff Peng

On 2012-3-6 10:23, Spain, Dr. Jeffry A. wrote:

I tested this by capturing network traffic on a bind 9.9.0 recursive resolver. 
The commands 'rndc flush' followed by 'dig @localhost funnygamesite.com' 
resulted in the following:
1. A query to m.gtld-servers.net.
2. The same referral response that you got below.
3. A follow-up query 500 microseconds after the response to ns1.dnsbed.com.
4. Ns1.dnsbed.com then provided the answer (127.0.0.1).

Thus it appears that bind 9.9.0 is relying on the data in the Authority and 
Additional sections of the first query for the addresses of funnygamesite.com's 
authoritative name servers. It is not making any additional queries for the 
addresses of those name servers. Jeff.



Thank you Spain for the helpful info.
That make the question clear.

Regards.

Re: Can I set TTL served to users in bind?

2012-03-09 Thread Jeff Peng

On 2012-3-9 16:11, Drunkard Zhang wrote:

I got some bind servers doing iterative resolution, and returning the
results to users. But I found that some names got too big TTLs, whose
RRs cannot be replaced correctly by new RRs in time. This leads to
users' blame; we have to flush the caches by hand, and restart the
SOHO router to resolve the "dead site" issue.

So I wonder whether bind can set a (lower) TTL by force before responding to
users. If it can, which option? I dug through the ARM, but got nothing.



Many ISP's caching DNS servers do this stuff.
AFAIK there is not such an option for that, but you can do it from 
BIND's source.


HTH.

Re: Can I set TTL served to users in bind?

2012-03-09 Thread Jeff Peng

On 2012-3-9 17:20, Cathy Almond wrote:

Many ISP's caching DNS servers do this stuff.
>  AFAIK there is not such an option for that, but you can do it from
>  BIND's source.

max-cache-ttl ?



Thanks Cathy for pointing out that.
From what I googled:
http://www.menandmice.com/knowledgehub/dnsqa/44/

max-cache-ttl does do this but I never know that.

Regards.

Re: glue or authoritative NS is cached and used at a cache DNS server?

2012-03-21 Thread Jeff Peng

You might want to read my this blog;
http://www.nsbeta.info/archives/115

HTH

On 2012-3-21 15:07, Felix New wrote:


When I dumpdb from the cache DNS, some domains' NS records are glue 
records, and others are authoritative.

The TTLs are different. Which type is used in the cache DNS?



RE: Name Resolution issue with one domain

2012-03-21 Thread Lightner, Jeff
I don’t think the target is blocking as I get the following:

dig www.dubaiairport.com

; <<>> DiG 9.8.1 <<>> www.dubaiairport.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36668
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dubaiairport.com.  IN  A

;; ANSWER SECTION:
www.dubaiairport.com.   7200IN  A   213.42.55.169

;; AUTHORITY SECTION:
dubaiairport.com.   172799  IN  NS  dcaowa01.dubaiairport.com.
dubaiairport.com.   172799  IN  NS  svr-b003.dubaiairport.com.

;; Query time: 337 msec
;; SERVER: 192.94.73.20#53(192.94.73.20)
;; WHEN: Wed Mar 21 19:25:08 2012
;; MSG SIZE  rcvd: 100

The point is your firewall should NOT block outbound queries for port 53 or 
other ports.   There is a well-known cache poisoning attack based on knowing the 
outbound (source) port that is going to be used, so the port should be 
randomized.   Port 53 MUST be accessible on the target DNS server as that is 
the one that is going to answer the query.







From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of babu 
dheen
Sent: Wednesday, March 21, 2012 3:14 PM
To: Matus UHLAR - fantomas; bind-users@lists.isc.org
Subject: Re: Name Resolution issue with one domain

Dear All,

When I executed #dig www.dubaiairport.com, I am 
getting the below response

; <<>> DiG 9.3.4-P1 <<>> www.dubaiairport.com
;; global options:  printcmd
;; connection timed out; no servers could be reached

 When i checked the firewall logs, as you all confirmed, traffic is leaving 
from both non standard and standard port. But firewall logs clearly shows that 
traffic from source port =53 and its getting dropped. But other DNS traffic 
towards various domains also going with source port 53 for which we have no 
issue.

 Is this port restriction done at remote domain firewall?
 Is there any way to enforce non standard port for this domain query at our 
BIND level from our side?


Mar 21 21:50:26 start_time="2012-03-21 21:47:54" duration=151 policy_id=20 
service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit 
sent=403 rcvd=0 src=10.1.1.1 dst=213.42.52.75 src_port=53 dst_port=53 
src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75 port=53 
session_id=512159 reason=Close - AGE OUT

Mar 21 21:50:46 start_time="2012-03-21 21:49:15" duration=90 policy_id=24 
service=dns proto=17 src zone=Inter-Connect dst zone=External action=Permit 
sent=927 rcvd=0 src=10.1.1.1 dst=213.42.52.79 src_port=53 dst_port=53 
src-xlated ip=10.1.1.1 port=53 dst-xlated ip=213.42.52.75  port=53 
session_id=451904 reason=Close - AGE OUT

Regards
Babu

From: Matus UHLAR - fantomas 
To: bind-users@lists.isc.org
Sent: Wednesday, 21 March 2012 11:41 AM
Subject: Re: Name Resolution issue with one domain

On 21.03.12 09:23, Mark Andrews wrote:
>Stupid firewall rules in front of the nameservers.  They block
>traffic sent from port 53 which is the port lots of nameservers
>used to send query traffic.  When will firewall administrators learn
>that the source ports can be anything, that they are not significant,
>and that blocking traffic based on the source port is stupid.

maybe the admin set that up to force local servers using random ports,
instead of 53, for outgoing requests. Nobody should use port 53 for
_outgoing_ requests.

>bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
>09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53:  18071+$ [1au] A? 
>www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>
>; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com 
>@svr-b003.dubaiairport.com
>;; global options: +cmd
>;; connection timed out; no servers could be reached
>bsdi#

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; 
http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.






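Babu's firewall log shows the sessions leaving with src_port=53 and action=Permit, sent=403, rcvd=0: the packets got out and nothing came back, which matches Mark's tcpdump from a deliberately port-53-bound dig. The BIND-side fix for "enforce a non-standard port" is therefore not per-domain at all: stop pinning the query source port. As an added example (not configuration from the thread), here is the named.conf setting that produces src_port=53, beside the corrected form; whether Babu's resolver actually carries the first form is an assumption, since his config is not on the page.

```conf
// named.conf fragments, added as an example; not from the thread.
//
// BEFORE: pins every outgoing query to UDP source port 53. This is what makes
// a resolver show up as src_port=53 in an egress log, and it leaves a cache
// poisoner only the 16-bit query ID to guess.
options {
    query-source      address * port 53;
    query-source-v6   address * port 53;
};

// AFTER: keep "address" only if the firewall needs a fixed source address;
// drop "port". With no port given, named picks a random ephemeral port for
// each query, which is the default in any current BIND 9 and what defeats
// guess-the-port poisoning. The use-*-udp-ports lines are optional: they only
// narrow the random range to what your own egress rule permits, they do not
// pin it.
options {
    query-source      address *;
    query-source-v6   address *;
    use-v4-udp-ports  { range 1024 65535; };
    use-v6-udp-ports  { range 1024 65535; };
};
```

After `rndc reconfig`, confirm the change from the resolver itself with `tcpdump -ni any 'udp dst port 53'` and check that the source port differs from query to query; the egress firewall rule then has to permit UDP from that ephemeral range to destination port 53 and the replies back, not just 53-to-53 as the logged policy does.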

RE: Restricting access & keeping identical data across views

2012-03-28 Thread Lightner, Jeff
Is signing not done at zone file level?

For our views even when the zones are identical I keep separate copies for the 
internal and external views so I would have thought this wouldn't be an issue.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Niall O'Reilly
Sent: Wednesday, March 28, 2012 5:38 AM
To: Jon A.
Cc: bind-users@lists.isc.org
Subject: Re: Restricting access & keeping identical data across views


On 28 Mar 2012, at 02:16, Jon A. wrote:

> I'm looking for a best practice to keep zone data across multiple views on 
> multiple servers sync

FWIW, you're not alone.

I have three views too, internal, external, and mendacious.
The last is for coercing unregistered clients connecting to
LANs where registration is required.

What we have works.  It will need a major overhaul for DNSSEC.
I think I know what will be needed, but would find a BP
or HOWTO helpful, provided it met my use-case closely enough.
I'm not averse to contributing some effort to such a project.

ATB
Niall O'Reilly







RE: Split DNS and zone transfers

2012-04-16 Thread Lightner, Jeff
You can also do it by IP in views but need separate IPs for each view.   You 
can do that with virtual IPs on the same NICs as the primary IPs.   Such 
virtual IPs of course have to be in the same subnet as the primary and also 
you'd need to ensure the firewall (including host level if any) is opened for the 
new IPs.







From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Eric 
Chandler
Sent: Monday, April 16, 2012 11:47 AM
To: bind-users@lists.isc.org
Subject: RE: Split DNS and zone transfers

I’ve been pointed to the right place to figure this out.  The answer is in 
using TSIG.  That saved me a lot of time. I searched everywhere but the 
most-obvious place – the bind9 faq.


Eric Chandler
Systems Architect

From: bind-users-bounces+eric.chandler=vonage@lists.isc.org 
[mailto:bind-users-bounces+eric.chandler=vonage@lists.isc.org] On Behalf Of 
Eric Chandler
Sent: Monday, April 16, 2012 11:36 AM
To: bind-users@lists.isc.org
Subject: Split DNS and zone transfers

I have a situation where I need to filter out our private infrastructure from 
our public-facing DNS servers. This is certainly something that should have 
been done a long time ago, but I just recently took over the spot. Now, I’ve 
seen plenty of examples using views and separate zonefiles, but what I can’t 
find are examples of the same domain zone-xfering both zonefiles.

Our DNS infrastructure is large and the configuration varies from server type 
to server type. Some are configured to be the primary auth servers – facing the 
Internet. Others are public-facing, but accessed only by customer devices, and 
still others service our internal systems. I would like to get us down to just 
1 set of configuration files across the board, using views as the way to do it, 
but what I can’t get around are split zone transfers.

In this example, we have a straightforward example of a split zone:

view "trusted" {
    match-clients { 192.168.23.0/24; }; // our network
    recursion yes;
    // other view statements as required
    zone "example.com" {
        type master;
        // private zone file including local hosts
        file "internal/master.example.com";
    };
    // add required zones
};

view "badguys" {
    match-clients { any; }; // all other hosts
    // recursion not supported
    recursion no;
    // other view statements as required
    zone "example.com" {
        type master;
        // public only hosts
        file "external/master.example.com";
    };
    // add required zones
};

Now, what I would like to have are slave servers that would zone-xfer both the 
internal and external-flavored files for example.com and serve them using the 
same view structure. The hidden masters can generate the split zone files based 
on private IP address ranges, but I see no way to  use zone transfers to get 
both types of files replicated to the many slave servers that I would need to 
get them to.

This obviously won’t work, but this is what I’m after from a logical sense.


view "trusted" {
    match-clients { 192.168.23.0/24; }; // our network
    recursion yes;
    // other view statements as required
    zone "example.com" {
        type slave;
        masters { 1.2.3.4; 4.5.6.7; };
        // private zone file including local hosts
        file "internal/master.example.com";
    };
    // add required zones
};

view "badguys" {
    match-clients { any; }; // all other hosts
    // recursion not supported
    recursion no;
    // other view statements as required
    zone "example.com" {
        type slave;
        masters { 1.2.3.4; 4.5.6.7; };
        // public only hosts
        file "external/master.example.com";
    };
    // add required zones
};

I suppose I could set up another pair of hidden masters to serve up the 
internal zones, or another pair of IP addrs on the masters, but I’m hoping not 
to go down that road.

Thanks,

Eric Chandler
Systems Architect

23 Main Street, Holmdel, NJ 07733
732.203.7437
732.284.8504 (iPhone)
eric.chand...@vonage.com
www.vonage.com

NOTE: The information contained in this email message is considered 
confidential and proprietary to the sender and is intended solely
for review and use by the named recipient.  Any unauthorized review, use or 
distribution is strictly prohibited. If you have received this
message in error, please advise the sender by reply email and delete the message






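Eric's follow-up says the answer is TSIG, and Jeff's alternative is a separate IP per view. The TSIG form is worth spelling out, because the trick is not the key on the transfer itself but using the key as the view selector on both ends: the master puts a signed request into the view whose key signed it, and the slave's two zone statements each request with a different key, so the same master address can hand out two different example.com zones. The fragments below are an added example, not Eric's or ISC's configuration; 1.2.3.4, 192.168.23.0/24 and the view/file names come from his post, while the slave address 5.6.7.8, the key names and the (deliberately fake) secrets are placeholders.

```conf
// ---- hidden master 1.2.3.4 (added example; addresses and keys are placeholders) ----
// Keys are declared once, outside any view, and must be identical on the slave.
key "internal-xfer" {
    algorithm hmac-sha256;
    secret "dGhpcyBpcyBub3QgYSByZWFsIHNlY3JldA==";   // placeholder: use `tsig-keygen internal-xfer`
};
key "external-xfer" {
    algorithm hmac-sha256;
    secret "ZXhhbXBsZSBvbmx5LCBub3QgYSByZWFsIGtleQ==";   // placeholder: use `tsig-keygen external-xfer`
};

view "trusted" {
    // First match wins. A request signed with the external key is pushed out of
    // this view even when it comes from the trusted subnet; otherwise the
    // internal key or the subnet selects it.
    match-clients { !key external-xfer; key internal-xfer; 192.168.23.0/24; };
    recursion yes;
    // Sign NOTIFYs to the slave with the same key, so they land in its trusted view.
    server 5.6.7.8 { keys { internal-xfer; }; };
    zone "example.com" {
        type master;
        file "internal/master.example.com";
        also-notify { 5.6.7.8; };
        allow-transfer { key internal-xfer; };   // by key, never by IP alone
    };
};

view "badguys" {
    match-clients { any; };
    recursion no;
    server 5.6.7.8 { keys { external-xfer; }; };
    zone "example.com" {
        type master;
        file "external/master.example.com";
        also-notify { 5.6.7.8; };
        allow-transfer { key external-xfer; };
    };
};

// ---- slave 5.6.7.8 (same key statements as above go here) ----
view "trusted" {
    match-clients { !key external-xfer; key internal-xfer; 192.168.23.0/24; };
    recursion yes;
    zone "example.com" {
        type slave;
        // The key on the masters entry signs the SOA check and AXFR/IXFR, which is
        // what makes the master answer from its trusted view.
        masters { 1.2.3.4 key internal-xfer; };
        file "internal/slave.example.com";       // distinct file per view
        allow-transfer { none; };
    };
};

view "badguys" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type slave;
        masters { 1.2.3.4 key external-xfer; };
        file "external/slave.example.com";
        allow-transfer { none; };
    };
};
```

Check it from a slave before trusting the NOTIFY path: `dig @1.2.3.4 example.com AXFR -y hmac-sha256:internal-xfer:<secret>` must return the internal zone and the same command with the external key the public one; an unsigned AXFR from any address should be refused by both views. Newer BIND spells `masters` as `primaries`, and the `server ... { keys ... }` statements belong inside the view so that each view signs its own traffic.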

RE: multiple ints: views or separate records?

2012-05-25 Thread Lightner, Jeff
As far as influence it seems you could restrict the connections on virtual IPs 
to specific subnets so that they don’t have a choice.  This can be done via 
ACLs in the views and/or via firewall rules (e.g. in iptables if this were a 
Linux host).

From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Jonathan Reed
Sent: Friday, May 25, 2012 3:52 PM
To: bind-users@lists.isc.org
Subject: multiple ints: views or separate records?

Hi,

I have a few systems with multiple physical and virtual interfaces. One system 
has a single A record but im considering splitting it up. I'd like to persuade 
users to talk with a specific interface depending mostly on the app and 
sometimes from the subnet where their request originates. I want to keep things 
really easy for the users. What's your experience in influencing that decision 
while keeping things dead simple? keeping in mind that they have the potential 
of communicating with the system from a number of different angles.

Is using views my best approach? Or would it be recommended to just settle and 
publish a bunch of CNAMEs (or A) and having them stick to using those? Or 
maintain both? Said another way, how well have your users adapted to name 
changes?

Thanks.










RE: Moving DNS out of non-cooperative provider

2012-06-18 Thread Lightner, Jeff
Just to verify - when you say "old provider" you're just talking about 
somewhere you had pointed your DNS records to and NOT the actual Registrar for 
the domain?

If it is the Registrar you have to make changes at the Registrar's site to 
change which DNS servers to use.  If they're not being cooperative that might 
be problematical.  (I wouldn't think they'd prevent you from changing which DNS 
servers to use for your domain - even the putzes that like to lock domains when 
you try to transfer to a registrar still allow you to control your DNS setup 
within their sites but I guess it's possible they could do it if they were also 
your hosting provider and didn't want you pointing away from their web servers.)





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Tom 
Diehl
Sent: Monday, June 18, 2012 12:19 PM
To: Alexander Gurvitz
Cc: bind-users@lists.isc.org
Subject: Re: Moving DNS out of non-cooperative provider

On Mon, 18 Jun 2012, Alexander Gurvitz wrote:

> Can someone enlighten me on the following scenario (I guess it's
> explained somewhere, but can't find the info.):
>
> example.com was served by ns.OLDprovider.net example.com owner wants
> to move his domain to ns.NEWprovider.net oldprovider.net is not
> cooperating, and continues to serve example.com 172800 NS
> ns.OLDprovider.net (*.gtld-servers.net and ns.newprovider.com now
> serve example.com 172800 NS ns.NEWprovider.net)
>
> Recursive resolver ns.isp.com queried for www.example.com every few
> minutes, and currently have example.com 45892 NS ns.OLDprovider.net in
> it's cache. www.example.com have TTL of 3600.
> Thus each hour ns.isp.com queries ns.OLDprovider.net, with each query
> gets new NS record, and... refreshes the NS TTL ?
>
> Will ns.isp.com EVER query ns.NEWprovider.net ?
>
> I'd be happy to know how BIND behaves, but also how other servers may
> behave in this case.

It is not a question of how bind behaves. It is a question of how does dns 
work. Bottom line is, setup nameservers with $NEWPROVIDER and change the 
nameserver records with your registrar and move on. All will be well when the 
ttl's time out.

Until the ttl's timeout, resolvers with the old nameservers cached will still 
query them. Once the ttl's time out the new servers will be queried.

Hope this helps,

--
Tom Diehl   tdi...@rogueind.com  Spamtrap address mtd...@rogueind.com




Athena(r), Created for the Cause(tm)
Making a Difference in the Fight Against Breast Cancer

-
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential 
information and is for the sole use of the intended recipient(s). If you are 
not the intended recipient, any disclosure, copying, distribution, or use of 
the contents of this information is prohibited and may be unlawful. If you have 
received this electronic transmission in error, please reply immediately to the 
sender that you have received the message in error, and delete it. Thank you.
--

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: Compiling and testing on Fedora

2012-06-21 Thread Lightner, Jeff
Turning off SELinux also requires a reboot after changing mode.





From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Shawn Bakhtiar
Sent: Thursday, June 21, 2012 1:19 AM
To: bind-us...@isc.org
Subject: RE: Compiling and testing on Fedora



Did you turn OFF SELinux?

prompt>setenforce 0

Then run the test,
> From: dan.lut...@level3.com
> To: bind-us...@isc.org
> Subject: Compiling and testing on Fedora
> Date: Wed, 20 Jun 2012 23:33:08 +
>
> Hi all,
>
> I've had a major problem with using Fedora Core (10 through 15), when 
> compiling and running "make test":
>
> A:System test acl
> I:Couldn't start server ns2 (pid=17344)
> R:FAIL
> S:allow_query:Wed Jun 20 23:21:47 GMT 2012
> T:allow_query:1:A
> A:System test allow_query
> I:Couldn't start server ns2 (pid=17368)
> R:FAIL
> S:addzone:Wed Jun 20 23:22:01 GMT 2012
> T:addzone:1:A
> A:System test addzone
> I:Couldn't start server ns2 (pid=17393)
> R:FAIL
> S:autosign:Wed Jun 20 23:22:15 GMT 2012
> T:autosign:1:A
> A:System test autosign
> I:generating keys and preparing zones
> I:Couldn't start server ns1 (pid=17734)
> R:FAIL
> S:builtin:Wed Jun 20 23:22:35 GMT 2012
> T:builtin:1:A
> A:System test builtin
> I:Couldn't start server ns1 (pid=17755)
> R:FAIL
> S:cacheclean:Wed Jun 20 23:22:49 GMT 2012
> T:cacheclean:1:A
> A:System test cacheclean
> I:Couldn't start server ns1 (pid=17776)
> R:FAIL
>
> I'm running the "bin/tests/system/ifconfig.sh up" script, and see the "lo:1" 
> through "lo:7" interfaces come up. I don't have this problem on any of my 
> Solaris systems, just the Fedora servers. I do have several lo: interfaces 
> already defined, and they cannot be removed
>
> Has anyone seen such an issue, and if so, how did you fix it?
>
> Dan Luther
> Operations Engineer
> Systems Operation Engineering
> Level 3 Communications
> One Technology Center, Tulsa OK 74103
> p: 918-547-4370
> e: dan.lut...@level3.com
>
>
















RE: bind dies with assertion failure

2012-07-03 Thread Lightner, Jeff
As mentioned more than once on this list.  Redhat starts with an upstream 
version of a given package (say BIND 9.7) then backports security and bug fixes 
from later upstream versions into theirs and add extended versioning (say 
9.7-2.3.1).  One would have to check Redhat's version to see what fixes it 
actually contains.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Phil 
Mayers
Sent: Tuesday, July 03, 2012 3:47 AM
To: bind-users@lists.isc.org
Subject: Re: bind dies with assertion failure

On 07/03/2012 01:16 AM, Oscar Ricardo Silva wrote:
> I *THINK* I found the reason for why we're exposed to this bug ... It
> would appear that Redhat based their BIND package on 9.8.2rc1.  Guess
> where the patch for this bug was applied?  9.8.2rc2.

Are you sure about this?

From what I can see in our local yum repo of the RHEL6 ISOs, it shipped with 
bind 9.7.

Sure that isn't a local package, or you're joined into a non-production channel?






RE: bind dies with assertion failure

2012-07-03 Thread Lightner, Jeff
I disagree about this being off topic.   It IS in fact a BIND question but like 
many BIND implementations is specific to the user's setup.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Oscar Ricardo Silva
Sent: Tuesday, July 03, 2012 10:33 AM
To: bind-users@lists.isc.org
Subject: Re: bind dies with assertion failure

(Sorry, forgot to include the right Subject line so re-sending)


 > Message: 1
 > Date: Mon, 02 Jul 2012 17:40:51 -0500
 > From: Oscar Ricardo Silva
 > To: bind-users@lists.isc.org
 > Subject: Re: bind dies with assertion failure
 > Message-ID: <4ff22373.2000...@mail.utexas.edu>
 > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
 >
 > I may have missed something but has this been patched in a 9.8.x version
 > of BIND?  According to the 9.9.0 release notes this has been addressed
 > but just wondering about the availability for other vulnerable versions.
 > Also, is there a known trigger?
 >
 > The reason I'm running is that we're currently running the stock version
 > of BIND available with RHEL6.  It's their policy to backport patches and
 > if there's a patch available then they may apply it faster rather than
 > deploying a new version.
 >
 > Oscar


Since this problem is likely being caused by the version of BIND provided by 
Redhat and not with the release version, this issue is not pertinent to the 
list. I don't want to clutter up the list with off-topic conversations.

If anyone is interested in Redhat's response we can take the conversation 
offlist but I'm not hopeful they'll do anything about it.
While it's always better to compile and install from the latest stable version, 
it's also nice to use their package management system especially when you have 
to deal with multiple systems.



Oscar






RE: Loaded zone files query

2012-07-10 Thread Lightner, Jeff
That assumes its Linux and is being logged to local /var/log/messages.   For 
other *nix the log location and name is apt to be different.






-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Carl 
Byington
Sent: Tuesday, July 10, 2012 3:47 PM
To: bind-users@lists.isc.org
Subject: Re: Loaded zone files query

On Tue, 2012-07-10 at 13:22 -0600, Kirk Hoganson wrote:
> Does anyone know of a simple way to discover how many zone files bind
> has successfully loaded after the daemon starts?

cd /var/log
rm -f named.temp*
# split the named lines at every "starting BIND" so the last piece is the current run
grep 'named' messages | \
   csplit --prefix=named.temp - '/named.*starting BIND/' >/dev/null
f=$(ls -1 named.temp* | tail -1)
# count the zones that reported a successful load in that run
grep 'zone.*loaded serial' $f | wc -l
rm -f named.temp*







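A portable form of the count discussed above, added here as an example (it is not Carl's script or anything from the thread): it reads whatever log file you name instead of assuming Linux's /var/log/messages, counts only the lines after the most recent start, and also reports zones that failed to load. The syslog-style sample it writes is constructed; its hostname, pids and serials are made up.

```shell
#!/bin/sh
# Added example, not the script from the thread. Counts the zones BIND
# reported as loaded after its most recent start, reading the log file
# given as $1 so it does not assume Linux's /var/log/messages.
# Usage: count_loaded_zones /path/to/named/log

# Line number of the most recent "starting BIND" message (1 if none is
# found, so a log that only covers a single run is still counted in full).
last_start_line() {
    n=$(grep -n 'named.*starting BIND' "$1" | tail -1 | cut -d: -f1)
    [ -n "$n" ] && printf '%s\n' "$n" || printf '1\n'
}

# Number of "zone X/IN: loaded serial N" lines since the last start.
# "|| true" keeps a zero count from being reported as a failure by grep.
count_loaded_zones() {
    tail -n +"$(last_start_line "$1")" "$1" \
        | grep -c 'named.*zone .* loaded serial' || true
}

# Zones BIND refused to load since the last start; a non-zero count here
# means the loaded count will not match what named.conf lists.
count_failed_zones() {
    tail -n +"$(last_start_line "$1")" "$1" \
        | grep -c 'named.*zone .*not loaded due to errors' || true
}

# Constructed sample log: two named runs, the second with one failed zone.
write_sample_log() {
    cat >"$1" <<'EOF'
Jul 10 13:00:01 ns1 named[1001]: starting BIND 9.9.1-P2
Jul 10 13:00:01 ns1 named[1001]: zone old.example/IN: loaded serial 2012070901
Jul 10 13:05:00 ns1 named[1001]: shutting down
Jul 10 13:05:10 ns1 named[1042]: starting BIND 9.9.1-P2
Jul 10 13:05:10 ns1 named[1042]: zone example.com/IN: loaded serial 2012071001
Jul 10 13:05:10 ns1 named[1042]: zone example.net/IN: loaded serial 2012071002
Jul 10 13:05:10 ns1 named[1042]: zone 10.in-addr.arpa/IN: loaded serial 2012071003
Jul 10 13:05:10 ns1 named[1042]: zone broken.example/IN: not loaded due to errors.
Jul 10 13:05:11 ns1 named[1042]: running
EOF
}
```

Against the sample, the first run's zone is ignored and the second run reports 3 loaded and 1 failed.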


RE: disabling "Any" requests

2012-07-12 Thread Lightner, Jeff
Your answer was clearly meant to be tongue in cheek but I'm not sure you 
understood.

The OP wasn't asking how to stop all (any) lookups - it was how to stop "dig -t 
any" which isn't the same thing at all.  Presumably they still want to allow 
dig -t mx, dig www... etc...

Personally I don't know why "dig -t any" would be a problem.   It's not exactly 
the same as doing an axfr transfer of the zone - it still only gets limited 
information.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Chuck Swiger
Sent: Thursday, July 12, 2012 9:39 AM
To: Dns Administrator
Cc: bind-users@lists.isc.org
Subject: Re: disabling "Any" requests

On Jul 12, 2012, at 2:27 AM, Dns Administrator wrote:
> Hi  bind-users,
>please excuse my ignorance being a novice to dns, but is there some way of 
> disabling or choking "Any" type requests?

Sure-- a firewall or even taking a pair of wire-cutters to the ethernet cable 
will accomplish that.  :-)

Regards,
--
-Chuck







RE: Can't receive emails from another machine

2012-07-31 Thread Lightner, Jeff
To check whether BIND is your problem simply run "dig -t MX " on 
the host that is trying to send the email to your mail host.  If it returns the 
right IP address for your mail host then BIND isn't the problem.

For iptables/postfix this isn't really the right forum.   You might want to try 
posting your question at some place like LinuxQuestions.org..





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Stayvoid
Sent: Monday, July 30, 2012 8:23 PM
To: bind-users@lists.isc.org
Subject: Can't receive emails from another machine

Hello,

I'm using Postfix.
I can send / receive emails from / to localhost via telnet. [1] But I can't 
receive emails from another machine.

I guess that there are three variants:
1. Postfix doesn't work properly;
2. Bind doesn't work properly;
3. IPTables doesn't work properly.

I can't be 100% sure but I think that it's not connected with Postfix.
So I have to check Bind or / and IPTables.

I hope that you'll help me to check my Bind settings.
What should I paste?

Thanks

[1] https://help.ubuntu.com/community/Postfix#Testing






Version statement...

2012-08-16 Thread Jeff Justice
I am trying to mask our DNS servers version output to a custom string, but it 
doesn't seem to be working for me.  In a nutshell, I have added this to my 
options block of my named.conf:

   version "[DNS Server]";

But when I do a query, it still shows the actual version number i.e. BIND 
9.9.1-P2, both from the command line and from an outside query tool.

What am I missing?

Jeff


Re: Version statement...

2012-08-16 Thread Jeff Justice
Doesn't seem to work with or without the brackets.  Does it matter what order 
it appears in the options list? Or a limit on number of characters?

Jeff


On Aug 17, 2012, at 12:34 AM, David Miller  wrote:

> 
> On 8/17/2012 1:13 AM, Jeff Justice wrote:
>> I am trying to mask our DNS servers version output to a custom string, but 
>> it doesn't seem to be working for me.  In a nutshell, I have added this to 
>> my options block of my named.conf:
>> 
>>  version "[DNS Server]";
> 
> options {
>   version "string";
> 
> works for me in 9.8.  Maybe BIND doesn't like the square brackets?
> 
> 
>> But when I do a query, it still shows the actual version number i.e. BIND 
>> 9.9.1-P2, both from the command line and from an outside query tool.
>> 
>> What am I missing?
>> 
>> Jeff
> 
> 



Re: Version statement...

2012-08-17 Thread Jeff Justice
Okay, here's what I know:

named-checkconf says there are no errors.
There is only one named process running.
When I apply my edited named.conf, the log shows named stopping and restarting 
with no errors.

How can I check to see the path where my named process thinks named.conf is 
located?

Jeff


On Aug 17, 2012, at 6:38 AM, Carsten Strotmann  wrote:

> Jeff Justice  writes:
> 
> Hi Jeff,
> 
>> I am trying to mask our DNS servers version output to a custom string,
>> but it doesn't seem to be working for me.  In a nutshell, I have added
>> this to my options block of my named.conf:
>> 
>>   version "[DNS Server]";
>> 
>> But when I do a query, it still shows the actual version number
>> i.e. BIND 9.9.1-P2, both from the command line and from an outside
>> query tool.
>> 
>> What am I missing?
> 
> make sure BIND can load the changed configuration file "named.conf",
> test with "named-checkconf" and check the BIND nameserver logfiles for
> errors. The issue here is probably that the running nameserver does not
> read the configuration file. Also check if there is more than one
> "named" process running (should be only one in most installations).
> 
> -- Carsten
> 



Re: Version statement...

2012-08-17 Thread Jeff Justice
Okay, I have confirmed the correct named.conf file by simply removing it then 
restarting bind.  It throws an error until replaced.

So any other ideas why the version directive won't work?  Can anyone confirm 
with 9.9.1-P2?

Jeff


On Aug 17, 2012, at 9:02 PM, Michael Hoskins (michoski)  
wrote:

> -Original Message-
> 
> From: Jeff Justice 
> Date: Friday, August 17, 2012 6:10 PM
> To: "bind-users@lists.isc.org" 
> Subject: Re: Version statement...
> 
>> Okay, here's what I know:
>> 
>> named-checkconf says there are no errors.
>> There is only one named process running.
>> When I apply my edited named.conf, the log shows named stopping and
>> restarting with no errors.
>> 
>> How can I check to see the path where my named process thinks named.conf
>> is located?
> 
> I think configuration and OS tools are your best bet...
> 
> You could check ps if you haven't already (sometimes it's there), you
> could check /etc/sysconfig/named or /etc/rc.conf*, or grep init scripts.
> You could use lsof and look for clues.
> 
> 



Mangled secondary records...

2012-08-18 Thread Jeff Justice
I made a change in all of the master records and wanted to force the slave to 
update.

I deleted all the host files on the secondary and restarted named.

It pulls all the domains in and creates new host files, but when you view the 
host files for each domain, they appear to be garbled.

Running the same BIND version on both primary and secondary.

Help!  Secondary is effectively down as a result...

Jeff


Re: Mangled secondary records...

2012-08-18 Thread Jeff Justice
Hmmm... okay.  It makes me wonder why my primary isn't doing this as well 
though.  They have been running the same version.

Jeff


On Aug 18, 2012, at 2:53 AM, Michael Hoskins (michoski)  
wrote:

> -Original Message-
> 
> From: Jeff Justice 
> Date: Saturday, August 18, 2012 12:24 AM
> To: "bind-users@lists.isc.org" 
> Subject: Mangled secondary records...
> 
>> I made a change in all of the master records and wanted to force the
>> slave to update.
>> 
>> I deleted all the host files on the secondary and restarted named.
>> 
>> It pulls all the domains in and creates new host files, but when you view
>> the host files for each domain, they appear to be garbled.
>> 
>> Running the same BIND version on both primary and secondary.
>> 
>> Help!  Secondary is effectively down as a result...
> 
> Are you sure you're not just seeing "compiled" zones that are now default
> in 9.9?
> 
> http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#zonefile_form
> at
> 
> http://www.isc.org/software/bind/new-features/9.9
> 
> http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.dns.bind/2012-0
> 6/msg00094.html
> 
> If you really want the old behavior, try your exercise again after adding
> "masterfile-format text;" to your options clause.
> 
> This is a FAQ.  :-)
> 
> 



Re: Mangled secondary records...

2012-08-18 Thread Jeff Justice
Nevermind.  I get it now.  Thanks for pointing me in the right direction.

Jeff


On Aug 18, 2012, at 3:21 AM, Jeff Justice  wrote:

> Hmmm... okay.  It makes me wonder why my primary isn't doing this as well 
> though.  They have been running the same version.
> 
> Jeff
> 
> 
> On Aug 18, 2012, at 2:53 AM, Michael Hoskins (michoski)  
> wrote:
> 
>> -----Original Message-
>> 
>> From: Jeff Justice 
>> Date: Saturday, August 18, 2012 12:24 AM
>> To: "bind-users@lists.isc.org" 
>> Subject: Mangled secondary records...
>> 
>>> I made a change in all of the master records and wanted to force the
>>> slave to update.
>>> 
>>> I deleted all the host files on the secondary and restarted named.
>>> 
>>> It pulls all the domains in and creates new host files, but when you view
>>> the host files for each domain, they appear to be garbled.
>>> 
>>> Running the same BIND version on both primary and secondary.
>>> 
>>> Help!  Secondary is effectively down as a result...
>> 
>> Are you sure you're not just seeing "compiled" zones that are now default
>> in 9.9?
>> 
>> http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#zonefile_form
>> at
>> 
>> http://www.isc.org/software/bind/new-features/9.9
>> 
>> http://newsgroups.derkeiler.com/Archive/Comp/comp.protocols.dns.bind/2012-0
>> 6/msg00094.html
>> 
>> If you really want the old behavior, try your exercise again after adding
>> "masterfile-format text;" to your options clause.
>> 
>> This is a FAQ.  :-)
>> 
>> 
> 



Re: Version statement...

2012-08-19 Thread Jeff Justice
Jeremy, it is exactly as you asked.  Apparently the "real" version is displayed 
using certain commands, and the "user-defined" version is displayed in other 
places.

I have since learned that you get different version output from dig, named -v, 
and a dns query and the version statement only affects specific outputs.  So it 
depends on how it's queried.  That doesn't seem clear in the documentation 
unless I missed it...thus my confusion.

Jeff

On Aug 18, 2012, at 6:10 PM, Jeremy C. Reed  wrote:

> How are you testing it? Where do you see the wrong version?
> 

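The check this thread never spells out, as an added example (not from the thread or from ISC): BIND's version option only changes the answer to a CHAOS-class TXT query for version.bind, while named -v always prints the real build version, so that query is what to compare against named.conf. The named.conf and dig replies below are constructed, and the server address in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Confirms that the string in
# options { version "..."; } is what remote queriers actually see.
# The option affects only the CHAOS-class TXT record version.bind, so the
# live query to compare against is (192.0.2.53 is a placeholder address):
#   dig @192.0.2.53 version.bind txt chaos

# Print the string from the first  version "...";  statement in a named.conf.
configured_version() {
    sed -n 's/^[[:space:]]*version[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1" \
        | head -1
}

# Read full dig output on stdin and print the TXT string of the version.bind
# CH answer; prints nothing when the server gave no such answer.
reported_version() {
    awk '$1 ~ /^version\.bind\.?$/ && $3 == "CH" && $4 == "TXT" {
             sub(/^[^"]*"/, ""); sub(/"[[:space:]]*$/, ""); print; exit }'
}

# Exit 0 when the configured string is what the server reports, 1 otherwise.
# $1 = named.conf, $2 = file holding the dig output
version_is_masked() {
    want=$(configured_version "$1")
    seen=$(reported_version <"$2")
    [ -n "$want" ] && [ "$seen" = "$want" ]
}

# Constructed inputs: the options block from the thread plus two dig replies,
# one from a server honouring the option and one still reporting its build.
write_samples() {   # $1 = directory to write into
    cat >"$1/named.conf" <<'EOF'
options {
    directory "/var/named";
    version "[DNS Server]";
};
EOF
    cat >"$1/masked.txt" <<'EOF'
;; ANSWER SECTION:
version.bind.           0       CH      TXT     "[DNS Server]"
EOF
    cat >"$1/leaking.txt" <<'EOF'
;; ANSWER SECTION:
version.bind.           0       CH      TXT     "9.9.1-P2"
EOF
}
```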


RE: 2 dns records for same server

2012-08-20 Thread Lightner, Jeff
That is to say don't put the external servers in /etc/resolv.conf on your 
clients - only put the internal one there.  (Or the Windows equivalent setup 
should only see your internal DNS server.)

I would correct the prior post not to say "EVER" but rather "not directly".   
Often in an internal/external configuration only the "external" server queries 
the internet and the internal one forwards requests it gets to the external 
one.   It doesn't matter if the external server the internal DNS server is 
pointing to also has records for the domains because the internal server would 
already have answered for the domains it is authoritative for before trying to 
forward.   We have internal/external setup here for one domain and have no 
problems doing this.   (Oddly enough we also have views but that's another 
story...)







-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
wbr...@e1b.org
Sent: Monday, August 20, 2012 8:24 AM
To: Dwayne Hottinger
Cc: bind-users@lists.isc.org
Subject: Re: 2 dns records for same server

Dwayne wrote on 08/19/2012 07:37:39 PM:
> My hosts get the ip's of all 3 dns
> servers when they recieve dhcp information.

I think this is the issue.  The internal clients should only point to the 
internal DNS server.  They should never be querying the DNS that returns the 
public IP addresses EVER!




Confidentiality Notice:
This electronic message and any attachments may contain confidential or 
privileged information, and is intended only for the individual or entity 
identified above as the addressee. If you are not the addressee (or the 
employee or agent responsible to deliver it to the addressee), or if this 
message has been addressed to you in error, you are hereby notified that you 
may not copy, forward, disclose or use any part of this message or any 
attachments. Please notify the sender immediately by return e-mail or telephone 
and delete this message from your system.






RE: What can cause excessive amount of _dns-sd queries?

2012-08-23 Thread Lightner, Jeff
Maybe blocking access by that IP will force the customer's tech folks to 
contact you?





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
wbr...@e1b.org
Sent: Thursday, August 23, 2012 10:05 AM
To: Eivind Olsen
Cc: bind-users-bounces+wbrown=e1b@lists.isc.org; bind-users@lists.isc.org
Subject: Re: What can cause excessive amount of _dns-sd queries?

Elvind wrote on 08/23/2012 09:18:06 AM:

> Yeah, now I'm just wondering which OS / application / malware /
> whatever could be responsible for this :)

Someone trying to use ZeroCOnf:  http://zeroconf.org  I believe Macs come 
configured to use it by default, Linux and Windows can be configured to use it.

> (no, the client isn't directly under my control, it belongs to some
customer)

Good luck with that!









RE: Zone Transfer issue on BIND9

2012-08-24 Thread Lightner, Jeff
You're putting the allow transfer on each zone?   I don't think that's your 
issue but it seems odd to me.  Here we do it at the view level.

Also it appears you're using the same IP for at least two of your views - for 
view transfers to work properly here we setup virtual IPs on the DNS servers 
and set the ACLs appropriately.
i.e. our "real" IPs are in the ACL we used prior to setting up views and are 
now only used for the main [external] view and we have different ACLs for the 
virtual IPs used within the internal view.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Phil 
Mayers
Sent: Friday, August 24, 2012 7:41 AM
To: bind-users@lists.isc.org
Subject: Re: Zone Transfer issue on BIND9

On 24/08/12 12:09, sn...@email.it wrote:
> Hi there,
> I have an issue related to zone transfer which I couldn't fix. I've
> found a "presumable" fix googling a lot but it doesn't seem to work.

You haven't said *how* it isn't working. Be specific.

Note that the FAQ link you reference puts the "server {}" block INSIDE the 
view. You have it in the global config. That seems like something to 
investigate.
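To make the view point above concrete, here is an added example (not from this thread and not BIND code) that simulates how named picks a view: views are tried in configuration order, and the first whose match-clients and match-destinations accept the request wins. With two views reachable on the same address, a slave's transfer request from one source IP always lands in the first view that matches it; giving each view its own listener address (the virtual IPs Jeff describes) or tagging each view with a TSIG key makes them distinguishable. All view names, addresses and key names below are constructed.

```python
"""Added example: BIND-style view selection and per-view allow-transfer,
simulated in pure Python.  View layouts, addresses and keys are constructed."""
import ipaddress


def acl_match(acl, address, key=None):
    """Evaluate an address-match list the way BIND does: elements are tried in
    order, the first one that matches decides, and a negated element ('!...')
    that matches means 'no match' for the whole list.
    Elements: 'any', 'none', an IP or prefix, or 'key NAME'."""
    for elem in acl:
        negate = elem.startswith("!")
        item = elem.lstrip("!").strip()
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        elif item.startswith("key "):
            hit = key is not None and key == item[4:].strip()
        else:
            hit = ipaddress.ip_address(address) in ipaddress.ip_network(item, strict=False)
        if hit:
            return not negate
    return False


def select_view(views, src, dst, key=None):
    """Name of the first view accepting source address src, destination
    address dst and the optional TSIG key name; None if no view matches."""
    for name, spec in views:
        if acl_match(spec.get("match-clients", ["any"]), src, key) and \
           acl_match(spec.get("match-destinations", ["any"]), dst, key):
            return name
    return None


def transfer_allowed(views, src, dst, key=None):
    """(view, allowed): the view the request lands in, and whether that view's
    allow-transfer list (the view-level setting Jeff describes) permits it."""
    name = select_view(views, src, dst, key)
    if name is None:
        return None, False
    spec = dict(views)[name]
    return name, acl_match(spec.get("allow-transfer", ["none"]), src, key)


SLAVE = "192.0.2.20"  # constructed: the secondary that should get both views

# Problem layout: both views answer on one address, so any request from the
# slave matches 'internal' first and the 'external' copy is unreachable.
SAME_IP_VIEWS = [
    ("internal", {"match-clients": ["10.0.0.0/8", "192.0.2.0/24"],
                  "allow-transfer": ["192.0.2.0/24"]}),
    ("external", {"match-clients": ["any"],
                  "allow-transfer": ["192.0.2.0/24"]}),
]

# Fix 1: one listener address (virtual IP) per view, selected by destination.
VIP_VIEWS = [
    ("internal", {"match-clients": ["192.0.2.0/24"],
                  "match-destinations": ["198.51.100.11"],
                  "allow-transfer": ["192.0.2.0/24"]}),
    ("external", {"match-clients": ["any"],
                  "match-destinations": ["198.51.100.10"],
                  "allow-transfer": ["192.0.2.0/24"]}),
]

# Fix 2: one address, but the slave signs each transfer request with the key
# of the view it wants; the negated key keeps external requests out of internal.
KEYED_VIEWS = [
    ("internal", {"match-clients": ["!key external-xfer", "key internal-xfer", "192.0.2.0/24"],
                  "allow-transfer": ["key internal-xfer"]}),
    ("external", {"match-clients": ["any"],
                  "allow-transfer": ["key external-xfer"]}),
]

if __name__ == "__main__":
    print("same IP, external wanted:", transfer_allowed(SAME_IP_VIEWS, SLAVE, "198.51.100.10"))
    print("VIP .10 (external):      ", transfer_allowed(VIP_VIEWS, SLAVE, "198.51.100.10"))
    print("VIP .11 (internal):      ", transfer_allowed(VIP_VIEWS, SLAVE, "198.51.100.11"))
    print("keyed, external-xfer:    ", transfer_allowed(KEYED_VIEWS, SLAVE, "198.51.100.10", "external-xfer"))
```

The same-IP layout never yields the external view for this slave no matter what it asks for, which is the symptom to look for when "zone transfer doesn't work" with views; the two fixes both make the request carry something the views can tell apart.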







Dig from workstation to answer?

2012-09-18 Thread Lightner, Jeff
I know that dig +trace can be used to see the path of name resolution starting 
from root server down to final answer.

What I’m wondering is if there is some set of options that would go from 
workstation to final answer?   That is to say only go to the root server if 
that is where the DNS topology internally sends me.

For example from my workstation if I search an internal domain we use I know 
which internal DNS server it goes to ask the question.   That DNS server in 
turn may refer to a separate internal DNS server which is authoritative for the 
domain or has the record cached.   A dig +trace is useless because the root 
servers know nothing about the domain.   I’ve found various things that give me 
parts of the information but wonder if there isn’t something that would do 
something like trace so I can see each DNS server that was referred to in such 
lookups.
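What the question above asks for is a referral walk that starts at the workstation's configured resolver rather than at the root. The following is an added example (not from this thread, not a BIND tool): it sends each query to one server, and if that server gives a referral (NS records plus glue) instead of an answer it moves to the referred server, recording every hop, with loop and missing-glue detection. Real queries would be sent with recursion desired off, as `dig +norecurse @server name` does, so each hop shows its own data; here the transport is a constructed in-memory topology so it runs offline, and every server name and address is made up.

```python
"""Added example: trace resolution from the local resolver by following
referrals, over a constructed topology (no real DNS traffic)."""

MAX_HOPS = 16


def walk(qname, start_server, query):
    """Follow referrals from start_server until some server answers.
    query(server, qname) returns None (no response) or a dict with:
      'answer'   : list of records when the server answers directly
      'referral' : list of nameserver names it refers us to
      'glue'     : dict nameserver name -> address (additional section)
    Returns (path, answer); path is a list of (server, outcome) per hop."""
    path, server, seen = [], start_server, set()
    for _ in range(MAX_HOPS):
        if server in seen:
            path.append((server, "loop"))          # referral chain came back on itself
            return path, None
        seen.add(server)
        resp = query(server, qname)
        if resp is None:
            path.append((server, "no response"))
            return path, None
        if resp.get("answer"):
            path.append((server, "answer"))
            return path, resp["answer"]
        referral = resp.get("referral") or []
        if not referral:
            path.append((server, "no data"))       # neither answer nor referral
            return path, None
        glue = resp.get("glue", {})
        # Prefer a referred server we already have an address for; a real tool
        # would otherwise have to resolve the NS name first.
        next_ns = next((ns for ns in referral if ns in glue), None)
        if next_ns is None:
            path.append((server, "referral without glue: " + ",".join(referral)))
            return path, None
        path.append((server, "referral -> " + next_ns))
        server = glue[next_ns]
    path.append((server, "too many hops"))
    return path, None


# Constructed internal topology: the workstation's resolver refers to the
# corp zone server, which refers to a departmental sub-zone server that holds
# the record.  A second name shows a referral loop (a lame delegation).
TOPOLOGY = {
    ("10.0.0.53", "host.lab.corp.example"): {
        "referral": ["ns1.corp.example"], "glue": {"ns1.corp.example": "10.0.1.53"}},
    ("10.0.1.53", "host.lab.corp.example"): {
        "referral": ["ns.lab.corp.example"], "glue": {"ns.lab.corp.example": "10.0.2.53"}},
    ("10.0.2.53", "host.lab.corp.example"): {
        "answer": [("host.lab.corp.example", "A", "10.0.2.7")]},
    ("10.0.0.53", "broken.corp.example"): {
        "referral": ["ns1.corp.example"], "glue": {"ns1.corp.example": "10.0.1.53"}},
    ("10.0.1.53", "broken.corp.example"): {
        "referral": ["resolver.corp.example"], "glue": {"resolver.corp.example": "10.0.0.53"}},
}


def fake_query(server, qname):
    """Stand-in for a real UDP/TCP query: look the (server, name) pair up."""
    return TOPOLOGY.get((server, qname))


if __name__ == "__main__":
    for name in ("host.lab.corp.example", "broken.corp.example"):
        path, answer = walk(name, "10.0.0.53", fake_query)
        for hop, outcome in path:
            print("%-12s %s" % (hop, outcome))
        print("answer:", answer, "\n")
```

Against a real internal resolver that forwards everything, the first hop simply answers and the walk ends there, which is itself the information wanted: the path is one server long.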














How and Why I Should Support Bottled Water!
Do not relinquish your right to choose bottled water as a healthy alternative 
to beverages that contain sugar, calories, etc. Your support of bottled water 
will make a difference! Your signatures count! Go to 
http://www.bottledwatermatters.org/luv-bottledwater-iframe/dswaters and sign a 
petition to support your right to always choose bottled water. Help fight 
federal and state issues, such as bottle deposits (or taxes) and organizations 
that want to ban the sale of bottled water. Support community curbside 
recycling programs. Support bottled water as a healthy way to maintain proper 
hydration. Our goal is 50,000 signatures. Share this petition with your friends 
and family today!




openldap, dlz and dynamic dns updates from isc-dhcpd

2012-09-21 Thread Jeff Lasslett
Hello List,

I would like to use openldap to store DHCP config and DNS zones.
I've scoured the web for howtos and I've learned a lot.

For openldap backed DNS it seems that DLZ is the best option (faster,
and the data is better organised in ldap).

My main question is about dynamic updates from the DHCP server.  I
would like to know if bind 9.9 can update
an openldap DLZ with dynamic updates from a DHCP server.

I've read about Andrew Tridgell's work on getting BIND to update DLZs
(http://jpmens.net/2011/01/21/bind-gets-a-new-updateable-dlz-driver-dlopen/).

Can encryption be used to dynamically update BIND's DLZs, just as it
can if zone files are used?

Thanks,
Jeff


Re: openldap, dlz and dynamic dns updates from isc-dhcpd

2012-09-24 Thread Jeff Lasslett
Hi Evan,

Thanks for your reply.  I must confess that I am working on my first
DHCP and BIND deployment and I'm sure that I don't yet understand
everything.  So it's likely that I'm working with some wrong
assumptions.

On 25 September 2012 04:01, Evan Hunt  wrote:

> I'm not aware of such a DLZ driver existing yet, but there's no
> technical reason why it couldn't be written.

Thanks. That's useful to know,

Here's a possibly wrong assumption:  there are BIND deployments that
use openldap (or an RDBMS, or something else) rather than zone files
to hold DNS mappings (name to ip address & vice versa), and these
alternative backends are updated when the DHCP server hands out or
revokes a lease.
Is this so? If so, how is the DNS information updated?

>> Can encryption be used to dynamically update BIND's DLZs, just as it
>> can if zone files are used?
>
> I'm not sure what you mean by "using encryption".

:-)  I'm not sure either.  In DHCP config, within a zone { ... }
block, there are key  directives.   It seems that BIND & DHCP
can use a key to be sure of each other and the validity of DNS updates
coming from the DHCP server.   Am I on the right track?   When I wrote
'encryption' this is what I was referring to.

Thanks,
Jeff
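The key directives Jeff refers to are TSIG: the same key statement (name, algorithm, secret) appears in named.conf and in dhcpd.conf, named accepts updates for the zone with `allow-update { key "..."; };`, and dhcpd names the key in its zone block. The update is not encrypted; each message carries an HMAC over the message plus the TSIG fields, so the receiver can tell that it came from a holder of the shared secret and was not altered. The following added example (not from this thread, not BIND or dhcpd code) computes and checks that MAC following the digest layout of RFC 2845. The key name, secret and update bytes are constructed.

```python
"""Added example: TSIG-style signing and verification of a dynamic update.
Digest input = DNS message bytes + TSIG variables (RFC 2845 section 3.4.2).
Key name, secret and the update message are constructed for the demo."""
import base64
import hashlib
import hmac
import struct
import time

ALG = "hmac-sha256."
KEY_NAME = "dhcp-update."
# Constructed 32-byte secret; a real one is generated with BIND's key tools
# and copied verbatim into both named.conf and dhcpd.conf.
SECRET = base64.b64decode("y7Js2y9H8zS7x3wU4zcN3w2Q1sJ0bK9dQ3bGf0qH6cU=")


def _wire_name(name):
    """DNS wire format of a name, lowercased as TSIG canonicalisation requires."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def tsig_variables(key_name, alg, time_signed, fudge, error=0, other=b""):
    """The TSIG fields covered by the MAC: key NAME, CLASS ANY (255), TTL 0,
    algorithm name, time signed (48 bits), fudge, error, other-len, other-data.
    The MAC field itself is excluded."""
    return (_wire_name(key_name)
            + struct.pack("!HI", 255, 0)
            + _wire_name(alg)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def sign_update(message, secret, key_name=KEY_NAME, time_signed=None, fudge=300):
    """What the DHCP server does before sending: attach a TSIG record whose
    MAC is HMAC(secret, message || variables)."""
    t = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, message + tsig_variables(key_name, ALG, t, fudge),
                   hashlib.sha256).digest()
    return {"key": key_name, "alg": ALG, "time": t, "fudge": fudge, "mac": mac}


def verify_update(message, tsig, secret, now=None):
    """What named does for allow-update { key "dhcp-update"; }: recompute the
    MAC with its own copy of the secret and refuse on mismatch or on a
    timestamp outside the fudge window (replay protection).
    Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    if abs(now - tsig["time"]) > tsig["fudge"]:
        return False, "BADTIME"
    expected = hmac.new(secret, message + tsig_variables(tsig["key"], tsig["alg"],
                                                         tsig["time"], tsig["fudge"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return False, "BADSIG"
    return True, "NOERROR"


# Constructed stand-in for the wire bytes of an UPDATE message (a real one is
# the DNS packet without its TSIG record).
UPDATE = b"constructed UPDATE: add client42.lab.example. 3600 IN A 10.0.2.42"

if __name__ == "__main__":
    tsig = sign_update(UPDATE, SECRET)
    print("genuine :", verify_update(UPDATE, tsig, SECRET))
    print("tampered:", verify_update(UPDATE + b"x", tsig, SECRET))
    print("wrong key:", verify_update(UPDATE, tsig, b"not the secret"))
```

Anyone on the path can still read the update, so the key protects who may change the zone, not the content's confidentiality; keeping the secret out of world-readable config files matters for the same reason.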


RE: Moving BIND from Solaris to Linux

2012-10-01 Thread Lightner, Jeff
We use RHEL mainly because that's our distro of choice for most of our 
applications.  It is the most popular "commercial" distro and is the one most 3rd 
party commercial applications (e.g. Oracle) support.   (Of course SLES has a 
lot of support as well but not quite as much - others will tell you Ubuntu is 
commercially supported by Canonical but what I'm talking about is the platform 
other vendors are willing to say they support their applications upon.)

The benefit of using RHEL is they provide you with BIND (including a chroot'ed 
version) packages so you get security and bug fixes.

The downside is the way RedHat does things is to use an upstream version as 
their base then they backport bug and security fixes into it from later upstream 
versions.  They add extended versioning to what you actually have but you end 
up looking as if you're still running, say, BIND 9.3.1 on RHEL5, but the one 
you're actually running has diverged from the base.   This causes many folks 
(e.g. PCI security scanning organizations, people on the BIND mailing list) to 
think you're running an insecure version because they don't check for the 
extended versioning.  In fact you're not running insecurely.   You can hide the 
version of BIND so that security scanners don't find it.   However, as newer 
features are added upstream they don't all necessarily make it into the RHEL 
modified version.

One idea would be to use RHEL but still download and compile your own BIND on 
top of it.  However, if the only thing on your RHEL server is BIND you have to 
wonder why you're paying RedHat a subscription.   The main benefit would be 
continuity of platform if you're running multiple servers for diverse purposes 
as we are.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Fajar A. Nugraha
Sent: Monday, October 01, 2012 9:20 AM
To: Graham Butler
Cc: bind-users@lists.isc.org
Subject: Re: Moving BIND from Solaris to Linux

On Mon, Oct 1, 2012 at 7:58 PM, Graham Butler  wrote:
> We are currently looking at replacing our Solaris boxes with a flavour
> of Linux to run BIND with a focus on Red Hat and Ubuntu. I am trying
> to collect some evidence to which OS is being used to run BIND and
> why, before we make a decision. Could you please respond by sending
> me, or the list, information on which OS you are using to run BIND and
> any information on why your decided to run it on that particular platform.
>
>
>
> I am also asking other list for similar information on Squid, Exim,
> Apache, etc...

Searching "unix linux migration" in Google would probably save you lots of time 
instead of waiting for list responses.

Anyway, in my past experience, the biggest difference was not so much the OS, 
but rather the hardware. x86 (or rather, amd64) kick other platform's a**, 
performance-wise, on hardware with relatively-similar budget.

When you mostly run "popular" open source software, running it on Linux would 
usually offer additional advantage of making your life easier since the distro 
maintainers would take care of providing up-to-date or secure-enough packages.

--
Fajar







RE: Moving BIND from Solaris to Linux

2012-10-01 Thread Lightner, Jeff
The reason I did the full discussion is that many shops are moving from 
proprietary UNIX (Solaris, AIX, HP-UX) or Windows to Linux solutions.   If 
they are moving much infrastructure but just starting with BIND then he needs 
to consider what I wrote.

Also I don't really agree that Ubuntu is the best solution.   One could run 
CentOS which has no subscription fee but is binary compatible with RHEL then 
download and compile BIND for it.   In an organization using Solaris they 
presumably have "professional administrators" and are more likely to find folks 
with RHEL experience when hiring staff that will feel totally comfortable with 
CentOS.   If continuity and staffing aren't considerations and this is truly 
going to be a one off he could use Suse or Slackware or any one of a thousand 
Linux distros (or even one of the *BSD distros - since BSD is where Solaris 
came from originally).

If it's a one off "best" is truly subjective.  There are many people that 
detest Ubuntu and many people that love it -though the din from the former 
seems to have overwhelmed the latter since Unity desktop and other moves by 
Canonical :-)





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Fajar A. Nugraha
Sent: Monday, October 01, 2012 9:58 AM
To: bind-users@lists.isc.org
Subject: Re: Moving BIND from Solaris to Linux

> One idea would be to use RHEL but still download and compile your own BIND on 
> top of it.

Yup, IIRC there are (S)RPMs for the latest bind versions posted on this list.

>  However, if the only thing on your RHEL server is BIND you have to wonder 
> why you're paying RedHat a subscription.

Yeah. If you only need the latest binary, ubuntu (plus its ppa) is probably a 
better choice, e.g.
https://launchpad.net/~hauke/+archive/bind9

Then again, the OP only mentions open source apps, with no mention of Oracle 
and such. So using latest ubuntu LTS is probably a better choice in that case.

--
Fajar







RE: Moving BIND from Solaris to Linux

2012-10-03 Thread Lightner, Jeff
So in the end you didn't use Ubuntu's package - you rolled your own.   My point 
was you can do the same on RHEL and most other Linux distros.   That is to say 
you don't have to use the package provided in any distro's normal repositories 
- you always have the option of downloading source directly from ISC and 
compiling it yourself.

FYI:  The OP replied yesterday noting that in fact they are doing as I 
suspected and migrating various things off Solaris of which BIND is just one.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Barry S. Finkel
Sent: Tuesday, October 02, 2012 10:47 PM
To: bind-users@lists.isc.org
Subject: RE: Moving BIND from Solaris to Linux

On 10/2/2012 4:26 AM, "Lightner, Jeff"  wrote:
> The reason I did the full discussion is that many shops are moving from 
> proprietary UNIX (Solaris, AIX, HP-UX) or Windows to Linux solutions.   If 
> they are moving much infrastructure but just starting with BIND then he needs 
> to consider what I wrote.
>
> Also I don't really agree that Ubuntu is the best solution.   One could run 
> CentOS which has no subscription fee but is binary compatible with RHEL 
> then download and compile BIND for it.   In an organization using Solaris 
> they presumably have "professional administrators" and are more likely to 
> find folks with RHEL experience when hiring staff that will feel totally 
> comfortable with CentOS.   If continuity and staffing aren't considerations 
> and this is truly going to be a one off he could use Suse or Slackware or any 
> one of a thousand Linux distros (or even one of the *BSD distros - since BSD 
> is where Solaris came from originally).
>
> If it's a one off "best" is truly subjective.  There are many people
> that detest Ubuntu and many people that love it -though the din from
> the former seems to have overwhelmed the latter since Unity desktop
> and other moves by Canonical:-)
>
When I was managing a DNS server and we wanted to move from Solaris to Ubuntu, 
I looked at an Ubuntu package.  It contained GeoIP, which we did not need.  And 
I wanted the latest BIND for DNSSEC support/enhancements.  We had been 
compiling from source on Solaris, so I continued to compile from source on 
Ubuntu.  That way I knew EXACTLY what I was running.  I do not remember what 
other patches were installed by the Debian/ Ubuntu team.
--Barry Finkel







RE: issues with BIND since a change of server

2012-10-04 Thread Lightner, Jeff
Have you checked the host level firewall (e.g. iptables)?





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of John 
Miller
Sent: Thursday, October 04, 2012 12:01 PM
To: bind-users@lists.isc.org
Subject: Re: issues with BIND since a change of server

Hi Thomas,

Since this is Ubuntu, what does /var/log/syslog have to say about the matter?  
Do you have any specific configuration for rndc controls, or are you primarily 
using the stock Ubuntu named.conf.local and named.conf.options?

John

On 10/04/2012 11:27 AM, Thomas Manson wrote:
> Hi,
>
>I had to change server because the previous one was getting old, and
> I had to do it very fast because of a mis-communication with my host...
>
>I'm on Ubuntu 12.04 server, x86_64.
>
> root@ns0:/etc/bind# aptitude show bind9
> Package: bind9
> New: yes
> State: installed
> Automatically installed: no
> Version: 1:9.8.1.dfsg.P1-4ubuntu0.3
>
>
>since then I've had some trouble:
>
> * I have an RNDC error on stopping the service:
>
> root@ns0:/etc/bind# service bind9 start
>   * Starting domain name service... bind9
> ...done.
> root@ns0:/etc/bind# service bind9 status
>   * bind9 is running
> root@ns0:/etc/bind# service bind9 stop
>   * Stopping domain name service... bind9
> rndc: connect failed: 127.0.0.1#953: connection refused waiting for
> pid 28560 to die
> ...done.
>
> and it appears that nothing listens on port 953:
>
> root@ns0:/etc/bind# netstat -a | grep 953
> unix  2  [ ACC ] STREAM LISTENING 9853953  private/anvil
> root@ns0:/etc/bind#
>
>
> When I perform a zonecheck on one of my domains, I get an error saying
> that the server does not listen:
>
>
> The server do not listen or answer on the port TCP 53: (translated
> from
> french)
>
>   * Réf: /IETF RFC1035 (p.32 4.2. Transport)
> /
>
> The DNS assumes that messages will be transmitted as datagrams or in
> a byte stream carried by a virtual circuit. While virtual circuits
> can be used for any DNS activity, datagrams are preferred for
> queries due to their lower overhead and better performance.
>
>
> while the port is open, checked from another machine :
>
> thomas@home:/home/special/www$ sudo nmap 88.190.17.222 -sS -p 53
>
> Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-04 14:55 CEST Nmap
> scan report for ns0.ordiworld.fr 
> (88.190.17.222)
> Host is up (0.023s latency).
> PORT   STATE SERVICE
> 53/tcp open  domain
>
> Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
> thomas@home:/home/special/www$ thomas@home:/home/special/www$
> thomas@home:/home/special/www$ thomas@home:/home/special/www$ telnet
> ns0.ordiworld.fr  53 Trying 88.190.17.222...
> Connected to ns0.ordiworld.fr .
> Escape character is '^]'.
>
>
> coucou
> Connection closed by foreign host.
>
>
> One time, after adding a log category, the zonecheck was performed
> with success, without the port 53 errors, but after a restart, the
> error appears again!
>
> I've 474 domain names... Bind is running with the root account.
>
> I've increased the max open file (soft and hard limit) to 65535, (by
> editing /etc/security/limits.conf and running ulimit -n 65535 from
> root prompt and restart bind)
>
> I would appreciate any help, I'm really lost here...
>
>
>
> I've set some logging option but don't see errors in the produced files  :
>
> ##""
> //include "/etc/bind/zones.rfc1918";
> logging {
>   channel security_file {
> file "/var/log/named/security.log" versions 3 size 30m;
> severity dynamic;
> print-time yes;
>   };
>   category security {
> security_file;
>   };
>
>
>  channel query.log {
>  file "/var/log/named/query.log";
>  severity debug 3;
>  };
>  category queries { query.log; };
>
>
> channel config.log {
>  file "/var/log/named/config.log";
>  severity debug 3;
> };
> category config { config.log; };
>
>
>
> channel general.log {
>  file "/var/log/named/general.log";
>  severity debug 3;
> };
> category general { general.log; };
>
>
> channel default.log {
>  file "/var/log/named/default.log";
>  severity debug 3;
> };
> category default { default.log; };
>
> channel resolver.log {
>  file "/var/log/named/resolver.log";
>  severity debug 3;
> };
> category resolver { resolver.log; };
>
>
> channel network.log {
>  file "/var/log/named/network.log";
>  severity debug 3;
> };
> category network { network.log; };
>
> };
> ##""
>
>
>
>
>
> /etc/resolv.conf :
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 127.0.0.1
> nameserver 88.191.254.
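One detail in the quoted output is worth checking before blaming the firewall: `netstat -a | grep 953` matched a unix socket whose inode number (9853953) happens to contain the digits, so that line says nothing about whether named opened 127.0.0.1:953. The following added example (not from this thread) parses netstat output for an actual TCP listener on the control port instead of grepping for the digits; the netstat lines are constructed to mirror the quoted box, once without the control channel and once with it.

```python
"""Added example: find a real TCP LISTEN socket on the rndc control port
in netstat -a output.  Sample output is constructed."""
import re

# e.g. 'tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN'
_TCP_LINE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+LISTEN\b")


def tcp_listeners(netstat_output):
    """Set of (address, port) for TCP sockets in LISTEN state.  Splits the
    local address on its last colon so ':::53' and '::1:953' parse as well."""
    found = set()
    for line in netstat_output.splitlines():
        m = _TCP_LINE.match(line)
        if not m:
            continue
        addr, _, port = m.group(2).rpartition(":")
        if port.isdigit():
            found.add((addr, int(port)))
    return found


def control_channel_open(netstat_output, port=953):
    """True only when something listens on TCP <port> on a loopback address
    (the default rndc control channel is 127.0.0.1#953)."""
    return any(p == port and a in ("127.0.0.1", "::1")
               for a, p in tcp_listeners(netstat_output))


def naive_grep(netstat_output, needle="953"):
    """The check from the thread: every line containing the digits."""
    return [l for l in netstat_output.splitlines() if needle in l]


# Constructed output resembling the quoted box: the only line containing
# '953' is a unix-socket inode, exactly the false positive from the thread.
NETSTAT_NO_RNDC = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     9853953  private/anvil
"""

# The same box with the control channel actually open.
NETSTAT_WITH_RNDC = NETSTAT_NO_RNDC.replace(
    "tcp        0      0 0.0.0.0:22",
    "tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN\n"
    "tcp        0      0 0.0.0.0:22")

if __name__ == "__main__":
    for label, out in (("without rndc", NETSTAT_NO_RNDC), ("with rndc", NETSTAT_WITH_RNDC)):
        print(label, "grep hits:", len(naive_grep(out)),
              "control channel open:", control_channel_open(out))
```

When the control channel really is absent, the reason is normally in named's own log lines at startup (the syslog John points at), for instance a controls statement or rndc.key that named could not use, and that is a better next step than the firewall.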

RE: Performance tuning

2012-11-26 Thread Lightner, Jeff
For question 1:
“Loading” is a function of the web site, not DNS.  Your first question could 
have to do with what the default site is in your web configuration and what kind of 
rewrite rules are getting you to the other.

If it were me I’d probably do some timed “host” or “dig” commands for the two 
records to verify name resolution itself wasn’t a problem.

I guess it MIGHT be minutely slower to resolve www if it is a CNAME to the 
other as opposed to both being A records.   However, since this is a fairly 
common practice I doubt it is likely to be of major importance in overall 
timing.

From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Adamiec, Lawrence
Sent: Monday, November 26, 2012 1:13 PM
To: bind-users@lists.isc.org
Subject: Re: Performance tuning

To the best of my knowledge, there are no problems with our DNS.  We only host 
25 domains.

The report must also address these two specific questions:


  1.  Why does www.kentlaw.iit.edu load quicker than kentlaw.iit.edu in any browser?
  2.  What happens if we remove the forwarders option from named.conf?

I can't duplicate the issue in Q1 and I'm trying to determine a way of testing 
Q2.

Larry

On Mon, Nov 26, 2012 at 11:39 AM, Doug Barton <do...@dougbarton.us> wrote:
What a delightfully vague requirement. :)

I would push back a bit on exactly what problems are attempted to be
solved here. The BIND defaults are about as efficient as they can be,
especially so in later versions.

Doug


On 11/26/2012 11:01 AM, Adamiec, Lawrence wrote:
> Hi,
>
> I have been tasked with authoring a DNS report "to achieve optimal
> performance."  The report must include:
>
> CPU usage
> memory usage
> bandwidth usage
> throughput
> latency
>
> I have found some information regarding the number of queries processed
> per minute but nothing of value for the above areas.
>
> Is there some documentation that discusses the above areas?
>
> We are running BIND 9.6-ESV-R5-P1, Solaris 10 on a SPARC server.  My
> report will include the fact we must upgrade from BIND 9.6-ESV-R5-P1
>
> Thank you in advance.
>
> Larry
>
> Lawrence Adamiec
> UNIX Mgr
> IIT Chicago-Kent College of Law





















Linux issue with make test failures, 9.9.2-P1

2012-12-05 Thread Jeff Earickson
Hi,

The "make test" stuff is failing miserably for me on Linux (Redhat
6.3, x64) with 9.9.2-P1:

if test -f ./runall.sh; then sh ./runall.sh; fi
S:acl:Wed Dec  5 08:10:01 EST 2012
T:acl:1:A
A:System test acl
I:Couldn't start server ns2 (pid=7621)
R:FAIL
S:allow_query:Wed Dec  5 08:10:15 EST 2012
T:allow_query:1:A
A:System test allow_query
I:Couldn't start server ns2 (pid=7684)
R:FAIL
S:addzone:Wed Dec  5 08:10:29 EST 2012
T:addzone:1:A
A:System test addzone
I:Couldn't start server ns2 (pid=7735)
R:FAIL
(etc)

I:System test result summary:
I:43 FAIL
I: 6 PASS
I: 3 SKIPPED

The same "make test" worked perfectly on Solaris SPARC.  I ran
bin/tests/systems/ifconfig.sh up as
root, then ran "make test" (tried both as me and as root) -- failure.
This happened on both a vmware
virtual server and a physical server.  Any ideas?  What changed?  A bug?

Jeff Earickson
Colby College


Re: Linux issue with make test failures, 9.9.2-P1

2012-12-06 Thread Jeff Earickson
Evan,

Yup, I knew all of that and that is what I have always done.  This morning
I got things to work by skipping the -j option of gmake to do parallel compiles,
and the tests then worked.

Before I always did:

configure
gmake -j2
ifconfig.sh up (as root)
gmake test

Once I didn't do the parallel compile (-j2), the tests worked.  But I did not
see any failures from a parallel compile either.  Weird.

Jeff Earickson
Colby College

On Thu, Dec 6, 2012 at 10:40 AM, Evan Hunt  wrote:
> Jeff Earickson  wrote:
>> The "make test" stuff is failing miserably for me on Linux (Redhat
>> 6.3, x64) with 9.9.2-P1:
>
> I'm pretty sure you haven't set up the local addresses the test servers
> need to run on.  From the top of the bind9 tree, run the command:
>
> $ sudo sh bin/tests/system/ifconfig.sh up
>
> ...then run "make test" and you'll probably get better results.
>
> The ifconfig.sh command sets up loopback addresses 10.53.0.1 through
> 10.53.0.7.  The system tests run servers on those addresses and make
> them talk to each other.  Without addresses configured, about 90% of
> the tests will fail.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.


RE: restart named; missing TCP socket

2012-12-12 Thread Lightner, Jeff
Why use rndc to stop then the init script to start?   Is there no 
/etc/rc.d/rc.named restart?   On RHEL5 the init script has a restart option so 
it will stop then start.

If a socket is open then it could take a finite amount of time for it to close 
making it unavailable on the restart if you haven't given it time enough to 
cleanup.

If no restart option in init maybe try to add a sleep to your command line:
rndc stop; sleep 5; /etc/rc.d/rc.named start





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Tony 
Finch
Sent: Wednesday, December 12, 2012 8:20 AM
To: bind-users@lists.isc.org
Subject: restart named; missing TCP socket

I have had a few instances recently when named has failed to re-open its TCP 
listening socket after a restart. This is particularly likely if I try to 
bounce it quickly with a command line like

# rndc stop; /etc/rc.d/rc.named start

The servers in question are recursive (apart from a few local zones) with 
simple ACLs. (I have had the same problem on servers with less simple ACLs too.)

listen-on-v6   { ::1; };
listen-on  { 127.0.0.1; };
allow-query{ localhost; };
allow-transfer { localhost; };

What do others do to avoid this problem?

Tony.
--
f.anthony.n.finch  http://dotat.at/  Forties, Cromarty: East, 
veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, 
occasionally poor at first.
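A fixed `sleep 5` between `rndc stop` and the start script is a guess at how long the old process needs; the condition that actually matters is that the old named has exited and its listening port can be bound again. The following added example (not from this thread, not an ISC tool) waits for exactly that with a timeout. The pid-file path and start command are assumptions to adjust to your build (`pid-file` in named.conf and the rc script from Tony's message); the self-check at the bottom uses a throwaway child process on an ephemeral loopback port so it runs without named and without root.

```python
"""Added example: restart named only after the old process is gone and its
TCP listener is released.  Paths and commands are assumptions."""
import os
import socket
import subprocess
import sys
import threading
import time

PID_FILE = "/var/run/named/named.pid"        # assumption: match your pid-file option
STOP_CMD = ["rndc", "stop"]
START_CMD = ["/etc/rc.d/rc.named", "start"]   # the init script from the thread


def process_gone(pid):
    """True once no process with this pid exists; signal 0 probes without killing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return True
    except PermissionError:
        return False   # exists, owned by someone else
    return False


def port_bindable(addr, port):
    """True if a fresh TCP socket can bind addr:port now, i.e. the old listener
    is fully closed rather than still shutting down."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        try:
            s.bind((addr, port))
            return True
        except OSError:
            return False


def wait_for_shutdown(pid, addr, port, timeout=30.0, interval=0.2):
    """Poll until the process is gone AND the port is free; False on timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if process_gone(pid) and port_bindable(addr, port):
            return True
        time.sleep(interval)
    return False


def restart_named(addr="127.0.0.1", port=53):
    """rndc stop, wait for the real shutdown, then start (needs root)."""
    with open(PID_FILE) as f:
        pid = int(f.read().split()[0])
    subprocess.run(STOP_CMD, check=True)
    if not wait_for_shutdown(pid, addr, port):
        raise RuntimeError("named pid %d still holds %s:%d after timeout" % (pid, addr, port))
    subprocess.run(START_CMD, check=True)


def demo_with_child():
    """Self-check without named: a child listens on a free loopback port for
    half a second; the wait must not return before it has exited.
    Returns (ok, seconds_waited)."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        port = probe.getsockname()[1]
    child = subprocess.Popen([sys.executable, "-c",
        "import socket, sys, time\n"
        "s = socket.socket(); s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n"
        "s.bind(('127.0.0.1', int(sys.argv[1]))); s.listen(1); time.sleep(0.5)\n",
        str(port)])
    threading.Thread(target=child.wait, daemon=True).start()  # reap, so the pid really disappears
    start = time.monotonic()
    ok = wait_for_shutdown(child.pid, "127.0.0.1", port, timeout=10.0)
    return ok, time.monotonic() - start


def demo_already_gone():
    """Self-check: a process that has already exited is reported gone at once."""
    child = subprocess.run([sys.executable, "-c", "pass"])
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        port = probe.getsockname()[1]
    return wait_for_shutdown(child.returncode if False else _finished_pid(child), "127.0.0.1", port, timeout=2.0)


def _finished_pid(completed):
    """subprocess.run() reaps the child; its pid is free again (placeholder helper)."""
    return completed.args and os.getpid() + 0 if False else _last_child_pid()


def _last_child_pid():
    p = subprocess.Popen([sys.executable, "-c", "pass"])
    p.wait()
    return p.pid


if __name__ == "__main__":
    print("child held the port, wait returned after exit:", demo_with_child())
    print("already-exited process:", demo_already_gone())
```

On a quick `rndc stop; start` the second named can come up while the first still owns the socket, which is the race behind the missing TCP listener; waiting on the two conditions above removes the guesswork of a fixed sleep.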







RE: How can I migrate my Domain from ISP hosted to my own BIND server?

2012-12-14 Thread Lightner, Jeff
To expand on that.  The steps Manish wrote are what you do internally.

What Sten is writing is external – your domains are “registered” somewhere and 
the “Registrar” points to the appropriate DNS servers – you’ll need to ensure 
that it is pointing to your internal DNS servers.

You can find out the registrar by running “whois” on your domains.

Often when you have external hosting the hosting provider is also acting as 
your Registrar and using their own DNS servers.  You’ll need to co-ordinate 
with them if that is the case.   Also sometimes in hosting setups if you’ve 
paid someone else to do your web design and hosting they are the actual 
Registrant (owner of the domain from ICANN’s point of view) so you may have to 
verify who owns the domains first.  We’ve dealt with some of these hosting 
companies on acquisitions that took the position that they “owned” the domain 
and didn’t have to give it up – Sometimes it takes some legal work to get them 
to understand that registering a domain doesn’t make them “owner” when it is a 
name they registered on behalf of a client so they were doing it only as an 
agent (IANAL).





From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Sten 
Carlsen
Sent: Friday, December 14, 2012 6:04 AM
To: bind-users@lists.isc.org
Subject: Re: How can I migrate my Domain from ISP hosted to my own BIND server?

You can find an external DNS provider (I use one that is free) and have them 
slave your zones. Just make your TTLs suitable, so even if your own server 
dies, the zones will be served from the provider for weeks.

Changes will propagate fast.

On 14/12/12 11:40, Mark Andrews wrote:

In message , Manish Rane writes:

Hi Team,

I need to migrate my domain which is hosted at my ISP on to my own
internal BIND server and have my own NS record. Does anyone know the steps I
need to take care of, or the complete procedure?

1. take a copy of the zone and make your server a master for it.
2. set up new slaves from the new master.
3. make the old master a slave from this new master.
4. add the new NS records and associated address records.
5. wait for the old NS RRset to clear the caches as well as any negative
   cache entries for the address records for the new servers.
6. update the parent NS RRset to be the final state.  Add glue as necessary.
   remove old glue records that are no longer necessary.
7. remove the old NS records from the zone.
8. wait for the combined NS RRset to clear caches.
9. decommission old nameservers.

--
Thanks and Regards,
Manish R




--

Best regards



Sten Carlsen



No improvements come from shouting:

   "MALE BOVINE MANURE!!!"










How and Why I Should Support Bottled Water!
Do not relinquish your right to choose bottled water as a healthy alternative 
to beverages that contain sugar, calories, etc. Your support of bottled water 
will make a difference! Your signatures count! Go to 
http://www.bottledwatermatters.org/luv-bottledwater-iframe/dswaters and sign a 
petition to support your right to always choose bottled water. Help fight 
federal and state issues, such as bottle deposits (or taxes) and organizations 
that want to ban the sale of bottled water. Support community curbside 
recycling programs. Support bottled water as a healthy way to maintain proper 
hydration. Our goal is 50,000 signatures. Share this petition with your friends 
and family today!





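The numbered migration steps quoted in the thread above only work in that order because resolvers keep an NS RRset until its TTL expires: a server has to keep answering for the zone as long as any RRset a cache might still hold names it, and the parent cannot point at an in-bailiwick server until it has glue. What follows is an added example, not code from the thread, from Mark Andrews or from BIND: a small model of the delegation that walks the steps and checks the state after each one, and shows what the check reports when step 8 (waiting for the combined NS RRset to expire) is skipped. The zone example.com., the servers ns1.isp.example.net., ns1.example.com. and ns2.example.com., and the 192.0.2.x addresses are all constructed.

```python
"""Delegation-consistency checker for the nameserver migration steps quoted
above.  Added example, not code from the thread or from BIND; every name and
address is constructed (example.com and the 192.0.2.0/24 documentation range).
"""
from dataclasses import dataclass, field

ZONE = "example.com."
OLD = "ns1.isp.example.net."   # constructed: the ISP's server, out of bailiwick
NEW1 = "ns1.example.com."      # constructed: the new in-bailiwick servers
NEW2 = "ns2.example.com."
ADDR = {NEW1: "192.0.2.1", NEW2: "192.0.2.2"}


@dataclass
class Delegation:
    parent_ns: set            # NS RRset the parent (registry side) publishes
    child_ns: set             # NS RRset at the apex of the zone itself
    parent_glue: dict         # glue A records at the parent: name -> address
    child_addr: dict          # A records the zone serves for its own NS names
    serving: set              # servers that really answer for the zone
    cached_ns: set            # NS RRset resolvers may still hold (old TTL)
    neg_cached: set = field(default_factory=set)  # names resolvers cached as NXDOMAIN


def in_bailiwick(name, zone=ZONE):
    return name == zone or name.endswith("." + zone)


def check_delegation(d, zone=ZONE):
    """Return the list of problems at this point of the migration.  Empty means
    no resolver, whatever it has cached, can be sent to a server that does not
    answer for the zone or whose address it cannot learn."""
    problems = []
    for ns in sorted(d.parent_ns | d.child_ns | d.cached_ns):
        if ns not in d.serving:
            problems.append(f"lame: {ns} may be asked for {zone} but does not serve it")
        if in_bailiwick(ns, zone) and ns in d.neg_cached:
            problems.append(f"negative cache: resolvers may believe {ns} does not exist")
    for ns in sorted(d.parent_ns):
        if in_bailiwick(ns, zone) and ns not in d.parent_glue:
            problems.append(f"missing glue: {ns} has no address at the parent")
    for ns in sorted(d.child_ns):
        if in_bailiwick(ns, zone) and ns not in d.child_addr:
            problems.append(f"missing address: {ns} has no A record in {zone}")
    for name, addr in sorted(d.parent_glue.items()):
        if name not in d.parent_ns:
            problems.append(f"orphan glue: {name} is no longer an NS")
        elif d.child_addr.get(name) != addr:
            problems.append(f"stale glue: parent {addr} != zone {d.child_addr.get(name)}")
    return problems


def run_migration(skip_step_8=False):
    """Walk the numbered steps and record the check result after each one.
    With skip_step_8=True the old server is decommissioned before resolvers
    have dropped the combined NS RRset, which the check reports as lame."""
    # Before step 4, some resolver may already have cached NXDOMAIN for ns1.example.com.
    d = Delegation(parent_ns={OLD}, child_ns={OLD}, parent_glue={}, child_addr={},
                   serving={OLD}, cached_ns={OLD}, neg_cached={NEW1})
    trace = {0: check_delegation(d)}
    d.serving |= {NEW1, NEW2}            # steps 1-3: new master and slaves answer
    trace[3] = check_delegation(d)
    d.child_ns |= {NEW1, NEW2}           # step 4: new NS and address records in the zone
    d.child_addr.update(ADDR)
    trace[4] = check_delegation(d)       # flagged: NEW1 still negatively cached somewhere
    d.neg_cached.clear()                 # step 5: old RRset and negative entries expire
    d.cached_ns = set(d.child_ns)
    trace[5] = check_delegation(d)
    d.parent_ns = {NEW1, NEW2}           # step 6: parent RRset final, glue added
    d.parent_glue = dict(ADDR)
    trace[6] = check_delegation(d)
    d.child_ns = {NEW1, NEW2}            # step 7: old NS removed from the zone
    trace[7] = check_delegation(d)
    if not skip_step_8:
        d.cached_ns = set(d.child_ns)    # step 8: the combined RRset has expired
    d.serving -= {OLD}                   # step 9: decommission the old server
    trace[9] = check_delegation(d)
    return trace


if __name__ == "__main__":
    for step, problems in run_migration(skip_step_8=True).items():
        print(f"after step {step}: {problems or 'ok'}")
```

Run as a script it prints the state after each step with step 8 skipped; the only findings are the negative-cache entry after step 4 (which step 5 waits out) and the lame delegation after step 9, which is exactly the case the waits in steps 5 and 8 exist to prevent.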

Re: open-source tool for filter out stats from dns logs

2013-01-03 Thread Jeff Wright
There might be some tools already out there (like Splunk) that do this
for you.  I think you can get a free Splunk license if you parse
relatively small amounts of daily data.  If you're particularly
concerned about open-source, this thread might also help:
http://stackoverflow.com/questions/183977/what-commercial-and-open-source-competitors-are-there-to-splunk.

Regards,

Jeff


Re: injecting a temp entry into dns cache

2013-02-02 Thread Jeff Reasoner
Interesting. Intentionally "poison" your own cache so your users aren't
inconvenienced by another's misconfiguration. Not sure how you go about
doing that on the box. Perhaps bigger brains on this list can say.

I have had occasion to forge answers locally as an immediate fix for
name resolution issues which caused significant operational problems.

I elected to add the zone in named.conf and answer the query correctly
(and authoritatively) until I could get the owner to correct things. You
will probably need to add other zone records too - MX and any other A
records you can think to search for.

Personally, I wouldn't consider doing something like that in this
situation as you've described. However, mere inconvenience as I perceive
it may be significant in your view. 

On Sat, 2013-02-02 at 16:41 -0500, Veaceslav Revutchi wrote:
> There is a credit union website that our users access from work and
> their dns has been broken for the past few days where the www. version
> works,  but the plain name (without the www.) points to some old IP
> that's not responding. Tried to call them and all I got was that they
> know they have some kind of problem, but they ask users to type www.
> in their browser until it's resolved.
> 
> In situations like this I would like to be able to inject an entry
> into the cache on our recursive resolvers and point it to the correct
> IP until the domain
> owner fixes the problem (poison my own cache so to speak). Is this
> something that can be done with bind without having to create a zone
> for the broken domain and make our servers act as authoritative for
> it?
> 
> Thank you,
> Slava




RE: chroot/etc/named/ directory?

2013-02-13 Thread Lightner, Jeff
Haven't done it on RHEL/CentOS 6.x yet but in RHEL5 with the bind-chroot 
installed I've always had:
/var/named/chroot as the jail for BIND.
/var/named/chroot/etc = Location of global config files such as named.conf
/var/named/chroot/var/named = Location of the zone files.

I don't see a /var/named/chroot/etc/named in RHEL5 but then again that is based 
on BIND 9.3.  RHEL6 is almost certainly based on a higher upstream version.   
Since CentOS is built from RHEL source it would have that higher version as 
well.






-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Mike 
Hoskins (michoski)
Sent: Wednesday, February 13, 2013 12:44 PM
To: bind-users@lists.isc.org
Subject: Re: chroot/etc/named/ directory?

-Original Message-

From: Robert Moskowitz 
Date: Wednesday, February 13, 2013 10:53 AM
To: "bind-users@lists.isc.org" 
Subject: chroot/etc/named/ directory?

>I am upgrading my server from bind-9.3.6 via Centos 5.5 to 9.8.2 in
>Centos 6.3.
>
>I have and will run bind chrooted and on my test setup I noticed a 'new'
>subdirectory in the chroot tree:
>
>/var/named/chroot/etc/named/
>
>I cannot find any documentation as to what is intended to be placed in
>this subdirectory.  My includes for named.conf?
>
>I am assuming the pki subdirectory is for DNSSEC related files, but I
>have not found any documentation indicating so.  But then I have not
>plowed through DNSSEC documentation in depth yet.

If you installed bind*-chroot, it will populate the /var/named/chroot 
hierarchy.  It's not strictly required (though I would suggest it), but if you 
intend to run BIND chrooted "/var/named/chroot" is essentially "/".
You'll have to place the usual things BIND needs to operate under that 
directory -- configs, zones, etc.  Assuming this came from the chroot RPM, 
you'll already have other essential pieces for chroot such as your 
null/random/zero devices.  Since you mention CentOS, you'll likely also want to 
pay attention to things like ROOTDIR in /etc/sysconfig/named.

Having said all that, you might search the archives (SRPMS have been provided 
by community members) or other sources for a newer BIND while you're at 
it...9.8.2 isn't ancient, but also not technically "up to date"
now.  I am personally waiting for 9.9.3 to leave beta, but 9.8.4-P1 probably 
makes sense for you today.  This won't affect your chroot setup, just something 
worth considering since you're upgrading.







RE: SOA issue

2013-02-13 Thread Lightner, Jeff
Also make sure you’ve incremented the serial number in the zone file by at 
least 1.





From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Chris Buxton
Sent: Wednesday, February 13, 2013 12:58 PM
To: Paul A
Cc: bind-us...@isc.org
Subject: Re: SOA issue

On Feb 13, 2013, at 9:22 AM, Paul A wrote:


Can anyone help me figure out why this SOA is not changing no matter what 
I do? The zone was edited and has a new SOA, but no matter what I do bind 
doesn’t reload the zone with the new SOA. I tried rndc freeze/unfreeze and 
still nothing. Short of reloading bind, what else can I do?

TIA, Paul

named-compilezone -o - sturdymemorial.org db.sturdymemorial
zone sturdymemorial.org/IN: loaded serial 2013021307
sturdymemorial.org.   86400 IN SOA  reuben.meganet.net. postmaster.naisp.net. 2013021307 10800 3600 604800 600
OK

Your zone only has an SOA record. A zone without NS records will not load.

If that's not really the issue, because you've edited the output above, a 
couple of hints:

- rndc reload  is unnecessary if rndc freeze  executes correctly. A 
dynamic zone (one that you would freeze and thaw) cannot be reloaded. Thawing 
the zone effectively reloads it.

- Do not edit a dynamic zone's zone file without first freezing it. Otherwise, 
when you freeze it, the data in memory will be written to disk, overwriting 
your changes.

- Are you sure you're editing the right file?

Chris Buxton
BlueCat Networks


rndc reload sturdymemorial.org
zone reload up-to-date


dig @localhost sturdymemorial.org soa

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57470
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;sturdymemorial.org.            IN      SOA

;; ANSWER SECTION:
sturdymemorial.org.     600     IN      SOA     reuben.meganet.net. postmaster.naisp.net. 2012011801 10800 3600 604800 600

from the log file

named[26675]: received control channel command 'reload sturdymemorial.org'






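Two of the points in this thread are mechanical enough to check before touching rndc at all: a zone whose apex has an SOA but no NS records will not load, and a slave only transfers when the master's serial is greater in RFC 1982 serial arithmetic, so a zone file whose serial was edited but not moved forward leaves every slave on the old data. The following is an added example, not code from the thread, from Chris Buxton or from BIND: a minimal master-file parser with the load-time checks, plus the serial comparison. The zone texts are constructed for example.org; the only figures taken from the thread are the two serials 2013021307 (in the file) and 2012011801 (what the server still answers with).

```python
"""Zone sanity and SOA serial checks.  Added example, not code from the thread
or from BIND; the zone texts below are constructed (example.org, 192.0.2.0/24).
"""

SERIAL_SPACE = 2 ** 32
HALF = 2 ** 31


def serial_gt(new, old):
    """RFC 1982 serial arithmetic: new > old when the forward distance,
    taken modulo 2^32, is strictly between 0 and 2^31."""
    d = (new - old) % SERIAL_SPACE
    return 0 < d < HALF


def parse_zone(text, origin):
    """Minimal master-file parser: $ORIGIN, $TTL, '@', relative names, a
    leading blank meaning 'same owner as the previous record', optional TTL,
    one record per line (no parenthesised multi-line records).
    Returns a list of (owner, type, rdata-tokens)."""
    if not origin.endswith("."):
        origin += "."
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()    # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue                            # default TTL is irrelevant to these checks
        tokens = line.split()
        if line[:1].isspace():
            owner = last_owner
        else:
            name = tokens.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                       # explicit TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append((owner, rtype, tokens))
        last_owner = owner
    return records


def check_zone(text, origin):
    """Mirror named's load-time complaints: exactly one SOA at the apex, at
    least one NS at the apex, and an address record for every in-zone NS."""
    if not origin.endswith("."):
        origin += "."
    records = parse_zone(text, origin)
    apex = [r for r in records if r[0] == origin]
    soa = [r for r in apex if r[1] == "SOA"]
    problems, serial = [], None
    if len(soa) != 1:
        problems.append("zone needs exactly one SOA record at the apex")
    else:
        serial = int(soa[0][2][2])              # rdata: mname rname serial refresh retry expire minimum
    ns_targets = [r[2][0] for r in apex if r[1] == "NS"]
    if not ns_targets:
        problems.append("no NS records at the apex: named will not load this zone")
    have_addr = {r[0] for r in records if r[1] in ("A", "AAAA")}
    for target in ns_targets:
        if target.endswith(origin) and target not in have_addr:
            problems.append(f"in-zone nameserver {target} has no A/AAAA record")
    return {"serial": serial, "problems": problems}


def slave_will_transfer(slave_serial, master_serial):
    """A slave that sees the master's SOA transfers only if the master's
    serial is ahead of its own; an unchanged or 'lower' serial is ignored."""
    return serial_gt(master_serial, slave_serial)


# Constructed zone texts (not from the thread).
GOOD_ZONE = """\
$ORIGIN example.org.
$TTL 86400
@   IN SOA ns1.example.org. hostmaster.example.org. 2013021307 10800 3600 604800 600
    IN NS  ns1.example.org.
    IN NS  ns2.example.org.
ns1 IN A   192.0.2.1
ns2 IN A   192.0.2.2
www 600 IN A 192.0.2.10
"""

SOA_ONLY_ZONE = """\
$ORIGIN example.org.
$TTL 86400
@   IN SOA ns1.example.org. hostmaster.example.org. 2013021307 10800 3600 604800 600
"""

if __name__ == "__main__":
    print(check_zone(GOOD_ZONE, "example.org"))
    print(check_zone(SOA_ONLY_ZONE, "example.org"))
    print("slave transfers:", slave_will_transfer(2012011801, 2013021307))
```

The serial comparison is the part worth keeping around: it also covers the wrap-around case, where a serial just past 2^32 - 1 restarts from a small number and is still "greater", which a plain integer comparison gets wrong.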

Re: ISC Security Advisory: CVE-2013-2266 (Adam Tkac)

2013-03-26 Thread Jeff Wright
Dear Adam,

In order to minimize exploitation, we are trying to not spell out the
specific nature of the flaw publicly. I will respond to you directly
with a more detailed explanation.

Regards,

Jeff Wright


Re: Looking for info about BIND support for International Domain Names

2013-09-24 Thread Jeff Reasoner
You'll need libidn and libiconv.

IDN code is in the bind-9.x tarball in contrib/idn/idnkit-1.0-src

You need to include the --with-idn=yes and --with-iconv=yes options.

I recall having had to configure and build idn first, and then build
bind including the options in each.

Jeff R.

On Tue, 2013-09-24 at 09:45 -0400, M. Meadows wrote:
> Wondering about IDN support for BIND. 
> UTF-8 character set?
> Searched for these in this forum and didn't find much.
> May have missed it.
> Anything helpful already out there for review?
> 
> Thanks!
> Martin Meadows
> Indianapolis, IN
> 
> 
> plain text document attachment (ATT1)




RE: Install DNS Server

2013-10-10 Thread Lightner, Jeff
Any reason why you’re using CentOS 5.7 given that 6.4 (and maybe later) is 
available?

If this is a new system you really ought to think about using the 6.x stuff.   
5.x is long in the tooth; even though it is still supported, it has many older 
upstream packages of things, including BIND.   CentOS does put bug and security 
fixes in (or RedHat does and CentOS gets them because they build from RHEL 
source) but you still end up with something very old (BIND 9.3.x) that most 
folks on this list don’t want to talk about because it is long past EOL for BIND.





From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Sten 
Carlsen
Sent: Thursday, October 10, 2013 6:38 AM
To: Chandran Manikandan
Cc: bind-users@lists.isc.org
Subject: Re: Install DNS Server

Hi

I do that and more on an ATOM machine with 2GB RAM. I use Postfix instead of 
qmail but see no reason qmail would not work.

I installed all the relevant RPMs, configured them and it works.

One thing to remember is that you need two or more DNS servers, I do that by 
being a stealth master with several slaves on my 3rd party provider.

On 10/10/13 12.27, Chandran Manikandan wrote:
Hi All,
I am running a Centos 5.7 32 bit server machine.
I have installed and successfully run qmail, web and ftp on the same machine.
Now my DNS hosting is with a third party. I would like to install and keep DNS 
hosting myself.
How do I do that? How do I install a DNS server on the same machine or a 
different machine, and what is the complete procedure and steps?

Can anyone help me?

--
Thanks,
Manikandan.C
System Administrator







--
Best regards

Sten Carlsen

No improvements come from shouting:
   "MALE BOVINE MANURE!!!"






RE: Performance Tuning RHEL 5 and Bind

2013-10-21 Thread Lightner, Jeff
Any reason you're using RHEL5 as opposed to RHEL6 if you're building new 
servers?   RHEL5 is very long in the tooth and will go EOL sooner than RHEL6.   
Since you're using a BIND package not shipped with RHEL5 there's no reason on 
that account not to move up to RHEL6.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
wbr...@e1b.org
Sent: Monday, October 21, 2013 9:47 AM
To: bind-users@lists.isc.org
Subject: Re: Performance Tuning RHEL 5 and Bind

> From: Alan Clegg 

> Fix your windows clients.

You can't fix stupid.




Confidentiality Notice:
This electronic message and any attachments may contain confidential or 
privileged information, and is intended only for the individual or entity 
identified above as the addressee. If you are not the addressee (or the 
employee or agent responsible to deliver it to the addressee), or if this 
message has been addressed to you in error, you are hereby notified that you 
may not copy, forward, disclose or use any part of this message or any 
attachments. Please notify the sender immediately by return e-mail or telephone 
and delete this message from your system.






RE: Adding DS records

2013-12-20 Thread Lightner, Jeff
FYI:  web.com recently bought NetSol and at least one other Registrar that 
escapes me at the moment.   It might be worthwhile to see if any of their 
companies do this as you might have an easier time transferring and avoid some 
of the common games Registrars play to prevent it.

I heartily recommend that you NOT go to GoDaddy.  Once they have your domain 
they play all sorts of games to keep it.

On that subject.  If you DO decide to transfer domains from one registrar to 
another be sure to do the following at the old Registrar BEFORE requesting the 
transfer at the new one:
1)  Turn off domain lock - most Registrars have this enabled by default now.
2)  Turn off private registration if enabled.
3)  Ensure the administrative contact email is one you can send email to them 
from and can receive emails from them.
4)  Obtain the transfer authorization code.   Most Registrar web sites have 
"transfer" buttons that are easy to find but these are for transferring domains 
TO them rather than AWAY.  Usually you have to do some research on their sites 
to find how to generate the code.

Jeffrey C. Lightner
Sr. UNIX Administrator

DS Waters of America, Inc.
5660 New Northside Drive NW
Suite 250
Atlanta, GA  30328






-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Thomas Schulz
Sent: Friday, December 20, 2013 12:59 PM
To: bind-users@lists.isc.org
Subject: Re: Adding DS records

> >> If I was a NetSol customer, I would ask them, "Why not?"
> >
> >And if I were a NetSol customer, I would ask myself, Why?
>
> If I were a capitalist, I'd vote with my wallet and go somewhere with
> the features I want.

Well, we started with them back when they were the only company registering 
domain names. And up to now there were no problems (other than perhaps price).

Any recommendations for another company for a .com domain in the US?
I suppose that I could always use the DLV, but I would rather not.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com






RE: Same internal and external zone

2014-02-14 Thread Lightner, Jeff
There is nothing that precludes you from having the same zone on different DNS 
servers.   You make each "authoritative" so that any look up that hits that DNS 
server gets that server's records.   You can then have separate entries for 
some items and the same for others.

We do that here with at least one domain where our internal Windows servers 
keep track of internally USED IPs and our external facing DNS servers keep 
track of externally reachable IPs.  For the few records where we want to have 
the internal user use the externally reachable IP we just add the record to 
both.







-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Joshua Smith
Sent: Friday, February 14, 2014 1:03 PM
To: Sarath
Cc: bind-users@lists.isc.org
Subject: Re: Same internal and external zone

Can you not delegate xyz.xyz.example.com to route 53 on your internal name 
server?

--
Josh Smith
KD8HRX

Email/jabber: juice...@gmail.com
Phone: 304.237.9369(c)

Sent from my iPhone.

> On Feb 14, 2014, at 12:53 PM, Sarath  wrote:
>
> Hi All,
>
> I have a situation where the same domain, for example xyz.example.com, is both 
> internal and external.
>
> The internal xyz.example.com is on an internal host (private address) which 
> is the default DNS server for all internal hosts (all hosts use this DNS 
> server in their resolve.conf). And the external xyz.example.com is on another 
> public IP server (AWS Route 53).
>
> The problem is I have a hostname, for example xyz.xyz.example.com, which
> is on the public DNS server, and my local network hosts cannot resolve
> that hostname which is on the public DNS server (Route 53).
>
> The reason is because the local DNS server is also authoritative for 
> xyz.example.com, and as it does not find xyz.xyz.example.com in the local 
> zone it gives no reply.
>
> I cannot add the record of xyz.xyz.example.com on my local DNS server (which 
> is bind) because that host is DNS load balanced using Route 53 health checks.
>
> Is there any other solution to get this done in bind? Adding a CNAME 
> also won't work.
>
> Please let me know if there is some solution or workaround for this
>
> Thanks
> Sarath
> 






whois expiration limit?

2014-02-19 Thread Lightner, Jeff
Hi,  I know this is the BIND list but I’m thinking folks who deal with DNS 
probably may be able to answer this question about whois.

We recently transferred and renewed a domain by 2 years which pushed its 
expiration to 01/25/2025.   The order confirmation shows that expiration and 
looking at the domain at the Registrar’s web site under our account it shows 
that expiration as well.   However, when running whois both here and at the 
Registrar’s site it shows expiration 01/25/2024.  It makes me wonder if there 
is a 10 year limit in whois since 2024 would be within 10 years but 2025 would 
be outside of it.

I didn’t see anything in RFC 3912 describing whois that even suggests a limit 
for expiration dates.

Not a big deal as I may be dead by then either way – just wondering if anyone 
knows of a reason this would occur.

Please don’t suggest I contact the Registrar.  I already did and they seemed as 
clueless as I am.











RE: whois expiration limit?

2014-02-19 Thread Lightner, Jeff
Thanks.  My thinking was the limit was on the whois database since the 
Registrar was telling me it was registered for more than 10 years.

It appears based on this Registration FAQ regarding “compliance” that the 
registrar may simply be showing it as 2024 because they can’t really report 
2025 and be in compliance.

I was just having a hard time finding anything that mentioned the 10 year limit 
even though it seemed likely that was the issue.

Hopefully you’re correct that the Registrar will automatically adjust it before 
2024.   I’ll set myself a reminder for next year and prompt them if they don’t 
automatically update it themselves so we don’t have to remember in 2024 that we 
already paid for another year.






From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Dave 
Warren
Sent: Wednesday, February 19, 2014 4:17 PM
To: bind-users@lists.isc.org
Subject: Re: whois expiration limit?

On 2014-02-19 20:44, Lightner, Jeff wrote:
Hi,  I know this is the BIND list but I’m thinking folks who deal with DNS 
probably may be able to answer this question about whois.

We recently transferred and renewed a domain by 2 years which pushed its 
expiration to 01/25/2025.   The order confirmation shows that expiration and 
looking at the domain at the Registrar’s web site under our account it shows 
that expiration as well.   However, when running whois both here and at the 
Registrar’s site it shows expiration 01/25/2024.  It makes me wonder if there 
is a 10 year limit in whois since 2024 would be within 10 years but 2025 would 
be outside of it.

I didn’t see anything in RFC 3912 describing whois that even suggests a limit 
for expirations dates.

Not a big deal as I may be dead by then either way – just wondering if anyone 
knows of a reason this would occur.

Please don’t suggest I contact the Registrar.  I already did and they seemed as 
clueless as I am.

http://www.icann.org/en/resources/compliance/faqs#7

"Each registrar has the flexibility to offer initial and renewal registrations 
in one-year increments, provided that the maximum remaining unexpired term 
shall not exceed ten years."

In reality, they'll probably issue the renewal automagically once you're under 
the 9-year mark and the domain is renewal-eligible.



--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren

RE: Does bind read /etc/hosts?

2014-07-15 Thread Lightner, Jeff

The confusion can come in because on some UNIX variants (notably HP-UX) nslookup 
was modified to honor /etc/nsswitch.conf, so it DOES check /etc/hosts if "files" 
precedes "dns".

However, on most others (e.g. Linux, Solaris) nslookup (and the newer host 
command) do not look at /etc/hosts regardless of the nsswitch.conf setting.



-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Niall O'Reilly
Sent: Tuesday, July 15, 2014 6:57 AM
To: houguanghua
Cc: bind-users@lists.isc.org
Subject: Re: Does bind read /etc/hosts?

At Tue, 15 Jul 2014 10:28:30 +,
houguanghua wrote:
>
> Before Bind consults authority NS, does it access /etc/hosts? In my
> testing, it does not even seem to access /etc/hosts.

  That's right.  BIND tools (dig, ...) are DNS tools.
  Local files aren't part of the DNS.

  For more information, please see
http://serverfault.com/questions/498500/why-does-the-host-command-not-resolve-entries-in-etc-hosts

  Best regards,
  Niall O'Reilly


RE: Value of memory

2014-08-07 Thread Lightner, Jeff
Also remember that "used" reported by "free" in Linux on the first line 
includes memory pre-allocated to cache and buffers that is readily usable on 
demand so isn't really allocated to specific processes like you'd see in a 
similarly configured UNIX system.   Be sure when trying to determine "used" 
that you're looking at the values on the second line instead as that shows what 
you have when buffers/cached are not included in the totals.



-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Fajar A. Nugraha
Sent: Thursday, August 07, 2014 12:07 AM
To: Robert Moskowitz
Cc: bind-us...@isc.org
Subject: Re: Value of memory

On Thu, Aug 7, 2014 at 10:39 AM, Robert Moskowitz  wrote:
> I have a server that is only running bind 9.8.2 (Centos 6.5).  It has
> 2Gb memory and free reports ~1.7Gb used.
>
> I am looking at replacing this server with an armv7 board running
> Redsleeve (until Centos 7 is out and stable for armv7).  I have a
> choice of boards, one with 1Gb memory ($60) and one with 2Gb memory ($90).
>
> This server serves out my zones and supports the couple of handfuls of
> systems on my net.  I would like to eventually get to DNSSEC, but that
> is another stalled project.
>
> About the only meaningful difference between the two boards (btw,
> Cubieboard2 and Cubietruck) for my needs is the memory.  I know more
> memory is better, but how much better?
>
> Oh, why the move to arm?  Power consumption.  ROI for the C2 board is
> one year just on power saving.

It depends on how much load your server currently handles, and how your cache is 
configured.

I'd start with looking at your server load. ARM still has lower per-core 
performance compared to x86, so if you currently see high CPU utilization by 
named, I'd stick with x86.

Next see how your memory cache is configured. That should be where bind uses 
most memory. AFAIK by default max-cache-size is unlimited and max-cache-ttl is 
set to several days. See how much memory bind currently uses for cache, and 
then you can try configuring those two parameters (e.g. set an explicit 
max-cache-size to 512MB) and see how much memory bind (and the rest of the OS) 
uses then, and how well it performs. If it's still acceptable, then you can 
probably go with the 1GB board.

Cache can reduce the number of queries issued upstream and is very important on 
busy servers, but if you serve a relatively low number of queries from your 
clients then you won't see much difference between (e.g.) 512MB and 1GB cache.

--
Fajar


RE: Change in behaviour regarding ndots and searchlist

2014-09-15 Thread Lightner, Jeff
I've begun seeing this recently in nslookup on Windows workstations as well.
It appears it is appending search domains even when I've specified an FQDN.   
That is I have two search domains such as ex1.com and ex2.net and I typed short 
name "ralph" for nslookup or host it would give me "ralph.ex1.com" IP if it 
existed or "ralph.ex2.net" if the ralph.ex1.com didn't exist and the latter 
did.   Now what I'm seeing is even if I specify "ralph.ex1.com" it is looking 
up and failing on "ralph.ex1.com.ex2.net".

If I put a dot at the end of the FQDN (e.g. ralph.ex1.com. instead of just 
ralph.ex1.com) it doesn't do that.   The Windows admins recently built a 
couple of new domain controllers for Windows DNS so I assumed it had something 
to do with those.   Do you by any chance have Windows DNS in your environment?

There was an article posted last week to this forum regarding bleed over of 
internal domains to the internet and vice-versa when one is using a domain 
internally that might be registered to someone else externally which is the 
case in our environment.   It may also be that the issue is because the 
formerly externally registered domain appears to have gone to expired/renewal 
status recently and it may be the Registrar is somehow causing this bleed over 
effect in the way they present records.




-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark Andrews
Sent: Monday, September 15, 2014 5:16 AM
To: BIND Users
Subject: Re: Change in behaviour regarding ndots and searchlist


Partially qualified names are DANGEROUS.  You really do not want to use them 
ever no matter how convenient or useful they appear to be.

In message <20140915083532.ga29...@danton.fire-world.de>, Sebastian Wiesinger w
rites:
> Hello,
>
> I noticed a change in the host tool in regard to how searches are done
> when there are >= "ndots" dots in the query. In the following case
> ndots is always nonexistent in the configuration.
>
> With bind 9.8 (Debian 1:9.8.4.dfsg.P1):
>
> $ host -d test.example
> Trying "test.example"
> Received 105 bytes from 127.0.0.1#53 in 6 ms
> Trying "test.example.office.example.com"
> Trying "test.example.backup.example.org"
> Trying "test.example.example.com"
> Trying "test.example.example.org"
> Trying "test.example.winzone.example.com"
> Trying "test.example.nms.example.com"
> Host test.example not found: 3(NXDOMAIN)
> Received 104 bytes from 127.0.0.1#53 in 1 ms
>
>
> With bind 9.9 (Debian 1:9.9.5.dfsg-4~bpo70, same on Ubuntu
> 1:9.9.5.dfsg-3):
>
> $ host -d test.example
> Trying "test.example"
> Host test.example not found: 3(NXDOMAIN)
> Received 105 bytes from 127.0.0.1#53 in 15 ms
> Received 105 bytes from 127.0.0.1#53 in 15 ms
>
>
> So with "host" from bind 9.8 the absolute name is tried first and
> after that the search list is tried.
>
> With bind 9.9 this is no longer the case.
>
> Does anyone know if that was a deliberate change? I liked the old
> behaviour because I could search for internal subdomains without
> specifying/knowing the full FQDN.
>
> As a workaround I raised the ndots value to 2 but that increases the
> number of queries because the searchlist is tried first for things
> like linux.org. Also it increases the potential for MITM as
> "linux.org.example.com." is tried first.
>
> Regards
>
> Sebastian
>
> --
> GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
> -- Terry Pratchett, The Fifth Elephant
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

RE: Change in behaviour regarding ndots and searchlist

2014-09-15 Thread Lightner, Jeff
While the final dot has been required within zone files to prevent unwanted 
appendages to records it has NOT been required by tools such as host and 
nslookup on either Windows or Linux/UNIX which routinely use "search" domains.   
As I noted this is something that seems to have changed recently.   It 
doesn't happen for every record either so we're just now looking into what has 
changed and as stated I suspect it is the new Windows Domain Controllers 
recently installed.

The article I mentioned posted last week does suggest that using short names is 
a bad idea now due to the new plethora of TLDs and the bleed over but that 
doesn't mean it never worked.   The article says that what made short names 
work in the past was platform dependent so really wasn't a good idea even for 
internal systems.  Despite that it IS the way many people have run their 
environments for years.




-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Sebastian Wiesinger
Sent: Monday, September 15, 2014 9:50 AM
To: bind-users@lists.isc.org
Subject: Re: Change in behaviour regarding ndots and searchlist

* Barry Margolin  [2014-09-15 15:18]:
> In article ,
>  Steven Carr  wrote:
>
> > On 15 September 2014 13:29, Lightner, Jeff  wrote:
> > > I've begun seeing this recently in nslookup on Windows workstations as
> > > well.It appears it is appending search domains even when I've 
> > > specified
> > > an FQDN.   That is I have two search domains such as ex1.com and ex2.net
> > > and I typed short name "ralph" for nslookup or host it would give
> > > me "ralph.ex1.com" IP if it existed or "ralph.ex2.net" if the 
> > > ralph.ex1.com
> > > didn't exist and the latter did.   Now what I'm seeing is even if I 
> > > specify
> > > "ralph.ex1.com" it is looking up and failing on "ralph.ex1.com.ex2.net".
> >
> > Without the final explicit "." your name is not fully qualified.
>
> But if a name has more than ndots dots, it's supposed to be tried as
> given first, before adding search domains.

But currently (9.9) it will not add search domains at all. Which I find odd.

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE) 'Are 
you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant 
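The search-list expansion argued about across both halves of this thread (Sebastian's 9.8-versus-9.9 host output, Barry's point that a name with at least ndots dots is tried as given first, the MITM cost of raising ndots to 2, and Jeff's ralph.ex1.com case), as an added model written for this page rather than code from BIND or host(1); the search lists, names and the answer table below are constructed.

```python
"""Model of stub-resolver search-list expansion (added example, not BIND code).

Shows how the names typed in this thread turn into the sequence of absolute
names a tool such as host(1) actually queries, under both behaviours discussed:
the classic one (name as given first, then search domains appended when it has
at least `ndots` dots) and the BIND 9.9 host behaviour Sebastian reports (stop
after the name as given).  Search lists, names and answers are constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple


def dot_count(name: str) -> int:
    """Dots in the name as typed, ignoring a trailing root dot."""
    return name.rstrip(".").count(".")


def query_order(name: str, search_list: List[str], ndots: int = 1,
                search_after_absolute: bool = True) -> List[str]:
    """Absolute names a resolver would try, in order.

    A trailing dot means fully qualified: nothing is ever appended.  Otherwise
    a name with >= ndots dots is tried as given first and, in the classic
    behaviour only, followed by the search domains; a name with fewer dots has
    the search domains tried first and the bare name last.
    """
    if name.endswith("."):
        return [name]
    as_given = name + "."
    appended = [f"{name}.{domain.rstrip('.')}." for domain in search_list]
    if dot_count(name) >= ndots:
        return [as_given] + (appended if search_after_absolute else [])
    return appended + [as_given]


def tried_before_intended(name: str, search_list: List[str],
                          ndots: int = 1) -> List[str]:
    """Search-list candidates queried *before* the name the user meant.

    Each of these is a chance for whoever controls that parent domain
    (internal, or external after bleed-over) to answer first; with ndots=2
    "linux.org" produces a list of such names, as Sebastian noted.
    """
    order = query_order(name, search_list, ndots)
    return order[:order.index(name.rstrip(".") + ".")]


def resolve(name: str, search_list: List[str],
            lookup: Callable[[str], Optional[str]], ndots: int = 1,
            search_after_absolute: bool = True) -> Optional[Tuple[str, str]]:
    """Walk the query order; return (name answered, data), or None when every
    candidate is NXDOMAIN, which is what `host` reports at the end."""
    for candidate in query_order(name, search_list, ndots,
                                 search_after_absolute):
        data = lookup(candidate)
        if data is not None:
            return candidate, data
    return None


# Constructed answers standing in for the DNS (RFC 5737 documentation ranges).
FAKE_DNS: Dict[str, str] = {
    "ralph.ex1.com.": "192.0.2.10",
    "linux.org.": "198.51.100.5",
}


def fake_lookup(qname: str) -> Optional[str]:
    return FAKE_DNS.get(qname)


if __name__ == "__main__":
    search = ["office.example.com", "backup.example.org"]
    print("9.8 style :", query_order("test.example", search))
    print("9.9 style :", query_order("test.example", search,
                                     search_after_absolute=False))
    print("ndots=2   :", tried_before_intended("linux.org", search, ndots=2))
    print("FQDN+dot  :", query_order("ralph.ex1.com.", ["ex1.com", "ex2.net"]))
    print("short name:", resolve("ralph", ["ex1.com", "ex2.net"], fake_lookup))
```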


Filter dns update requests?

2015-01-29 Thread Jeff Sadowski
Is there a way to set up bind to use an external filtering script to
filter out requests?

example1: Say I have a cisco dhcp server and some windows clients and
some other clients.
Further let's say I have two domains on my dhcp scope.

WinCli1 is on ad.abc.org
WinCli2 is on ad.xyz.org
Printer1 gets its domain from the dhcp server which is ad.abc.org

bind allows ddns for both ad.abc.org and ad.xyz.org

currently I see entries as follows

WinCli1 has DNS A entries WinCli1.ad.abc.org WinCli1.ad.abc.org.ad.abc.org
and PTR  => WinCli1.ad.abc.org.ad.abc.org

WinCli2 has DNS A entries WinCli2.ad.xyz WinCli2.ad.xyz.org.ad.abc.org
and PTR  => WinCli2.ad.xyz.org.ad.abc.org

Printer1 has DNS A entry Printer1.ad.abc.org
and PTR  => Printer1.ad.abc.org

The printer is the only device whose entries I like as they are.
I would like to filter out the DNS entries for the Windows Clients
so that, in the example above, I would get what I think is obvious,
as follows:

WinCli1 has DNS A entry WinCli1.ad.abc.org
and PTR  => WinCli1.ad.abc.org

WinCli2 has DNS A entry WinCli2.ad.xyz
and PTR  => WinCli2.ad.xyz

Printer1 has DNS A entry Printer1.ad.abc.org
and PTR  => Printer1.ad.abc.org

Furthermore I was wondering if there isn't a way to filter out some
entries altogether.

example2: Say I do not want some entry in my DNS ever.

Currently

PrinterBadName has DNS A entry PrinterBadName
and PTR  => PrinterBadName

I would like no entries, filtering out bad names.

Is there a way to do things like this with bind?
Or someway to intercept DNS update requests and only send what I want
to the DNS servers?


Re: Filter dns update requests?

2015-01-30 Thread Jeff Sadowski
On Thu, Jan 29, 2015 at 10:02 AM, Tony Finch  wrote:
> Jeff Sadowski  wrote:
>
>> Is there a way to setup bind to use an external filtering script to
>> filter out requests?
>
> Have you read the ARM's section on dynamic update policies? The built-in
> facilities are quite flexible, and there is also an "external" policy
> which you can implement yourself.
>
> http://ftp.isc.org/isc/bind9/9.10.2b1/doc/arm/Bv9ARM.ch06.html#dynamic_update_policies
>
Nice. I set up

zone "my.test" {
type master;
update-policy { grant any external local:2525; };
file "updateable/db.test";
};

Now I'll have to write my own program to take the input and process it.
I'm pretty sure I'll want to deny just about everything, rewrite it in my
own program and resubmit with the names I want.

Is there any way to get requests for all domains?
Or can I only process domains I am a master for?

> Tony.
> --
> f.anthony.n.finchhttp://dotat.at/
> Fair Isle, Faeroes: Northwest 5 to 7 veering north 7 to severe gale 9,
> occasionally storm 10 later in Faeroes. Very rough or high, becoming high or
> very high except in east Fair Isle. Rain or squally wintry showers. Moderate
> or poor, occasionally good in east Fair Isle.
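Jeff's zone statement grants `external local:2525` and he plans to write the program himself; what follows is an added sketch of such a daemon, written for this page and not code from the thread, ISC or BIND. The message layout is taken from the ARM section Tony linked; that the socket is a UNIX stream socket and that the length field counts the whole message are assumptions to verify against the ARM for the BIND version in use. The zones, the doubled-suffix rule and the banned name come from Jeff's two examples in the first post.

```python
"""External update-policy daemon for the filtering asked about above.

Added example, not code from the thread, ISC or BIND.  named configured with
`update-policy { grant any external local:PATH; };` asks the daemon on UNIX
socket PATH whether each record of a dynamic update may be applied.  Layout per
the ARM: 4-byte version (1), 4-byte length, NUL-terminated signer, name, TCP
source address, rdata type, key, 4-byte TKEY token length, token; reply is a
4-byte 0 (deny) or 1 (allow), network order.  Stream transport and a length
covering the whole message are assumptions; zones and rules are Jeff's examples.
"""
import socket
import struct
import sys
from typing import NamedTuple, Sequence

ALLOW, DENY = struct.pack("!I", 1), struct.pack("!I", 0)
# Forward zones decided here; reverse (PTR) zones need a policy of their own.
MANAGED_ZONES: Sequence[str] = ("ad.abc.org", "ad.xyz.org")
BANNED_HOSTS = frozenset({"printerbadname"})  # example 2: never in DNS

class UpdateRequest(NamedTuple):
    signer: str
    name: str
    tcpaddr: str
    rdtype: str
    key: str
    tkey_token: bytes

def parse_request(data: bytes) -> UpdateRequest:
    """Decode one request; raises ValueError on anything malformed."""
    if len(data) < 8:
        raise ValueError("request shorter than its header")
    version, _length = struct.unpack("!II", data[:8])
    if version != 1:
        raise ValueError(f"unsupported protocol version {version}")
    fields, pos = [], 8
    for _ in range(5):  # signer, name, tcpaddr, rdtype, key
        end = data.find(b"\0", pos)
        if end < 0:
            raise ValueError("truncated string field")
        fields.append(data[pos:end].decode("ascii", "replace"))
        pos = end + 1
    if len(data) < pos + 4:
        raise ValueError("missing TKEY token length")
    (token_len,) = struct.unpack("!I", data[pos:pos + 4])
    token = data[pos + 4:pos + 4 + token_len]
    if len(token) != token_len:
        raise ValueError("truncated TKEY token")
    return UpdateRequest(*fields, token)

def encode_request(req: UpdateRequest) -> bytes:
    """Inverse of parse_request, used to build constructed test messages."""
    body = b"".join(s.encode("ascii") + b"\0" for s in req[:5])
    body += struct.pack("!I", len(req.tkey_token)) + req.tkey_token
    return struct.pack("!II", 1, 8 + len(body)) + body

def labels(name: str) -> list:
    return name.rstrip(".").lower().split(".")

def decide(name: str, zones: Sequence[str] = MANAGED_ZONES,
           banned: frozenset = BANNED_HOSTS) -> str:
    """Return "ok" to allow, otherwise the reason for denial.  Only one host
    label directly under a managed zone is accepted, which rejects the doubled
    names the Windows clients register (WinCli1.ad.abc.org.ad.abc.org)."""
    owner = labels(name)
    for zone in sorted(zones, key=lambda z: -len(labels(z))):  # longest first
        zl = labels(zone)
        if owner[-len(zl):] != zl:
            continue
        host = owner[:-len(zl)]
        if len(host) != 1:
            return f"not a single host label under {zone}"
        if host[0] in banned:
            return "banned host name"
        return "ok"
    return "outside managed zones"

def handle(data: bytes) -> bytes:
    """One request in, the 4-byte verdict out; every decision is logged."""
    try:
        req = parse_request(data)
    except ValueError as exc:
        print(f"deny malformed request: {exc}", file=sys.stderr)
        return DENY
    reason = decide(req.name)
    print(f"{req.rdtype} {req.name} from {req.tcpaddr or '-'}: {reason}",
          file=sys.stderr)
    return ALLOW if reason == "ok" else DENY

def serve(path: str) -> None:
    """Answer named on the socket path from update-policy (stream assumed)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen(5)
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(handle(conn.recv(65536)))
```

Start it with serve() on the path given after local: in the zone statement; encode_request() lets you exercise handle() offline before pointing named at the socket.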


RE: SRV records etc

2015-02-11 Thread Lightner, Jeff
SRV is definitely still required for some applications.   Some cloud based 
application providers have you add them to verify you own the domain to which 
they're tying their services, so you don't use them to hijack other people's 
domains.

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry Margolin
Sent: Tuesday, February 10, 2015 9:14 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: SRV records etc

In article ,
 Kevin Oberman  wrote:

> HINFO is getting pretty rare. The security issues are pretty obvious 
> and its advantages are rather limited.

I thought they were deprecated ages ago, but I can't find anything official 
about that.

--
Barry Margolin
Arlington, MA


RE: Getting Error || unable to convert errno to isc_result

2015-02-11 Thread Lightner, Jeff
On RHEL the kernel doesn't change within the main release (in RHEL6's case it 
will always be 2.6.32-xx) and RHEL does the support, including back porting 
bug and security fixes into their extended release (which isn't the same as the 
base kernel).   They do the same thing for the BIND release they support within 
the main RHEL release.

To go to a 3.x kernel one would have to go to RHEL7 but that isn't necessary 
given the way RedHat does support.

Jeffrey C. Lightner
Sr. UNIX Administrator
 
DS Services of America, Inc.
2300 Windy Ridge
Suite 600 N
Atlanta, GA  30339
 
P: 678-486-3516
C: 678-772-0018
F: 678-460-3603
E: jlight...@dsservices.com


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Daniel Ryslink
Sent: Wednesday, February 11, 2015 3:33 PM
To: bind-users@lists.isc.org
Subject: Re: Getting Error || unable to convert errno to isc_result

Hello

What uncle Google found for me:

http://www.bind9.net/BIND-FAQ

Quote:

"Q:
Why do I get the following errors:

general: errno2result.c:109: unexpected error:
general: unable to convert errno to isc_result: 14: Bad address
client: UDP client handler shutting down due to fatal receive error: 
unexpected error

A:
This is the result of a Linux kernel bug.
See: http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=2"

Kernel 2.6.32 end of support date was 6/1/2014, and if I am not mistaken, Bind 
9.8 is not supported anymore either (only branches 9.9 and 9.10)

I don't want to bother you with obvious answers, but IMO you should consider 
upgrading to supported versions of both your OS and BIND, since there were some 
serious security issues reported and patched lately and your vulnerable system 
may be at a risk.

Maybe ISC people will have some solution for you, but generally, people are 
encouraged to keep up with the supported versions.

--
Best Regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
daniel.rysl...@dialtelecom.cz
---
www.dialtelecom.cz
Dial Telecom, a.s.
Jednoduše se připojte
---

On 02/11/2015 01:04 PM, Md. Mahbubul Alam Reyad wrote:
> Hi Mukund
>
> Its bind-9.8.2-0.23 and the OS is Red Hat Enterprise Linux Server 
> release 6.0 (kernel- 2.6.32-431.17.1.el6.x86_64)
>
> Sincerely Yours
> ---
> Md. Mahbubul Alam Reyad
> Assistant Manager
> CORE-IP Network || Technology
> Cell: +880 1976672281 || Skype: new_reyad www.qubee.com.bd T +88 02 
> 8812113 || F +88 02 8812115
>
>
> -Original Message-
> From: bind-users-boun...@lists.isc.org 
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mukund 
> Sivaraman
> Sent: Wednesday, February 11, 2015 5:43 PM
> To: Md. Mahbubul Alam Reyad
> Cc: bind-users@lists.isc.org
> Subject: Re: Getting Error || unable to convert errno to isc_result
>
> Hi Mahbubul
>
> On Wed, Feb 11, 2015 at 11:39:19AM +, Md. Mahbubul Alam Reyad wrote:
>> Hi all
>>
>> Recently I am getting the following error in my DNS. Can anyone know the 
>> reason, impact & solution of this error?
>>
>> general: error: unable to convert errno to isc_result: 92: Protocol 
>> not available
>> general: error: socket.c:1700: unexpected error:
> Which version of BIND is this? What OS (and its version) are you using it on?
>
>   Mukund

RE: Getting Error || unable to convert errno to isc_result

2015-02-11 Thread Lightner, Jeff
Possible yes but I'd suspect it had been addressed if it were severe enough - I 
haven't actually looked at it.   Another poster suggested a later update to 
BIND that is available in RHEL repository that may have addressed it if the 
version the OP has doesn't.

I just wanted to make the note about RHEL's methodology as it confuses folks 
(and security scanning tools) that only look at the base upstream version 
component of a package name rather than RHEL's extended versioning in the name. 
  RedHat sends errata alerts when they address things to let folks know to 
update packages to their latest extended version. Just because you see a 
kernel "2.6.32" it doesn't mean it is exactly the same as the upstream vanilla 
version with that number.   It DOES mean that NEW features in upstream versions 
such as 3.x won't be there (unless of course a security issue that affects 3.x 
is found to also affect 2.6.32 at which point they'll backport).

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Daniel Ryslink
Sent: Wednesday, February 11, 2015 5:04 PM
To: bind-users@lists.isc.org
Subject: Re: Getting Error || unable to convert errno to isc_result

Okay, sorry, did not know about the backporting.

Still, isn't it possible that this old bug is still present in this version of 
RHEL6?

--
S pozdravem,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
daniel.rysl...@dialtelecom.cz
---
www.dialtelecom.cz
Dial Telecom, a.s.
Jednoduše se připojte
---


RE: Request to provide procedure for bind upgrade

2015-02-16 Thread Lightner, Jeff
The package is "bind" not "named".   The daemon is called "named".   You can 
type "rpm -qf $(which named)" to determine which package installed that daemon. 
(Likely it was bind.)

Also if you’re running the chroot’ed version you’d want the package 
"bind-chroot".

I’d suggest you run "rpm -qa | grep -i bind" to see what BIND packages you have 
installed.   Note you should ignore things like "ypbind" if installed as that 
is part of NIS rather than BIND.

You can then do "yum list " against packages to see if there are newer 
versions without installing them.

e.g.  if you saw things like bind-libs, bind-utils, bind, system-config-bind, 
bind-chroot in the output of "rpm -qa" (it will also show version on these)

Do "yum list bind-libs bind-utils bind system-config-bind bind-chroot" which 
will show you both the installed versions you have and the latest available 
packages for update in the repository.

Ideally you have more than one DNS server and would only update one, test it to 
be sure everything is working, then update the next one.



From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Sundram Bharti
Sent: Monday, February 16, 2015 10:17 AM
To: bind-users@lists.isc.org
Subject: Request to provide procedure for bind upgrade

Hi Team,

My DNS current version is "BIND 9.8.4-P1" and OS is "Fedora Core release 6 
(Zod)".

So could you let me know:

Does "yum update named" work for upgrading to the current version? If yes, then 
what will be the fallback procedure if the upgrade fails?



--

BR//

Sundram Bharti

+919717977886

RE: Request to provide procedure for bind upgrade

2015-02-16 Thread Lightner, Jeff
Good point.

Fedora isn't really a good choice for Production systems - it is bleeding edge 
with short life cycle (usually new version is out 6 months later and they only 
support the most recent 2.)

Fedora is used as a test bed for what ends up in RHEL later.   RHEL has much 
longer life cycle but requires a paid subscription for updates.   CentOS is a 
binary recompile from RHEL sources that doesn't require a paid subscription.   
The question is whether you need vendor support for the OS.  If yes then RHEL 
would be the way to go.  If not CentOS would work.

Note that RHEL6 and CentOS6 are NOT the same as Fedora 6 - they are much later. 
Also RHEL7 and CentOS7 are out, so if you're reloading to a new OS you should 
start with those rather than RHEL6/CentOS6.


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Chuck Anderson
Sent: Monday, February 16, 2015 11:17 AM
To: Sundram Bharti
Cc: bind-users@lists.isc.org
Subject: Re: Request to provide procedure for bind upgrade

Fedora Core 6 is no longer supported.  It went End-Of-Life in 2007:

http://en.wikipedia.org/wiki/Fedora_%28operating_system%29#Releases

On Mon, Feb 16, 2015 at 10:16:37AM -0500, Sundram Bharti wrote:
> Hi Team,
> 
> My DNS current version is "BIND 9.8.4-P1" and OS is "Fedora Core 
> release 6 (Zod)".
> 
> So could you let me know.
> 
> Does "_yum update named_" work for upgrading to the current version? If yes, then 
> what will be the fallback procedure if the upgrade fails?


RE: Config large tuning and out of memory

2015-03-03 Thread Lightner, Jeff
CentOS 5.x does have a 64 bit version.   5.2 is quite old - they're up to 5.10 
or 5.11 these days.   I don't think you can just change from 32 bit to 64 bit - 
I think it requires a reinstall from the 64 bit installation media.  

If you have to do a reinstall you're better off going to at least CentOS 6 
because RHEL5 (and therefore CentOS 5) should be nearing end of life.   Even 
better would be to go to CentOS 7 given it is the latest release so will have a 
much longer lifespan.

If you're running any other applications on the server you'd want to verify 
they don't have a problem running on a 64 bit OS before doing any upgrade.  
Some applications are 32 bit only and may run fine on a 64 bit OS (you can 
usually install both 32 bit and 64 bit versions of most RPMs).   However, 32 
bit applications may have reduced performance on a 64 bit OS.

If you do have to reinstall and choose to go to later release you'd of course 
want to be sure any applications will run on that later release.

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Rich Goodson
Sent: Tuesday, March 03, 2015 11:44 AM
To: Job
Cc: bind-users@lists.isc.org
Subject: Re: Config large tuning and out of memory

Job,

I won't go in to this in detail, as it's more complicated than "your 32 bit 
system can't address more than 4GB of RAM", but your 32 bit OS is almost 
certainly your problem.  Most of your 16GB of RAM is unused due to OS 
limitations.  

I'd recommend upgrading to a 64 bit OS, then compile a 64 bit version of BIND 
with your compile time options. 

-Rich

> On Mar 3, 2015, at 10:05 AM, Job  wrote:
> 
> Hello Rich,
> we are on a 32 bit system, CentOS 5.2
> 
> Thank you
> 
> 
> From: Rich Goodson [rgood...@gronkulator.com]
> Sent: Tuesday, March 3, 2015 17:01
> To: Job
> Cc: bind-users@lists.isc.org
> Subject: Re: Config large tuning and out of memory
> 
> Is your binary 64 bit, or 32?
> 
> Rich
> 
>> On Mar 3, 2015, at 9:54 AM, Job  wrote:
>> 
>> Hello,
>> 
>> I recompiled Bind 9.10.1-P1 with system large tuning enabled.
>> I have some hundreds of views (with DLZ) in our system.
>> 
>> With this feature compiled in, bind does not start:
>> 
>> Mar  3 16:50:45 cloud02gw named[13338]: reloading configuration failed: out 
>> of memory
>> 
>> I have 16 Gb of RAM, and about 14 almost free!
>> 
>> Where is the matter?
>> 
>> Thank you
>> Francesco
>> 
> 



Fwd: Different answer when querying @server from different clients

2015-03-06 Thread Jeff Sadowski
P.S. I think that is an outdated method. It should break DNSSEC. Views
from bind would probably be a better way.

On Fri, Mar 6, 2015 at 3:52 PM, Arthur Ramsey
 wrote:
> I had to disable DNS ALG on Juniper SRX series firewall.
>
> Thanks for the help,
> Arthur
>
>
> On 03/06/2015 04:51 PM, Jeff Sadowski wrote:
>>
>> I remember a network engineer that rewrote some DNS entries with a
>> cisco router replacing w.x.y.z with a.b.c.d
>>
>> On Fri, Mar 6, 2015 at 3:46 PM, Arthur Ramsey
>>  wrote:
>>>
>>> I don't think it is views.  The same thing happens against Google's
>>> public DNS.  The two hosts route to the Internet differently and that
>>> seems to be at the root of the issue somehow.
>>>
>>> [root@dc01 ~]# dig +short ns1.mediture.com
>>> 74.113.249.135
>>> [root@dc01 ~]# dig +short ns2.mediture.com
>>> 107.23.33.118
>>>
>>> [root@dc01 ~]# dig @8.8.8.8 +trace great.truchart.com
>>>
>>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> @8.8.8.8 +trace
>>> great.truchart.com
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> .   18851   IN  NS  h.root-servers.net.
>>> .   18851   IN  NS  c.root-servers.net.
>>> .   18851   IN  NS  f.root-servers.net.
>>> .   18851   IN  NS  k.root-servers.net.
>>> .   18851   IN  NS  j.root-servers.net.
>>> .   18851   IN  NS  m.root-servers.net.
>>> .   18851   IN  NS  l.root-servers.net.
>>> .   18851   IN  NS  a.root-servers.net.
>>> .   18851   IN  NS  g.root-servers.net.
>>> .   18851   IN  NS  e.root-servers.net.
>>> .   18851   IN  NS  b.root-servers.net.
>>> .   18851   IN  NS  i.root-servers.net.
>>> .   18851   IN  NS  d.root-servers.net.
>>> ;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 144 ms
>>>
>>> com.172800  IN  NS  j.gtld-servers.net.
>>> com.172800  IN  NS  d.gtld-servers.net.
>>> com.172800  IN  NS  k.gtld-servers.net.
>>> com.172800  IN  NS  m.gtld-servers.net.
>>> com.172800  IN  NS  f.gtld-servers.net.
>>> com.172800  IN  NS  c.gtld-servers.net.
>>> com.172800  IN  NS  e.gtld-servers.net.
>>> com.172800  IN  NS  g.gtld-servers.net.
>>> com.172800  IN  NS  a.gtld-servers.net.
>>> com.172800  IN  NS  l.gtld-servers.net.
>>> com.172800  IN  NS  h.gtld-servers.net.
>>> com.172800  IN  NS  i.gtld-servers.net.
>>> com.172800  IN  NS  b.gtld-servers.net.
>>> ;; Received 496 bytes from 192.228.79.201#53(192.228.79.201) in 146 ms
>>>
>>> truchart.com.   172800  IN  NS  ns1.mediture.com.
>>> truchart.com.   172800  IN  NS  ns2.mediture.com.
>>> ;; Received 113 bytes from 192.52.178.30#53(192.52.178.30) in 129 ms
>>>
>>> great.truchart.com. 3600IN  A   192.168.168.225
>>> truchart.com.   86400   IN  NS  ns1.mediture.com.
>>> truchart.com.   86400   IN  NS  ns2.mediture.com.
>>> ;; Received 129 bytes from 107.23.33.118#53(107.23.33.118) in 31 ms
>>>
>>> [root@www02 ~]# dig @8.8.8.8 +trace great.truchart.com
>>>
>>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 +trace
>>> great.truchart.com
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> .   18813   IN  NS  h.root-servers.net.
>>> .   18813   IN  NS  c.root-servers.net.
>>> .   18813   IN  NS  f.root-servers.net.
>>> .   18813   IN  NS  k.root-servers.net.
>>> .   18813   IN  NS  j.root-servers.net.
>>> .   18813   IN  NS  m.root-servers.net.
>>> .   18813   I

RE: Single slave zone definition for two view (cache file name problem)

2015-03-17 Thread Lightner, Jeff
4.x would be quite ancient.   Where are you getting those version numbers?   
You should be using 9.x these days so I suspect the BIND version isn't what you 
think it is.   Is it possible the version you're reporting is your OS rather 
than your BIND?

What is reported when you run "named -v"?

Anyway, what we do in our views is simply name the internal zone files the 
same as the external ones and prepend internal- to the name.

e.g. myzone.com = external zone file
internal-myzone.com = internal zone file.

If they're the same you can simply copy from one to the other.   Sometimes they 
are not the same which is why you have views in the first place.




-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Constantin Stefanov
Sent: Tuesday, March 17, 2015 10:37 AM
To: bind-users@lists.isc.org
Subject: Single slave zone definition for two view (cache file name problem)

Hello.

After upgrading from BIND 4.6 to 4.10.2, named requires that different slave 
zones have separate files for cache.

With 4.6 I had the following config:

named.conf:

view "internal" {
match-clients { /* match condition */ };
include "common.zones";
};

view "external" {
match-clients { /* match condition */ };
include "common.zones";
};

common.zones:

zone "aaa.example.org" {
type slave;
file "slave/aaa.example.org";
masters {MASTERIP;};
};

It worked fine with 4.6 (although it was considered incorrect).

After upgrade to 4.10 named started complaining:

common.zones:3: writeable file 'slave/aaa.example.org': already in use:
common.zones:3

As I understand, now I need to have separate files for different views.

But is there a way to have them automatically assigned and to write something 
like:

file "slave/aaa.example.org.${view_name}"

or any other way to have only one definition for common zones?

I found the 'in-view' option, but again it requires two definitions for every 
zone: one with "file" and "masters" directives, and another with the "in-view" 
option. Moreover, these two definitions must be in different files, as I have 
to include one in the first view, and another (with 'in-view') in all other 
views, so I have to keep two separate files synced with one another.

So is it possible to have only one definition for slave zones that are shared 
between different views?

--
Konstantin Stefanov,

Research Computing Center
M.V Lomonosov Moscow State University


RE: Single slave zone definition for two view (cache file name problem)

2015-03-18 Thread Lightner, Jeff
It isn't really that hard to maintain two separate zone files for each domain.  
 We've been doing it for years.

It isn't really clear why you're using views if all your zone files are the 
same as you seem to imply.   Here we do views specifically because for some 
domains the zone files DO need to be different between internal and external 
views.   While others are the same as I noted before it is very easy to simply 
edit one file then copy it to the other. 


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Konstantin Stefanov
Sent: Wednesday, March 18, 2015 6:31 AM
To: bind-users@lists.isc.org
Subject: Re: Single slave zone definition for two view (cache file name problem)

On 18.03.2015 13:22, Matus UHLAR - fantomas wrote:
>>> On 18.03.15 12:05, Constantin Stefanov wrote:
>>>> I can't. It stopped working after upgrade to 9.10, but worked 
>>>> before with 9.6. And the question is how to keep the config as 
>>>> simple as it was before upgrade.
>>>
>>> I mean, the "in-view" definitions...
> 
> On 18.03.15 13:10, Konstantin Stefanov wrote:
>> So now I have to have two definitions for every slave zone in 
>> different files. Well, it is the thing I did, but I do not like it.
>>
>> Requirement to have 2 synced definitions in 2 different places leads 
>> to bugs.
> 
> and what did you have before? 
> multiple definitions of the same zones with the same filenames, which 
> leads to bugs (although you were lucky not to encounter them)
Yes, I was lucky and everything worked for me as I thought it had to be.

> 
> now you can have:
> 
> definitions of zones with filename in one general view
> 
> file with definitions of zones with "in-view".
> 
> multiple inclusions of the file in multiple views.
And now I am unlucky as I have to make my config more complex, confusing and 
bug-prone to achieve the same effect.

But I'm lucky enough to have three options to choose how to spoil my config.

> 
> the only other way is stop using views...
> ... you still can stop using views.
And I can still stop using DNS.

If I only could stop using views, I would not ask the question.

--
Konstantin Stefanov,

Research Computing Center
M.V Lomonosov Moscow State University


subdomain with domain

2015-04-01 Thread Jeff Sadowski
The other day I found that my secondary name servers running bind
were not dishing out

_msdcs. SRV records

This was causing join issues. It turned out that the Domain controller
had 2 different scopes one for

_msdcs.
and one for


so I shared the second _msdcs. scope with all my bind secondary servers.

All servers are running Fedora 21 with
bind.i686 32:9.9.6-8.P1.fc21

I had

zone "" {
 type slave;
# the ip address of my dc
 masters {192.168.1.2;};
 file "data/db.192.168.1.2.slave";
};

entry in all my secondary name servers. Now I have

zone "_msdcs." {
 type slave;
# the ip address of my dc
 masters {192.168.1.2;};
 file "data/db.192.168.1.2.slave";
};
zone "" {
 type slave;
# the ip address of my dc
 masters {192.168.1.2;};
 file "data/db.192.168.1.2.slave";
};

entries on all my secondary name servers. I restarted named on all my
secondary name servers and half of my secondary servers are
working (explained below), half are not. I am certain that I allowed
zone transfers to all of my secondary name servers and that I am
pushing changes to my secondary servers.

Working being that they dish out the _msdcs entries.

examples:

nslookup -type=SRV _ldap._tcp.dc._msdcs. 192.168.1.254
Server: 192.168.1.254
Address:192.168.1.254#53

_ldap._tcp.dc._msdcs. service = 0 100 389 pdc..

nslookup -type=SRV _ldap._tcp.dc._msdcs. 192.168.2.254
Server: 192.168.2.254
Address:192.168.2.254#53

** server can't find _ldap._tcp.dc._msdcs.: SERVFAIL


nslookup -type=SRV _ldap._tcp.dc._msdcs. 192.168.3.254
Server: 192.168.3.254
Address:192.168.3.254#53

_ldap._tcp.dc._msdcs. service = 0 100 389 pdc..

nslookup -type=SRV _ldap._tcp.dc._msdcs. 192.168.4.254
Server: 192.168.4.254
Address:192.168.4.254#53

** server can't find _ldap._tcp.dc._msdcs.: SERVFAIL

All servers still dish out records in the old scope. I have more
secondaries and there doesn't seem to be rhyme or reason to why half
work and half do not.
I made certain that 192.168.1.254 and 192.168.2.254 both had all the
same packages and double checked all named config files were
identical.

If anyone could give me a clue on what to check next it would be
greatly appreciated.


RE: subdomain with domain

2015-04-01 Thread Lightner, Jeff
You can do subdomains with the one zone file rather than having separate zones; 
you just have to put a new ORIGIN for the subdomain.

In the domain file for  after the SOA and existing records (NS, A, 
CNAME etc...) add a line:

$ORIGIN _msdcs..; New subdomain 
Then add the records (A, CNAME, SRV etc...) that you want for that subdomain.   
(You don't need to add SOA, NS etc... unless they're different for the 
subdomain)





Jeffrey C. Lightner
Sr. UNIX Administrator
 
DS Services of America, Inc.
2300 Windy Ridge
Suite 600 N
Atlanta, GA  30339
 
P: 770-933-1400 ext.3516
C: 678-772-0018
F: 678-460-3603
E: jlight...@dsservices.com

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Graham Clinch
Sent: Wednesday, April 01, 2015 11:56 AM
To: Jeff Sadowski; bind-users@lists.isc.org
Subject: Re: subdomain with domain

> zone "_msdcs." {
> [..]
>  file "data/db.192.168.1.2.slave";
> };
> zone "" {
> [..]
>  file "data/db.192.168.1.2.slave";
> };

Both zones are being backed by the same file, so one will be overwriting the 
other.  This may not be the cause of the half-working situation, but it won't 
be helping.  Do the bind logs (not sure where Fedora puts them though - 
/var/log/messages?) contain any errors?

Unless  is really '192.168.1.2', I would suggest naming your file after 
the zone that it is going to contain - e.g.

file "data/db._msdcs.";
and
file  "data/db.";

Graham
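Jeff's $ORIGIN advice above relies on the zone-file rule that an owner or target name without a trailing dot is relative to the current origin, "@" is the origin itself, and a name ending in "." is absolute. The script below is an added example, not code from any of the posters or from ISC: it expands a constructed fragment (example.com stands in for the domain the thread elided, and the addresses are made up) into fully qualified names, and flags targets where the apex appears twice, which is the usual symptom of a forgotten trailing dot on an SRV or CNAME target.

```python
"""Expand a zone-file fragment into fully qualified names.

Added example, not code from the thread or from ISC. It applies the three
rules behind $ORIGIN: a name without a trailing dot is relative to the current
origin, '@' is the origin itself, and a name ending in '.' is already absolute.
"""

# Constructed fragment; example.com stands in for the domain the thread elided.
# The parent zone comes first, then the _msdcs subdomain introduced by $ORIGIN.
ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@               IN SOA   pdc.example.com. hostmaster.example.com. (2015040101 3600 900 604800 3600)
@               IN NS    pdc.example.com.
pdc             IN A     192.168.1.2
www             IN CNAME pdc
$ORIGIN _msdcs.example.com.      ; new subdomain, no SOA/NS needed
_ldap._tcp.dc   IN SRV   0 100 389 pdc.example.com.
_ldap._tcp.dc   IN SRV   0 100 389 pdc.example.com   ; forgotten trailing dot
"""

# Record types whose last rdata field is a domain name subject to $ORIGIN.
RDATA_NAME_TYPES = {"CNAME", "NS", "MX", "SRV", "PTR"}


def absolutize(name, origin):
    """Apply the $ORIGIN rule to one name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    if origin == ".":
        return f"{name}."
    return f"{name}.{origin}"


def parse_zone(text, origin="."):
    """Return (owner, type, rdata) triples with owner and target names qualified."""
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue                              # default TTL, not needed here
        fields = line.split()
        if line[0].isspace():                     # blank owner: reuse previous
            owner = last_owner
        else:
            owner = absolutize(fields.pop(0), origin)
        last_owner = owner
        if fields and fields[0].isdigit():        # optional per-record TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":  # optional class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in RDATA_NAME_TYPES:
            rdata[-1] = absolutize(rdata[-1], origin)
        records.append((owner, rtype, " ".join(rdata)))
    return records


def suspicious_targets(records, apex):
    """Flag targets in which the apex occurs twice: a relative name was
    qualified against an origin it already contained (missing trailing dot)."""
    return [(owner, rdata.split()[-1]) for owner, rtype, rdata in records
            if rtype in RDATA_NAME_TYPES and rdata.split()[-1].count(apex) > 1]


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    for rec in recs:
        print(*rec)
    print("check targets:", suspicious_targets(recs, "example.com."))
```

The last SRV line expands to a target of pdc.example.com._msdcs.example.com., which is what named would serve; the check reports it because the apex example.com. appears twice in the name.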


Recall: subdomain with domain

2015-04-01 Thread Lightner, Jeff
Lightner, Jeff would like to recall the message, "subdomain with domain".




Variable in name of file for named.conf

2015-04-01 Thread Jeff Sadowski
I have a number of slave domains that I would like a naming scheme and
not have to go to each and change the filename.

I have the following zones

zone "1.168.192.in-addr.arpa" {
include "named.slave";
};
zone "2.168.192.in-addr.arpa" {
include "named.slave";
};
zone "3.168.192.in-addr.arpa" {
include "named.slave";
};
zone "4.168.192.in-addr.arpa" {
include "named.slave";
};
zone "5.168.192.in-addr.arpa" {
include "named.slave";
};
zone "6.168.192.in-addr.arpa" {
include "named.slave";
};
zone "7.168.192.in-addr.arpa" {
include "named.slave";
};
zone "8.168.192.in-addr.arpa" {
include "named.slave";
};
zone "9.168.192.in-addr.arpa" {
include "named.slave";
};
zone "10.168.192.in-addr.arpa" {
include "named.slave";
};

named.slave looks as follows

type slave;
masters {192.168.1.2;};
file "data/db.@.slave";

It appears to work on my queries.

nslookup 192.168.1.2

2.1.168.192.in-addr.arpa  name = pdc.

nslookup 192.168.1.1

1.1.168.192.in-addr.arpa  name = gw1.

nslookup 192.168.2.1

1.2.168.192.in-addr.arpa  name = gw2.

the only file created in my data directory seems to be db.@.slave
with the at sign.

Do I really need to have each zone with its own file?

Is there a special syntax to get what I expect?
expected files:
data/db.1.168.192.in-addr.arpa.slave
data/db.2.168.192.in-addr.arpa.slave
data/db.3.168.192.in-addr.arpa.slave
...
data/db.10.168.192.in-addr.arpa.slave

if not I can have Make do it and build some scripts to do what I want
but if there is syntax to do what I want it would be nice.


RE: com.google how did they do that

2015-04-02 Thread Lightner, Jeff
Not all the new TLDs are company specific.   Some are more generic but useful 
to certain industries.

There are 2 or 3 TLDs that I assume will appear sooner or later and I really 
wish I had the capital to make them as I know as soon as they are available 
many companies will use them so they'd become nice revenue streams.

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mike Hoskins (michoski)
Sent: Wednesday, April 01, 2015 6:43 PM
To: Reindl Harald; bind-users@lists.isc.org
Subject: Re: com.google how did they do that

-Original Message-
From: Reindl Harald 
Organization: the lounge interactive design
Date: Wednesday, April 1, 2015 at 2:44 PM
To: "bind-users@lists.isc.org" 
Subject: Re: com.google how did they do that


>Am 01.04.2015 um 20:42 schrieb Thomas Schulz:
>> As of the time I am sending this, you can point your browser to 
>> http://com.google and get a web page. How did they get com.google to 
>> resolve?
>
>.google is just another new TLD

Wow.  I see the trend now -- .hp, .ibm, .cisco -- everyone will now have 
www.company.  (Please, let's not.)

..then again, I'd claim .evil if I had a few billions.



Re: Variable in name of file for named.conf

2015-04-02 Thread Jeff Sadowski
On Wed, Apr 1, 2015 at 8:09 PM, Barry Margolin  wrote:
> In article ,
>  Jeff Sadowski  wrote:
>
>> I have a number of slave domains that I would like a naming scheme and
>> not have to go to each and change the filename.
>>
>> I have the following zones
>>
>> zone "1.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "2.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "3.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "4.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "5.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "6.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "7.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "8.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "9.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "10.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>>
>> named.slave looks as follows
>>
>> type slave;
>> masters {192.168.1.2;};
>> file "data/db.@.slave";
>>
>> It appears to work on my queries.
>>
>> nslookup 192.168.1.2
>>
>> 2.1.168.192.in-addr.arpa  name = pdc.
>>
>> nslookup 192.168.1.1
>>
>> 1.1.168.192.in-addr.arpa  name = gw1.
>>
>> nslookup 192.168.2.1
>>
>> 1.2.168.192.in-addr.arpa  name = gw2.
>>
>> the only file created in my data directory seems to be db.@.slave
>> with the at sign.
>
> Why would you expect anything different? @ only has special meaning
> inside zone files, it's not special in named.conf.
>
>>
>> Do I really need to have each zone with its own file?
>
> Yes, you do. What's happening is that every time one of the reverse
> zones is transferred, it's overwriting that file. But the files are only
> used when initializing the zones when named starts up; you get the
> correct answers because the in-memory versions of the zones are
> distinct. But try restarting named and then see what happens when you do
> those nslookups. You'll see that 192.168.1.1 and 192.168.2.1 both return
> the same name.
>
>>
>> Is there a special syntax to get what I expect?
>> expected files:
>> data/db.1.168.192.in-addr.arpa.slave
>> data/db.2.168.192.in-addr.arpa.slave
>> data/db.3.168.192.in-addr.arpa.slave
>> ...
>> data/db.10.168.192.in-addr.arpa.slave
>>
>> if not I can have Make do it and build some scripts to do what I want
>> but if there is syntax to do what I want it would be nice.
>
> No, there's no built-in syntax to create the filename based on the zone
> name.
>
I wrote a php script to build my file for me

<?php
// Generate named.conf zone stanzas; each slave zone gets a file named after the zone.
$myslave=array('type'=>'slave'
,'masters'=>array('192.168.1.2')
,'autofile'=>'data/db.@.slave');

$arpa192='.168.192.in-addr.arpa';
$domain='';
$zone=array();
$zone['_msdcs.'.$domain]=$myslave;
$zone[$domain]=$myslave;
$slavedsubnets=range('1','10');

build_subnets($slavedsubnets
,$arpa192
,$myslave);

build_zones();

// Add one reverse zone per subnet number, all with the same slave settings.
function build_subnets($subnets
,$net
,$info)
{global $zone;
 foreach($subnets as $subnet)
 {$zone[$subnet.$net]=$info;
}}

// Print the zone stanzas; 'autofile' is a marker for this script only,
// named expects the directive to be called 'file'.
function build_zones()
{global $zone,$argv;
 $pounds=str_repeat('#',30);
 $warning=$pounds.' WARNING '.$pounds."\n";
 echo $warning. '# Do not edit this file. '.
  'It was generated using "php '.
  $argv[0]."\"\n".$warning;
 foreach($zone as $z=>$infos)
 {echo 'zone "'.$z.'" {'."\n";
  foreach($infos as $item=>$value)
  {echo "\t".($item=='autofile'?'file':$item).' ';
   if(is_array($value))
   {echo '{';
foreach($value as $v){echo $v.';';}
echo '}';
   }
   else
   {switch($item)
{case 'file': echo '"'.$value.'"'; break;
 case 'autofile': echo '"'.
   str_replace('@',$z,$value).'"'; // '@' is replaced with the zone name
 break;
 default: echo $value; break;
   }}
   echo ";\n";
  }
  echo "};\n";
}}
?>


> --
> Barry Margolin
> Arlington, MA
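The same shared-file mistake appears in three of the threads above: BIND 9.10's "writeable file ... already in use" error when common.zones is included into two views, Graham's note that two zones backed by one file overwrite each other, and Barry's explanation of why the reverse zones only appear to work until named restarts. The checker below is an added example, not code from any of the posters or from ISC. It parses a small subset of named.conf syntax, expands include statements and reports every writeable file that more than one zone definition would use. The three configurations it checks are constructed here (example.org and 192.0.2.1 are placeholders); the in-view layout is the one Matus describes, written out in full.

```python
"""Report BIND zones that share one writeable file.

Added example, not code from the bind-users posters or from ISC. It parses a
small subset of named.conf (view, zone, include, in-view, file).
"""
import re
from collections import defaultdict

# Constructed stand-ins for named.conf and its includes; example.org and
# 192.0.2.1 are placeholders, not values from the thread.
FILES = {
    # Layout 1: the same common.zones included into two views (9.10 rejects it).
    "named.conf.shared": """
        view "internal" { match-clients { 192.168.0.0/16; }; include "common.zones"; };
        view "external" { match-clients { any; };           include "common.zones"; };""",
    "common.zones": """
        zone "aaa.example.org" {
            type slave; file "slave/aaa.example.org"; masters { 192.0.2.1; };
        };""",
    # Layout 2: the zone is defined once and referenced from the other view.
    "named.conf.inview": """
        view "internal" {
            match-clients { 192.168.0.0/16; };
            zone "aaa.example.org" {
                type slave; file "slave/aaa.example.org"; masters { 192.0.2.1; };
            };
        };
        view "external" {
            match-clients { any; };
            zone "aaa.example.org" { in-view "internal"; };
        };""",
    # Layout 3: reverse zones that all include one slave stanza.
    "named.conf.reverse": """
        zone "1.168.192.in-addr.arpa" { include "named.slave"; };
        zone "2.168.192.in-addr.arpa" { include "named.slave"; };
        zone "3.168.192.in-addr.arpa" { include "named.slave"; };""",
    "named.slave": """
        type slave; masters { 192.168.1.2; };
        file "data/db.@.slave";   // '@' is not special in named.conf""",
}

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')
WRITEABLE_TYPES = {"slave", "secondary", "stub"}          # named writes these
DYNAMIC_OPTIONS = {"allow-update", "update-policy", "inline-signing"}


def tokens(name, files):
    """Tokenise one file, splicing in the tokens of every include it names."""
    text = re.sub(r"/\*.*?\*/", "", files[name], flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    out, toks, i = [], TOKEN.findall(text), 0
    while i < len(toks):
        if toks[i] == "include" and toks[i + 2] == ";":
            out.extend(tokens(toks[i + 1].strip('"'), files))
            i += 3
        else:
            out.append(toks[i].strip('"'))
            i += 1
    return out


def parse(toks, pos=0):
    """Parse statements into (words, children) pairs up to a closing brace."""
    stmts = []
    while pos < len(toks) and toks[pos] != "}":
        words = []
        while toks[pos] not in ("{", ";"):
            words.append(toks[pos])
            pos += 1
        children = []
        if toks[pos] == "{":
            children, pos = parse(toks, pos + 1)
            pos += 1                      # skip the closing brace
        stmts.append((words, children))
        pos += 1                          # skip the terminating semicolon
    return stmts, pos


def shared_files(conf, files=FILES):
    """Map each writeable file used by several zones to its (view, zone) users."""
    users = defaultdict(list)

    def visit(stmts, view):
        for words, children in stmts:
            if words[0] == "view":
                visit(children, words[1])
            elif words[0] == "zone":
                opts = {w[0]: w[1:] for w, _ in children}
                if "in-view" in opts or "file" not in opts:
                    continue              # in-view shares the other view's zone
                if (opts.get("type", [""])[0] in WRITEABLE_TYPES
                        or DYNAMIC_OPTIONS.intersection(opts)):
                    users[opts["file"][0]].append((view, words[1]))

    visit(parse(tokens(conf, files))[0], "_default")
    return {f: zones for f, zones in users.items() if len(zones) > 1}


if __name__ == "__main__":
    for conf in ("named.conf.shared", "named.conf.inview", "named.conf.reverse"):
        print(conf, shared_files(conf) or "OK: no shared writeable file")
```

The check deliberately ignores static master zones, which named only reads and which may therefore share one file across views; it flags slave and stub zones and masters with dynamic update or inline signing, which named writes to. Running it against the third layout reports data/db.@.slave used by all three reverse zones, the silent overwrite Barry describes.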


Re: Variable in name of file for named.conf

2015-04-02 Thread Jeff Sadowski
On Thu, Apr 2, 2015 at 11:09 AM, Jeff Sadowski  wrote:
> On Wed, Apr 1, 2015 at 8:09 PM, Barry Margolin  wrote:
>> In article ,
>>  Jeff Sadowski  wrote:
>>
>>> I have a number of slave domains that I would like a naming scheme and
>>> not have to go to each and change the filename.
>>>
>>> I have the following zones
>>>
>>> zone "1.168.192.in-addr.arpa" {
>>> include "named.slave";
>>> };
>>> zone "2.168.192.in-addr.arpa" {
>>> include "named.slave";
>>> };
>>> zone "3.168.192.in-addr.arpa" {
>>> include "named.slave";
>>> };
>>> zone "4.168.192.in-addr.arpa" {
>>> include "named.slave";
>>> };
>>> zone "5.168.192.in-addr.arpa" {
>>> include "named.slave";
>>> };
>>> zone "6.168.192.in-addr.arpa" {
>>> include "named.slave";
>>> };
>>> zone "7.168.192.in-addr.arpa" {
>>> include "named.slave";
>>> };
>>> zone "8.168.192.in-addr.arpa" {
>>> include "named.slave";
>>> };
>>> zone "9.168.192.in-addr.arpa" {
>>> include "named.slave";
>>> };
>>> zone "10.168.192.in-addr.arpa" {
>>> include "named.slave";
>>> };
>>>
>>> named.slave looks as follows
>>>
>>> type slave;
>>> masters {192.168.1.2;};
>>> file "data/db.@.slave";
>>>
>>> It appears to work on my queries.
>>>
>>> nslookup 192.168.1.2
>>>
>>> 2.1.168.192.in-addr.arpa  name = pdc.
>>>
>>> nslookup 192.168.1.1
>>>
>>> 1.1.168.192.in-addr.arpa  name = gw1.
>>>
>>> nslookup 192.168.2.1
>>>
>>> 1.2.168.192.in-addr.arpa  name = gw2.
>>>
>>> the only file created in my data directory seems to be db.@.slave
>>> with the at sign.
>>
>> Why would you expect anything different? @ only has special meaning
>> inside zone files, it's not special in named.conf.
>>
>>>
>>> Do I really need to have each zone with its own file?
>>
>> Yes, you do. What's happening is that every time one of the reverse
>> zones is transferred, it's overwriting that file. But the files are only
>> used when initializing the zones when named starts up; you get the
>> correct answers because the in-memory versions of the zones are
>> distinct. But try restarting named and then see what happens when you do
>> those nslookups. You'll see that 192.168.1.1 and 192.168.2.1 both return
>> the same name.
>>
>>>
>>> Is there a special syntax to get what I expect?
>>> expected files:
>>> data/db.1.168.192.in-addr.arpa.slave
>>> data/db.2.168.192.in-addr.arpa.slave
>>> data/db.3.168.192.in-addr.arpa.slave
>>> ...
>>> data/db.10.168.192.in-addr.arpa.slave
>>>
>>> if not I can have Make do it and build some scripts to do what I want
>>> but if there is syntax to do what I want it would be nice.
>>
>> No, there's no built-in syntax to create the filename based on the zone
>> name.
>>
> I wrote a php script to build my file for me
>
>  $myslave=array('type'=>'slave'
> ,'masters'=>array('192.168.1.2')
> ,'autofile'=>'data/db.@.slave');
>
> $arpa192='.168.192.in-addr.arpa';
> $domain='';
> $zone['_msdcs.'.$domain]=$myslave;
> $zone[$domain]=$myslave;
> $slavedsubnets=range('1','10');
>
> build_subnets($slavedsubnets
> ,$arpa192
> ,$myslave);
>
> build_zones();
>
> function build_subnets($subnets
> ,$net
> ,$info)
> {global $zone;
>  foreach($subnets as $subnet)
>  {$zone[$subnet.$net]=$info;
> }}
>
> function build_zones()
> {global $zone,$argv;
>  $pounds=str_repeat('#',30);
>  $warning=$pounds.' WARNING '.$pounds."\n";
>  echo $warning. '# Do not edit this file. '.
>   'It was generated using "php '.
>   $argv[0]."\"\n".$warning;
>  foreach($zone as $z=>$infos)
>  {echo 'zone "'.$z.'" {'."\n";
>   foreach($infos as $item=>$value)
>   {echo "\t".$item.' ';
> 

RE: stumped on sub domain addition

2015-07-23 Thread Lightner, Jeff
Did you change the sequence/serial in the SOA and reload the zone?

Doing dig tests for euca.us I get its "A" record and for 
www.euca.us I get its CNAME.

That suggests you didn't set up the onqsolutions record properly.   Looking at your 
www CNAME in your zone file might let you know how to set up the one for 
onqsolutions.   Don't forget to put the dot at the end of the CNAME record like you see 
for WWW.

Jeffrey C. Lightner
Sr. UNIX/Linux Administrator

DS Services of America, Inc.
2300 Windy Ridge Pkwy
Suite 600 N
Atlanta, GA  30339-8461

P: 678-486-3516
C: 678-772-0018
F: 678-460-3603
E: jlight...@dsservices.com

From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of John Miller
Sent: Thursday, July 23, 2015 1:17 PM
Cc: Bind Users Mailing List
Subject: Re: stumped on sub domain addition

Hi Donovan,
Your zone file(s) as well as your named.conf config would be best here.  We 
really need more information from you than a single fqdn.
John
--
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu


On Thu, Jul 23, 2015 at 12:40 PM, lists - euca 
mailto:li...@euca.us>> wrote:
Hello,
I added a sub domain to my zone file euca.us yesterday.

“onqsolutions”.

It first was added as a CNAME, then I couldn’t get it to work.. so now it is an 
A record.
Still not working.

Can someone help troubleshoot?

onqsolutions.euca.us

TIA,
Donovan





RE: stumped on sub domain addition

2015-07-23 Thread Lightner, Jeff
Your A record is working on a "dig +trace" and also working when I do dig 
@ns10.euca.us and dig @ns11.euca.us.

This suggests the record (or nxrecord) is cached somewhere for normal lookups 
and will likely be OK after that cache expires.

Record returned:
onqsolutions.euca.us.   21600   IN  A   209.236.238.19

In your SOA you have (in addition to the rest of the record):
"2015072342  ; Serial" 
That suggests you updated the record today (07/23) and it automatically updated 
the serial number when you did it.

Jeffrey C. Lightner
Sr. UNIX/Linux Administrator
 
DS Services of America, Inc.
2300 Windy Ridge Pkwy
Suite 600 N
Atlanta, GA  30339-8461
 
P: 678-486-3516
C: 678-772-0018
F: 678-460-3603
E: jlight...@dsservices.com


-Original Message-
From: lists - euca [mailto:li...@euca.us] 
Sent: Thursday, July 23, 2015 2:23 PM
To: Lightner, Jeff
Cc: Bind Users Mailing List
Subject: Re: stumped on sub domain addition

Thanks for the responses.


On Jul 23, 2015, at 12:37 PM, Lightner, Jeff  wrote:

> Did you change the sequence/serial in the SOA and reload the zone?


No, I am using 'smbind' to administer bind, and it appears to not let me do 
that. I don't know if it does an 'auto reload' or not, but I've never had a 
problem with the 500+ domains that are on it as of yet, so I'm guessing it does.


>  
> Doing dig tests for euca.us I get its "A" record and for www.euca.us I get 
> its CNAME.  
>  
> That suggests you didn't setup onqsolutions record properly.   Looking at 
> your www CNAME in your zone file might let you know how to setup the one for 
> onqsolutions.   Don't forget to put the dot at end of CNAME record like you 
> see for WWW.
>  
> Jeffrey C. Lightner

> [snip]

> From: bind-users-boun...@lists.isc.org 
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John Miller
> Sent: Thursday, July 23, 2015 1:17 PM
> Cc: Bind Users Mailing List
> Subject: Re: stumped on sub domain addition
>  
> Hi Donovan,
> 
> Your zone file(s) as well as your named.conf config would be best here.  We 
> really need more information from you than a single fqdn.



Here is the file that smbind created  (note that I have been making some 
changes):
$TTL    21600
@               IN  SOA     ns10.euca.us. hostmaster.euca.us. (
                            2015072342  ; Serial
                            10800       ; Refresh
                            7200        ; Retry
                            604800      ; Expire
                            21600 )     ; Negative Cache TTL
;
@               IN  NS      ns10.euca.us.
@               IN  NS      ns11.euca.us.
@               IN  A       209.236.238.19
@               IN  MX  10  mail.euca.us.
design          IN  CNAME   @
dev             IN  CNAME   @
elatia          IN  A       209.236.238.19
ftp             IN  A       209.236.238.19
mail            IN  A       209.236.238.18
mail2           IN  A       209.236.238.18
ns10            IN  A       209.236.238.21
ns11            IN  A       209.236.238.22
onqsolutions    IN  A       209.236.238.19
www             IN  CNAME   @
www-tek         IN  CNAME   @


> 
> John
> --
> John Miller
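As an added example (not part of the thread and not smbind's code), the script below applies the checks the replies above turn on to the posted zone: a CNAME target needs a trailing dot unless it is `@` (without the dot it is relative to the origin, so `mail.euca.us` silently becomes `mail.euca.us.euca.us.`), a CNAME may not sit at the apex or share an owner name with other records, and the SOA serial should be a YYYYMMDDnn value that actually increases, since slaves only transfer when RFC 1982 serial arithmetic says the new serial is ahead. The embedded zone text is a constructed copy of Donovan's file, and the parser assumes every record carries an explicit owner name, as that file does.

```python
import re
from collections import defaultdict

# Constructed copy of the zone file posted in the thread, embedded so the
# example runs offline (it is not read from disk).
ZONE_TEXT = """\
$TTL 21600
@            IN  SOA    ns10.euca.us. hostmaster.euca.us. (
                        2015072342  ; Serial
                        10800       ; Refresh
                        7200        ; Retry
                        604800      ; Expire
                        21600 )     ; Negative Cache TTL
@            IN  NS     ns10.euca.us.
@            IN  NS     ns11.euca.us.
@            IN  A      209.236.238.19
@            IN  MX  10 mail.euca.us.
design       IN  CNAME  @
mail         IN  A      209.236.238.18
onqsolutions IN  A      209.236.238.19
www          IN  CNAME  @
"""

SERIAL_RE = re.compile(r"\d{4}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}")


def parse_zone(text):
    """Return ($TTL, [(owner, rtype, rdata_tokens), ...]).

    Comments after ';' are dropped and parenthesised multi-line records are
    joined before tokenising. Assumption (true of the posted file): every
    record starts with an explicit owner name.
    """
    ttl, records, buf = None, [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue                        # still inside a multi-line record
        toks = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if toks[0] == "$TTL":
            ttl = int(toks[1])
            continue
        i = 1
        if toks[i].isdigit():               # optional per-record TTL
            i += 1
        if toks[i] == "IN":                 # optional class
            i += 1
        records.append((toks[0], toks[i], toks[i + 1:]))
    return ttl, records


def lint_zone(text):
    """Return a list of findings; an empty list means the zone passed."""
    ttl, records = parse_zone(text)
    findings = []
    if ttl is None:
        findings.append("no $TTL directive")
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        findings.append("zone needs exactly one SOA")
    elif not SERIAL_RE.fullmatch(soa[0][2][2]):
        findings.append(f"serial {soa[0][2][2]} is not YYYYMMDDnn")
    types_by_owner = defaultdict(set)
    for owner, rtype, rdata in records:
        types_by_owner[owner].add(rtype)
        if rtype != "CNAME":
            continue
        target = rdata[0]
        if owner == "@":
            findings.append("CNAME at the zone apex is illegal (SOA/NS live there)")
        if target != "@" and not target.endswith("."):
            # Without the dot the target is relative to the origin, so
            # 'mail.euca.us' silently becomes 'mail.euca.us.euca.us.'
            findings.append(f"{owner}: CNAME target {target!r} is relative; "
                            f"missing trailing dot?")
    for owner, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:
            others = sorted(types - {"CNAME"})
            findings.append(f"{owner}: CNAME cannot coexist with {others}")
    return findings


def serial_must_increase(old, new):
    """RFC 1982 serial arithmetic: slaves only transfer when the new serial is
    'after' the old one modulo 2^32, so a forgotten bump means stale slaves."""
    diff = (new - old) % 2**32
    return 0 < diff < 2**31


if __name__ == "__main__":
    for finding in lint_zone(ZONE_TEXT) or ["zone OK"]:
        print(finding)
```

Run against the posted zone it reports nothing; append a line such as `ftp IN CNAME mail.euca.us` and it flags the missing dot before `named-checkzone` would accept the (syntactically valid, semantically wrong) record.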


RE: How to properly update chroot-bind

2015-07-28 Thread Lightner, Jeff
Since the OP says he's not in Production yet I'd strongly advise moving on to 
CentOS 7 for multiple reasons.  It has a newer base version of BIND and also has a 
3.x kernel.

However, there is a learning curve because it also uses systemd rather than Sys 
V init.   The way bind-chroot runs is significantly different than it was on 
RHEL6 when you got to RHEL7.   (As noted CentOS versions are compiled from RHEL 
sources of the same versions.)

As noted previously on this list the version of  BIND you get with each major 
RHEL release (RHEL5, RHEL6, RHEL7) changes but the base version of BIND never 
gets updated to later BIND versions within each of these releases.  Instead 
RedHat backports security and some enhancements into the base they started with 
and add their own extended versioning.   This is true of CentOS because of its 
derivation.

There is someone on this list that does compile newer versions of BIND for RHEL 
so if you search the archive you can find newer versions than are shipped by 
RHEL/CentOS.   

Also CentOS does have extended repositories beyond those RHEL has so you may 
find something newer there.   

CentOS by the way is not "supported" so if you're using CentOS vs RHEL worrying 
about "supported" shouldn't be an issue for you.   (RHEL is "supported" if you 
pay for the subscriptions.)


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR - fantomas
Sent: Tuesday, July 28, 2015 7:58 AM
To: bind-users@lists.isc.org
Subject: Re: How to properly update chroot-bind

>Am 28.07.2015 um 10:56 schrieb Matus UHLAR - fantomas:
>>>but you *never ever* should only update specific packages on a 
>>>RHEL/CentOS system because that is *not supported and tested* at all
>>
>>No? What are dependencies for, then?
>>Or don't yum/RPM support them in the way debian does?
>>(that is why it's quite easy to have mixed Debian... we have machine 
>>with mix of debian 5,6,7 and even 8... not that It's good idea)

On 28.07.15 11:22, Reindl Harald wrote:
>CentOS is a RHEL clone except that there are no updates for older point 
>releases
>
>it was stated multiple times by the maintainers on the mailing list 
>that you have to apply *all* errata updates; nothing else is supported
>
>it's not a matter of dependencies, it's just a matter of what 
>combinations of packages are tested for regressions and the fact that 
>there are no updates for RHEL without a good reason
>
>how does dependencies help when there was a critical bug fixed in 
>package A which may hit your updated version of package B because the 
>combination of that versions never was tested
>
>feel free to ignore that but you are at your own if things behave 
>unexpected when the developers say "just only use 'yum upgrade'"
>which applies also for minor releases, when CentOS 6.7 is out there 
>will be no single update for CentOS 6.6 packages and hence "yum 
>upgrade" brings you to CentOS 6.7 in a few weeks which is from that 
>moment on the only supported CentOS 6.x

yes, this is a good explanation, I believe for the OP too.

"not supported" can of course mean "working without problems", however I agree 
there's no point in only updating BIND itself.

Still, the OP can stick with provided BIND 9.8 that is in CentOS6, update to 
CentOS 7 or compile his own BIND version (and provide support for
themselves)
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.


RE: DNS format error

2015-07-28 Thread Lightner, Jeff
http://www.vip.icann.org/DS?

The http:// and /DS wouldn't be part of DNS name itself so you can't dig for 
that.   You'd have to point a browser (or command line tool like wget or curl) 
to get that web page.

The vip IS part of the DNS name.  Did you try "dig www.vip.icann.org"?   It 
works for me.

Also nmap confirms port 80 is open for the above so http traffic should work 
assuming the web page is up.


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Yang Yu
Sent: Tuesday, July 28, 2015 12:10 PM
To: bind-users@lists.isc.org
Subject: DNS format error

I spotted DNS format error in bind 9.9.5 log

queries
28-Jul-2015 23:19:27.198 client client_IP #50270 (www.icann.org):
query: www.icann.org IN  + (client_IP)
28-Jul-2015 23:19:29.872 client client_IP #46483 (www.icann.org):
query: www.icann.org IN A + (client_IP)


resolver
28-Jul-2015 23:19:35.621 DNS format error from 192.0.32.252#53 resolving 
www.vip.icann.org/DS: invalid response
28-Jul-2015 23:19:35.789 DNS format error from 192.0.36.252#53 resolving 
www.vip.icann.org/DS: invalid response
28-Jul-2015 23:19:36.022 DNS format error from 192.0.47.252#53 resolving 
www.vip.icann.org/DS: invalid response

I am unable to replicate this issue with dig www.icann.org. What could have 
bind received that resulted in DNS format error in this particular case?

Yang
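A note on reading those lines, plus an added example that is not part of the thread: in BIND's resolver category the question is logged as `<name>/<type>`, so `www.vip.icann.org/DS` is a DS query for that name (what a validating resolver issues when it needs to establish whether a signed delegation exists at that point), not a URL path, which is also why a plain `dig www.icann.org` from a client does not reproduce it. The parser below handles the two BIND 9.9 formats quoted above (the per-client query log and the resolver error log) and groups upstream errors by question, which is what you want when deciding whether a burst of format errors is one misbehaving server or many. The sample lines are constructed in the quoted format with documentation-range client addresses; newer BIND releases add fields (for example an `@0x...` client pointer) that these regexes do not cover.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the BIND 9.9 format quoted in the thread; client
# addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
28-Jul-2015 23:19:29.872 client 198.51.100.7#46483 (www.icann.org): query: www.icann.org IN A + (192.0.2.53)
28-Jul-2015 23:19:35.621 DNS format error from 192.0.32.252#53 resolving www.vip.icann.org/DS: invalid response
28-Jul-2015 23:19:35.789 DNS format error from 192.0.36.252#53 resolving www.vip.icann.org/DS: invalid response
28-Jul-2015 23:19:36.022 DNS format error from 192.0.47.252#53 resolving www.vip.icann.org/DS: invalid response
28-Jul-2015 23:19:40.100 client 198.51.100.9#50012 (example.net): query: example.net IN AAAA +E (192.0.2.53)
"""

ADDR = r"[0-9a-fA-F.:]+"
QUERY_RE = re.compile(
    rf"^(?P<ts>\S+ \S+) client (?P<client>{ADDR})#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)")
# Resolver-category messages name the question as <qname>/<qtype>.
RESOLVER_RE = re.compile(
    rf"^(?P<ts>\S+ \S+) (?P<message>.+?) from (?P<server>{ADDR})#(?P<port>\d+) "
    r"resolving (?P<qname>[^/ ]+)/(?P<qtype>[A-Z0-9]+): (?P<detail>.+)$")


@dataclass
class Event:
    kind: str                 # "query" (from a client) or "resolver" (upstream)
    peer: str                 # client address or upstream server address
    qname: str
    qtype: str
    detail: Optional[str] = None


def parse_line(line):
    """Classify one log line; returns None for lines in neither format."""
    m = QUERY_RE.match(line)
    if m:
        return Event("query", m["client"], m["qname"], m["qtype"], m["flags"])
    m = RESOLVER_RE.match(line)
    if m:
        return Event("resolver", m["server"], m["qname"], m["qtype"],
                     f"{m['message']}: {m['detail']}")
    return None


def resolver_errors(text):
    """Group upstream errors by (qname, qtype) -> sorted list of servers, so a
    burst against one question from several servers stands out from noise."""
    grouped = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev.kind == "resolver":
            grouped.setdefault((ev.qname, ev.qtype), set()).add(ev.peer)
    return {k: sorted(v) for k, v in grouped.items()}


def client_queries(text):
    """Return (client, qname, qtype) triples from the query log."""
    out = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev.kind == "query":
            out.append((ev.peer, ev.qname, ev.qtype))
    return out


if __name__ == "__main__":
    for (qname, qtype), servers in resolver_errors(SAMPLE_LOG).items():
        print(f"{qname} {qtype}: format errors from {len(servers)} servers")
```

To reproduce what the resolver itself saw, ask an authoritative server the same question directly, for example `dig @192.0.32.252 www.vip.icann.org DS +dnssec`, rather than querying the recursive server for a different name and type.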


RE: Multiple A and PTR and the "main" ones?

2015-09-11 Thread Lightner, Jeff
Actually some mail servers DO check not only that a PTR exists but also that it 
is not "generic".   

Every once in a while we get someone complaining because one of the big sites 
(Ebay?) refuses to accept their email due to the "generic" (as defined by that 
site's policies) nature of our PTR.   We typically ignore that because we've 
never seen this complaint from other mail servers and no one has ever provided 
a business use for the one site that is complaining.

Other than that I've never seen any complaint about what the actual PTR is so I 
can't imagine why you'd need more than one for the same IP.   Just pick the 
one that helps identify you for anyone that cares to look at IPs vs names.   

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Reindl Harald
Sent: Friday, September 11, 2015 8:50 AM
To: bind-users@lists.isc.org
Subject: Re: Multiple A and PTR and the "main" ones?



Am 11.09.2015 um 14:42 schrieb Marek Kozlowski:
> On 09/11/2015 02:36 PM, Reindl Harald wrote:
>> STAY ON LIST - the last time i had enough of repeating that an answer 
>> on a public ML is not an invitation for private support i got 
>> moderated...
>
> Oups! Sorry! :-( Sorry! Sorry!
>
> I'm sending this with the whole "history" of our conversation.
>
>> it is my opinion backed by dealing with DNS and email for many years 
>> facing all problems left and right we never had because the strict 
>> policy here that one IP has only one PTR
>>
>> what "official bad practice" do you need when you can see the 
>> problems otherwise would not be possible at your own?
>
> In the sense: "`best current practice' says something opposite".
> BTW: Are we talking on multiple PTRs for mail servers only or multiple 
> PTRs in general?

well, in fact mailservers because for other services PTRs are not that 
important or verified at all - if they are not verified why bother about it?

but what would you gain by having multiple PTR records at all for whatever 
server? that's in fact the only relevant question


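The two checks the thread talks past each other about, as an added example that is not from the thread or from any particular MTA: forward-confirmed reverse DNS (does some PTR name for the address have an A record pointing back at it) and a "generic PTR" heuristic of the kind the one complaining site applies (the hostname embeds the address octets or an ISP pool keyword). The forward and reverse data are a constructed in-memory stand-in for live DNS with documentation-range addresses and invented names; the generic-name heuristic is IPv4-only and is one plausible policy, not a standard.

```python
import ipaddress
import re

# Constructed forward/reverse data standing in for live DNS; the addresses
# are documentation ranges and the names are invented.
FAKE_PTR = {
    "198.51.100.25": ["mail.example.org."],
    "198.51.100.26": ["198-51-100-26.dyn.example.net."],
    "198.51.100.27": ["mail.example.org.", "smtp.example.org.", "old.example.org."],
    "198.51.100.28": ["mail.example.com."],
}
FAKE_A = {
    "mail.example.org.": ["198.51.100.25", "198.51.100.27"],
    "smtp.example.org.": ["198.51.100.27"],
    "old.example.org.": ["203.0.113.40"],           # stale PTR, does not point back
    "198-51-100-26.dyn.example.net.": ["198.51.100.26"],
    "mail.example.com.": ["203.0.113.9"],           # PTR exists but A disagrees
}

POOL_WORDS = re.compile(r"\b(dyn|dynamic|dhcp|pool|ppp|dsl|cable)\b", re.I)


def reverse_name(ip):
    """The owner name a resolver asks for: 25.100.51.198.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def looks_generic(ip, ptr_name):
    """Heuristic of the kind some receivers apply: the hostname embeds all
    four address octets (any separator or order) or an ISP pool keyword.
    IPv4 only."""
    digit_runs = re.findall(r"\d+", ptr_name)
    if all(octet in digit_runs for octet in ip.split(".")):
        return True
    return bool(POOL_WORDS.search(ptr_name))


def fcrdns(ip, ptr_lookup=FAKE_PTR.get, a_lookup=FAKE_A.get):
    """Forward-confirmed reverse DNS: keep only PTR names whose A records
    contain the original address. Extra PTRs that do not confirm are simply
    ignored, which is why one good PTR per address is all a receiver needs."""
    return [name for name in (ptr_lookup(ip) or [])
            if ip in (a_lookup(name) or [])]


def assess_sender(ip, **lookups):
    """Mimic a receiving MTA's connect-time check on a client address."""
    confirmed = fcrdns(ip, **lookups)
    if not confirmed:
        return "reject: no forward-confirmed PTR"
    if all(looks_generic(ip, name) for name in confirmed):
        return "reject: PTR looks generic"
    return "accept"


if __name__ == "__main__":
    for addr in FAKE_PTR:
        print(addr, reverse_name(addr), assess_sender(addr))
```

With real DNS, `ptr_lookup` and `a_lookup` would be replaced by resolver calls; the point the data makes is that 198.51.100.27's three PTRs buy it nothing over 198.51.100.25's one, and the stale third PTR is only harmless because the receiver checks forward confirmation per name.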


RE: init script

2015-09-29 Thread Lightner, Jeff
Which Linux or UNIX distribution and version are you using?

As Omer suggests most of them include a bind package with prebuilt init scripts 
- you can download the BIND package then extract the init scripts from it.   
(deb is for Debian derived Linux distros, rpm for Redhat derived distros - 
might be a different package setup for UNIX or other Linux distros)


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Omer Faruk SEN
Sent: Tuesday, September 29, 2015 9:25 AM
To: Leandro
Cc: bind-users@lists.isc.org
Subject: Re: init script

Use rpm or deb packages that have perfect init scripts in it

Sent via mobile device, excuse typos.

On 29 Sep 2015 at 16:07, Leandro wrote:

> Hi guys, about an init script to control the bind daemon; After 
> successfully building bind 9.10, I'm doing:
> "bind -c /etc/named.conf -u bind" to start the service.
> and
> "killall bind" to stop it.
> Now I would like to set an init script so I can set it to start on boot and 
> use the "service named start/stop/status" fashion command.
> Where can I get the init script for bind 9.10 ?
> 
> Regards,
> Leandro.
> 

RE: Why two lookups for a CNAME?

2015-10-21 Thread Lightner, Jeff
Because the purpose of DNS primarily is to equate a name with an IP, as 
applications talk to IPs, not to names.   When you have a CNAME you’re equating 
one name with another name.   That other name then has to be looked up so the 
application knows what IP to access.

This saves time if you have multiple CNAMEs to the same A record in that when 
you update DNS you only have to update that one A record.  You don’t have to 
use CNAMEs to go to the same IP – you could make each record an A record pointing 
to the same IP.   You’d then have to be sure you updated all the A records 
using that IP if you decided to change it to something else later (e.g. if you 
changed ISPs).

Obviously there is a small performance cost in CNAMEs, which is why you don’t 
want to have a CNAME to another CNAME because that results in 3 lookups.   For 
most applications the single CNAME isn’t an issue but on occasion it is so you 
go the A record route instead.


From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Steve Arntzen
Sent: Wednesday, October 21, 2015 4:33 PM
To: bind-users
Subject: Why two lookups for a CNAME?


I'm sure there's a good, simple reason for this, I just can't seem to find the 
answer searching on the Internet.

Why does named perform a lookup for the A record when its IP is returned with 
the CNAME in the first answer?

Using dig, I find play.google.com is a CNAME for play.l.google.com.

When asked to resolve it, named will first look for play.google.com.  The 
result will include the CNAME and the IP of the A record.

Named then makes a second request to resolve the A record.

Thanks in advance,

Steve.
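The alias-following described above, as an added example that is not part of the thread and is not BIND's resolver code: the function walks CNAMEs one name at a time, counting a lookup per name, so a plain A record costs one lookup, a CNAME to an A record two, and a CNAME to a CNAME three, which is the cost Jeff's reply refers to. It also enforces the bound every resolver needs, refusing loops and over-long chains, since an attacker-controlled zone can otherwise make a resolver chase aliases indefinitely. The records are constructed in-memory data; play.google.com is only the name from the question and the addresses are documentation-range placeholders.

```python
# Constructed in-memory records (not live DNS). play.google.com is the name
# from the question; the addresses are documentation-range placeholders.
RECORDS = {
    ("play.google.com.", "CNAME"): ["play.l.google.com."],
    ("play.l.google.com.", "A"): ["203.0.113.10", "203.0.113.11"],
    ("shop.example.", "CNAME"): ["play.google.com."],       # CNAME -> CNAME -> A
    ("loop-a.example.", "CNAME"): ["loop-b.example."],
    ("loop-b.example.", "CNAME"): ["loop-a.example."],
}

MAX_CHAIN = 16   # bound on aliases followed; a resolver must refuse to chase forever


def resolve(name, qtype, records=RECORDS, max_chain=MAX_CHAIN):
    """Follow CNAMEs the way a resolver does when each answer only hands it
    the next name. Returns (answer_section, lookups_performed)."""
    answer, lookups, seen, current = [], 0, set(), name
    while True:
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        if lookups >= max_chain:
            raise ValueError(f"CNAME chain longer than {max_chain}")
        seen.add(current)
        lookups += 1
        direct = records.get((current, qtype))
        if direct is not None:                 # reached the real records
            answer.extend((current, qtype, rd) for rd in direct)
            return answer, lookups
        alias = records.get((current, "CNAME"))
        if not alias:                          # NODATA/NXDOMAIN: chain ends empty
            return answer, lookups
        answer.append((current, "CNAME", alias[0]))
        current = alias[0]


def lookup_cost(name, qtype="A"):
    """Number of separate lookups a resolver needs for this name."""
    return resolve(name, qtype)[1]


if __name__ == "__main__":
    for n in ("play.l.google.com.", "play.google.com.", "shop.example."):
        print(n, "->", lookup_cost(n), "lookups")
```

A real recursive server may skip the second round trip when the first response already carries the target's records from a server it trusts for that name; this model deliberately counts the worst case, which is what the timing difference Steve noticed reflects.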

RE: Cloud DNS providers for secondary DNS

2015-12-30 Thread Lightner, Jeff
The OP mentioned notifying Registrars.   He'll also need to notify whoever his 
ISP is if he has arpa zones for reverse lookups and they are delegating to his 
name servers.


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of John Levine
Sent: Tuesday, December 29, 2015 9:40 PM
To: bind-users@lists.isc.org
Subject: Re: Cloud DNS providers for secondary DNS

>Am 30.12.2015 um 03:12 schrieb Luis Daniel Lucio Quiroz:
>> You could use dyndns for that, but it is not free.
>
>do they provide anycast?

Yes, of course.  Dyn is one of the largest DNS providers in the world.

Their basic secondary service is $40/yr.

R's,
John


RE: Bind9 on VMWare

2016-01-13 Thread Lightner, Jeff
We chose to do BIND on physical for our externally authoritative servers.  

We use Windows DNS for internal.   

One thing you should do if you're doing virtual is be sure you don't have your 
guests running on the same node of a cluster.   If that node fails your DNS is 
going down.   Ideally if you have multiple VMWare clusters you'd put your 
guests on separate clusters.




RE: PCS, Corosync, Pacemaker, and Bind

2016-03-19 Thread Lightner, Jeff
You might want to try "ip a" vs ifconfig.   RHEL7 uses Network Manager and in 
the past I've found some things don't show up in ifconfig output when doing 
alias/virtual interfaces.  

Usually even when other products (e.g. Oracle RAC/GRID) create virtual 
interfaces they still show up as valid interfaces at host level.   I've not 
tried PCS/Corosync.

You might also look at arp output to see if it shows any traffic on a specific 
MAC.


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Phil Mayers
Sent: Wednesday, March 16, 2016 5:14 AM
To: bind-users@lists.isc.org
Subject: Re: PCS, Corosync, Pacemaker, and Bind

On 15/03/16 23:06, Mike Bernhardt wrote:

> So, I'm hoping that either
> 1) There is a way to tell BIND to use an IP address that is not on an 
> interface, or

I don't think there is.

I can think of all kinds of horrible workarounds - iptables SNAT, shell script 
doing a config-change & rndc reconfig on pcs failover.

But in general I'd agree with what Tony Finch said - give some thought to why 
you're caring about these source IPs.

TBH having used pcs/corosync I'm really curious what your use-case is. 
It seems massive overkill for having highly-available DNS.



RE: about NS server authorize

2016-03-21 Thread Lightner, Jeff
As others said this isn't really a BIND issue.

EPP key is what some Registrars call the authorization code for domain 
registration transfers.   

Did you recently attempt to transfer this zone from one Registrar to another?   
Did you get confirmation that the transfer (not just the request for transfer) 
completed?   Before you requested the transfer did you unlock the domain?   If 
you don't unlock before transferring many Registrars will not only refuse the 
transfer but will block new transfer attempts for 30 days.


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of /dev/rob0
Sent: Monday, March 21, 2016 9:59 AM
To: bind-users@lists.isc.org
Subject: Re: about NS server authorize

On Mon, Mar 21, 2016 at 07:44:51PM +0800, supp...@cloudwebdns.com wrote:
> Hi,
> 
> ns5.cloudwebdns.com
> ns6.cloudwebdns.com
> 
> For these two nameservers (they are the native BIND 9), we can use 
> them to resolve the other domains like .com/.net/.org/.info etc.
> 
> But when we try to setup a .me domain to be resolved by them, from the 
> registrar's control panel, it fails, saying name server not 
> authorized.
> 
> This may be something wrong around EPP and host object.

I don't know what this means.  It is not a BIND question in any case.

> Can you help setup the host object with these two nameservers into 
> .me's registry?

No, Matus was right.  It sounds like you need to go to the .me registry for 
support.  If they have not "authorized" your servers to be authoritative for 
.me zones, only they can help you.
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


RE: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-23 Thread Lightner, Jeff
Since there are BIND packages (9.9.4) for RHEL7/CentOS7 available from default 
repositories you could download those packages and extract the systemd files 
from them and examine what they've done.

With systemd the methodology isn't that BIND notifies other things that it is 
up.  It is that other things, if dependent upon BIND, have in their systemd 
files a requirement that BIND be up before they start. 

That is different than Sys V init in which things started one after the other.  
 The idea is a systemd boot is much faster as it doesn't make things wait 
because of order but rather only where there are dependencies.

Also as an FYI Carl Byington regularly posts new builds he has done of BIND 
updates for RHEL/CentOS.  
The most recent email he sent was for BIND 9.10 and has a link to:
http://www.five-ten-sg.com/mapper/bind

I haven't used that myself but it probably also contains systemd examples you 
could extract.

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Tony Finch
Sent: Wednesday, March 23, 2016 8:36 AM
To: Reindl Harald
Cc: bind-users@lists.isc.org
Subject: Re: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

Reindl Harald  wrote:
>
> > The problem that I alluded to above is that if you have services 
> > that depend on the DNS, there should be a mechanism for the DNS 
> > server to say when it is ready and that it's OK to start services 
> > that need DNS. I don't know the right way to specify that to 
> > systemd: maybe it needs a socket unit file as well?
>
> or just don't use "-f" and Type=forking
>
> https://www.freedesktop.org/software/systemd/man/systemd.service.html
>
> If set to forking, it is expected that the process configured with 
> ExecStart= will call fork() as part of its start-up. The parent 
> process is expected to exit when start-up is complete and all communication 
> channels are set up.

BIND does not do that - it forks too early. It's a bit tiresome.

log_daemon_msg "Starting name server" "BIND"
start-stop-daemon --start --oknodo --pidfile $PIDFILE \
        --name named --user named --group named \
        --startas $TOP/bin/named \
        -- -t $TOP -u named -c /etc/named.conf
i=$(( $? ? 100 : 0 ))
while   [ $i -lt 100 ] &&
        ! rndc status >/dev/null 2>&1
do      sleep 0.1
        i=$((i+1))
done
chmod g+r $RUN/session.key
rndc status >/dev/null 2>&1
log_end_msg $?

Tony.
--
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode 
Fair Isle, Faeroes: South or southwest 5 or 6, occasionally 7 later. Moderate 
or rough, occasionally very rough. Rain or showers. Moderate or good, 
occasionally poor.


RE: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-23 Thread Lightner, Jeff
It doesn't.   The systemd script either succeeds or fails.   Any script that is 
dependent on it succeeding won't start.   

Again it is a change.  

In init you'd see a start had failed (or was hung).  

In systemd it simply sends the instruction to start everything that is supposed 
to start.   The upside of this approach is that the rest of your startup 
succeeds as it runs asynchronously unless you've included a dependency for the 
thing that failed.   It also means a hung script doesn't stop your boot in its 
tracks like it did in init.   You can login and troubleshoot things.

The downside is you don't get the pretty display showing OK or FAILED for each 
script during boot because boot completing is NOT dependent on ALL scripts 
succeeding.

If it is important to you that certain things be up you need to set up 
monitoring.  We do that with Nagios here.

-Original Message-
From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
Sent: Wednesday, March 23, 2016 9:52 AM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: RE: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

Lightner, Jeff  wrote:
>
> With systemd the methodology isn't that BIND notifies other things 
> that it is up.  It is that other things, if dependent upon BIND, have 
> in their systemd files a requirement that BIND be up before they start.

Yes, but how does systemd know when BIND is up?

(The Red Hat and five-ten-sg RPMs don't seem to have an answer.)

Tony.
--
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode 
Dogger, Fisher, German Bight, Humber: Northwest backing southwest 3 or 4, 
increasing 5 at times. Slight, occasionally moderate. Fog patches, rain at 
times. Moderate or good, occasionally very poor.
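The readiness gap Tony and Jeff are circling, as an added example that is not from the thread, from BIND or from any distribution package: because named forks before it is ready to serve, "process started" is not "resolver answering", and dependents started on the first signal will fail their lookups. The helper below does what the init-script fragment above does with its `rndc status` loop, with a bounded retry budget and a non-zero result when the budget runs out, so a wrapper can report failure instead of letting systemd declare the unit active. Where it is hooked is an assumption: one option is an `ExecStartPost=` wrapper on a `Type=forking` unit, since systemd waits for `ExecStartPost=` commands to finish before treating the unit as started. The `rndc` invocation assumes a working control channel (`rndc.key` readable by the caller); the flaky probe is a constructed stand-in used only to exercise the loop.

```python
import subprocess
import time


def wait_until_ready(probe, attempts=100, delay=0.1, sleep=time.sleep):
    """Poll probe() until it returns True.

    Returns the attempt number that succeeded, or 0 when the budget ran out
    (so callers can fail the unit instead of starting dependents against a
    resolver that is not answering yet). `sleep` is injectable for tests."""
    for attempt in range(1, attempts + 1):
        if probe():
            return attempt
        sleep(delay)
    return 0


def rndc_status_ok(command=("rndc", "status")):
    """Readiness probe for BIND: rndc exits 0 only once named answers on its
    control channel, the same check the init-script fragment in the thread
    loops on. Any failure to run the command counts as 'not ready'."""
    try:
        result = subprocess.run(command, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0


def make_flaky_probe(ready_on):
    """Constructed stand-in for a daemon that becomes ready on the Nth poll."""
    polls = {"count": 0}

    def probe():
        polls["count"] += 1
        return polls["count"] >= ready_on
    return probe


if __name__ == "__main__":
    n = wait_until_ready(rndc_status_ok)
    print("named ready after %d polls" % n if n else "named never became ready")
    raise SystemExit(0 if n else 1)
```

Run as a script it exits 0 once `rndc status` succeeds and 1 after ten seconds of failures, which is the exit status a unit file or a Nagios check (as Jeff suggests for the monitoring side) can act on.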


RE: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

2016-03-25 Thread Lightner, Jeff
The RedHat/CentOS version starts with an upstream version from ISC.   At the 
time they first get it they optimize to fit within the other packages they’ve 
setup on the specific major release (e.g. RHEL5 had BIND 9.3.6,  RHEL7 has BIND 
9.9.4).   After that they put their own extended versioning on the package 
(e.g. RHEL5 might have bind-9.3.6-25.P1.el5_11.5 and RHEL7 might have 
bind-9.9.4-18.el7_1.1.x86_64 – everything after the dash is the extended 
versioning) .  Through the life of the major release they will never change 
base upstream version but will update their extended versioning as they back 
port security and bug fixes into the base they used.   They may also add 
enhancements from upstream but aren’t required to do so.

They MAY offer a “technology preview” of a later upstream version that they’ve 
created but aren’t required to do so.   (i.e. They’ll continue to provide 
fixes to the original base but may also provide packages for a newer upstream 
that one can download and use – I’ve seen them do this exactly once for the 
BIND version on RHEL5.)

RedHat lifecycle is quite long (RHEL5 had full support for 10 years) but 
eventually all good things come to an end and in last phase support (as RHEL5 
is currently in) they may not do updates.  (e.g. They’ve already announced they 
won’t update openssl in RHEL5 to add TLSv1.1 and higher support as they see 
that as a “feature” rather than a “bug”)

Also as an FYI in addition to the BIND they offer specialty packages such as 
BIND-CHROOT that lets you run your software in a chroot’ed environment.

You can get the source RPMs from RHEL as well to change compile options for 
anything you’d like that they may not have chosen in their compile.

From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Sean Son
Sent: Thursday, March 24, 2016 6:23 PM
To: Tony Finch
Cc: bind-us...@isc.org
Subject: Re: Regarding compiling BIND 9.10.3-p4 on a SystemD Distro

Thank you for the replies everyone. Are there any major differences between the 
BIND package that Red Hat/CentOS provides vs the BIND package provided by the 
ISC website?

Thanks

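The versioning scheme Jeff describes here and in the chroot-bind thread above has a practical consequence for vulnerability triage: the `9.9.4` in `bind-9.9.4-18.el7_1.1.x86_64` is the upstream base Red Hat branched from, not a statement of which fixes it carries, so comparing it against an ISC advisory's "fixed in 9.9.x" line gives false positives. What actually moves is the release field after the dash. The example below, added here and not taken from the thread or from rpm's own source, splits a package string into name/version/release/arch the way rpm does and orders two builds with a simplified `rpmvercmp` (digit runs compared numerically, letter runs as strings, the `~` pre-release marker not modelled). The package names are the ones quoted in the message; `bind-9.9.4-29.el7_2.3` used in the test is a made-up later release.

```python
import re
from itertools import zip_longest

ARCHES = ("x86_64", "i686", "i386", "aarch64", "ppc64le", "s390x", "noarch", "src")


def parse_nevra(pkg):
    """Split 'name-version-release[.arch]' the way rpm does: the last two
    dashes delimit release and version, everything before them is the name
    (so 'bind-chroot' survives intact)."""
    name, version, release = pkg.rsplit("-", 2)
    arch = None
    for candidate in ARCHES:
        if release.endswith("." + candidate):
            release, arch = release[: -len(candidate) - 1], candidate
            break
    return {"name": name, "version": version, "release": release, "arch": arch}


def _segments(s):
    # rpm compares runs of digits numerically and runs of letters as strings;
    # separators are ignored. (The '~' pre-release marker is not modelled.)
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp for the common cases."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:
            return -1                      # b has more segments -> newer
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alpha
        elif x != y:
            return 1 if x > y else -1
    return 0


def compare_packages(a, b):
    """Order two builds of the same package by (version, release)."""
    pa, pb = parse_nevra(a), parse_nevra(b)
    if pa["name"] != pb["name"]:
        raise ValueError(f"{pa['name']} and {pb['name']} are different packages")
    return rpmvercmp(pa["version"], pb["version"]) or rpmvercmp(pa["release"], pb["release"])


def upstream_base(pkg):
    """The ISC version the distro branched from. Do not feed this into a CVE
    'fixed in' comparison: the fix may be backported in a later release."""
    return parse_nevra(pkg)["version"]


if __name__ == "__main__":
    for p in ("bind-9.3.6-25.P1.el5_11.5", "bind-9.9.4-18.el7_1.1.x86_64"):
        print(p, "->", parse_nevra(p))
```

To find out whether a given CVE is in an installed build, read the package changelog (`rpm -q --changelog bind | grep -i CVE-`) or the errata for that release field rather than the upstream version.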

Multiple AD domains

2016-07-27 Thread Jeff Sadowski
On the samba mailing list they described setting up the DC as the NS and
forwarding to another machine for more rules.
This will work fine for one domain. Now let's say I have 2 domains.

If I setup forwarders like so on 192.168.1.1

zone "domainA" IN { type forward; forward only; forwarders { 192.168.2.1; }; };
zone "domainB" IN { type forward; forward only; forwarders { 192.168.3.1; }; };

It will cache entries for each domain and if a computer gets a different
address for dhcp it will update on the domain's DNS but the dns on
192.168.1.1 will have a cached entry until it expires.

192.168.2.1 and 192.168.3.1 are setup to forward all other zones than their
domain names to 192.168.1.1

If I have the DNS server set for all machines in domainA to 192.168.2.1 all
machines on domainA see any DNS changes to domainA immediately; machines on
domainB are cached and can take time to clear out.
And
if I have the DNS server set for all machines in domainB to 192.168.3.1 all
machines on domainB see any DNS changes to domainB immediately; machines on
domainA are cached and can take time to clear out.

What is the best way to resolve this issue?

Re: Multiple AD domains

2016-07-27 Thread Jeff Sadowski
should I setup 192.168.1.1 as slaves to these two domains would that fix it?

On Wed, Jul 27, 2016 at 12:56 PM, Jeff Sadowski 
wrote:

> On the samba mailing list they described setting up the DC as the NS and
> forward to another machine for more rules.
> This will work fine for one domain. Now lets say I have 2 domains.
>
> If I setup forwarders like so on 192.168.1.1
>
> zone "domainA" IN { type forward; forward only; forwarders { 192.168.2.1;
> }; };
> zone "domainB" IN { type forward; forward only; forwarders { 192.168.3.1;
> }; };
>
> It will cache entries for each domain and if a computer gets a different
> address for dhcp it will update on the domain's DNS but the dns on
> 192.168.1.1 will have a cached entry untill it expires.
>
> 192.168.2.1 and 192.168.3.1 are setup to forward all other zones than
> their domain names to 192.168.1.1
>
> if I have DNS server set for all machines in domainA to 192.168.2.1 all
> machines on domainA see any DNS changes to domainA imediately machines on
> domainB are cached and can take time to clear out.
> And
> if I have DNS server set for all machines in domainB to 192.168.3.1 all
> machines on domainB see any DNS changes to domainB imediately machines on
> domainA are cached and can take time to clear out.
>
> What is the best way to resolve this issue?
>

Re: Multiple AD domains

2016-07-27 Thread Jeff Sadowski
I'm going to try slaves like so

If I setup slave zones like so on 192.168.1.1

zone "domainA" IN { type slave; masters { 192.168.2.1; }; file
"db.domainA"; };
zone "domainB" IN { type slave; masters { 192.168.3.1; }; file
"db.domainB"; };

and in 192.168.2.1 and 192.168.3.1
in options

notify yes;
also-notify { 192.168.1.252; };
allow-transfer { 192.168.1.252; };


On Wed, Jul 27, 2016 at 1:11 PM,  wrote:

> > From: Jeff Sadowski 
>
> > On the samba mailing list they described setting up the DC as the NS
> > and forward to another machine for more rules.
> > This will work fine for one domain. Now lets say I have 2 domains.
> >
> > If I setup forwarders like so on 192.168.1.1
> >
> > zone "domainA" IN { type forward; forward only; forwarders { 192.
> > 168.2.1; }; };
> > zone "domainB" IN { type forward; forward only; forwarders { 192.
> > 168.3.1; }; };
> >
> > It will cache entries for each domain and if a computer gets a
> > different address for dhcp it will update on the domain's DNS but
> > the dns on 192.168.1.1 will have a cached entry until it expires.
> >
> > 192.168.2.1 and 192.168.3.1 are setup to forward all other zones
> > than their domain names to 192.168.1.1
>
> Your Domain Controllers should be the DNS servers for any computer in that
> domain.  Forward any other queries to a recursive server (192.169.1.1?)
> which may or may not be authoritative for other domains.
>
> > if I have DNS server set for all machines in domainA to 192.168.2.1
> > all machines on domainA see any DNS changes to domainA immediately;
> > machines on domainB are cached and can take time to clear out.
> > And
> > if I have DNS server set for all machines in domainB to 192.168.3.1
> > all machines on domainB see any DNS changes to domainB immediately;
> > machines on domainA are cached and can take time to clear out.
>
>  Yep, that's how it works.
>
> > What is the best way to resolve this issue?
>
> Short TTLs in your domain controller DNS.
>
> --
>
>
> * Confidentiality Notice: This electronic message and any attachments may
> contain confidential or privileged information, and is intended only for
> the individual or entity identified above as the addressee. If you are not
> the addressee (or the employee or agent responsible to deliver it to the
> addressee), or if this message has been addressed to you in error, you are
> hereby notified that you may not copy, forward, disclose or use any part of
> this message or any attachments. Please notify the sender immediately by
> return e-mail or telephone and delete this message from your system.*
>

Re: Multiple AD domains

2016-07-27 Thread Jeff Sadowski
I'm going to try slaves like so

If I setup slave zones like so on 192.168.1.1

zone "domainA" IN { type slave; masters { 192.168.2.1; }; file "db.domainA"; };
zone "domainB" IN { type slave; masters { 192.168.3.1; }; file "db.domainB"; };

and in 192.168.2.1 and 192.168.3.1
in options

notify yes;
also-notify { 192.168.1.1; };
allow-transfer { 192.168.1.1; };

On Wed, Jul 27, 2016 at 1:20 PM, Jeff Sadowski 
wrote:

> I'm going to try slaves like so
>
> If I setup slave zones like so on 192.168.1.1
>
> zone "domainA" IN { type slave; masters { 192.168.2.1; }; file
> "db.domainA"; };
> zone "domainB" IN { type slave; masters { 192.168.3.1; }; file
> "db.domainB"; };
>
> and in 192.168.2.1 and 192.168.3.1
> in options
>
> notify yes;
> also-notify { 192.168.1.252; };
> allow-transfer { 192.168.1.252; };
>
>
> On Wed, Jul 27, 2016 at 1:11 PM,  wrote:
>
>> > From: Jeff Sadowski 
>>
>> > On the samba mailing list they described setting up the DC as the NS
>> > and forward to another machine for more rules.
>> > This will work fine for one domain. Now let's say I have 2 domains.
>> >
>> > If I setup forwarders like so on 192.168.1.1
>> >
>> > zone "domainA" IN { type forward; forward only; forwarders { 192.
>> > 168.2.1; }; };
>> > zone "domainB" IN { type forward; forward only; forwarders { 192.
>> > 168.3.1; }; };
>> >
>> > It will cache entries for each domain and if a computer gets a
>> > different address for dhcp it will update on the domain's DNS but
>> > the dns on 192.168.1.1 will have a cached entry until it expires.
>> >
>> > 192.168.2.1 and 192.168.3.1 are setup to forward all other zones
>> > than their domain names to 192.168.1.1
>>
>> Your Domain Controllers should be the DNS servers for any computer in
>> that domain.  Forward any other queries to a recursive server
>> (192.169.1.1?) which may or may not be authoritative for other domains.
>>
>> > if I have DNS server set for all machines in domainA to 192.168.2.1
>> > all machines on domainA see any DNS changes to domainA immediately;
>> > machines on domainB are cached and can take time to clear out.
>> > And
>> > if I have DNS server set for all machines in domainB to 192.168.3.1
>> > all machines on domainB see any DNS changes to domainB immediately;
>> > machines on domainA are cached and can take time to clear out.
>>
>>  Yep, that's how it works.
>>
>> > What is the best way to resolve this issue?
>>
>> Short TTLs in your domain controller DNS.
>>
>> --
>>
>>
>> * Confidentiality Notice: This electronic message and any attachments may
>> contain confidential or privileged information, and is intended only for
>> the individual or entity identified above as the addressee. If you are not
>> the addressee (or the employee or agent responsible to deliver it to the
>> addressee), or if this message has been addressed to you in error, you are
>> hereby notified that you may not copy, forward, disclose or use any part of
>> this message or any attachments. Please notify the sender immediately by
>> return e-mail or telephone and delete this message from your system.*
>>
>
>

Re: Multiple AD domains

2016-07-28 Thread Jeff Sadowski
Correct on the gist. All answers were extremely helpful. I am curious
about Vinícius Ferrão's query; I would like it to be more secure. I'll have
to read more on using GSS-TSIG with Kerberos. I seem to recall this is set
up by the Samba install of AD, but I'll have to look at it more closely, as
now I want to set up a slave DNS to the AD's DNS. I too will probably have
the same issue as Vinícius Ferrão.
Is the only good option for now to leave my server mostly open, accepting
from an IP which can be spoofed (I'm just doing this on a computer that is
unlikely to get hacked with a spoof)? I would like something that I could
take to business security. The only domains I have vulnerable are just a
few test ones that I can rebuild in a heartbeat.

On Thu, Jul 28, 2016 at 1:40 PM, Darcy Kevin (FCA)  wrote:

> Yes, I did misread the original post; thanks for clarifying.
>
>
>
> But, the gist of the question seemed to be about mitigating the effects of
> caching, for dynamically-changing data. At a high level, whether the zones
> are AD zones or not, whether the “master” is BIND or Microsoft DNS, doesn’t
> have a whole lot of bearing on that challenge. As should be obvious from
> what I proposed, I prefer the slaving+NOTIFY approach over setting up
> fragile forwarding arrangements.
>
>
>
> The other sledgehammer approach, of course, is to set the TTLs really low,
> but that can have a disastrous effect on performance/capacity, according to
> how frequently the dynamically-changing names are being queried. Of course,
> no amount of named.conf tweaking will help to mitigate the effects of
> caching that occurs on the clients themselves (e.g. “nscd” on some *nix
> platforms, Windows resolver cache for Windows). The only standards-based
> solution for that is to lower the TTLs. (Non-standards-based solutions
> include ugly stuff like running a script on every client to flush the cache
> every minute, ugh). But, as always, lowering TTLs, should be done, if at
> all, with one’s eyes open to the performance/capacity impact.
>
>
>
>
> - Kevin
>
>
>
>
>
>
>
>
> *--*
>
> Kevin Darcy
> NAFTA Information Security Projects
>
>
>
> FCA US LLC
>
> 1075 W Entrance Dr,
>
> Auburn Hills, MI 48326
>
> USA
>
>
>
> Telephone: +1 (248) 838-6601
> Mobile: +1 (810) 397-0103
>
> Email: kevin.da...@fcagroup.com
>
>
>
> *From:* Chris Buxton [mailto:cli...@buxtonfamily.us]
> *Sent:* Thursday, July 28, 2016 12:52 PM
> *To:* Darcy Kevin (FCA)
> *Cc:* bind-users@lists.isc.org
>
> *Subject:* Re: Multiple AD domains
>
>
>
> The OP's question was about setting up BIND, not MS DNS, related to using
> Samba, not Windows, as the domain controller.
>
>
>
> Regards,
>
> Chris
>
> Sent from my iPhone
>
>
> On Jul 27, 2016, at 12:36 PM, Darcy Kevin (FCA) 
> wrote:
>
> My preference? Have all your clients use BIND to resolve DNS (this gives
> access to more advanced features like sortlisting, good query logging,
> blacklisting/redirection through the RPZ mechanism, Anycast, etc.). Set up
> the BIND instances as slaves for the AD zones, and have the AD folks add
> the BIND instances to the apex NS records so that the DCs will trigger fast
> replication to BIND via the NOTIFY extension to the protocol.
>
>
>
> I’d never let a regular PC client use Microsoft DNS for resolving DNS.
> Perish the thought!
>
>
>
> Note that this approach, if implemented simply, doesn’t scale to large
> numbers of BIND instances (because you don’t want to add dozens or hundreds
> of apex NS records to the zone). Beyond a certain threshold, you’d want to
> set up a multi-level slaving/NOTIFY hierarchy on the BIND side…
>
>
>
>
> - Kevin
>
>
>
>
>
>
>
> 
>
> *--*
>
> Kevin Darcy
> NAFTA Information Security Projects
>
>
>
> FCA US LLC
>
> 1075 W Entrance Dr,
>
> Auburn Hills, MI 48326
>
> USA
>
>
>
> Telephone: +1 (248) 838-6601
> Mobile: +1 (810) 397-0103
>
> Email: kevin.da...@fcagroup.com
>
>
>
> *From:* bind-users [mailto:bind-users-boun...@lists.isc.org
> ] *On Behalf Of *Jeff Sadowski
> *Sent:* Wednesday, July 27, 2016 3:00 PM
> *To:* bind-users@lists.isc.org
> *Subject:* Re: Multiple AD domains
>
>
>
> should I setup 192.168.1.1 as slaves to these two domains would that fix
> it?
>
>
>
> On Wed, Jul 27, 2016 at 12:56 PM, Jeff Sadowski 
> wrote:
>
> On the samba mailing list they described setting up the DC as the NS
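
The slaving-plus-NOTIFY layout that Jeff, Kevin and the other replies above converge on, written out as one named.conf sketch. This is an added example for the thread, not configuration from any poster or from Samba/ISC; it keeps the thread's addresses (192.168.1.1 as the recursive server all clients use, 192.168.2.1 and 192.168.3.1 as the domain-controller masters) and zone names, and it assumes the DC-side DNS is BIND (for example Samba's BIND9_DLZ backend), since Microsoft DNS and Samba's internal DNS express the same things differently. The key name "xfer-key" and its secret are placeholders I made up; the secret is only the base64 encoding of a dummy string. It answers the point Jeff raises in his last message: the thread's `allow-transfer { 192.168.1.1; };` authorizes transfers by source address alone, whereas a TSIG key makes the authorization independent of where the request appears to come from.

```conf
# Added example for the bind-users thread above, not any poster's config.
# Hosts/zones are the thread's; key name and secret are placeholders.

# ---- present on all three servers: the shared TSIG key ----
# Generate a real secret with `tsig-keygen xfer-key`; the value below is
# just base64("placeholder-secret-replace-me") so that named-checkconf
# accepts the file. Replace it before use.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItc2VjcmV0LXJlcGxhY2UtbWU=";
};

# ---- on the DC-side masters (192.168.2.1 serves domainA, 192.168.3.1
#      serves domainB) ----
options {
    # As in the thread: push NOTIFY to the BIND slave so it refreshes at
    # once instead of waiting for the SOA refresh timer.
    notify yes;
    also-notify { 192.168.1.1 key "xfer-key"; };

    # Thread's version: source address is the only check.
    #   allow-transfer { 192.168.1.1; };
    # Hardened version: the AXFR/IXFR must carry a valid TSIG signature,
    # so a host that merely appears to be 192.168.1.1 gets REFUSED.
    allow-transfer { key "xfer-key"; };
};

# ---- on 192.168.1.1 (recursive server every client points at) ----
# Sign everything sent to the two masters (SOA checks, transfer requests).
server 192.168.2.1 { keys { "xfer-key"; }; };
server 192.168.3.1 { keys { "xfer-key"; }; };

zone "domainA" IN {
    type slave;
    masters { 192.168.2.1 key "xfer-key"; };
    file "db.domainA";
    # Only the real master may trigger an early refresh; anyone else's
    # NOTIFY is ignored rather than causing a transfer attempt.
    allow-notify { 192.168.2.1; };
};

zone "domainB" IN {
    type slave;
    masters { 192.168.3.1 key "xfer-key"; };
    file "db.domainB";
    allow-notify { 192.168.3.1; };
};
```

Split the file per host when deploying (the `options` block belongs to the masters, the `server` and `zone slave` blocks to 192.168.1.1) and run `named-checkconf` on each. Two caveats that follow from the thread's own discussion: the key above secures the server-to-server path (NOTIFY and zone transfer), which is a different mechanism from the GSS-TSIG that AD clients use for Kerberos-authenticated dynamic updates, so reading up on GSS-TSIG will not replace this key; and none of this helps with the client-side resolver caches Kevin mentions, where the record TTL is still the only standards-based lever.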

Re: 9.16 on older platforms

2020-03-19 Thread Jeff Wieland

James Brown wrote:

On 20 Mar 2020, at 6:53 am, Rick Dicaire  wrote:

Hi folks, I have found that new dependencies for 9.16 prevent it from being able to 
build on Slackware linux 14.2 (no ply or libuv).
(Yes, I'm aware I can do the additional steps of downloading, compiling, 
installing the deps, but that's not the point.)

It got me thinking, are there other platforms where 9.16 will no longer build 
due to those missing deps?

macOS 10.12.6 Sierra.

Had to install autotools, edit autogen.sh from libuv source + other things.

James.


Solaris 10 -- libuv missing, and libuv needs other packages.
I haven't had the time to get it all working yet.

--
Jeff Wieland, UNIX/Network Systems Administrator
Purdue University IT Infrastructure Services UNIX Platforms



Problem building BIND 9.11.23 on SPARC Solaris 10 w/ isc_atomic_xadd

2020-09-16 Thread Jeff Wieland

Compiling with Solaris Studio 12.4 on Solaris 10 for SPARC, I'm
getting the following error messages:

libtool: compile:  /opt/solarisstudio12.4/bin/cc -m32 -std=c99 -mt 
-I/opt/src/sys/bind/sun4u/bind-9.11.23 -I../.. -I./include 
-I../dns/include -I/opt/src/sys/bind/sun4u/bind-9.11.23/lib/dns/include 
-I../../lib/dns/include 
-I/opt/src/sys/bind/sun4u/bind-9.11.23/lib/isc/include -I../../lib/isc 
-I../../lib/isc/include -I../../lib/isc/unix/include 
-I../../lib/isc/pthreads/include -I../../lib/isc/noatomic/include 
-I../../lib/irs/include -I../../lib/irs/include 
-I/opt/openssl-1.1/include -D_REENTRANT -DOPENSSL -DVERSION=\"9.11.23\" 
-DSYSCONFDIR=\"/etc\" -D_XPG4_2 -D__EXTENSIONS__ -m32 -fast 
-xtarget=ultra -xarch=sparcvis -xO4 -I/usr/include/libxml2 -KPIC -c 
resolve.c  -KPIC -DPIC -o .libs/resolve.o
/bin/bash /opt/src/sys/bind/sun4u/bind-9.11.23/libtool --mode=link 
--tag=CC  /opt/solarisstudio12.4/bin/cc -m32 -std=c99 -mt -m32 -fast 
-xtarget=ultra -xarch=sparcvis -xO4 -I/usr/include/libxml2    -KPIC -s 
-o resolve \
resolve.lo ../irs/libirs.la ../dns/libdns.la   -lgss -lkrb5 
-L/opt/openssl-1.1/lib -R/opt/openssl-1.1/lib -R/opt/openssl-1.1/lib 
-lcrypto ../isccfg/libisccfg.la ../isc/libisc.la -lnsl -lsocket -lscf 
-lz -lrt -lpthread  -lxml2
libtool: link: /opt/solarisstudio12.4/bin/cc -m32 -std=c99 -mt -m32 
-fast -xtarget=ultra -xarch=sparcvis -xO4 -I/usr/include/libxml2 -KPIC 
-s -o .libs/resolve .libs/resolve.o ../irs/.libs/libirs.so 
../dns/.libs/libdns.so -L/opt/openssl-1.1/lib 
../isccfg/.libs/libisccfg.so 
/opt/src/sys/bind/sun4u/bind-9.11.23/lib/dns/.libs/libdns.so 
/opt/src/sys/bind/sun4u/bind-9.11.23/lib/isc/.libs/libisc.so -lgss 
-lkrb5 ../isc/.libs/libisc.so -lcrypto -lnsl -lsocket -lscf -lz -lrt 
-lpthread -lxml2 -mt -R/opt/bind-9.11.23-sun4u/lib -R/opt/openssl-1.1/lib
ld: warning: file 
/opt/src/sys/bind/sun4u/bind-9.11.23/lib/dns/.libs/libdns.so: linked to 
../dns/.libs/libdns.so: attempted multiple inclusion of file
ld: warning: file ../isc/.libs/libisc.so: linked to 
/opt/src/sys/bind/sun4u/bind-9.11.23/lib/isc/.libs/libisc.so: attempted 
multiple inclusion of file

Undefined   first referenced
 symbol in file
isc_atomic_xadd ../dns/.libs/libdns.so
ld: fatal: symbol referencing errors. No output written to .libs/resolve
gmake[2]: *** [resolve] Error 2
gmake[2]: Leaving directory 
`/opt/src/sys/bind/sun4u/bind-9.11.23/lib/samples'

gmake[1]: *** [subdirs] Error 1
gmake[1]: Leaving directory `/opt/src/sys/bind/sun4u/bind-9.11.23/lib'
gmake: *** [subdirs] Error 1

We build BIND 9.11.22 with the same configuration.
We had this same problem with BIND 9.11.14, which was fixed with a patch.

--
Jeff Wieland, UNIX Systems Administrator
Purdue University IT Infrastructure Services UNIX Platforms


