Your message
To:
Subject: bind-users Digest V6 #270
Sent: Wed Oct 13 04:05:53 2004


did not reach the following recipient(s):
vitaliy@home.grytsyuk.com on Wed Oct 13 04:05:53 2004

The e-mail account does not exist at the organization this message
was sent to. Check the e-mail address, or contact the recipient
directly to find out the correct address.



-- Attached file included as plaintext by Ecartis --

Reporting-MTA: dns; s1.home.grytsyuk.com

Final-Recipient: RFC822; vitaliy@home.grytsyuk.com
Action: failed
Status: 5.1.1
X-Supplementary-Info: s1.home.grytsyuk.com
X-Display-Name: vitaliy@home.grytsyuk.com




-- Attached file included as plaintext by Ecartis --

Thread-Topic: bind-users Digest V6 #270
Received: from mail pickup service by s1.home.grytsyuk.com with Microsoft SMTPSVC; Wed, 13 Oct 2004 04:05:45 -0400
X-Apparently-To: v_grytsyuk@yahoo.com via 66.218.79.92; Wed, 13 Oct 2004 00:52:27 -0700
X-Originating-IP: [204.152.184.167]
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Return-Path:
Received: from 204.152.184.167 (EHLO sf1.isc.org) (204.152.184.167) by mta422.mail.scd.yahoo.com with SMTP; Wed, 13 Oct 2004 00:52:21 -0700
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.181
Received: from rc3.isc.org (rc3.isc.org [IPv6:2001:4f8:3:bb::25]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by sf1.isc.org (Postfix) with ESMTP id 96E7F28532; Wed, 13 Oct 2004 07:52:08 +0000 (UTC) (envelope-from bind-users-bounce@isc.org)
Received: from rc3.isc.org (rc3.isc.org [204.152.187.25]) by rc3.isc.org (Postfix) with ESMTP id 8282C5C8F2; Wed, 13 Oct 2004 07:51:15 +0000 (UTC) (envelope-from bind-users-bounce@isc.org)
Received: with ECARTIS (v1.0.0; list bind-users); Wed, 13 Oct 2004 07:50:01 +0000 (UTC)
Date: Wed, 13 Oct 2004 07:50:01 +0000 (UTC)
From: "BIND Users Mailing List"
To: "bind-users digest users"
Subject: bind-users Digest V6 #270
Precedence: bulk
List-unsubscribe:
List-Id:
X-List-ID:
Message-ID: <20041013075115.8282C5C8F2@rc3.isc.org>
X-GFI-P2E: S1
X-OriginalArrivalTime: 13 Oct 2004 08:05:45.0667 (UTC) FILETIME=[71425930:01C4B0FB]

bind-users Digest Tue, 12 Oct 2004 Volume: 06 Issue: 270

In This Issue:
Re: 9.3.0 - (source 0.0.0.0#0): unexpected end of input
Re: 9.3.0 - (source 0.0.0.0#0): unexpected end of input
Re: 9.3.0 - (source 0.0.0.0#0): unexpected end of input
Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS
Refused notify from non-master messages
bind9 performance cannot ramp up cpus
dig +dnssec option
Re: dig +dnssec option
RE: installing bind
Re: bind9 performance cannot ramp up cpus
nameservers sharing IP
DNS Failover
Re: nameservers sharing IP
Re: DNS Failover
loopback IPs
Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS
Re: loopback IPs
different view for recursive & non-recursive clients
Fwd: Re: named error: expected prefix length near '4'
Going crazy! -- "Sending Notifies" not working on Redhat Enterprise
RE: Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS

----------------------------------------------------------------------

Date: Tue, 12 Oct 2004 11:44:56 +0400
From: Ladislav Vobr
Subject: Re: 9.3.0 - (source 0.0.0.0#0): unexpected end of input

Thanks for your time and help, Mark. Does the nameserver have to be EDNS
aware to do successful zone transfers with BIND 9.3.0? Do I have to
list all non-EDNS master servers in my named.conf to be able to do
zone transfers successfully?

Ladislav

Mark Andrews wrote:
>>12-Oct-2004 10:12:07.323 zone emirsal.com/IN: refresh: failure trying
>>master 213.42.49.107#53 (source 0.0.0.0#0): unexpected end of input
>>
>>
>>I am slave for this zone but I am unable to do a zone transfer successfully.
>>
>>dig axfr emirsal.com @213.42.49.107 is fine
>>dig soa emirsal.com @213.42.49.107 is fine
>>
>>and 9.2.3 bind can do the zone transfer successfully.
>>
>>could it be 9.3.0 only problem?
>>
>>could it be I am out of file descriptors/sockets for named?
>>
>>Ladislav

>
>
> When all else fails tcpdump is your friend.
>
> dig +dnssec soa emirsal.com @213.42.49.107
>
> Note the header says there is an additional record but
> there isn't one in the reply.
>
> Disable edns to this server.
>
> 17:04:29.779770 192.168.191.236.1965 > 213.42.49.107.53: 22363+ [1au] SOA? emirsal.com. (40)
> 4500 0044 6a1b 0000 4011 8963 c0a8 bfec
> d52a 316b 07ad 0035 0030 cd7b 575b 0100
> 0001 0000 0000 0001 0765 6d69 7273 616c
> 0363 6f6d 0000 0600 0100 0029 0800 0000
> 8000 0000
> 17:04:30.855358 213.42.49.107.53 > 192.168.191.236.1965: 22363* 1/0/1 SOA (106)
> 4500 0086 8747 0000 6911 42f5 d52a 316b
> c0a8 bfec 0035 07ad 0072 a5da 575b 8580
> 0001 0001 0000 0001 0765 6d69 7273 616c
> 0363 6f6d 0000 0600 01c0 0c00 0600 0100
> 000e 1000 4109 6375 7374 6f6d 646e 730a
> 6478 6263 7573 746f 6d73 0367 6f76 0261
> 6500 0d61 646d 696e 6973 7472 6174 6f72
> c033 0000 0002 0000 0384 0000 0258 0001
> 5180 0000 0e10
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org



------------------------------

From: Mark Andrews
Subject: Re: 9.3.0 - (source 0.0.0.0#0): unexpected end of input
Date: Tue, 12 Oct 2004 18:05:40 +1000


> Thanks for your time and help, Mark. Does the nameserver have to be EDNS
> aware to do successful zone transfers with BIND 9.3.0?


no.

> Do I have to
> list all non-EDNS master servers in my named.conf to be able to do
> zone transfers successfully?


No. The server in question is broken. It is sending malformed
answers.

> Ladislav
>
> Mark Andrews wrote:
> >>12-Oct-2004 10:12:07.323 zone emirsal.com/IN: refresh: failure trying
> >>master 213.42.49.107#53 (source 0.0.0.0#0): unexpected end of input
> >>
> >>
> >>I am slave for this zone but I am unable to do a zone transfer successfully.
> >>
> >>dig axfr emirsal.com @213.42.49.107 is fine
> >>dig soa emirsal.com @213.42.49.107 is fine
> >>
> >>and 9.2.3 bind can do the zone transfer successfully.
> >>
> >>could it be 9.3.0 only problem?
> >>
> >>could it be I am out of file descriptors/sockets for named?
> >>
> >>Ladislav

> >
> >
> > When all else fails tcpdump is your friend.
> >
> > dig +dnssec soa emirsal.com @213.42.49.107
> >
> > Note the header says there is an additional record but
> > there isn't one in the reply.
> >
> > Disable edns to this server.
> >
> > 17:04:29.779770 192.168.191.236.1965 > 213.42.49.107.53: 22363+ [1au] SOA? emirsal.com. (40)
> > 4500 0044 6a1b 0000 4011 8963 c0a8 bfec
> > d52a 316b 07ad 0035 0030 cd7b 575b 0100
> > 0001 0000 0000 0001 0765 6d69 7273 616c
> > 0363 6f6d 0000 0600 0100 0029 0800 0000
> > 8000 0000
> > 17:04:30.855358 213.42.49.107.53 > 192.168.191.236.1965: 22363* 1/0/1 SOA (106)
> > 4500 0086 8747 0000 6911 42f5 d52a 316b
> > c0a8 bfec 0035 07ad 0072 a5da 575b 8580
> > 0001 0001 0000 0001 0765 6d69 7273 616c
> > 0363 6f6d 0000 0600 01c0 0c00 0600 0100
> > 000e 1000 4109 6375 7374 6f6d 646e 730a
> > 6478 6263 7573 746f 6d73 0367 6f76 0261
> > 6500 0d61 646d 696e 6973 7472 6174 6f72
> > c033 0000 0002 0000 0384 0000 0258 0001
> > 5180 0000 0e10
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org

>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
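
A worked version of the check behind Mark's diagnosis, added here as an example (not code from the list, from ISC or from BIND): the script takes the tcpdump -x hex of the reply quoted above, strips the IP and UDP headers, walks the four DNS sections and compares what it actually finds with the counts the header claims. The dump text is copied verbatim into RESPONSE_DUMP; the function names are the example's own.

```python
# Added example (not code from the list, ISC or BIND): walk the reply quoted
# above and compare what is actually present with what the header claims.
import struct

# Constructed input: the reply packet from the tcpdump output above (IPv4 + UDP + DNS).
RESPONSE_DUMP = """
4500 0086 8747 0000 6911 42f5 d52a 316b
c0a8 bfec 0035 07ad 0072 a5da 575b 8580
0001 0001 0000 0001 0765 6d69 7273 616c
0363 6f6d 0000 0600 01c0 0c00 0600 0100
000e 1000 4109 6375 7374 6f6d 646e 730a
6478 6263 7573 746f 6d73 0367 6f76 0261
6500 0d61 646d 696e 6973 7472 6174 6f72
c033 0000 0002 0000 0384 0000 0258 0001
5180 0000 0e10
"""

class Truncated(ValueError):
    pass  # a field would start or end beyond the end of the message

def udp_payload(packet: bytes) -> bytes:
    """Drop the IPv4 header (length from IHL) and the 8-byte UDP header."""
    ihl = (packet[0] & 0x0F) * 4
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    if ihl + udp_len > len(packet):
        raise Truncated("UDP length field exceeds the captured bytes")
    return packet[ihl + 8:ihl + udp_len]

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise Truncated(f"name runs past end of message at offset {off}")
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if off + 2 > len(msg):
                raise Truncated("compression pointer cut short")
            end = off + 2 if end is None else end  # name ends after the first pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        if off + length > len(msg):
            raise Truncated("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def read_rr(msg: bytes, off: int):
    """Decode one resource record's fixed part; return (dict, offset after it)."""
    name, off = read_name(msg, off)
    if off + 10 > len(msg):
        raise Truncated(f"RR fixed fields run past end of message at offset {off}")
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if off + rdlen > len(msg):
        raise Truncated("RDATA runs past end of message")
    return {"name": name, "type": rtype, "ttl": ttl, "rdata_off": off, "rdlen": rdlen}, off + rdlen

def decode_soa(msg: bytes, rr: dict) -> dict:
    """Expand SOA RDATA (type 6), whose two names may use compression."""
    mname, off = read_name(msg, rr["rdata_off"])
    rname, off = read_name(msg, off)
    serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[off:off + 20])
    return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minimum": minimum}

def check_message(msg: bytes) -> dict:
    """Compare the header's section counts with the records actually present."""
    if len(msg) < 12:
        raise Truncated("message shorter than the 12-byte header")
    ident, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    report = {"id": ident, "claimed": (qd, an, ns, ar), "found": [0, 0, 0, 0],
              "records": [], "error": None}
    off = 12
    try:
        for _ in range(qd):
            _, off = read_name(msg, off)
            if off + 4 > len(msg):
                raise Truncated("question type/class cut short")
            off += 4
            report["found"][0] += 1
        for section, count in ((1, an), (2, ns), (3, ar)):
            for _ in range(count):
                rr, off = read_rr(msg, off)
                report["records"].append(rr)
                report["found"][section] += 1
        if off != len(msg):
            report["error"] = f"{len(msg) - off} trailing bytes after the last section"
    except Truncated as exc:
        report["error"] = str(exc)
    report["found"] = tuple(report["found"])
    return report

def analyze_dump(dump: str) -> dict:
    """tcpdump -x hex text in, consistency report (plus decoded SOAs) out."""
    msg = udp_payload(bytes.fromhex("".join(dump.split())))
    report = check_message(msg)
    report["soa"] = [decode_soa(msg, rr) for rr in report["records"] if rr["type"] == 6]
    return report
```

Calling `analyze_dump(RESPONSE_DUMP)` returns claimed counts (1, 1, 0, 1) but found counts (1, 1, 0, 0): the header promises one additional record while the message ends right after the SOA answer at byte 106, which is the inconsistency named reports as "unexpected end of input". The decoded SOA (customdns.dxbcustoms.gov.ae., serial 2) shows the answer section itself is intact, so a resolver that ignored the counts would have been none the wiser; a strict parser is what catches a broken server.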

------------------------------

Date: Tue, 12 Oct 2004 14:00:33 +0400
From: Ladislav Vobr
Subject: Re: 9.3.0 - (source 0.0.0.0#0): unexpected end of input

:-) Well, whatever it is, it is quite popular here :-) I will investigate
it more, but it seems to me they were fine with 9.2.3.

Ladislav

Mark Andrews wrote:
>>Thanks for your time and help, Mark. Does the nameserver have to be EDNS
>>aware to do successful zone transfers with BIND 9.3.0?

>
>
> no.
>
>
>> Do I have to
>>list all non-EDNS master servers in my named.conf to be able to do
>>zone transfers successfully?

>
>
> No. The server in question is broken. It is sending malformed
> answers.
>
>
>>Ladislav
>>
>>Mark Andrews wrote:
>>
>>>>12-Oct-2004 10:12:07.323 zone emirsal.com/IN: refresh: failure trying
>>>>master 213.42.49.107#53 (source 0.0.0.0#0): unexpected end of input
>>>>
>>>>
>>>>I am slave for this zone but I am unable to do a zone transfer successfully.
>>>>
>>>>dig axfr emirsal.com @213.42.49.107 is fine
>>>>dig soa emirsal.com @213.42.49.107 is fine
>>>>
>>>>and 9.2.3 bind can do the zone transfer successfully.
>>>>
>>>>could it be 9.3.0 only problem?
>>>>
>>>>could it be I am out of file descriptors/sockets for named?
>>>>
>>>>Ladislav
>>>
>>>
>>> When all else fails tcpdump is your friend.
>>>
>>> dig +dnssec soa emirsal.com @213.42.49.107
>>>
>>> Note the header says there is an additional record but
>>> there isn't one in the reply.
>>>
>>> Disable edns to this server.
>>>
>>> 17:04:29.779770 192.168.191.236.1965 > 213.42.49.107.53: 22363+ [1au] SOA? emirsal.com. (40)
>>> 4500 0044 6a1b 0000 4011 8963 c0a8 bfec
>>> d52a 316b 07ad 0035 0030 cd7b 575b 0100
>>> 0001 0000 0000 0001 0765 6d69 7273 616c
>>> 0363 6f6d 0000 0600 0100 0029 0800 0000
>>> 8000 0000
>>> 17:04:30.855358 213.42.49.107.53 > 192.168.191.236.1965: 22363* 1/0/1 SOA (106)
>>> 4500 0086 8747 0000 6911 42f5 d52a 316b
>>> c0a8 bfec 0035 07ad 0072 a5da 575b 8580
>>> 0001 0001 0000 0001 0765 6d69 7273 616c
>>> 0363 6f6d 0000 0600 01c0 0c00 0600 0100
>>> 000e 1000 4109 6375 7374 6f6d 646e 730a
>>> 6478 6263 7573 746f 6d73 0367 6f76 0261
>>> 6500 0d61 646d 696e 6973 7472 6174 6f72
>>> c033 0000 0002 0000 0384 0000 0258 0001
>>> 5180 0000 0e10
>>>
>>>--
>>>Mark Andrews, ISC
>>>1 Seymour St., Dundas Valley, NSW 2117, Australia
>>>PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org

>>

> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
>



------------------------------

Date: Tue, 12 Oct 2004 08:30:21 -0500 (CDT)
From: Barry Finkel
Subject: Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS

Mokwena Motseto wrote:

>> Do you know of any problems I might encounter if I migrate to Microsoft
>> DNS I don't what version it is, or if it has versions at all


phn@icke-reklam.ipsec.nu replied:

> You won't get support from this forum :-)


Sorry to disappoint Peter, but there have been discussions of the
interaction between MS W2k (or W2k+3) DNS Server and BIND
on this list (and on its now-defunct sister list bind9-users@isc.org).
Check the list archives. Discussions of BIND interoperability with
other DNS software are not off-topic for this list.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory
9700 South Cass Avenue
Building 222, Room D209
Argonne, IL 60439-4828
Phone: +1 (630) 252-7277
Facsimile: +1 (630) 252-4601
Internet: BSFinkel@anl.gov
IBMMAIL: I1004994


------------------------------

From: "Smith, William E. (Bill), Jr."
Subject: Refused notify from non-master messages
Date: Tue, 12 Oct 2004 10:15:01 -0400

Since upgrading a test server to 9.3.0, I have begun seeing the following
messages logged on my server that involve the same host.
general.log:12-Oct-2004 09:08:24.031 general: info: zone _msdcs.jhuapl.edu/IN/internet: refused notify from non-master: 128.244.47.217#60673
general.log:12-Oct-2004 09:15:05.566 general: info: zone 244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master: 128.244.47.217#60673
general.log:12-Oct-2004 09:33:47.530 general: info: zone 244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master: 128.244.47.217#60673
general.log:12-Oct-2004 09:52:54.630 general: info: zone 244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master: 128.244.47.217#60673
notify.log:12-Oct-2004 09:08:24.031 info: client 128.244.47.217#60673: view internet: received notify for zone '_msdcs.jhuapl.edu'
notify.log:12-Oct-2004 09:15:05.565 info: client 128.244.47.217#60673: view internet: received notify for zone '244.128.in-addr.arpa'
notify.log:12-Oct-2004 09:33:47.530 info: client 128.244.47.217#60673: view internet: received notify for zone '244.128.in-addr.arpa'
notify.log:12-Oct-2004 09:52:54.630 info: client 128.244.47.217#60673: view internet: received notify for zone '244.128.in-addr.arpa'

The host 128.244.47.217 is a DNS also running BIND but it is configured to
perform its zone transfers from other servers. I reviewed the named.conf
for this server and saw no references to my test server at all. Thus, I'm a
little confused as to why this host is attempting to send notifies to my
server when my test server is not configured as its master. It's only an
informational message so it's obviously not too serious but I would still
like to get a better understanding of exactly what is going on here and if
there is anything I can do to stop the logging of these messages.

Thanks,

Bill Smith

ISS Systems Server Group
Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Road
Laurel, MD 20723
Phone: 443-778-5523
Web: http://www.jhuapl.edu
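
An added example for sorting out logs like these (not BIND's code and not from the list): it parses the general.log and notify.log line formats quoted above, counts received and refused notifies per client and zone, and checks each source against a masters table, which is the rule a secondary applies before it logs "refused notify from non-master". The MASTERS table and its 192.0.2.1 address are a constructed placeholder, since the post does not show the test server's named.conf; the function names are the example's own.

```python
# Added example (not BIND's code): parse the two log formats quoted above,
# pair received/refused notifies per client and zone, and check the source
# against the zone's configured masters.
import re
from collections import Counter

# Constructed sample: the eight lines quoted in the post, unwrapped.
SAMPLE_LOG = """\
general.log:12-Oct-2004 09:08:24.031 general: info: zone _msdcs.jhuapl.edu/IN/internet: refused notify from non-master: 128.244.47.217#60673
general.log:12-Oct-2004 09:15:05.566 general: info: zone 244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master: 128.244.47.217#60673
general.log:12-Oct-2004 09:33:47.530 general: info: zone 244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master: 128.244.47.217#60673
general.log:12-Oct-2004 09:52:54.630 general: info: zone 244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master: 128.244.47.217#60673
notify.log:12-Oct-2004 09:08:24.031 info: client 128.244.47.217#60673: view internet: received notify for zone '_msdcs.jhuapl.edu'
notify.log:12-Oct-2004 09:15:05.565 info: client 128.244.47.217#60673: view internet: received notify for zone '244.128.in-addr.arpa'
notify.log:12-Oct-2004 09:33:47.530 info: client 128.244.47.217#60673: view internet: received notify for zone '244.128.in-addr.arpa'
notify.log:12-Oct-2004 09:52:54.630 info: client 128.244.47.217#60673: view internet: received notify for zone '244.128.in-addr.arpa'
"""

REFUSED = re.compile(
    r"^(?P<file>\S+?):(?P<ts>\S+ \S+) general: info: zone "
    r"(?P<zone>[^/]+)/(?P<class>\w+)/(?P<view>[^:\s]+): refused notify from non-master: "
    r"(?P<ip>[\d.]+)#(?P<port>\d+)$")
RECEIVED = re.compile(
    r"^(?P<file>\S+?):(?P<ts>\S+ \S+) info: client (?P<ip>[\d.]+)#(?P<port>\d+): "
    r"view (?P<view>[^:\s]+): received notify for zone '(?P<zone>[^']+)'$")

def parse_events(text: str) -> list:
    """One dict per matching line; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        for pattern, outcome in ((REFUSED, "refused"), (RECEIVED, "received")):
            m = pattern.match(line)
            if m:
                events.append({**m.groupdict(), "outcome": outcome})
                break
    for e in events:  # 244.128.IN-ADDR.ARPA and 244.128.in-addr.arpa are one zone
        e["zone"] = e["zone"].lower()
    return events

def summarize(events: list) -> dict:
    """Count outcomes per (client IP, zone) so a repeat source stands out."""
    counts = Counter((e["ip"], e["zone"], e["outcome"]) for e in events)
    summary = {}
    for (ip, zone, outcome), n in counts.items():
        summary.setdefault((ip, zone), {"received": 0, "refused": 0})[outcome] = n
    return summary

def would_accept(zone: str, source_ip: str, masters: dict, allow_notify=None) -> bool:
    """A secondary accepts NOTIFY for a zone only from that zone's configured
    masters or from addresses in its allow-notify list; anything else is the
    'refused notify from non-master' case. Inputs are plain dicts of lists here."""
    allowed = set(masters.get(zone, ())) | set((allow_notify or {}).get(zone, ()))
    return source_ip in allowed

# Constructed placeholder (not from the post): the test server is a secondary
# for both zones and lists only the documentation address 192.0.2.1 as master.
MASTERS = {"_msdcs.jhuapl.edu": ["192.0.2.1"], "244.128.in-addr.arpa": ["192.0.2.1"]}

def report(text: str = SAMPLE_LOG, masters: dict = MASTERS) -> list:
    """Rows of (client ip, zone, received, refused, accepted_by_config)."""
    rows = []
    for (ip, zone), c in sorted(summarize(parse_events(text)).items()):
        rows.append((ip, zone, c["received"], c["refused"], would_accept(zone, ip, masters)))
    return rows
```

With the placeholder table `report()` returns two rows, one per zone, each with three or one received/refused pairs and `accepted_by_config` False, matching the four refusals in the post: the notifies are all reaching the server and all being turned away because 128.244.47.217 is not a master for either zone.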







------------------------------

Subject: bind9 performance cannot ramp up cpus
Date: Tue, 12 Oct 2004 22:49:02 +0800
From: "yan, tommy (CSG-MKG-BJ)"

Hi,

This is a simple bind performance test case.

I'm using a 6 CPU HP Itanium HP-UX server (as bind server) for testing
bind performance, but can only ramp up to 4 CPUs, and thus it does not
generate fairly good performance.

I use BIND 9.2.0, HP-UX 11.23, and queryperf, which is the perf test tool
from ISC. The queryperf input file is around 60000 lines, and the named data only
has 10 records (so this is a simple test).

named.conf, nsswitch.conf, resolv.conf are also very simple; I'm sure
they point to the right DNS and resolve using DNS first.

It is interesting that each queryperf client (with 50 or more concurrent
threads) can only take up 1MB network throughput; I add more clients, and
get better performance. Clients are servers with dedicated LAN
connecting to the bind server. The test result is as below:

num. of clients    queries per second
      1                   7000
      3                  15000
      5                  25000

Monitoring with glance, the named wait event is stream and lan, system calls
mainly on message send/receive, while system tables are not full at all.
I've checked that the DNS service uses UDP sockets for communication, and
guess maybe the bottleneck resides on the network. So I tuned some socket
cache/connection parameters, but it does not improve much.

So, does anyone have any suggestions?
Thx.

------------------------------

Date: Tue, 12 Oct 2004 10:22:58 -0500
From: Jeff Stevens
Subject: dig +dnssec option

It is not obvious to me that DNSSEC needs EDNS as there is no mention of
EDNS in the DNSSEC RFC2535. Is there some reason the EDNS feature gets used
by calling out the +dnssec option?
--
Jeffrey Stevens

------------------------------

Subject: Re: dig +dnssec option
Date: Tue, 12 Oct 2004 17:02:04 +0100
From: Jim Reid

>>>>> "Jeff" == Jeff Stevens writes:


Jeff> It is not obvious to me that DNSSEC needs EDNS as there is
Jeff> no mention of EDNS in the DNSSEC RFC2535. Is there some
Jeff> reason the EDNS feature gets used by calling out the +dnssec
Jeff> option?

The +dnssec option to dig tells it to set the DO (DNSSEC OK) bit which
is in the EDNS0 OPT header. The DO bit is used to tell a server that
the client is DNSSEC-aware and, by implication, is willing to receive
DNSSEC RRtypes. RFC3225 -- Indicating Resolver Support of DNSSEC --
documents this.

DNSSEC-signed responses are *much* bigger than conventional DNS
replies because of the extra (and large) RR types that get returned:
RRSIGs, NSECs, DNSKEYs. These records and their associated data mean
the 512 byte limit on "normal" UDP replies is easily exceeded. So
rather than send truncated responses which result in retried queries
over TCP, it's best to use EDNS0. Clients can then tell the server
that they're able and willing to accept UDP replies bigger than 512
bytes. This is a Big Win for everyone. Most, if not all, clients that
are DNSSEC-aware will support EDNS0 anyway.
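
To make the EDNS0 part concrete, here is an added example (not dig's or BIND's code) that builds the OPT pseudo-record dig +dnssec attaches to a query and reads the DO bit and the advertised UDP payload size back out of it. The captured query from the 9.3.0 thread earlier in this digest is embedded as CAPTURED_QUERY so the layout can be checked against a real packet; the function names and the 2048-byte UDP size used for that comparison are the example's own choices.

```python
# Added example (not code from dig or BIND): build the EDNS0 OPT pseudo-record
# that dig +dnssec sends, and read the DO bit and UDP size back out of it.
import struct

TYPE_SOA, TYPE_OPT = 6, 41
DO_FLAG = 0x8000  # DO is bit 15 of the 16-bit EDNS flags word (RFC 3225)

# Constructed input: the 40-byte DNS payload of the query in the 9.3.0 thread
# earlier in this digest (everything after the IP and UDP headers).
CAPTURED_QUERY = bytes.fromhex("".join("""
575b 0100 0001 0000 0000 0001 0765 6d69 7273 616c
0363 6f6d 0000 0600 0100 0029 0800 0000 8000 0000
""".split()))

def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"

def opt_record(udp_size: int = 4096, dnssec_ok: bool = True) -> bytes:
    """OPT pseudo-RR (RFC 2671): root name, type 41; the CLASS field carries the
    sender's UDP payload size and the TTL field carries
    extended-rcode (8) | version (8) | flags (16), with DO as the top flag bit."""
    ext_rcode, version = 0, 0
    ttl = (ext_rcode << 24) | (version << 16) | (DO_FLAG if dnssec_ok else 0)
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)  # RDLENGTH 0

def build_query(qname: str, qtype: int, ident: int, edns: bool = True,
                udp_size: int = 4096, dnssec_ok: bool = True) -> bytes:
    """Recursion-desired query; ARCOUNT is 1 only when an OPT record is attached."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question + (opt_record(udp_size, dnssec_ok) if edns else b"")

def describe_opt(opt: bytes) -> dict:
    """Pull the advertised UDP size and the DO bit back out of an OPT record."""
    rtype, udp_size, ttl, _rdlen = struct.unpack("!HHIH", opt[1:11])
    if rtype != TYPE_OPT:
        raise ValueError("not an OPT record")
    return {"udp_size": udp_size, "ext_rcode": ttl >> 24,
            "version": (ttl >> 16) & 0xFF, "do": bool(ttl & DO_FLAG)}

def max_udp_reply(query: bytes) -> int:
    """How large a UDP reply the sender says it accepts: 512 bytes (RFC 1035)
    unless an OPT record advertises more. Assumes the query was built as above,
    with the 11-byte OPT record (no RDATA) as its last additional record."""
    if struct.unpack("!H", query[10:12])[0] == 0:  # ARCOUNT
        return 512
    return describe_opt(query[-11:])["udp_size"]
```

`build_query("emirsal.com", TYPE_SOA, 0x575B, udp_size=2048)` reproduces the captured query byte for byte: the same 29-byte header and question as a plain query, plus the 11-byte OPT record whose CLASS field says 2048 and whose TTL field has the DO bit set. With `edns=False` the same call yields the 29-byte query that "disable edns" produces, and `max_udp_reply` falls back to the 512-byte limit Jim describes.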

------------------------------

Subject: RE: installing bind
From: David Botham
Date: Tue, 12 Oct 2004 12:06:38 -0400

bind-users-bounce@isc.org wrote on 10/10/2004 03:37:15 AM:
> "Simon Dodd"
>
> > Jacob,
> > If you're going to also be administering the box as well as installing
> > it, the best advice you're going to get is to invest in a copy of "DNS
> > & BIND" by Albitz & Lie (O'Reilly , ISBN 0-596-00158-4). This book is
> > widely regarded as the Bible for DNS in general and BIND in
> > particular, and it covers everything you're likely to want or need to
> > know about getting BIND, installing it, configuring it and maintaining
> > it when it's running.
> >

>


[clipped rant that does not help anyone]

>
> So I look in there and find RESOLV.CONF.... hmmmm hold on a second
> there is a RESOLV.CONF in the install directory too...
> Which one is used, why and where does it say so???


You put resolv.conf in the location where your OS is going to use it.
However, NT does not use resolv.conf. I am not sure if the NT port of
BIND requires it though.

>
> Am I alone about being confused here or is the information simply
> intentionally confusing to prevent learning?
>
> Could someone PLEASE make a list of the files installed and where they
> really go, and preferably make a simple example with two or three
> domains in it? That would really truly help immensely and reduce the need for us
> newbies having to sit and scratch our heads asking the same questions a
> gazillion times.


I am not sure statements like this one, and others I have clipped from
this message, are going to do much to advance your position in this forum
or help you solve your problems.

Do not blame the people here for the complexities in the domain name
system and the software implementations that make it work.

People on this list are volunteers and provide help as a gimme; you might
find more help if you treat those about to help you with a little respect.
We all fought the same battles you are facing and have broken the code
over the years. Settle down and take your time... knowledge will
follow....



Dave...


>
> Thanks for reading this.
> Techie
>




------------------------------

From: Rick Jones
Subject: Re: bind9 performance cannot ramp up cpus
Date: Tue, 12 Oct 2004 17:41:13 GMT

"yan, tommy (CSG-MKG-BJ)" wrote:
> I'm using a 6 CPU HP Itanium HP-UX server (as bind server) for testing
> bind performance, but can only ramp up to 4 CPUs, and thus it does not
> generate fairly good performance.


which system are you using?

> I use BIND 9.2.0, HP-UX 11.23, and queryperf, which is the perf test


I think that isc.org is up to a 9.3.something.

> tool from ISC. The queryperf input file is around 60000 lines, and the named
> data only has 10 records (so this is a simple test).


> named.conf, nsswitch.conf, resolv.conf are also very simple; I'm
> sure they point to the right DNS and resolve using DNS first.


> It is interesting that each queryperf client (with 50 or more
> concurrent threads) can only take up 1MB network throughput; I add
> more clients, and get better performance.


Well, if there are a fixed number of threads and those threads will
only have so many queries outstanding at a time... (I don't know if
queryperf is synchronous or async wrt its generation of queries)

> Clients are servers with
> dedicated LAN connecting to bind server. The test result as below:


> num. of clients    queries per second
>       1                   7000
>       3                  15000
>       5                  25000


> Monitoring with glance, the named wait event is stream and lan, system
> calls mainly on message send/receive, while system tables are not
> full at all. I've checked that the DNS service uses UDP sockets for
> communication, and guess maybe the bottleneck resides on the network. So
> I tuned some socket cache/connection parameters, but it does not
> improve much.


What do you mean by socket cache? Anyhow, what sort of NIC are you
using in the 6-CPU server? Please be specific about model - take the
data from ioscan -fk | grep lan - don't just say 'Gigabit'

If you go to the 'a' screen of glance and look at per-CPU utilization
what do you see? Consider both user, kernel and interrupt time.

If you go to the process system calls page of glance "L" (IIRC) what
other system calls do you see besides the send/recv? (go ahead and
cut/paste the screen).

What happens if you add IP addresses to the server and spread the
queries across those IPs? Just adding IPs, not adding NICs.

rick jones
ftp://ftp.cup.hp.com/dist/networking/briefs/
--
oxymoron n, commuter in a gas-guzzling luxury SUV with an American flag
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to raj in cup.hp.com but NOT BOTH...

------------------------------

From: smilesinblues@hotpop.com (Jaunty Edward)
Subject: nameservers sharing IP
Date: 12 Oct 2004 03:13:15 -0700

Hi,
I wanted to ask if there is a way by which nameservers can share an IP.
I have seen many hosting companies giving nameservers for a low
amount. How can they do this if there is a limit of IPs in the world?
I am sure one day we will be left with no IPs.
So it will be nice if anyone can tell me: can nameservers share IPs,
and if yes, then is there any way to find out who is sharing what?


Thanks
Regards
Jaunty Edward

------------------------------

Date: Tue, 12 Oct 2004 11:01:45 +0200
From: Anthony Wilkins
Subject: DNS Failover

Hi, is there anybody who can help me in finding a solution to a problem
I have?

My web server is sometimes temporarily down and I want people to go to my
remote site where I have a backup web server. Can I change DNS on the
Internet fast enough for incoming requests to be handled by my redundant
web server? Normally I don't want traffic to go to the remote site.

Thanks, Anthony W.

------------------------------

Date: Tue, 12 Oct 2004 11:27:52 -0700
From: Steve Friedl
Subject: Re: nameservers sharing IP

On Tue, Oct 12, 2004 at 03:13:15AM -0700, Jaunty Edward wrote:
> I wanted to ask if there is a way by which nameservers can share an IP.
> I have seen many hosting companies giving nameservers for a low
> amount. How can they do this if there is a limit of IPs in the world?
> I am sure one day we will be left with no IPs.
> So it will be nice if anyone can tell me: can nameservers share IPs,
> and if yes, then is there any way to find out who is sharing what?


Well, only one nameserver *program* can run on a single IP, but one
nameserver can host as many domains as you like: hosting companies simply
add your zones into their existing servers.

Steve

--
Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve@unixwiz.net

------------------------------

Date: Tue, 12 Oct 2004 14:46:36 -0400
From: Greg Maccarone
Subject: Re: DNS Failover

On Tue, 12 Oct 2004 11:01:45 +0200, Anthony Wilkins
wrote:
> Hi, is there anybody who can help me in finding a solution to a problem
> I have?
>
> My web server is sometimes temporarily down and I want people to go to my
> remote site where I have a backup web server. Can I change DNS on the
> Internet fast enough for incoming requests to be handled by my redundant
> web server? Normally I don't want traffic to go to the remote site.
>
> Thanks, Anthony W.
>
>


A way this could be achieved with DNS is to have a low TTL on the host
entry that could be changing because of the outage. Then in most
cases it would take no longer than the specified TTL for the changes
to be seen throughout the rest of the world.

my $.02.

--
Greg Maccarone
gmaccarone@gmail.com

------------------------------

Date: Tue, 12 Oct 2004 11:53:29 -0700 (PDT)
From: Larry Adamiec
Subject: loopback IPs

I just installed BIND 9.3.0 on a Sun Sparc Solaris 9
machine. When running the make test, I was instructed
to run a shell script to install some loopback IPs
(see below). Now that I have BIND configured and
installed, are these IPs still needed? Can I safely
delete them?

Thanks in advance.

Larry Adamiec
Chicago-Kent College of Law

lo0:1: flags=1000849 mtu 8232 index 1
        inet 10.53.0.1 netmask ff000000

lo0:2: flags=1000849 mtu 8232 index 1
        inet 10.53.0.2 netmask ff000000

lo0:3: flags=1000849 mtu 8232 index 1
        inet 10.53.0.3 netmask ff000000

lo0:4: flags=1000849 mtu 8232 index 1
        inet 10.53.0.4 netmask ff000000

lo0:5: flags=1000849 mtu 8232 index 1
        inet 10.53.0.5 netmask ff000000

lo0:6: flags=1000849 mtu 8232 index 1
        inet 10.53.0.6 netmask ff000000






------------------------------

From: phn@icke-reklam.ipsec.nu
Subject: Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS
Date: Tue, 12 Oct 2004 20:11:37 +0000 (UTC)

Barry Finkel wrote:
> Mokwena Motseto wrote:


>>> Do you know of any problems I might encounter if I migrate to Microsoft
>>> DNS I don't what version it is, or if it has versions at all


> phn@icke-reklam.ipsec.nu replied:


>> You won't get support from this forum :-)


> Sorry to disappoint Peter, but there have been discussions of the
> interaction between MS W2k (or W2k+3) DNS Server and BIND
> on this list (and on its now-defunct sister list bind9-users@isc.org).


I know. Note the smiley above.

The very deep knowledge and discussions with "developers" are bind-specific. For
deeper knowledge of other software there are other places where authoritative
information is available.




--
Peter Hekanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.

------------------------------

From: phn@icke-reklam.ipsec.nu
Subject: Re: loopback IPs
Date: Tue, 12 Oct 2004 20:17:32 +0000 (UTC)

Larry Adamiec wrote:
> I just installed BIND 9.3.0 on a Sun Sparc Solaris 9
> machine. When running the make test, I was instructed
> to run a shell script to install some loopback IPs
> (see below). Now that I have BIND configured and
> installed, are these IPs still needed? Can I safely
> delete them?


Yes. ( they should have been removed by the test script)

Do you have the possibility to share the binaries with us?

--
Peter Hekanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.

------------------------------

Date: Tue, 12 Oct 2004 09:57:30 +0400
From: Ladislav Vobr
Subject: different view for recursive & non-recursive clients

I have a situation where I would like to have a different answer for
recursive and non-recursive clients; it basically simplifies the user
migration.

Is there any way this could be achieved? It would help me to show the
how-to-migrate page to the end users (recursive clients), while keeping
the real answer for the non-recursive clients (caching name servers).

Ladislav



------------------------------

Date: Tue, 12 Oct 2004 22:06:49 -0500
From: Flash
Subject: Fwd: Re: named error: expected prefix length near '4'

When using dig ns/soa +norec command, information for the
respective is returned and cached in the my-nets view.

Benu

; <<>> DiG 9.2.3 <<>> soa rescue911design.com @192.168.2.2
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46695
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rescue911design.com. IN SOA

;; Query time: 2 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Tue Oct 12 07:33:02 2004
;; MSG SIZE rcvd: 37


; <<>> DiG 9.2.3 <<>> soa rescue911design.com @127.0.0.1
;; global options: printcmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.2.3 <<>> soa rescue911design.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22504
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rescue911design.com. IN SOA

;; Query time: 2 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Tue Oct 12 07:33:53 2004
;; MSG SIZE rcvd: 37


; <<>> DiG 9.2.3 <<>> soa benu.widge.net @192.168.2.2
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55643
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;benu.widge.net. IN SOA

;; Query time: 20 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Tue Oct 12 07:34:06 2004
;; MSG SIZE rcvd: 32


; <<>> DiG 9.2.3 <<>> soa benu.widge.net @127.0.0.1
;; global options: printcmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.2.3 <<>> soa blkdiamonds.lan
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53132
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;blkdiamonds.lan. IN SOA

;; ANSWER SECTION:
blkdiamonds.lan. 259200 IN SOA ns1.blkdiamonds.lan.
root.blkdiamonds.lan. 200410103 28800 7200 2419200 86400

;; AUTHORITY SECTION:
blkdiamonds.lan. 259200 IN NS ns1.blkdiamonds.lan.

;; ADDITIONAL SECTION:
ns1.blkdiamonds.lan. 259200 IN A 192.168.2.2

;; Query time: 2 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Tue Oct 12 07:35:08 2004
;; MSG SIZE rcvd: 108


; <<>> DiG 9.2.3 <<>> ns blkdiamonds.lan
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59448
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;blkdiamonds.lan. IN NS

;; ANSWER SECTION:
blkdiamonds.lan. 259200 IN NS ns1.blkdiamonds.lan.

;; ADDITIONAL SECTION:
ns1.blkdiamonds.lan. 259200 IN A 192.168.2.2

;; Query time: 2 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Tue Oct 12 07:35:20 2004
;; MSG SIZE rcvd: 67

Host www.sendate.gov not found: 2(SERVFAIL)

; <<>> DiG 9.2.3 <<>> ns sendate.gov +norec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64062
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 0

;; QUESTION SECTION:
;sendate.gov. IN NS

;; AUTHORITY SECTION:
gov. 102904 IN NS B.GOV.ZONEEDIT.COM.
gov. 102904 IN NS C.GOV.ZONEEDIT.COM.
gov. 102904 IN NS D.GOV.ZONEEDIT.COM.
gov. 102904 IN NS E.GOV.ZONEEDIT.COM.
gov. 102904 IN NS F.GOV.ZONEEDIT.COM.
gov. 102904 IN NS G.GOV.ZONEEDIT.COM.
gov. 102904 IN NS A.GOV.ZONEEDIT.COM.

;; Query time: 2 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Tue Oct 12 07:45:32 2004
;; MSG SIZE rcvd: 157



Barry Margolin wrote on 10/11/2004, 6:31 PM:

> Could you provide some example queries that fail?
>
> If you try to look up something in rescue911design.com or benu.widge.net
> from your homelan, it won't use the data from the zone files, it should
> forward to the ISP nameservers. This is because you only list these
> zones in the external-nets view.





------------------------------

Date: Tue, 12 Oct 2004 23:45:56 -0700 (PDT)
From: raiden@wonko.inow.com
Subject: Going crazy! -- "Sending Notifies" not working on Redhat Enterprise

Hello,

Ok, I think I've pulled out most of my hair over the last few hours.

I have used Bind 9.2.1 with various flavors of Redhat for a while, and
have had no problems. However, I am having problems with zone
transfers and the default installation of Bind 9.2.4rc6 in RHEL v3,
and I believe that it has to do with notifies not occurring. (When I
say default installation, it is the installation that comes with RHEL
Workstation, and is not "supported" by Redhat.)

I have two servers, one the master, the second the slave. When the
slave starts up, if none of the zones have been downloaded from the
master, it successfully downloads them. Both DNS servers seem to be
fully operational. That's the good part.

The bad part is, when I restart the master server, it says in the
messages log that it is sending notifies, but none seem to be being
sent. (There are no errors in the logs.) I have udp and tcp port 53
open for all traffic on both servers, but I have also tried this with
the firewalls disabled.

I have sniffed traffic on both machines, and I do not see any
notification traffic at all (I believe it should be tcp traffic over
port 53, but I don't see any traffic whatsoever when it claims it's
"sending notifies").

However, when the refresh timeout is reached, the slave server DOES
poll the master server, and DOES successfully download the new zone
file.

Has anyone else experienced such a problem?

Below are my named.custom configuration files (that are read by
named.conf as per RHEL's configuration file setup):

## master -- 64.71.162.42
options {
query-source address * port 53;
directory "/var/named";
pid-file "/var/run/named/named.pid";
allow-transfer { 64.71.162.46; };
};


logging {
category lame-servers { null; };
};

zone "myvemma.com" IN {
type master;
file "db.myvemma.com";
};

zone "subnet40.162.71.64.in-addr.arpa" {
type master;
file "db.64.71.162.40";
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "db.127.0.0";
allow-update { none; };
};

zone "." {
type hint;
file "db.cache";
};


## slave -- 64.71.162.46
options {
query-source address * port 53;
directory "/var/named";
pid-file "/var/run/named/named.pid";
};

logging {
category lame-servers { null; };
};

zone "myvemma.com" IN {
type slave;
file "slaves/bak.myvemma.com";
masters { 64.71.162.42; };
};

zone "subnet40.162.71.64.in-addr.arpa" {
type slave;
file "slaves/bak.64.71.162.40";
masters { 64.71.162.42; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "db.127.0.0";
allow-update { none; };
};

zone "." {
type hint;
file "db.cache";
};

## zone file on master
$TTL 3h
myvemma.com. IN SOA ns1.myvemma.com. support.myvemma.com. (
2004101101 ; serial
3h ; refresh after 3 hours
1h ; retry after 1 hour
1w ; expire after 1 week
1h ) ; negative caching TTL of 1 hour

myvemma.com. IN NS ns1.myvemma.com.
myvemma.com. IN NS ns2.myvemma.com.

;
; host addresses
;
localhost.myvemma.com. IN A 127.0.0.1
web01.myvemma.com. IN A 64.71.162.46
web02.myvemma.com. IN A 64.71.162.42
myvemma.com. IN A 64.71.162.46

myvemma.com. IN MX 0 myvemma.com.

www.myvemma.com. IN CNAME myvemma.com.
ns1.myvemma.com. IN CNAME web01.myvemma.com.
ns2.myvemma.com. IN CNAME web02.myvemma.com.


Any assistance with this is much, much appreciated!

Thank you,
-Raiden Johnson
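Two things a practitioner would check against the post above, as an added example (not code from the post or from BIND, and the zone text embedded in it is a constructed copy of the one posted): first, where named would actually send NOTIFY for the myvemma.com zone. BIND 9 notifies every NS of the zone except the one named in the SOA MNAME field (the master itself), and it needs an address for each remaining NS name; RFC 2181 section 10.3 forbids an NS target that is a CNAME, and both ns1 and ns2 in the posted zone are CNAMEs. Second, what the NOTIFY looks like on the wire: it is a DNS message with opcode 4 (RFC 1996) that named sends as a UDP datagram to port 53, so a capture that only watches TCP 53 will never show it. The parser is deliberately simplified (absolute owner names, no $ORIGIN, only numeric TTLs tolerated in the record itself); function names and the "status" strings are this example's own.

```python
"""Added example: check the NOTIFY targets of a BIND zone and build/decode
the NOTIFY message itself so it can be compared with a packet capture.
Not from the bind-users post and not BIND's own code."""
import struct

# Constructed copy of the zone file posted for myvemma.com.
ZONE_TEXT = """\
$TTL 3h
myvemma.com. IN SOA ns1.myvemma.com. support.myvemma.com. (
2004101101 ; serial
3h ; refresh after 3 hours
1h ; retry after 1 hour
1w ; expire after 1 week
1h ) ; negative caching TTL of 1 hour

myvemma.com. IN NS ns1.myvemma.com.
myvemma.com. IN NS ns2.myvemma.com.

localhost.myvemma.com. IN A 127.0.0.1
web01.myvemma.com. IN A 64.71.162.46
web02.myvemma.com. IN A 64.71.162.42
myvemma.com. IN A 64.71.162.46
myvemma.com. IN MX 0 myvemma.com.
www.myvemma.com. IN CNAME myvemma.com.
ns1.myvemma.com. IN CNAME web01.myvemma.com.
ns2.myvemma.com. IN CNAME web02.myvemma.com.
"""

NOTIFY_OPCODE = 4          # RFC 1996
TYPE_SOA, CLASS_IN = 6, 1


def parse_zone(text):
    """Return (owner, type, rdata-fields) tuples.  Comments are stripped,
    a parenthesised record is joined into one logical record, $-directives
    are ignored and an optional numeric TTL / class IN before the type is
    tolerated.  Names are lower-cased so they compare reliably."""
    records, buf = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        buf = (buf + " " + line).strip()
        if "(" in buf and ")" not in buf:
            continue                      # still inside a multi-line record
        fields = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        i = 1
        if fields[i].isdigit():
            i += 1
        if fields[i].upper() == "IN":
            i += 1
        records.append((fields[0].lower(), fields[i].upper(),
                        [f.lower() for f in fields[i + 1:]]))
    return records


def notify_targets(records, zone):
    """One (nsname, status, addresses) per NS of `zone` that named would
    try to notify.  The SOA MNAME (the master itself) is skipped.  An NS
    name that is a CNAME breaks RFC 2181 section 10.3 and gives named no
    address record to send to; status strings are this example's own."""
    zone = zone.lower()
    mname = next((d[0] for o, t, d in records if o == zone and t == "SOA"), None)
    out = []
    for owner, rtype, rdata in records:
        if owner != zone or rtype != "NS" or rdata[0] == mname:
            continue
        ns = rdata[0]
        rrs = [(t, d) for o, t, d in records if o == ns]
        if any(t == "CNAME" for t, _ in rrs):
            out.append((ns, "cname-violates-rfc2181", []))
        else:
            addrs = [d[0] for t, d in rrs if t in ("A", "AAAA")]
            out.append((ns, "ok" if addrs else "no-address-in-zone", addrs))
    return out


def encode_name(name):
    """DNS wire-format name (uncompressed labels, root terminator)."""
    wire = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in name.rstrip(".").split("."))
    return wire + b"\x00"


def build_notify(zone, msg_id=0x1234):
    """The NOTIFY a master sends for `zone`: opcode 4, AA set, one question
    of type SOA.  named sends it as one UDP datagram to port 53 of each
    target, so a capture filter has to include UDP, not only TCP."""
    flags = (NOTIFY_OPCODE << 11) | (1 << 10)        # QR=0, AA=1
    header = struct.pack("!6H", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def decode_question(packet):
    """(opcode, is_response, qname, qtype) of a DNS packet carrying a
    question; opcode 4 picks NOTIFY out of a capture of port-53 traffic."""
    _, flags, qdcount, _, _, _ = struct.unpack("!6H", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return (flags >> 11) & 0xF, bool(flags & 0x8000), ".".join(labels) + ".", qtype


def is_notify(packet):
    return decode_question(packet)[0] == NOTIFY_OPCODE


if __name__ == "__main__":
    for ns, status, addrs in notify_targets(parse_zone(ZONE_TEXT), "myvemma.com."):
        print(f"{ns:20} {status:24} {addrs}")
    pkt = build_notify("myvemma.com.")
    print(pkt.hex(), decode_question(pkt))
```

Run against the posted zone, the only non-MNAME NS (ns2.myvemma.com.) comes back as a CNAME target with no address, which is the first thing to fix before chasing firewalls; swapping the two CNAME lines for A records pointing at web01/web02's addresses makes it report "ok". The hex printed for the NOTIFY is what to look for in a UDP capture on the master after a restart.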

------------------------------

Subject: RE: Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS
Date: Wed, 13 Oct 2004 09:02:08 +0200
From: "Mokwena Motseto"

Hi

Sorry for the misunderstanding.

I was not looking for support; I was just asking people who have
been in the same situation that I am in now

what influenced their decision to choose whatever they chose to go with.


-----Original Message-----
From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On
Behalf Of phn@icke-reklam.ipsec.nu
Sent: 11 October 2004 21:21
To: comp-protocols-dns-bind@isc.org
Subject: Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS

Mokwena Motseto wrote:
> Hi

> We are currently running BIND 4.9 and we are under pressure to migrate
> at least to version 8 or 9

> But there is a possibility of moving to a microsoft DNS on windows
> 2003

> Our ISP's who host secondary zones for our domains are running BIND
> ver 9

> What I want you guys to help me out with is the following

> Do you know of any problems I might encounter if I migrate to BIND ver
> 9 (latest)


There are migration note(s) in the bind-9 distribution kit. Download and
read them.

Most stuff is about rfc-conformance: bind-4 might accept things that are
against standards that bind-9 will complain about. It's no argument
against bind-9, it's an argument for correcting faulty configs.

Why don't you download, build and start it up on a test machine until you
feel familiar with the software.

> Do you know of any problems I might encounter if I migrate to
> Microsoft DNS? I don't know what version it is, or if it has versions at all


You won't get support from this forum :-)



> Mokwena Motseto



-- 
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.


------------------------------

End of bind-users Digest V6 #270
********************************