Your message
Subject: bind-users Digest V6 #271
Sent: Thu Oct 14 04:05:56 2004


did not reach the following recipient(s):
vitaliy@home.grytsyuk.com on Thu Oct 14 04:05:56 2004

The e-mail account does not exist at the organization this message
was sent to. Check the e-mail address, or contact the recipient
directly to find out the correct address.



-- Attached file included as plaintext by Ecartis --

Reporting-MTA: dns; s1.home.grytsyuk.com

Final-Recipient: RFC822; vitaliy@home.grytsyuk.com
Action: failed
Status: 5.1.1
X-Supplementary-Info: s1.home.grytsyuk.com
X-Display-Name: vitaliy@home.grytsyuk.com




-- Attached file included as plaintext by Ecartis --

Thread-Topic: bind-users Digest V6 #271
Received: from mail pickup service by s1.home.grytsyuk.com with Microsoft SMTPSVC; Thu, 14 Oct 2004 04:05:45 -0400
X-Apparently-To: v_grytsyuk@yahoo.com via 66.218.79.90; Thu, 14 Oct 2004 00:52:32 -0700
X-Originating-IP: [204.152.184.167]
Received: from 204.152.184.167 (EHLO sf1.isc.org) (204.152.184.167) by mta396.mail.scd.yahoo.com with SMTP; Thu, 14 Oct 2004 00:52:32 -0700
Received: from rc3.isc.org (rc3.isc.org [IPv6:2001:4f8:3:bb::25]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by sf1.isc.org (Postfix) with ESMTP id 6F53C28522; Thu, 14 Oct 2004 07:52:17 +0000 (UTC) (envelope-from bind-users-bounce@isc.org)
Received: from rc3.isc.org (rc3.isc.org [204.152.187.25]) by rc3.isc.org (Postfix) with ESMTP id 877875C8FF; Thu, 14 Oct 2004 07:51:25 +0000 (UTC) (envelope-from bind-users-bounce@isc.org)
Received: with ECARTIS (v1.0.0; list bind-users); Thu, 14 Oct 2004 07:50:00 +0000 (UTC)
Date: Thu, 14 Oct 2004 07:50:00 +0000 (UTC)
From: "BIND Users Mailing List"
To: "bind-users digest users"
Subject: bind-users Digest V6 #271
Precedence: bulk
Message-ID: <20041014075125.877875C8FF@rc3.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

bind-users Digest Wed, 13 Oct 2004 Volume: 06 Issue: 271

In This Issue:
Migration from BIND 4.9 to 9.2 or Microsoft DNS
Re: Going crazy! -- "Sending Notifies" not working on Redhat
Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS
Re: Going crazy! -- "Sending Notifies" not working on Redhat
Re: named error: expected prefix length near '4'
Re: Refused notify from non-master messages
Re: Bind9 + PPP problem
Re: allow-query and version.bind
RE: Refused notify from non-master messages
Re: allow-query and version.bind
Re: allow-query and version.bind
Re: Going crazy! -- "Sending Notifies" not working on Redhat
Re: Going crazy! -- "Sending Notifies" not working on Redhat
Looking for stats
Undeliverable: bind-users Digest V6 #270
RE: installing bind
Going crazy! -- "Sending Notifies" not working on Redhat Ent
RE: installing bind
Re: nameservers sharing IP
my secondary ns won't answer external queries
Re: my secondary ns won't answer external queries
Re: nameservers sharing IP
Re: my secondary ns won't answer external queries
Re: my secondary ns won't answer external queries

----------------------------------------------------------------------

Subject: Migration from BIND 4.9 to 9.2 or Microsoft DNS
Date: Wed, 13 Oct 2004 14:25:51 +0200
From: "Mokwena Motseto"

Hi

We are currently running BIND 4.9 and we are under pressure to migrate
at least to version 8 or 9.

But there is a possibility of moving to Microsoft DNS on Windows 2003.

Our ISPs, who host secondary zones for our domains, are running BIND
version 9.

What I want you guys to help me out with is the following:

Do you know of any problems I might encounter if I migrate to BIND version 9
(latest)?

Do you know of any problems I might encounter if I migrate to Microsoft
DNS? I don't know what version it is, or if it has versions at all.



Mokwena Motseto

------------------------------

From: Ronan Flood
Subject: Re: Going crazy! -- "Sending Notifies" not working on Redhat Enterpris
Date: 13 Oct 2004 12:41:58 GMT

raiden@wonko.inow.com wrote:

> I have used Bind 9.2.1 with various flavors of Redhat for a while, and
> have had no problems. However, I am having problems with zone
> transfers and the default installation of Bind 9.2.4rc6 in RHEL v3,
> and I believe that it has to do with notifies not occurring. (When I
> say default installation, it is the installation that comes with RHEL
> Workstation, and is not "supported" by Redhat.)
>
> I have two servers, one the master, the second the slave. When the
> slave starts up, if none of the zones have been downloaded from the
> master, it successfully downloads them. Both DNS servers seem to be
> fully operational. That's the good part.
>
> The bad part is, when I restart the master server, it says in the
> messages log that it is sending notifies, but none seem to be being
> sent. (There are no errors in the logs.) I have udp and tcp port 53
> open for all traffic on both servers, but I have also tried this with
> the firewalls disabled.
>
> I have sniffed traffic on both machines, and I do not see any
> notification traffic at all (I believe it should be tcp traffic over
> port 53, but I don't see any traffic what-so-ever when it claims it's
> "sending notifies").


Notifies are sent over UDP.

> However, when the refresh timeout is reached, the slave server DOES
> poll the master server, and DOES successfully download the new zone
> file.
>
> Has anyone else experienced such a problem?
>
> Below are my named.custom configuration files (that are read by
> named.conf as per RHEL's configuration file setup):
>
> ## master -- 64.71.162.42
> options {
> query-source address * port 53;
> directory "/var/named";
> pid-file "/var/run/named/named.pid";
> allow-transfer { 64.71.162.46; };
> };
>
>
> logging {
> category lame-servers { null; };
> };
>
> zone "myvemma.com" IN {
> type master;
> file "db.myvemma.com";
> };
>
> zone "subnet40.162.71.64.in-addr.arpa" {
> type master;
> file "db.64.71.162.40";
> };
>
> zone "0.0.127.in-addr.arpa" IN {
> type master;
> file "db.127.0.0";
> allow-update { none; };
> };
>
> zone "." {
> type hint;
> file "db.cache";
> };
>
>
> ## slave -- 64.71.162.46
> options {
> query-source address * port 53;
> directory "/var/named";
> pid-file "/var/run/named/named.pid";
> };
>
> logging {
> category lame-servers { null; };
> };
>
> zone "myvemma.com" IN {
> type slave;
> file "slaves/bak.myvemma.com";
> masters { 64.71.162.42; };
> };
>
> zone "subnet40.162.71.64.in-addr.arpa"{
> type slave;
> file "slaves/bak.64.71.162.40";
> masters { 64.71.162.42; };
> };
>
> zone "0.0.127.in-addr.arpa" IN {
> type master;
> file "db.127.0.0";
> allow-update { none; };
> };
>
> zone "." {
> type hint;
> file "db.cache";
> };
>
> ## zone file on master
> $TTL 3h
> myvemma.com. IN SOA ns1.myvemma.com. support.myvemma.com. (
> 2004101101 ; serial
> 3h ; refresh after 3 hours
> 1h ; retry after 1 hour
> 1w ; expire after 1 week
> 1h ) ; negative caching TTL of 1 hour
>
> myvemma.com. IN NS ns1.myvemma.com.
> myvemma.com. IN NS ns2.myvemma.com.


> web01.myvemma.com. IN A 64.71.162.46
> web02.myvemma.com. IN A 64.71.162.42


> ns1.myvemma.com. IN CNAME web01.myvemma.com.
> ns2.myvemma.com. IN CNAME web02.myvemma.com.


Possibly having your NS records as CNAMEs (which you should not have)
is not doing you any favours ...

Could you rewrite this as:

ns1.myvemma.com. IN A 64.71.162.46
ns2.myvemma.com. IN A 64.71.162.42

web01.myvemma.com. IN CNAME ns1.myvemma.com.
web02.myvemma.com. IN CNAME ns2.myvemma.com.

and see if that helps? Are the NS records for zone
subnet40.162.71.64.in-addr.arpa also ns1/ns2.myvemma.com?

--
Ronan Flood
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)

------------------------------

Date: Wed, 13 Oct 2004 07:56:11 -0500 (CDT)
From: Barry Finkel
Subject: Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS

"Mokwena Motseto" wrote:

>Hi
>
>Sorry for the misunderstanding
>
>I was not looking for support, I was just asking from people, who have
>been in the same situation that I am in now
>
>What influenced their decision to choose what ever they chose to go
>with


My feeling from reading postings on this list for a number of years
is that most people who are currently using BIND will stick with BIND.
In general, there is a mistrust of MS code. There were
interoperability problems with BIND and MS W2k DNS a few years ago, but
I have experienced no major problems since August 2002, when MS
resolved my last major problem. I use MS W2k+3 DNS mainly for the
AD-related zones, where I want the AD-integrated security of the DDNS.
I do have one forward zone and its five reverse zones on the MS DNS
Server, all under the control of a MS DHCP Server.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 222, Room D209 Internet: BSFinkel@anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994


------------------------------

From: Ronan Flood
Subject: Re: Going crazy! -- "Sending Notifies" not working on Redhat Enterpris
Date: 13 Oct 2004 13:11:08 GMT


raiden@wonko.inow.com wrote:

Sorry, just noticed something else ...

> ## master -- 64.71.162.42


> allow-transfer { 64.71.162.46; };


> ## zone file on master
> $TTL 3h
> myvemma.com. IN SOA ns1.myvemma.com. support.myvemma.com. (


> myvemma.com. IN NS ns1.myvemma.com.
> myvemma.com. IN NS ns2.myvemma.com.


> web01.myvemma.com. IN A 64.71.162.46
> web02.myvemma.com. IN A 64.71.162.42


> ns1.myvemma.com. IN CNAME web01.myvemma.com.
> ns2.myvemma.com. IN CNAME web02.myvemma.com.


When deciding which servers to notify, the master will ignore the
server mentioned in the SOA as the primary server. In your case,
that would be ns1 which (indirectly) has address 64.71.162.46, which
appears to be your slave! Have you got the addresses for ns1/ns2
the wrong way around?

--
Ronan Flood
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)

------------------------------

From: Ronan Flood
Subject: Re: named error: expected prefix length near '4'
Date: 13 Oct 2004 13:27:21 GMT

On 11 Oct 2004 12:11:08 -0700, flashl@bigfoot.com (Benu) wrote:

> All files passed named-checkconf, and named-checkzone, there are no
> complaints in /var/log/messages or audit_log. My configuration files
> are:
>
> --/etc/named.conf
> // generated by named-bootconf.pl
> acl my-nets {
> 192.168.2.0/24;
> 127.0.0.1/24;
> localhost;
> };
> acl xfer {
> none;
> };
> acl external-ns {
> 68.105.161.20; //Cable NS1
> 68.1.18.25; //Cable NS2
> };
> acl bogus-net3 {
> 208.0.0.0/4;
> 200.0.0.0/5;
> 196.0.0.0/6;
> 194.0.0.0/7;
> 193.0.0.0/8;
> };
> acl bogus-net2 {
> 0.0.0.0/3;
> 16.0.0.0/3;
> 64.0.0.0/3;
> 96.0.0.0/3;
> 128.0.0.0/3;
> 160.0.0.0/3;
> };


Where did you get the interesting list of address blocks in bogus-net2
and bogus-net3? I'm currently sitting within 128.86/16 (and therefore
within 128/3), and it most certainly isn't bogus.

Also, 64.0.0.0/3 will include 68.105.161.20 and 68.1.18.25, your
"external-ns" machines which are also your forwarders, so you
appear to be blackholing them!

> acl bogus-net1 {
> 0.0.0.0/8;
> 1.0.0.0/8;
> 2.0.0.0/8;
> 192.0.2.0/24;
> 224.0.0.0/3;
> 10.0.0.0/8;
> 172.16.0.0/16;
> };
>
> logging {
> [snip]
> };
>
> options {
> blackhole {
> bogus-net1;
> bogus-net2;
> bogus-net3;
> };
> directory "/var/named/";
> cleaning-interval 30;
> allow-query { "my-nets"; "external-ns"; };
> allow-recursion { "my-nets"; };
> forward first;
> forwarders {
> 68.105.161.20; //Cable NS1
> 68.1.18.25; //Cable NS2
> };


--
Ronan Flood
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)

------------------------------

From: Ronan Flood
Subject: Re: Refused notify from non-master messages
Date: 13 Oct 2004 13:47:08 GMT

On Tue, 12 Oct 2004 10:15:01 -0400,
"Smith, William E. (Bill), Jr." wrote:

> Since upgrading a test server to 9.3.0, I have begun seeing the following
> messages logged on my server that involve the same host.
> general.log:12-Oct-2004 09:08:24.031 general: info: zone
> _msdcs.jhuapl.edu/IN/internet: refused notify from non-master:
> 128.244.47.217#60673
> general.log:12-Oct-2004 09:15:05.566 general: info: zone
> 244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master:
> 128.244.47.217#60673
> general.log:12-Oct-2004 09:33:47.530 general: info: zone
> 244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master:
> 128.244.47.217#60673
> general.log:12-Oct-2004 09:52:54.630 general: info: zone
> 244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master:
> 128.244.47.217#60673
> notify.log:12-Oct-2004 09:08:24.031 info: client 128.244.47.217#60673: view
> internet: received notify for zone '_msdcs.jhuapl.edu'
> notify.log:12-Oct-2004 09:15:05.565 info: client 128.244.47.217#60673: view
> internet: received notify for zone '244.128.in-addr.arpa'
> notify.log:12-Oct-2004 09:33:47.530 info: client 128.244.47.217#60673: view
> internet: received notify for zone '244.128.in-addr.arpa'
> notify.log:12-Oct-2004 09:52:54.630 info: client 128.244.47.217#60673: view
> internet: received notify for zone '244.128.in-addr.arpa'
>
> The host 128.244.47.217 is a DNS also running BIND but it is configured to
> perform its zone transfers from other servers. I reviewed the named.conf
> for this server and saw no references to my test server at all. Thus, I'm a
> little confused as to why this host is attempting to send notifies to my
> server when my test server is not configured as its master. It's only an
> informational message so it's obviously not too serious but I would still
> like to get a better understanding of exactly what is going on here and if
> there is anything I can do to stop the logging of these messages.


Is your test server listed as a nameserver for the zones _msdcs.jhuapl.edu
and 244.128.in-addr.arpa? Notifies go out to all the nameservers for the
zone, except the primary in the SOA, unless modified by named.conf settings.

--
Ronan Flood
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)
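
Added example, not from the thread and not BIND's code: a minimal zone-file parser run over the master's zone as Raiden posted it and over a corrected copy, implementing the two rules Ronan's replies rest on. First, RFC 2181 section 10.3: the name in an NS record must not be a CNAME alias. Second, BIND's default NOTIFY set for a zone, which is every NS at the apex except the one named in the SOA MNAME (also-notify, which adds targets, is ignored here). Run against the zone as posted, the only non-MNAME NS is ns2, which resolves through web02 to 64.71.162.42, the master itself, so the slave at .46 is never notified. The corrected copy assumes, from the "## master -- 64.71.162.42" comment in Raiden's config, that ns2 belongs in the MNAME. The same rule is behind the "refused notify from non-master" messages in this thread: a master notifies every NS in its copy of the zone, including servers that do not list it as a master.

```python
import re
from typing import List, Set, Tuple

Record = Tuple[str, str, List[str]]   # (owner, type, rdata tokens)

# The master's zone as posted in the thread (transcribed).
ZONE_AS_POSTED = """\
$TTL 3h
myvemma.com.        IN SOA ns1.myvemma.com. support.myvemma.com. (
                        2004101101 ; serial
                        3h         ; refresh
                        1h         ; retry
                        1w         ; expire
                        1h )       ; negative caching TTL
myvemma.com.        IN NS    ns1.myvemma.com.
myvemma.com.        IN NS    ns2.myvemma.com.
web01.myvemma.com.  IN A     64.71.162.46
web02.myvemma.com.  IN A     64.71.162.42
ns1.myvemma.com.    IN CNAME web01.myvemma.com.
ns2.myvemma.com.    IN CNAME web02.myvemma.com.
"""

# Corrected as the thread suggests: NS names carry A records, and the SOA MNAME
# names the real master (64.71.162.42, assumed here to be ns2 per Raiden's comments).
ZONE_FIXED = """\
$TTL 3h
myvemma.com.        IN SOA ns2.myvemma.com. support.myvemma.com. (
                        2004101102 3h 1h 1w 1h )
myvemma.com.        IN NS    ns1.myvemma.com.
myvemma.com.        IN NS    ns2.myvemma.com.
ns1.myvemma.com.    IN A     64.71.162.46
ns2.myvemma.com.    IN A     64.71.162.42
web01.myvemma.com.  IN CNAME ns1.myvemma.com.
web02.myvemma.com.  IN CNAME ns2.myvemma.com.
"""

TTL_RE = re.compile(r"\d+[smhdw]?$", re.I)


def parse_zone(text: str) -> List[Record]:
    """Just enough master-file syntax for this thread: ';' comments, '(...)'
    continuation, optional class and TTL, fully qualified owner names."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf += line.replace("(", " ").replace(")", " ").split()
        if depth > 0 or not buf:
            continue
        tokens, buf = buf, []
        if tokens[0].startswith("$"):          # $TTL etc. are irrelevant here
            continue
        owner, rest = tokens[0].lower(), tokens[1:]
        for _ in range(2):                     # TTL and class may come in either order
            if rest and rest[0].upper() in ("IN", "CH", "HS"):
                rest = rest[1:]
            elif rest and TTL_RE.match(rest[0]):
                rest = rest[1:]
        records.append((owner, rest[0].upper(), [t.lower() for t in rest[1:]]))
    return records


def resolve(name: str, records: List[Record]) -> Tuple[Set[str], List[str]]:
    """In-zone addresses for name, chasing CNAMEs (bounded). Returns (addrs, chain)."""
    chain: List[str] = []
    for _ in range(8):
        addrs = {rd[0] for o, t, rd in records if o == name and t == "A"}
        if addrs:
            return addrs, chain
        cnames = [rd[0] for o, t, rd in records if o == name and t == "CNAME"]
        if not cnames:
            break
        chain.append(name)
        name = cnames[0]
    return set(), chain


def ns_targets_that_are_cnames(records: List[Record]) -> List[str]:
    """RFC 2181 s10.3: the name in an NS record must not be a CNAME alias."""
    aliases = {o for o, t, _ in records if t == "CNAME"}
    return sorted(rd[0] for _, t, rd in records if t == "NS" and rd[0] in aliases)


def default_notify_targets(records: List[Record]) -> Set[str]:
    """BIND's default NOTIFY set: every apex NS except the SOA MNAME."""
    apex, _, soa = next(r for r in records if r[1] == "SOA")
    mname, targets = soa[0], set()
    for owner, rtype, rdata in records:
        if owner == apex and rtype == "NS" and rdata[0] != mname:
            targets |= resolve(rdata[0], records)[0]
    return targets


if __name__ == "__main__":
    for label, text in (("as posted", ZONE_AS_POSTED), ("fixed", ZONE_FIXED)):
        recs = parse_zone(text)
        print(label, "| NS via CNAME:", ns_targets_that_are_cnames(recs),
              "| notify ->", sorted(default_notify_targets(recs)))
```

The "as posted" line shows two NS names that are aliases and a notify set containing only 64.71.162.42; the "fixed" line shows no aliases and 64.71.162.46, the slave, as the single notify target.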

------------------------------

From: Ronan Flood
Subject: Re: Bind9 + PPP problem
Date: 13 Oct 2004 14:01:41 GMT

On Sat, 9 Oct 2004 20:30:11 +0200,
"P.B." wrote:

> I've just set up my linux box as PPP DialUp Server and can connect and do
> everything except resolve names. The Linux server is also running Bind for
> several years now - without problems.
>
> There are several interfaces in this server (eth, wlan, ppp0(~ISP) - and
> when serving dialup clients, also ppp1). The installed DNS works properly
> for ALL installed interfaces, EXCEPT for ppp1.
>
>
> I've tried the following:
>
> 1) Iptables entries are the same for wlan (where DNS works). Also tried
> dropping iptables: no change.
> 2) Checked connection by connecting by IP (instead of by name)
> 3) used tcpdump to see what's happening: DNS request coming in from
> ppp-client, but no answer.
> 4) bind's logs: (turned everything on for debugging): Request from
> ppp-client does not show up in the logs,
> but all other requests do.
> 5) Changed named.conf to bind to interface ppp1's IP, too.
> 6) Setup pppd to give the ppp-client an external DNS: works properly - So
> that's why I assume it's my DNS having problems.


Have you tried setting the interface-interval in named.conf to something
short? For example

options {
    ...
    interface-interval 1;
    ...
};

should make named scan for interfaces once every minute rather than
its default once per hour. If ppp1 is only up when someone dials
in, that might be necessary.

--
Ronan Flood
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)

------------------------------

From: Ronan Flood
Subject: Re: allow-query and version.bind
Date: 13 Oct 2004 14:04:33 GMT

On Sun, 10 Oct 2004 10:00:56 GMT, "Marco d'Itri" wrote:

> I restrict access to my server:
>
> options {
> directory "/var/cache/bind";
>
> allow-query { friends; };
> allow-recursion { friends; };
> ....
> }
>
> zone "bofh.it" {
> type master;
> allow-query { any; };
> ....
> }
>
> But now access to the bind chaos pseudo-zone is not allowed:
>
> $host -c chaos -t txt VERSION.BIND ns.bofh.it
> VERSION.BIND TXT record in class CH query refused
> $
>
> How can I work around this? I do not want to restrict access to it.


Create an actual zone for version.bind. (or bind.) with an
"allow-query { any; }" on it?

--
Ronan Flood
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)

------------------------------

From: "Smith, William E. (Bill), Jr."
Subject: RE: Refused notify from non-master messages
Date: Wed, 13 Oct 2004 10:09:08 -0400

Yes, my test server is listed as a name server for these and other zones
with the relevant NS records in place so that would seem to explain the
behavior. I presume this is an added feature with 9.3 to notify admins of
this behavior since I hadn't seen this prior to now. I will request the
admin of this other server turn notifies off or at least limit them to what
is needed.

Thanks,

Bill

-----Original Message-----
From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On Behalf
Of Ronan Flood
Sent: Wednesday, October 13, 2004 9:47 AM
To: comp-protocols-dns-bind@isc.org
Subject: Re: Refused notify from non-master messages

On Tue, 12 Oct 2004 10:15:01 -0400,
"Smith, William E. (Bill), Jr." wrote:

> Since upgrading a test server to 9.3.0, I have begun seeing the
> following messages logged on my server that involve the same host.
> general.log:12-Oct-2004 09:08:24.031 general: info: zone
> _msdcs.jhuapl.edu/IN/internet: refused notify from non-master:
> 128.244.47.217#60673
> general.log:12-Oct-2004 09:15:05.566 general: info: zone
> 244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master:
> 128.244.47.217#60673
> general.log:12-Oct-2004 09:33:47.530 general: info: zone
> 244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master:
> 128.244.47.217#60673
> general.log:12-Oct-2004 09:52:54.630 general: info: zone
> 244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master:
> 128.244.47.217#60673
> notify.log:12-Oct-2004 09:08:24.031 info: client 128.244.47.217#60673:
> view
> internet: received notify for zone '_msdcs.jhuapl.edu'
> notify.log:12-Oct-2004 09:15:05.565 info: client 128.244.47.217#60673:
> view
> internet: received notify for zone '244.128.in-addr.arpa'
> notify.log:12-Oct-2004 09:33:47.530 info: client 128.244.47.217#60673:
> view
> internet: received notify for zone '244.128.in-addr.arpa'
> notify.log:12-Oct-2004 09:52:54.630 info: client 128.244.47.217#60673:
> view
> internet: received notify for zone '244.128.in-addr.arpa'
>
> The host 128.244.47.217 is a DNS also running BIND but it is
> configured to perform its zone transfers from other servers. I
> reviewed the named.conf for this server and saw no references to my
> test server at all. Thus, I'm a little confused as to why this host
> is attempting to send notifies to my server when my test server is not
> configured as its master. It's only an informational message so it's
> obviously not too serious but I would still like to get a better
> understanding of exactly what is going on here and if there is anything I
> can do to stop the logging of these messages.

Is your test server listed as a nameserver for the zones _msdcs.jhuapl.edu
and 244.128.in-addr.arpa? Notifies go out to all the nameservers for the
zone, except the primary in the SOA, unless modified by named.conf settings.

--
Ronan Flood
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)


------------------------------

Date: Wed, 13 Oct 2004 16:52:49 +0200
From: MARTINEZ Christophe SCR
Subject: Re: allow-query and version.bind


>On Sun, 10 Oct 2004 10:00:56 GMT, "Marco d'Itri" wrote:
>
>
>
>>I restrict access to my server:
>>
>>options {
>> directory "/var/cache/bind";
>>
>> allow-query { friends; };
>> allow-recursion { friends; };
>>....
>>}
>>
>>zone "bofh.it" {
>> type master;
>> allow-query { any; };
>>....
>>}
>>
>>But now access to the bind chaos pseudo-zone is not allowed:
>>
>>$host -c chaos -t txt VERSION.BIND ns.bofh.it
>>VERSION.BIND TXT record in class CH query refused
>>$
>>
>>How can I work around this? I do not want to restrict access to it.
>>
>>

>
>Create an actual zone for version.bind. (or bind.) with an
>"allow-query { any; }" on it?
>
>
>

Are you local to ns.bofh.it? If so, try allowing 127.0.0.1 to query your server.

------------------------------


Date: Wed, 13 Oct 2004 09:35:03 -0700 (PDT)
From: raiden@wonko.inow.com
Subject: Re: Going crazy! -- "Sending Notifies" not working on Redhat Enterpris

Hello Ronan,

You are absolutely correct that I had the wrong ns in the SOA. However,
this did not fix the problem. (I also had another zone, which looks
pretty much exactly like this, except I didn't have the slave ns in the
SOA, and it also is not working.)

Thank you,
-Raiden Johnson


On Wed, 13 Oct 2004, Ronan Flood wrote:

>
> raiden@wonko.inow.com wrote:
>
> Sorry, just noticed something else ...
>
> > ## master -- 64.71.162.42

>
> > allow-transfer { 64.71.162.46; };

>
> > ## zone file on master
> > $TTL 3h
> > myvemma.com. IN SOA ns1.myvemma.com. support.myvemma.com. (

>
> > myvemma.com. IN NS ns1.myvemma.com.
> > myvemma.com. IN NS ns2.myvemma.com.

>
> > web01.myvemma.com. IN A 64.71.162.46
> > web02.myvemma.com. IN A 64.71.162.42

>
> > ns1.myvemma.com. IN CNAME web01.myvemma.com.
> > ns2.myvemma.com. IN CNAME web02.myvemma.com.

>
> When deciding which servers to notify, the master will ignore the
> server mentioned in the SOA as the primary server. In your case,
> that would be ns1 which (indirectly) has address 64.71.162.46, which
> appears to be your slave! Have you got the addresses for ns1/ns2
> the wrong way around?
>
> --
> Ronan Flood
> working for but not speaking for
> Network Services, University of London Computer Centre
> (which means: don't bother ULCC if I've said something you don't like)
>


------------------------------

Date: Wed, 13 Oct 2004 09:38:07 -0700 (PDT)
From: raiden@wonko.inow.com
Subject: Re: Going crazy! -- "Sending Notifies" not working on Redhat Enterpris

> Possibly having your NS records as CNAMEs (which you should not have)
> is not doing you any favours ...
>
> Could you rewrite this as:
>
> ns1.myvemma.com. IN A 64.71.162.46
> ns2.myvemma.com. IN A 64.71.162.42
>
> web01.myvemma.com. IN CNAME ns1.myvemma.com.
> web02.myvemma.com. IN CNAME ns2.myvemma.com.
>
> and see if that helps? Are the NS records for zone
> subnet40.162.71.64.in-addr.arpa also ns1/ns2.myvemma.com?
>


This did it!!! Ronan, you are my hero! =P

But seriously, why should this have mattered? Why would this version of
BIND (past versions seemed to have no problem) not send notifies to slave
NS if they are defined by CNAME instead of A records?

(I shouldn't press my luck here, since it's all working, but I'd still
like to know. =P)

Thank you!
-Raiden Johnson


------------------------------

From: GamerGoal@gmail.com (Peter S.)
Subject: Looking for stats
Date: 13 Oct 2004 08:52:28 -0700

Hi,

I'm looking for the following stats:

1) Domain name resolving
2) Domain name not resolving

I need to put together this info for a paper I'm working on, so I
would like your help in possibly finding this information.

Where would this info reside?

At the ISP DNS, or the root DNS, for the domain name lookups a user
inputs?
(Example: if a user types apple.com, is that information going to
reside on the ISP side, which caches it, and can the ISP provide how
many times apple.com was accessed from their DNS cache? How about on
the root server, similar method?)

And is this data public domain or proprietary?

Finally, if this is not the right group, which one is?

I highly appreciate any help and suggestions you might provide.

Peter.

------------------------------

From: "System Administrator"
Subject: Undeliverable: bind-users Digest V6 #270
Date: 13 Oct 2004 04:05:54 -0400

Your message
Subject: bind-users Digest V6 #270
Sent: Wed Oct 13 04:05:53 2004


did not reach the following recipient(s):
vitaliy@home.grytsyuk.com on Wed Oct 13 04:05:53 2004

The e-mail account does not exist at the organization this message
was sent to. Check the e-mail address, or contact the recipient
directly to find out the correct address.



-- Attached file included as plaintext by Ecartis --

Reporting-MTA: dns; s1.home.grytsyuk.com

Final-Recipient: RFC822; vitaliy@home.grytsyuk.com
Action: failed
Status: 5.1.1
X-Supplementary-Info: s1.home.grytsyuk.com
X-Display-Name: vitaliy@home.grytsyuk.com




-- Attached file included as plaintext by Ecartis --

Thread-Topic: bind-users Digest V6 #270
Received: from mail pickup service by s1.home.grytsyuk.com with Microsoft SMTPSVC; Wed, 13 Oct 2004 04:05:45 -0400
X-Apparently-To: v_grytsyuk@yahoo.com via 66.218.79.92; Wed, 13 Oct 2004 00:52:27 -0700
X-Originating-IP: [204.152.184.167]
Received: from 204.152.184.167 (EHLO sf1.isc.org) (204.152.184.167) by mta422.mail.scd.yahoo.com with SMTP; Wed, 13 Oct 2004 00:52:21 -0700
Received: from rc3.isc.org (rc3.isc.org [IPv6:2001:4f8:3:bb::25]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by sf1.isc.org (Postfix) with ESMTP id 96E7F28532; Wed, 13 Oct 2004 07:52:08 +0000 (UTC) (envelope-from bind-users-bounce@isc.org)
Received: from rc3.isc.org (rc3.isc.org [204.152.187.25]) by rc3.isc.org (Postfix) with ESMTP id 8282C5C8F2; Wed, 13 Oct 2004 07:51:15 +0000 (UTC) (envelope-from bind-users-bounce@isc.org)
Received: with ECARTIS (v1.0.0; list bind-users); Wed, 13 Oct 2004 07:50:01 +0000 (UTC)
Date: Wed, 13 Oct 2004 07:50:01 +0000 (UTC)
From: "BIND Users Mailing List"
To: "bind-users digest users"
Subject: bind-users Digest V6 #270
Precedence: bulk
Message-ID: <20041013075115.8282C5C8F2@rc3.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

bind-users Digest Tue, 12 Oct 2004 Volume: 06 Issue: 270

In This Issue:
Re: 9.3.0 - (source 0.0.0.0#0): unexpected end of input
Re: 9.3.0 - (source 0.0.0.0#0): unexpected end of input
Re: 9.3.0 - (source 0.0.0.0#0): unexpected end of input
Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS
Refused notify from non-master messages
bind9 performance cannot ramp up cpus
dig +dnssec option
Re: dig +dnssec option
RE: installing bind
Re: bind9 performance cannot ramp up cpus
nameservers sharing IP
DNS Failover
Re: nameservers sharing IP
Re: DNS Failover
loopback IPs
Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS
Re: loopback IPs
different view for recursive & non-recursive clients
Fwd: Re: named error: expected prefix length near '4'
Going crazy! -- "Sending Notifies" not working on Redhat Ent
RE: Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS

----------------------------------------------------------------------

Date: Tue, 12 Oct 2004 11:44:56 +0400
From: Ladislav Vobr
Subject: Re: 9.3.0 - (source 0.0.0.0#0): unexpected end of input

Thanks for your time and help, Mark. Does the nameserver have to be EDNS
aware to do successful zone transfers with BIND 9.3.0? Do I have to
list all non-EDNS master servers in my named.conf to be able to do
zone transfers successfully?

Ladislav

Mark Andrews wrote:
>>12-Oct-2004 10:12:07.323 zone emirsal.com/IN: refresh: failure trying
>>master 213.42.49.107#53 (source 0.0.0.0#0): unexpected end of input
>>
>>
>>I am slave for this zone but I am unable to do a zone transfer successfully.
>>
>>dig axfr emirsal.com @213.42.49.107 is fine
>>dig soa emirsal.com @213.42.49.107 is fine
>>
>>and 9.2.3 bind can do the zone transfer successfully.
>>
>>could it be 9.3.0 only problem?
>>
>>could it be I am out of file descriptors/sockets for named?
>>
>>Ladislav

>
>
> When all else fails tcpdump is your friend.
>
> dig +dnssec soa emirsal.com @213.42.49.107
>
> Note the header says there is an additional record but
> there isn't one in the reply.
>
> Disable edns to this server.
>
> 17:04:29.779770 192.168.191.236.1965 > 213.42.49.107.53: 22363+ [1au] SOA? emirsal.com. (40)
> 4500 0044 6a1b 0000 4011 8963 c0a8 bfec
> d52a 316b 07ad 0035 0030 cd7b 575b 0100
> 0001 0000 0000 0001 0765 6d69 7273 616c
> 0363 6f6d 0000 0600 0100 0029 0800 0000
> 8000 0000
> 17:04:30.855358 213.42.49.107.53 > 192.168.191.236.1965: 22363* 1/0/1 SOA (106)
> 4500 0086 8747 0000 6911 42f5 d52a 316b
> c0a8 bfec 0035 07ad 0072 a5da 575b 8580
> 0001 0001 0000 0001 0765 6d69 7273 616c
> 0363 6f6d 0000 0600 01c0 0c00 0600 0100
> 000e 1000 4109 6375 7374 6f6d 646e 730a
> 6478 6263 7573 746f 6d73 0367 6f76 0261
> 6500 0d61 646d 696e 6973 7472 6174 6f72
> c033 0000 0002 0000 0384 0000 0258 0001
> 5180 0000 0e10
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org



------------------------------

From: Mark Andrews
Subject: Re: 9.3.0 - (source 0.0.0.0#0): unexpected end of input
Date: Tue, 12 Oct 2004 18:05:40 +1000


> Thanks for your time and help, Mark. Does the nameserver have to be EDNS
> aware to do successful zone transfers with BIND 9.3.0?


no.

> Do I have to
> list all non-EDNS master servers in my named.conf to be able to do
> zone transfers successfully?


No. The server in question is broken. It is sending malformed
answers.

> Ladislav
>
> Mark Andrews wrote:
> >>12-Oct-2004 10:12:07.323 zone emirsal.com/IN: refresh: failure trying
> >>master 213.42.49.107#53 (source 0.0.0.0#0): unexpected end of input
> >>
> >>
> >>I am slave for this zone but I am unable to do a zone transfer successfully.
> >>
> >>dig axfr emirsal.com @213.42.49.107 is fine
> >>dig soa emirsal.com @213.42.49.107 is fine
> >>
> >>and 9.2.3 bind can do the zone transfer successfully.
> >>
> >>could it be 9.3.0 only problem?
> >>
> >>could it be I am out of file descriptors/sockets for named?
> >>
> >>Ladislav

> >
> >
> > When all else fails tcpdump is your friend.
> >
> > dig +dnssec soa emirsal.com @213.42.49.107
> >
> > Note the header says there is an additional record but
> > there isn't one in the reply.
> >
> > Disable edns to this server.
> >
> > 17:04:29.779770 192.168.191.236.1965 > 213.42.49.107.53: 22363+ [1au] SOA? emirsal.com. (40)
> > 4500 0044 6a1b 0000 4011 8963 c0a8 bfec
> > d52a 316b 07ad 0035 0030 cd7b 575b 0100
> > 0001 0000 0000 0001 0765 6d69 7273 616c
> > 0363 6f6d 0000 0600 0100 0029 0800 0000
> > 8000 0000
> > 17:04:30.855358 213.42.49.107.53 > 192.168.191.236.1965: 22363* 1/0/1 SOA (106)
> > 4500 0086 8747 0000 6911 42f5 d52a 316b
> > c0a8 bfec 0035 07ad 0072 a5da 575b 8580
> > 0001 0001 0000 0001 0765 6d69 7273 616c
> > 0363 6f6d 0000 0600 01c0 0c00 0600 0100
> > 000e 1000 4109 6375 7374 6f6d 646e 730a
> > 6478 6263 7573 746f 6d73 0367 6f76 0261
> > 6500 0d61 646d 696e 6973 7472 6174 6f72
> > c033 0000 0002 0000 0384 0000 0258 0001
> > 5180 0000 0e10
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org

>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
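
The defect Mark points at (ARCOUNT says one additional record, yet the datagram ends after the answer) can be checked mechanically. As an added example (mine, not code from the list or from ISC), the Python below parses the hex of the SOA reply quoted above, strips the IP and UDP headers, and walks every record the header counts promise; the function and exception names are my own.

```python
"""Check a DNS reply's header counts against the records actually on the wire."""
import struct

# Constructed input: the SOA reply from 213.42.49.107 exactly as dumped in the
# tcpdump output quoted in this thread (IPv4 header + UDP header + DNS).
REPLY_FRAME_HEX = """
4500 0086 8747 0000 6911 42f5 d52a 316b c0a8 bfec 0035 07ad 0072 a5da 575b 8580
0001 0001 0000 0001 0765 6d69 7273 616c 0363 6f6d 0000 0600 01c0 0c00 0600 0100
000e 1000 4109 6375 7374 6f6d 646e 730a 6478 6263 7573 746f 6d73 0367 6f76 0261
6500 0d61 646d 696e 6973 7472 6174 6f72 c033 0000 0002 0000 0384 0000 0258 0001
5180 0000 0e10
"""


class TruncatedMessage(Exception):
    """A header count promises data that the message does not contain."""


def dns_payload_from_ipv4_frame(hexdump):
    """Strip the IPv4 and UDP headers from a 'tcpdump -x' style hex dump."""
    frame = bytes.fromhex("".join(hexdump.split()))
    ihl = (frame[0] & 0x0F) * 4                       # IPv4 header length
    udp_len = struct.unpack("!H", frame[ihl + 4:ihl + 6])[0]
    return frame[ihl + 8:ihl + udp_len]               # 8-byte UDP header


def read_name(msg, off):
    """Decode a possibly compressed name at 'off'; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise TruncatedMessage("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if off + 2 > len(msg):
                raise TruncatedMessage("truncated compression pointer")
            if end is None:
                end = off + 2                         # name ends after first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        if off + length > len(msg):
            raise TruncatedMessage("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_sections(msg):
    """Walk the header and all four sections. Raises TruncatedMessage when a
    count exceeds what is present, which is what BIND 9.3 reports as
    'unexpected end of input'."""
    if len(msg) < 12:
        raise TruncatedMessage("header shorter than 12 bytes")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    out = {"id": msg_id, "flags": flags, "counts": (qd, an, ns, ar),
           "question": [], "answer": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise TruncatedMessage("question: QTYPE/QCLASS missing")
        out["question"].append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for i in range(count):
            if off >= len(msg):
                raise TruncatedMessage(
                    f"{section}: header promises {count} record(s) but only "
                    f"{i} present; message ends at byte {off} of {len(msg)}")
            name, off = read_name(msg, off)
            if off + 10 > len(msg):
                raise TruncatedMessage(f"{section}: record fixed fields missing")
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if off + rdlen > len(msg):
                raise TruncatedMessage(f"{section}: RDATA truncated")
            out[section].append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
    out["trailing_bytes"] = len(msg) - off
    return out


def diagnose(frame_hex):
    """Return None for a well-formed reply, else a one-line description of the defect."""
    try:
        parsed = parse_sections(dns_payload_from_ipv4_frame(frame_hex))
    except TruncatedMessage as exc:
        return f"malformed: {exc}"
    if parsed["trailing_bytes"]:
        return f"malformed: {parsed['trailing_bytes']} byte(s) after the last record"
    return None
```

`diagnose(REPLY_FRAME_HEX)` reports that the additional section promises one record but none is present; rewriting ARCOUNT to 0 makes the same 106 bytes parse cleanly, which is the sense in which the server, not the slave, is at fault.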

------------------------------

Date: Tue, 12 Oct 2004 14:00:33 +0400
From: Ladislav Vobr
Subject: Re: 9.3.0 - (source 0.0.0.0#0): unexpected end of input

:-) Well, whatever it is, it is quite popular here :-) I will investigate
it more, but it seems to me they were fine with 9.2.3.

Ladislav

Mark Andrews wrote:
>>Thanks for your time and help, Mark. Does the nameserver have to be EDNS
>>aware to do successful zone transfers with BIND 9.3.0?

>
>
> no.
>
>
>> Do I have to
>>list all non-EDNS master servers in my named.conf to be able to do
>>zone transfers successfully?

>
>
> No. The server in question is broken. It is sending malformed
> answers.
>
>
>>Ladislav
>>
>>Mark Andrews wrote:
>>
>>>>12-Oct-2004 10:12:07.323 zone emirsal.com/IN: refresh: failure trying
>>>>master 213.42.49.107#53 (source 0.0.0.0#0): unexpected end of input
>>>>
>>>>
>>>>I am slave for this zone but I am unable to do a zone transfer successfully.
>>>>
>>>>dig axfr emirsal.com @213.42.49.107 is fine
>>>>dig soa emirsal.com @213.42.49.107 is fine
>>>>
>>>>and 9.2.3 bind can do the zone transfer successfully.
>>>>
>>>>could it be 9.3.0 only problem?
>>>>
>>>>could it be I am out of file descriptors/sockets for named?
>>>>
>>>>Ladislav
>>>
>>>
>>> When all else fails tcpdump is your friend.
>>>
>>> dig +dnssec soa emirsal.com @213.42.49.107
>>>
>>> Note the header says there is an additional record but
>>> there isn't one in the reply.
>>>
>>> Disable edns to this server.
>>>
>>>17:04:29.779770 192.168.191.236.1965 > 213.42.49.107.53: 22363+ [1au] SOA? emirsal.com. (40)
>>
>>> 4500 0044 6a1b 0000 4011 8963 c0a8 bfec
>>> d52a 316b 07ad 0035 0030 cd7b 575b 0100
>>> 0001 0000 0000 0001 0765 6d69 7273 616c
>>> 0363 6f6d 0000 0600 0100 0029 0800 0000
>>> 8000 0000
>>>17:04:30.855358 213.42.49.107.53 > 192.168.191.236.1965: 22363* 1/0/1 SOA (106)
>>
>>> 4500 0086 8747 0000 6911 42f5 d52a 316b
>>> c0a8 bfec 0035 07ad 0072 a5da 575b 8580
>>> 0001 0001 0000 0001 0765 6d69 7273 616c
>>> 0363 6f6d 0000 0600 01c0 0c00 0600 0100
>>> 000e 1000 4109 6375 7374 6f6d 646e 730a
>>> 6478 6263 7573 746f 6d73 0367 6f76 0261
>>> 6500 0d61 646d 696e 6973 7472 6174 6f72
>>> c033 0000 0002 0000 0384 0000 0258 0001
>>> 5180 0000 0e10
>>>
>>>--
>>>Mark Andrews, ISC
>>>1 Seymour St., Dundas Valley, NSW 2117, Australia
>>>PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org

>>

> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
>



------------------------------

Date: Tue, 12 Oct 2004 08:30:21 -0500 (CDT)
From: Barry Finkel
Subject: Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS

Mokwena Motseto wrote:

>> Do you know of any problems I might encounter if I migrate to Microsoft
>> DNS? I don't know what version it is, or if it has versions at all


phn@icke-reklam.ipsec.nu replied:

> You won't get support from this forum :-)


Sorry to disappoint Peter, but there have been discussions of the
interaction between MS W2k (or W2k+3) DNS Server and BIND
on this list (and on its now-defunct sister list bind9-users@isc.org).
Check the list archives. Discussions of BIND interoperability with
other DNS software are not off-topic for this list.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory Phone: +1 (630) 252-7277
9700 South Cass Avenue Facsimile:+1 (630) 252-4601
Building 222, Room D209 Internet: BSFinkel@anl.gov
Argonne, IL 60439-4828 IBMMAIL: I1004994


------------------------------

From: "Smith, William E. (Bill), Jr."
Subject: Refused notify from non-master messages
Date: Tue, 12 Oct 2004 10:15:01 -0400

Since upgrading a test server to 9.3.0, I have begun seeing the following
messages logged on my server that involve the same host.
general.log:12-Oct-2004 09:08:24.031 general: info: zone
_msdcs.jhuapl.edu/IN/internet: refused notify from non-master:
128.244.47.217#60673
general.log:12-Oct-2004 09:15:05.566 general: info: zone
244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master:
128.244.47.217#60673
general.log:12-Oct-2004 09:33:47.530 general: info: zone
244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master:
128.244.47.217#60673
general.log:12-Oct-2004 09:52:54.630 general: info: zone
244.128.IN-ADDR.ARPA/IN/internet: refused notify from non-master:
128.244.47.217#60673
notify.log:12-Oct-2004 09:08:24.031 info: client 128.244.47.217#60673: view
internet: received notify for zone '_msdcs.jhuapl.edu'
notify.log:12-Oct-2004 09:15:05.565 info: client 128.244.47.217#60673: view
internet: received notify for zone '244.128.in-addr.arpa'
notify.log:12-Oct-2004 09:33:47.530 info: client 128.244.47.217#60673: view
internet: received notify for zone '244.128.in-addr.arpa'
notify.log:12-Oct-2004 09:52:54.630 info: client 128.244.47.217#60673: view
internet: received notify for zone '244.128.in-addr.arpa'

The host 128.244.47.217 is a DNS also running BIND but it is configured to
perform its zone transfers from other servers. I reviewed the named.conf
for this server and saw no references to my test server at all. Thus, I'm a
little confused as to why this host is attempting to send notifies to my
server when my test server is not configured as its master. It's only an
informational message so it's obviously not too serious but I would still
like to get a better understanding of exactly what is going on here and if
there is anything I can do to stop the logging of these messages.

Thanks,

Bill Smith

ISS Systems Server Group
Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Road
Laurel, MD 20723
Phone: 443-778-5523
Web: http://www.jhuapl.edu







------------------------------

Subject: bind9 performance cannot ramp up cpus
Date: Tue, 12 Oct 2004 22:49:02 +0800
From: "yan, tommy (CSG-MKG-BJ)"

Hi,

This is a simple bind performance test case.

I'm using a 6 cpu hp Itanium hpux server (as bind server) for testing
bind performance, but can only ramp up to 4 cpus, and thus it does not
generate fairly good performance.

I use bind9.2.0, hpux11.23, and queryperf, which is the perf test tool
from isc. queryperf input file around 60000 lines, and named data only
has 10 records (so this is a simple test).

named.conf, nsswitch.conf, resolv.conf are also very simple, I'm sure
they point to the right dns and resolve using dns first.

It is interesting that each queryperf client (with 50 or more concurrent
threads) can only take up 1MB network throughput; I add more clients, and
get better performance. Clients are servers with dedicated LAN
connecting to bind server. The test results are below:

num. of clients    queries per second
1                  7000
3                  15000
5                  25000

Monitoring with glance, named wait event is stream and lan, system call
mainly on message send/receive, while system tables are not full at all.
I've checked that dns service uses udp socket for communication, and
guess maybe the bottleneck resides on network. So I tuned some socket
cache/connection parameters, but it does not improve much.

So, does anyone have any suggestions?
Thx.

------------------------------

Date: Tue, 12 Oct 2004 10:22:58 -0500
From: Jeff Stevens
Subject: dig +dnssec option

It is not obvious to me that DNSSEC needs EDNS as there is no mention of
EDNS in the DNSSEC RFC2535. Is there some reason the EDNS feature gets used
by calling out the +dnssec option?
--
Jeffrey Stevens

------------------------------

Subject: Re: dig +dnssec option
Date: Tue, 12 Oct 2004 17:02:04 +0100
From: Jim Reid

>>>>> "Jeff" == Jeff Stevens writes:


Jeff> It is not obvious to me that DNSSEC needs EDNS as there is
Jeff> no mention of EDNS in the DNSSEC RFC2535. Is there some
Jeff> reason the EDNS feature gets used by calling out the +dnssec
Jeff> option?

The +dnssec option to dig tells it to set the DO (DNSSEC OK) bit which
is in the EDNS0 OPT header. The DO bit is used to tell a server that
the client is DNSSEC-aware and, by implication, is willing to receive
DNSSEC RRtypes. RFC3225 -- Indicating Resolver Support of DNSSEC --
documents this.

DNSSEC-signed responses are *much* bigger than conventional DNS
replies because of the extra (and large) RR types that get returned:
RRSIGs, NSECs, DNSKEYs. These records and their associated data mean
the 512 byte limit on "normal" UDP replies is easily exceeded. So
rather than send truncated responses which result in retried queries
over TCP, it's best to use EDNS0. Clients can then tell the server
that they're able and willing to accept UDP replies bigger than 512
bytes. This is a Big Win for everyone. Most, if not all, clients that
are DNSSEC-aware will support EDNS0 anyway.
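
As an added example (mine, not code from the list or from BIND/dig), the Python below assembles the query that dig +dnssec sends: a question plus an OPT pseudo-RR in the additional section, with the advertised UDP payload size carried in the CLASS field and the DO bit as the top flag bit of the TTL field. Fed the ID, name and 2048-byte size from the tcpdump quoted earlier in this digest it reproduces that 40-byte query byte for byte; the function names are my own.

```python
"""Build and decode the EDNS0 OPT record that 'dig +dnssec' adds to a query."""
import struct

TYPE_SOA = 6
TYPE_OPT = 41
EDNS_DO = 0x8000   # DNSSEC OK (RFC 3225): top bit of the 16 flag bits in OPT's TTL

# Constructed input: the 40-byte DNS payload of the '22363+ [1au] SOA? emirsal.com.'
# query from the tcpdump quoted earlier in this digest (IP/UDP headers removed).
DIG_QUERY_HEX = (
    "575b 0100 0001 0000 0000 0001 0765 6d69 7273 616c "
    "0363 6f6d 0000 0600 0100 0029 0800 0000 8000 0000"
)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_opt(udp_size, do):
    """OPT pseudo-RR: root name, TYPE 41, CLASS = advertised UDP payload size,
    TTL = extended RCODE (8 bits) | EDNS version (8) | flags (16), empty RDATA."""
    ttl = EDNS_DO if do else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)


def build_query(qname, qtype, msg_id, udp_size=4096, do=True):
    """Header + question, plus an OPT record in the additional section when a
    udp_size is given; udp_size=None yields a plain, non-EDNS query."""
    use_edns = udp_size is not None
    header = struct.pack("!6H", msg_id, 0x0100, 1, 0, 0, 1 if use_edns else 0)  # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)               # class IN
    return header + question + (build_opt(udp_size, do) if use_edns else b"")


def decode_opt(query):
    """Return the OPT settings of a single-question query, or None if it has none."""
    arcount = struct.unpack("!H", query[10:12])[0]
    off = 12
    while query[off] != 0:            # skip the question name (queries use no compression)
        off += 1 + query[off]
    off += 1 + 4                      # root label, QTYPE, QCLASS
    if arcount == 0 or off + 11 > len(query) or query[off] != 0:
        return None
    rtype, udp_size, ttl, _rdlen = struct.unpack("!HHIH", query[off + 1:off + 11])
    if rtype != TYPE_OPT:
        return None
    return {"udp_size": udp_size, "version": (ttl >> 16) & 0xFF,
            "do": bool(ttl & EDNS_DO)}


if __name__ == "__main__":
    q = build_query("emirsal.com", TYPE_SOA, 22363, udp_size=2048)
    print(q == bytes.fromhex("".join(DIG_QUERY_HEX.split())), decode_opt(q))
```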

------------------------------

Subject: RE: installing bind
From: David Botham
Date: Tue, 12 Oct 2004 12:06:38 -0400

bind-users-bounce@isc.org wrote on 10/10/2004 03:37:15 AM:
> "Simon Dodd"
>
> > Jacob,
> > If you're going to also be administering the box as well as installing
> > it, the best advice you're going to get is to invest in a copy of "DNS
> > & BIND" by Albitz & Lie (O'Reilly , ISBN 0-596-00158-4). This book is
> > widely regarded as the Bible for DNS in general and BIND in
> > particular, and it covers everything you're likely to want or need to
> > know about getting BIND, installing it, configuring it and maintaining
> > it when it's running.
> >

>


[clipped rant that does not help anyone]

>
> So I look in there and find RESOLV.CONF.... hmmmm hold on a second
> there is a RESOLV.CONF in the install directory too...
> Which one is used, why and where does it say so???


You put resolv.conf in the location where your OS is going to use it.
However, NT does not use resolv.conf. I am not sure if the NT port of
BIND requires it though.

>
> Am I alone about being confused here or is the information simply
> intentionally confusing to prevent learning?
>
> Could someone PLEASE make a list of the files installed and where they
> really go, and preferably make a simple example with two or three domains
> in it? That would really truly help immensely and reduce the need for us
> newbies having to sit and scratch our heads asking the same questions a
> gazillion times.


I am not sure statements like this one, and others I have clipped from
this message, are going to do much to advance your position in this forum
or help you solve your problems.

Do not blame the people here for the complexities in the domain name
system and the software implementations that make it work.

People on this list are volunteers and provide help as a gimme; you might
find more help if you treat those about to help you with a little respect.
We all fought the same battles you are facing and have broken the code
over the years. Settle down and take your time... knowledge will
follow....



Dave...


>
> Thanks for reading this.
> Techie
>




------------------------------

From: Rick Jones
Subject: Re: bind9 performance cannot ramp up cpus
Date: Tue, 12 Oct 2004 17:41:13 GMT

"yan, tommy (CSG-MKG-BJ)" wrote:
> I'm using a 6 cpu hp Itanium hpux server (as bind server)for testing
> bind performance, but can only ramp up to 4 cpus,and thus does not
> generate fairly good performance.


which system are you using?

> I use bind9.2.0, hpux11.23, and queryperf, which is the perf test


I think that isc.org is up to a 9.3.something.

> tool from isc. queryperf input file around 60000 lines, and named
> data only has 10 records (so this is a simple test).


> named.conf, nsswitch.conf, resolv.conf are also very simple, I'm
> sure they point to right dns and resolve using dns first.


> It is interesting that each queryperf client (with 50 or more
> concurrent threads) can only take up 1MB network throughput; I add
> more clients, and get better performance.


Well, if there are a fixed number of threads and those threads will
only have so many queries outstanding at a time... (I don't know if
queryperf is synchronous or async wrt its generation of queries)

> Clients are servers with
> dedicated LAN connecting to bind server. The test result as below:


> num. of clients    queries per second
> 1                  7000
> 3                  15000
> 5                  25000


> Monitoring with glance, named wait event is stream and lan, system
> call mainly on message send/receive, while system tables are not
> full at all. I've checked that dns service uses udp socket for
> communication, and guess maybe the bottleneck resides on network. So
> I tuned some socket cache/connection parameters, but it does not
> improve much.


What do you mean by socket cache? Anyhow, what sort of NIC are you
using in the 6-CPU server? Please be specific about model - take the
data from ioscan -fk | grep lan - don't just say 'Gigabit'

If you go to the 'a' screen of glance and look at per-CPU utilization
what do you see? Consider both user, kernel and interrupt time.

If you go to the process system calls page of glance "L" (IIRC) what
other system calls do you see besides the send/recv? (go ahead and
cut/paste the screen).

What happens if you add IP addresses to the server and spread the
queries across those IPs? Just adding IPs, not adding NICs.

rick jones
ftp://ftp.cup.hp.com/dist/networking/briefs/
--
oxymoron n, commuter in a gas-guzzling luxury SUV with an American flag
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to raj in cup.hp.com but NOT BOTH...

------------------------------

From: smilesinblues@hotpop.com (Jaunty Edward)
Subject: nameservers sharing IP
Date: 12 Oct 2004 03:13:15 -0700

Hi,
I wanted to ask if there is a way by which nameservers can share an IP.
I have seen many hosting companies giving nameservers for a low
amount. How can they do this if there is a limit of IPs in the world?
I am sure one day we will be left with no IPs.
So it will be nice if anyone can tell me whether nameservers can share IPs,
and if yes, then is there any way to find out who is sharing what.


Thanks
Regards
Jaunty Edward

------------------------------

Date: Tue, 12 Oct 2004 11:01:45 +0200
From: Anthony Wilkins
Subject: DNS Failover

Hi, is there anybody who can help me in finding a solution to a problem
I have?

My web server is sometimes temporarily down and I want people to go to my
remote site where I have a backup web server. Can I change DNS on the
Internet fast enough for incoming requests to be handled by my redundant
web server? Normally I don't want traffic to go to the remote site.

Thanks, Anthony W.

------------------------------

Date: Tue, 12 Oct 2004 11:27:52 -0700
From: Steve Friedl
Subject: Re: nameservers sharing IP

On Tue, Oct 12, 2004 at 03:13:15AM -0700, Jaunty Edward wrote:
> I wanted to ask if there is a way by which nameservers can share an IP.
> I have seen many hosting companies giving nameservers for a low
> amount. How can they do this if there is a limit of IPs in the world?
> I am sure one day we will be left with no IPs.
> So it will be nice if anyone can tell me whether nameservers can share IPs,
> and if yes, then is there any way to find out who is sharing what.


Well, only one nameserver *program* can run on a single IP, but one
nameserver can host as many domains as you like: hosting companies simply
add your zones into their existing servers.

Steve

--
Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve@unixwiz.net

------------------------------

Date: Tue, 12 Oct 2004 14:46:36 -0400
From: Greg Maccarone
Subject: Re: DNS Failover

On Tue, 12 Oct 2004 11:01:45 +0200, Anthony Wilkins
wrote:
> Hi, is there anybody who can help me in finding a solution to a problem
> I have?
>
> My web server is sometimes temporarily down and I want people to go to my
> remote site where I have a backup web server. Can I change DNS on the
> Internet fast enough for incoming requests to be handled by my redundant
> web server? Normally I don't want traffic to go to the remote site.
>
> Thanks, Anthony W.
>
>


A way this could be achieved with DNS is to have a low TTL on the host
entry that could be changing because of the outage. Then in most
cases it would take no longer than the specified TTL for the changes
to be seen throughout the rest of the world.

my $.02.

--
Greg Maccarone
gmaccarone@gmail.com

------------------------------

Date: Tue, 12 Oct 2004 11:53:29 -0700 (PDT)
From: Larry Adamiec
Subject: loopback IPs

I just installed BIND 9.3.0 on a Sun Sparc Solaris 9
machine. When running the make test, I was instructed
to run a shell script to install some loopback IPs
(see below). Now that I have BIND configured and
installed, are these IPs still needed? Can I safely
delete them?

Thanks in advance.

Larry Adamiec
Chicago-Kent College of Law

lo0:1:
flags=1000849 mtu
8232 index 1 inet 10.53.0.1 netmask ff000000

lo0:2:
flags=1000849 mtu
8232 index 1 inet 10.53.0.2 netmask ff000000

lo0:3:
flags=1000849 mtu
8232 index 1 inet 10.53.0.3 netmask ff000000

lo0:4:
flags=1000849 mtu
8232 index 1 inet 10.53.0.4 netmask ff000000

lo0:5:
flags=1000849 mtu
8232 index 1 inet 10.53.0.5 netmask ff000000

lo0:6:
flags=1000849 mtu
8232 index 1 inet 10.53.0.6 netmask ff000000






------------------------------

From: phn@icke-reklam.ipsec.nu
Subject: Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS
Date: Tue, 12 Oct 2004 20:11:37 +0000 (UTC)

Barry Finkel wrote:
> Mokwena Motseto wrote:


>>> Do you know of any problems I might encounter if I migrate to Microsoft
>>> DNS? I don't know what version it is, or if it has versions at all


> phn@icke-reklam.ipsec.nu replied:


>> You won't get support from this forum :-)


> Sorry to disappoint Peter, but there have been discussions of the
> interaction between MS W2k (or W2k+3) DNS Server and BIND
> on this list (and on its now-defunct sister list bind9-users@isc.org).


I know. Note the smiley above.

The very deep knowledge and discussions with "developers" are bind-specific. For
deeper knowledge of other software there are other places where authoritative
information is available.




--
Peter Hekanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.

------------------------------

From: phn@icke-reklam.ipsec.nu
Subject: Re: loopback IPs
Date: Tue, 12 Oct 2004 20:17:32 +0000 (UTC)

Larry Adamiec wrote:
> I just installed BIND 9.3.0 on a Sun Sparc Solaris 9
> machine. When running the make test, I was instructed
> to run a shell script to install some loopback IPs
> (see below). Now that I have BIND configured and
> installed, are these IPs still needed? Can I safely
> delete them?


Yes. ( they should have been removed by the test script)

Do you have the possibility to share the binaries with us?

--
Peter Hekanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.

------------------------------

Date: Tue, 12 Oct 2004 09:57:30 +0400
From: Ladislav Vobr
Subject: different view for recursive & non-recursive clients

I have a situation where I would like to have a different answer for
recursive and non-recursive clients; it basically simplifies the user
migration.

Is there any way this could be achieved? It would help me to show the
how-to-migrate page to the end users (recursive clients), while keeping
the real answer for the non-recursive clients (caching name servers).

Ladislav



------------------------------

Date: Tue, 12 Oct 2004 22:06:49 -0500
From: Flash
Subject: Fwd: Re: named error: expected prefix length near '4'

When using dig ns/soa +norec command, information for the
respective is returned and cached in the my-nets view.

Benu

; <<>> DiG 9.2.3 <<>> soa rescue911design.com @192.168.2.2
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46695
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rescue911design.com. IN SOA

;; Query time: 2 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Tue Oct 12 07:33:02 2004
;; MSG SIZE rcvd: 37


; <<>> DiG 9.2.3 <<>> soa rescue911design.com @127.0.0.1
;; global options: printcmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.2.3 <<>> soa rescue911design.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22504
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rescue911design.com. IN SOA

;; Query time: 2 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Tue Oct 12 07:33:53 2004
;; MSG SIZE rcvd: 37


; <<>> DiG 9.2.3 <<>> soa benu.widge.net @192.168.2.2
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55643
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;benu.widge.net. IN SOA

;; Query time: 20 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Tue Oct 12 07:34:06 2004
;; MSG SIZE rcvd: 32


; <<>> DiG 9.2.3 <<>> soa benu.widge.net @127.0.0.1
;; global options: printcmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.2.3 <<>> soa blkdiamonds.lan
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53132
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;blkdiamonds.lan. IN SOA

;; ANSWER SECTION:
blkdiamonds.lan. 259200 IN SOA ns1.blkdiamonds.lan.
root.blkdiamonds.lan. 200410103 28800 7200 2419200 86400

;; AUTHORITY SECTION:
blkdiamonds.lan. 259200 IN NS ns1.blkdiamonds.lan.

;; ADDITIONAL SECTION:
ns1.blkdiamonds.lan. 259200 IN A 192.168.2.2

;; Query time: 2 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Tue Oct 12 07:35:08 2004
;; MSG SIZE rcvd: 108


; <<>> DiG 9.2.3 <<>> ns blkdiamonds.lan
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59448
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;blkdiamonds.lan. IN NS

;; ANSWER SECTION:
blkdiamonds.lan. 259200 IN NS ns1.blkdiamonds.lan.

;; ADDITIONAL SECTION:
ns1.blkdiamonds.lan. 259200 IN A 192.168.2.2

;; Query time: 2 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Tue Oct 12 07:35:20 2004
;; MSG SIZE rcvd: 67

Host www.sendate.gov not found: 2(SERVFAIL)

; <<>> DiG 9.2.3 <<>> ns sendate.gov +norec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64062
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 0

;; QUESTION SECTION:
;sendate.gov. IN NS

;; AUTHORITY SECTION:
gov. 102904 IN NS B.GOV.ZONEEDIT.COM.
gov. 102904 IN NS C.GOV.ZONEEDIT.COM.
gov. 102904 IN NS D.GOV.ZONEEDIT.COM.
gov. 102904 IN NS E.GOV.ZONEEDIT.COM.
gov. 102904 IN NS F.GOV.ZONEEDIT.COM.
gov. 102904 IN NS G.GOV.ZONEEDIT.COM.
gov. 102904 IN NS A.GOV.ZONEEDIT.COM.

;; Query time: 2 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Tue Oct 12 07:45:32 2004
;; MSG SIZE rcvd: 157



Barry Margolin wrote on 10/11/2004, 6:31 PM:

> Could you provide some example queries that fail?
>
> If you try to look up something in rescue911design.com or benu.widge.net
> from your homelan, it won't use the data from the zone files, it should
> forward to the ISP nameservers. This is because you only list these
> zones in the external-nets view.





------------------------------

Date: Tue, 12 Oct 2004 23:45:56 -0700 (PDT)
From: raiden@wonko.inow.com
Subject: Going crazy! -- "Sending Notifies" not working on Redhat Enterprise

Hello,

Ok, I think I've pulled out most of my hair over the last few hours.

I have used Bind 9.2.1 with various flavors of Redhat for a while, and
have had no problems. However, I am having problems with zone
transfers and the default installation of Bind 9.2.4rc6 in RHEL v3,
and I believe that it has to do with notifies not occurring. (When I
say default installation, it is the installation that comes with RHEL
Workstation, and is not "supported" by Redhat.)

I have two servers, one the master, the second the slave. When the
slave starts up, if none of the zones have been downloaded from the
master, it successfully downloads them. Both DNS servers seem to be
fully operational. That's the good part.

The bad part is, when I restart the master server, it says in the
messages log that it is sending notifies, but none seem to be
sent. (There are no errors in the logs.) I have udp and tcp port 53
open for all traffic on both servers, but I have also tried this with
the firewalls disabled.

I have sniffed traffic on both machines, and I do not see any
notification traffic at all (I believe it should be tcp traffic over
port 53, but I don't see any traffic whatsoever when it claims it's
"sending notifies").

However, when the refresh timeout is reached, the slave server DOES
poll the master server, and DOES successfully download the new zone
file.

Has anyone else experienced such a problem?

Below are my named.custom configuration files (that are read by
named.conf as per RHEL's configuration file setup):

## master -- 64.71.162.42
options {
query-source address * port 53;
directory "/var/named";
pid-file "/var/run/named/named.pid";
allow-transfer { 64.71.162.46; };
};


logging {
category lame-servers { null; };
};

zone "myvemma.com" IN {
type master;
file "db.myvemma.com";
};

zone "subnet40.162.71.64.in-addr.arpa" {
type master;
file "db.64.71.162.40";
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "db.127.0.0";
allow-update { none; };
};

zone "." {
type hint;
file "db.cache";
};


## slave -- 64.71.162.46
options {
query-source address * port 53;
directory "/var/named";
pid-file "/var/run/named/named.pid";
};

logging {
category lame-servers { null; };
};

zone "myvemma.com" IN {
type slave;
file "slaves/bak.myvemma.com";
masters { 64.71.162.42; };
};

zone "subnet40.162.71.64.in-addr.arpa"{
type slave;
file "slaves/bak.64.71.162.40";
masters { 64.71.162.42; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "db.127.0.0";
allow-update { none; };
};

zone "." {
type hint;
file "db.cache";
};

## zone file on master
$TTL 3h
myvemma.com. IN SOA ns1.myvemma.com. support.myvemma.com. (
2004101101 ; serial
3h ; refresh after 3 hours
1h ; retry after 1 hour
1w ; expire after 1 week
1h ) ; negative caching TTL of 1 hour

myvemma.com. IN NS ns1.myvemma.com.
myvemma.com. IN NS ns2.myvemma.com.

;
; host addresses
;
localhost.myvemma.com. IN A 127.0.0.1
web01.myvemma.com. IN A 64.71.162.46
web02.myvemma.com. IN A 64.71.162.42
myvemma.com. IN A 64.71.162.46

myvemma.com. IN MX 0 myvemma.com.

www.myvemma.com. IN CNAME myvemma.com.
ns1.myvemma.com. IN CNAME web01.myvemma.com.
ns2.myvemma.com. IN CNAME web02.myvemma.com.


Any assistance with this is much, much appreciated!

Thank you,
-Raiden Johnson

------------------------------

Subject: RE: Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS
Date: Wed, 13 Oct 2004 09:02:08 +0200
From: "Mokwena Motseto"

Hi

Sorry for the misunderstanding

I was not looking for support, I was just asking people who have
been in the same situation that I am in now

what influenced their decision to choose whatever they chose to go with


-----Original Message-----
From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On
Behalf Of phn@icke-reklam.ipsec.nu
Sent: 11 October 2004 21:21
To: comp-protocols-dns-bind@isc.org
Subject: Re: Migration from BIND 4.9 to 9.2 or Microsoft DNS

Mokwena Motseto wrote:
> Hi


> We are currently running BIND 4.9 and we are under pressure to migrate
> at least to version 8 or 9


> But there is a possibility of moving to a microsoft DNS on windows
> 2003


> Our ISP's who host secondary zones for our domains are running BIND
> ver 9


> What I want you guys to help me out with is the following


> Do you know of any problems I might encounter if I migrate to BIND ver
> 9 (latest)


There are migration note(s) in the bind-9 distribution kit. Download and
read them.

Most stuff is about rfc-conformance; bind-4 might accept things that are
against standards that bind-9 will complain about. It's no argument
against bind-9, it's an argument for correcting faulty configs.

Why don't you download buikl and start up on a testmachine until you
feel familiar with the software.

> Do you know of any problems I might encounter if I migrate to
> Microsoft DNS? I don't know what version it is, or if it has versions at all


You won't get support from this forum :-)



> Mokwena Motseto



--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam
out,
remove "icke-reklam" if you feel for mailing me. Thanx.


------------------------------

End of bind-users Digest V6 #270
********************************



------------------------------

Subject: RE: installing bind
From: Techie
Date: Wed, 13 Oct 2004 05:26:37 GMT

> Do not blame the people here for the complexities in the domain name


Never intended to blame anyone here for it.
Nor do I think I did.

> We all fought the same battles you are facing and have broken the code
> over the years. Settle down and take your time... knowledge will
> follow....
> Dave...


Yup and now it works

------------------------------

Subject: RE: installing bind
From: Techie
Date: Wed, 13 Oct 2004 05:23:28 GMT

Vinny Abello wrote in

Thanks for taking your time to respond to this nag post.
After trying to get it to run for like 14 hours straight I finally got
everything to work. And amazingly now it works fine with the 4.x.x
version.

As you said, I would not be using 4.x if 9 or 8 had installed at all.

I found one big error when using Windows for this though.

If you change the IP settings of your Win 2000 box, it keeps a note of
the previous IP in a TCP/IP stack info section in the registry.

Since this is the first value for anything related to the local IP bind
will by default snag this IP number instead of your new one and thereby
not start or work at all.

I manually went through the registry and removed every occurrence of this
old IP number. In fact, four locations of it.

Then BIND 4 worked.

Now I figured out how 4 works... and as you say below here, once I
figured that out, I can surely figure out 8 and 9 as well.

ONE tiny matter though. As you say, everything is well documented in the
books but it's not designed for someone completely new to DNS and BIND at
all.

I would therefore recommend, even though the data is old, as a good
starting point to install 4 on a dummy box, get a lot of information from

Dr. DNS at http://www.acmebw.com/askmrdns/archive.php

and even so, on the very old site http://www.telemark.net/
~randallg/ntdns.htm

These two pages have exactly what I needed to get started.

> them. You'll probably have to make a named.conf file to start with.
> It's all pretty well documented in my opinion. I knew nothing about
> BIND 8 or 9 and went from 4 a long time ago without any problems
> following the documentation and the newer DNS and BIND books. They're
> very helpful.


------------------------------

From: smilesinblues@hotpop.com (Jaunty Edward)
Subject: Re: nameservers sharing IP
Date: 12 Oct 2004 21:22:03 -0700

Hi Steve,
thanks for the info, but adding zones in the server does not create a
new nameserver, it only assigns a nameserver to the new domain. But if
I try to create a new nameserver I need to have 2 IPs, which is
not so cheap, but other companies are giving it for so cheap that I
feel there is some fix to this.

Regards
Jaunty Edward

------------------------------

Date: Wed, 13 Oct 2004 15:11:53 -0400
From: Chip Mefford
Subject: my secondary ns won't answer external queries

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The server is running bind 9.3.0
Due to my cluelessness, it is having to
be a master in some places where it should be a slave, as
my DMZ isn't really settled down yet.

That said,

It works fine for internal clients, but
refuses queries externally.

It is ns2.avwashington.com
at 199.227.4.38; here is the
named.conf (truncated for space, hence
the "and so on" comment).

One can connect to port 53 with telnet, so it
isn't a firewall issue, (I think), perhaps
it is something else.

If anyone spots anything obvious, please let me know.

Thanks kindly

- --chipper


//src /etc/named.conf ver 3.0 20031205
//generated out of cmefford@avwashington.com leaking brain


acl secondaries {
    127.0.0.1/32;
    199.227.4.32/27;
};

acl internal-clients {
    127.0.0.1/32;
    192.168.0.0/24;
    199.227.4.32/27;
};

acl "bogus" { 224.254.254.254; };


logging {
    channel named_syslog {
        syslog daemon;
        severity info;
    };
    channel bind_stuff {
        file "/var/log/named";
        severity debug;
    };

    category default { named_syslog; };
    category statistics { named_syslog; bind_stuff; };
    category queries { bind_stuff; };
};

options {
    directory "/var/named";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
    blackhole { "bogus"; };
    allow-transfer { secondaries; };

    pid-file "/var/run/named/named.pid";
};


view "internal" {
    match-clients { internal-clients; };
    recursion yes;

    zone "0.168.192.in-addr.arpa" IN {
        type slave;
        file "internal/slave/db.192.168.0";
        masters {
            199.227.4.60; };
    };

    zone "avwashington.com" IN {
        type master;
        file "internal/master/internal.avwashington.com";
        allow-update { none; };
    };

    zone "4.227.199.in-addr.arpa" IN {
        type master;
        file "external/master/4.227.199.in-addr.arpa";
        allow-update { none; };
    };

//And so on,
};


view "external" {
    match-clients { !internal_clients; any; };
    recursion no;

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };

    zone "avwashington.com" IN {
        type master;
        file "external/master/avwashington.com";
        allow-update { none; };
    };

    zone "4.227.199.in-addr.arpa" IN {
        type master;
        file "external/master/4.227.199.in-addr.arpa";
        allow-update { none; };
    };
//and so on
};

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBbX3ja44x14FCa6ARAipqAKCPTWA1pAORo0oo7T2tR6s6WpCx2gCdHHlK
Ejg6q3KiIi8O8nHNqdWxjyM=
=O1IK
-----END PGP SIGNATURE-----

------------------------------

From: Ronan Flood
Subject: Re: my secondary ns won't answer external queries
Date: 13 Oct 2004 19:37:10 GMT

Chip Mefford wrote:

> One can connect to port 53 with telnet, so it
> isn't a firewall issue, (I think), perhaps
> it is something else.


Telnet uses TCP and I can query your server over TCP, but not UDP.
You need to allow access to port 53 over UDP as well as TCP.

--
Ronan Flood
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)

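Ronan's diagnosis rests on querying the server over each transport separately, which a telnet connect cannot do. The probe below is an added example for this thread, not code from the posts or from BIND: it builds a minimal A query by hand (RFC 1035 section 4.1), sends it once over UDP/53 and once over TCP/53 with the two-byte length prefix TCP needs, and reports which transport answers. It assumes an IPv4 server; the default address in `main` is the one Chip posted, and it is meant to be pointed at a server you run yourself.

```python
"""Probe a name server over UDP and TCP separately.

Added example for this thread (not from the posts or from BIND).  A
telnet connect only proves TCP/53 is reachable; resolvers use UDP first,
so the check has to send a real query over each transport.  The query is
built by hand (RFC 1035 section 4.1) so no third-party library is needed.
"""
import socket
import struct
import sys


def build_query(qname, qtype=1, txid=0x1234):
    """Encode a standard recursion-desired query for qname (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(data):
    """Return (txid, is_response, rcode, ancount) from a DNS message header."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return txid, bool(flags & 0x8000), flags & 0x000F, ancount


def query_udp(server, qname, timeout=3.0):
    """Send one query over UDP/53. Returns the parsed header or None on timeout."""
    msg = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_header(data)


def query_tcp(server, qname, timeout=3.0):
    """Same query over TCP/53, framed with the length prefix DNS-over-TCP requires."""
    msg = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, 53))
            s.sendall(struct.pack("!H", len(msg)) + msg)
            hdr = s.recv(2)
            if len(hdr) < 2:
                return None
            (length,) = struct.unpack("!H", hdr)
            data = b""
            while len(data) < length:            # read until the framed message is complete
                chunk = s.recv(length - len(data))
                if not chunk:
                    return None
                data += chunk
        except (socket.timeout, OSError):
            return None
    return parse_header(data)


def diagnose(udp_result, tcp_result):
    """Turn the two probe results into the conclusion Ronan drew."""
    if udp_result is None and tcp_result is not None:
        return "TCP/53 answers but UDP/53 does not: UDP is being filtered"
    if udp_result is None and tcp_result is None:
        return "no answer on either transport: server down or fully firewalled"
    if udp_result is not None and tcp_result is None:
        return "UDP/53 answers but TCP/53 does not: zone transfers and large answers will fail"
    return "both transports answer"


if __name__ == "__main__":
    # Defaults are the server and zone from Chip's post; pass your own on the command line.
    server = sys.argv[1] if len(sys.argv) > 1 else "199.227.4.38"
    name = sys.argv[2] if len(sys.argv) > 2 else "avwashington.com"
    u = query_udp(server, name)
    t = query_tcp(server, name)
    print("UDP:", u, "TCP:", t)
    print(diagnose(u, t))
```

`dig +notcp` and `dig +tcp` give the same two data points where dig is installed; the script only exists to show what each probe actually puts on the wire. A server that answers only over TCP will still look healthy from a telnet test and from any client that happens to fall back to TCP, which is why the poster saw internal clients working.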
------------------------------

Subject: Re: nameservers sharing IP
From: David Botham
Date: Wed, 13 Oct 2004 15:57:09 -0400

bind-users-bounce@isc.org wrote on 10/13/2004 12:22:03 AM:
> Hi Steve,
> thanks for the info, but adding zones in the server does not create a
> new nameserver it only assigns a nameserver to the new domain. But if


I think it depends on how you define a "nameserver". If you want to have
the same name server referred to by different names like this:

ns1.foo1.com
ns2.foo2.com
ns3.foo3.com

where all three domain names have the same IP, this is quite
straightforward.


However, if you want one instance of an operating system to load and run
two separate copies of name server software and have both of them use the
same IP address, well, that is practically impossible. From an IP stack
perspective, it is very difficult to have 2 processes bind to the same IP
address.


Which are you attempting to accomplish?


Dave...


> I try to create a new nameserver I need to have 2 IPs. which is
> not so cheap but other companies are giving it for so cheap that I
> feel there is some fix to this.
>
> Regards
> Jaunty Edward
>




------------------------------

Subject: Re: my secondary ns won't answer external queries
From: David Botham
Date: Wed, 13 Oct 2004 16:03:39 -0400

bind-users-bounce@isc.org wrote on 10/13/2004 03:11:53 PM:
[clip..]

> One can connect to port 53 with telnet, so it
> isn't a firewall issue, (I think), perhaps
> it is something else.


Allow both TCP and UDP over port 53 for proper operation of DNS.

>


[clip internal view...]

>
> view "external" {
> ~ match-clients { !internal_clients; any; };


The "!internal_clients" acl is redundant. Views are "order" sensitive.
That is to say, the internal view is matched first and therefore
"internal_clients" would never be considered in this view. You can safely
remove this acl entry.

> ~ recursion no;


Depending on what type of queries you expect to be honored in the external
view the above line could be your problem. The above line will limit
legal queries in the external zone to data for which the external view is
authoritative. If you are "external" and query for say "www.ibm.com" you
will have a problem.


Also, is there anything in your log files?


Dave...

[clip...]


------------------------------

Date: Wed, 13 Oct 2004 16:31:51 -0400
From: Chip Mefford
Subject: Re: my secondary ns won't answer external queries

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ronan Flood wrote:
| Chip Mefford wrote:
|
|
|>One can connect to port 53 with telnet, so it
|>isn't a firewall issue, (I think), perhaps
|>it is something else.
|
|
| Telnet uses TCP and I can query your server over TCP, but not UDP.
| You need to allow access to port 53 over UDP as well as TCP.

(doh!)

Well, yeah, that does make a big difference.

Thanks so very much.

(and you too David Botham)
- --me



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBbZC2a44x14FCa6ARAtvxAJ95tLTPZMd0k3YPwRhUZR+v+3PRlQCbBdZC
Gk7K6w5S1fnyYbA8rBOk6HM=
=GP8V
-----END PGP SIGNATURE-----

------------------------------

End of bind-users Digest V6 #271
********************************