bind-users Digest, Vol 1902, Issue 2
Xuan Hung
hungnx15 at viettel.com.vn
Fri Aug 1 02:56:53 UTC 2014
Dear Partner !
I think this problem of me, need have version new of Bind.
I think resolver of Bind.9.9.5 have problem when response for customer.
If recusive client of My DNS increase to 4000 then resolver response servfail.
Thanks./.
============%%-
Nguyễn Xuân Hùng
0084-966581518
P.ISP– TT CNTT – VTNet.
-----Original Message-----
From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of bind-users-request at lists.isc.org
Sent: Friday, August 01, 2014 2:51 AM
To: bind-users at lists.isc.org
Subject: bind-users Digest, Vol 1902, Issue 2
Send bind-users mailing list submissions to
bind-users at lists.isc.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/bind-users
or, via email, send a message with subject or body 'help' to
bind-users-request at lists.isc.org
You can reach the person managing the list at
bind-users-owner at lists.isc.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of bind-users digest..."
Today's Topics:
1. rndc (was: Re: Reload BIND ...) (/dev/rob0)
2. Re: rndc (Reindl Harald)
3. Re: rndc (Kevin Darcy)
4. Re: rndc (/dev/rob0)
5. Re: rndc (Reindl Harald)
6. Re: rndc (and now nsupdate too) (/dev/rob0)
7. Re: rndc (and now nsupdate too) (Reindl Harald)
8. Re: rndc (and now nsupdate too) (Kevin Darcy)
----------------------------------------------------------------------
Message: 1
Date: Thu, 31 Jul 2014 10:41:30 -0500
From: /dev/rob0 <rob0 at gmx.co.uk>
To: bind-users at lists.isc.org
Subject: rndc (was: Re: Reload BIND ...)
Message-ID: <20140731154130.GG23739 at harrier.slackbuilds.org>
Content-Type: text/plain; charset=us-ascii
On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
> i am doing reloads of named with "killall -HUP named" just because i
> disabled rndc completly for security reasons and configurations are
> generated with own software only needs named to reload
Hmm, rndc is securable. You don't have to open it to the Internet; typically you'd just bind it on 127.0.0.1. Then your rndc key will further secure it against system users. Your OS can probably give extra protective layers by firewalling it, such as this Linux
example:
iptables -vA OUTPUT -p tcp --dport 953 -m owner \
\! --gid-owner wheel -j REJECT
(This forces root and other wheel members to "chgrp wheel" before they can use rndc, as an extra inconvenience.)
Another option is to use a UNIX domain socket, which, of course avoids the network altogether.[1]
You're losing a lot of new features without rndc. This is a "throwing out the baby with the bathwater" sort of solution. Sure, this is what you are familiar with and what works for you, but to disable rndc isn't good advice for readers of this list. ISC is moving on.
See Bv9ARM.ch06.html#controls_statement_definition_and_usage and rndc-confgen(8).
[1] Unfortunately it is not clear to me how to access the socket
with rndc. The one time I tried it, I gave up and stuck with
that with which I am familiar. ISC moved on, but if the
documentation did, I don't see it. :)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
------------------------------
Message: 2
Date: Thu, 31 Jul 2014 17:56:08 +0200
From: Reindl Harald <h.reindl at thelounge.net>
To: bind-users at lists.isc.org
Subject: Re: rndc
Message-ID: <53DA6718.30907 at thelounge.net>
Content-Type: text/plain; charset="windows-1252"
Am 31.07.2014 um 17:41 schrieb /dev/rob0:
> On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
>> i am doing reloads of named with "killall -HUP named" just because
>> i disabled rndc completly for security reasons and configurations
>> are generated with own software only needs named to reload
>
> Hmm, rndc is securable. You don't have to open it to the Internet;
> typically you'd just bind it on 127.0.0.1. Then your rndc key will
> further secure it against system users. Your OS can probably give
> extra protective layers by firewalling it, such as this Linux
> example:
>
> iptables -vA OUTPUT -p tcp --dport 953 -m owner \
> \! --gid-owner wheel -j REJECT
>
> (This forces root and other wheel members to "chgrp wheel" before
> they can use rndc, as an extra inconvenience.)
>
> Another option is to use a UNIX domain socket, which, of course
> avoids the network altogether.[1]
>
> You're losing a lot of new features without rndc. This is a
> "throwing out the baby with the bathwater" sort of solution. Sure,
> this is what you are familiar with and what works for you, but to
> disable rndc isn't good advice for readers of this list. ISC is
> moving on
don't get me wrong but if someone creates *any* bind configuration
and zone-files with self developed software there are no features
rndc could provide and so disable something you don't use is the
way to go instead make is secure with other switches
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140731/45b1c349/attachment-0001.bin>
------------------------------
Message: 3
Date: Thu, 31 Jul 2014 12:11:40 -0400
From: Kevin Darcy <kcd at chrysler.com>
To: bind-users at lists.isc.org
Subject: Re: rndc
Message-ID: <53DA6ABC.4060106 at chrysler.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 7/31/2014 11:56 AM, Reindl Harald wrote:
>
> Am 31.07.2014 um 17:41 schrieb /dev/rob0:
>> On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
>>> i am doing reloads of named with "killall -HUP named" just because
>>> i disabled rndc completly for security reasons and configurations
>>> are generated with own software only needs named to reload
>> Hmm, rndc is securable. You don't have to open it to the Internet;
>> typically you'd just bind it on 127.0.0.1. Then your rndc key will
>> further secure it against system users. Your OS can probably give
>> extra protective layers by firewalling it, such as this Linux
>> example:
>>
>> iptables -vA OUTPUT -p tcp --dport 953 -m owner \
>> \! --gid-owner wheel -j REJECT
>>
>> (This forces root and other wheel members to "chgrp wheel" before
>> they can use rndc, as an extra inconvenience.)
>>
>> Another option is to use a UNIX domain socket, which, of course
>> avoids the network altogether.[1]
>>
>> You're losing a lot of new features without rndc. This is a
>> "throwing out the baby with the bathwater" sort of solution. Sure,
>> this is what you are familiar with and what works for you, but to
>> disable rndc isn't good advice for readers of this list. ISC is
>> moving on
> don't get me wrong but if someone creates *any* bind configuration
> and zone-files with self developed software there are no features
> rndc could provide and so disable something you don't use is the
> way to go instead make is secure with other switches
This thread started with "I need a way to force named to re-scan for
interfaces". Since that *is* a "feature[] that rndc could provide" it
seems like enabling rndc in a secure way is a good fit for the
requirement that was raised.
kill -HUP is way more disruptive than necessary for a mere interface
scan. It's overkill.
- Kevin
------------------------------
Message: 4
Date: Thu, 31 Jul 2014 13:51:29 -0500
From: /dev/rob0 <rob0 at gmx.co.uk>
To: bind-users at lists.isc.org
Subject: Re: rndc
Message-ID: <20140731185129.GH23739 at harrier.slackbuilds.org>
Content-Type: text/plain; charset=us-ascii
On Thu, Jul 31, 2014 at 12:11:40PM -0400, Kevin Darcy wrote:
> kill -HUP is way more disruptive than necessary for a mere
> interface scan. It's overkill.
Furthermore, on a server with lots of zones, it could cause a DoS
while zones are reloading, and named is unable to answer.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
------------------------------
Message: 5
Date: Thu, 31 Jul 2014 20:58:50 +0200
From: Reindl Harald <h.reindl at thelounge.net>
To: bind-users at lists.isc.org
Subject: Re: rndc
Message-ID: <53DA91EA.102 at thelounge.net>
Content-Type: text/plain; charset="windows-1252"
Am 31.07.2014 um 20:51 schrieb /dev/rob0:
> On Thu, Jul 31, 2014 at 12:11:40PM -0400, Kevin Darcy wrote:
>> kill -HUP is way more disruptive than necessary for a mere
>> interface scan. It's overkill.
>
> Furthermore, on a server with lots of zones, it could cause a DoS
> while zones are reloading, and named is unable to answer
agreed - loading of our currently 522 zones takes 1 second
and the maintaining cronjobs have 5 minutes difference on
slave and master
i did not pretend it's a perfect solution in every environment
but it is suiteable for many and so a valid opportunity
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140731/60bf99bf/attachment-0001.bin>
------------------------------
Message: 6
Date: Thu, 31 Jul 2014 14:08:48 -0500
From: /dev/rob0 <rob0 at gmx.co.uk>
To: bind-users at lists.isc.org
Subject: Re: rndc (and now nsupdate too)
Message-ID: <20140731190848.GI23739 at harrier.slackbuilds.org>
Content-Type: text/plain; charset=us-ascii
On Thu, Jul 31, 2014 at 05:56:08PM +0200, Reindl Harald wrote:
> Am 31.07.2014 um 17:41 schrieb /dev/rob0:
> > On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
> >> i am doing reloads of named with "killall -HUP named" just
> >> because i disabled rndc completly for security reasons and
> >> configurations are generated with own software only needs
> >> named to reload
> >
> > Hmm, rndc is securable. You don't have to open it to the
snip
> > You're losing a lot of new features without rndc. This is a
> > "throwing out the baby with the bathwater" sort of solution.
> > Sure, this is what you are familiar with and what works for
> > you, but to disable rndc isn't good advice for readers of
> > this list. ISC is moving on
>
> don't get me wrong but if someone creates *any* bind
> configuration and zone-files with self developed software
... that someone is almost surely doing it wrong. "Zone files"?
> there are no features rndc could provide and so disable
> something you don't use is the way to go instead make is
> secure with other switches
The proper tool to manage named configuration and operation, and
which in the best Unix ethic is well suited for automation, is
rndc(8).
The proper tool to manage zone data is nsupdate(8). Likewise well
suited for automation.
Unfortunately, it seems that no one with an adequate understanding of
BIND has written and released a good management frontend. Too many
of them are still wallowing around in zone file editing rather than
nsupdate and (as it seems from this thread) sending of signals rather
than rndc.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
------------------------------
Message: 7
Date: Thu, 31 Jul 2014 21:19:48 +0200
From: Reindl Harald <h.reindl at thelounge.net>
To: bind-users at lists.isc.org
Subject: Re: rndc (and now nsupdate too)
Message-ID: <53DA96D4.7060602 at thelounge.net>
Content-Type: text/plain; charset="windows-1252"
Am 31.07.2014 um 21:08 schrieb /dev/rob0:
> On Thu, Jul 31, 2014 at 05:56:08PM +0200, Reindl Harald wrote:
>> don't get me wrong but if someone creates *any* bind
>> configuration and zone-files with self developed software
>
> ... that someone is almost surely doing it wrong. "Zone files"?
>
>> there are no features rndc could provide and so disable
>> something you don't use is the way to go instead make is
>> secure with other switches
>
> The proper tool to manage named configuration and operation, and
> which in the best Unix ethic is well suited for automation, is
> rndc(8).
>
> The proper tool to manage zone data is nsupdate(8). Likewise well
> suited for automation.
>
> Unfortunately, it seems that no one with an adequate understanding of
> BIND has written and released a good management frontend. Too many
> of them are still wallowing around in zone file editing rather than
> nsupdate and (as it seems from this thread) sending of signals rather
> than rndc
zone file *editing*?
sorry, no, i developed 2008 a interface to create all zone files based
on database records, write the complete zone content in a main table
with a textfiled and a second textfiled where translation for NAT/WAN
zones happens and so there is and never was a reason to *edit* a
zone file
it is created from scratch when changes in a zone happen and cronjobs
only pull zones with the "updated-field" set to 1
that infrastructure provides a stable API for mailserver and other
backends and at the end the realted zone is created from scratch
only the fact having a 1:1 NAT and only edit records once to feed
internal and external nameservers with one action and the fact you
can change global properties like TTL if not overriden per domain
and change A-records in any zone base on our own domain working
like a CNAME but still be an A record justifies that
6 years for some hundret domains as auth nameserver proves me right
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20140731/3a22c622/attachment-0001.bin>
------------------------------
Message: 8
Date: Thu, 31 Jul 2014 15:50:49 -0400
From: Kevin Darcy <kcd at chrysler.com>
To: bind-users at lists.isc.org
Subject: Re: rndc (and now nsupdate too)
Message-ID: <53DA9E19.3070604 at chrysler.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 7/31/2014 3:08 PM, /dev/rob0 wrote:
> On Thu, Jul 31, 2014 at 05:56:08PM +0200, Reindl Harald wrote:
>> Am 31.07.2014 um 17:41 schrieb /dev/rob0:
>>> On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote:
>>>> i am doing reloads of named with "killall -HUP named" just
>>>> because i disabled rndc completly for security reasons and
>>>> configurations are generated with own software only needs
>>>> named to reload
>>> Hmm, rndc is securable. You don't have to open it to the
> snip
>>> You're losing a lot of new features without rndc. This is a
>>> "throwing out the baby with the bathwater" sort of solution.
>>> Sure, this is what you are familiar with and what works for
>>> you, but to disable rndc isn't good advice for readers of
>>> this list. ISC is moving on
>> don't get me wrong but if someone creates *any* bind
>> configuration and zone-files with self developed software
> ... that someone is almost surely doing it wrong. "Zone files"?
>
>> there are no features rndc could provide and so disable
>> something you don't use is the way to go instead make is
>> secure with other switches
> The proper tool to manage named configuration and operation, and
> which in the best Unix ethic is well suited for automation, is
> rndc(8).
>
> The proper tool to manage zone data is nsupdate(8). Likewise well
> suited for automation.
>
> Unfortunately, it seems that no one with an adequate understanding of
> BIND has written and released a good management frontend. Too many
> of them are still wallowing around in zone file editing rather than
> nsupdate and (as it seems from this thread) sending of signals rather
> than rndc.
Written? Yes. Released? Unfortunately not. It's intellectual property of
my employer.
Even with the nice GUI frontend of Infoblox, we still use our homegrown,
crudely-formatted web frontend for the vast majority of changes
(Infoblox being the backend of that frontend), since
a) our existing users are accustomed to it,
b) it's simple enough that even novices can get up to speed on it
quickly, without the possibility of causing major disruption,
c) the lack of significant eye-candy means it still runs well even in
slow and/or high-latency locations,
d) it has a more robust ACL system that I haven't seen rivaled in any
commercial product, and
e) other stuff I've added over the years, like automatic
external-to-internal sync'ing, and so forth
- Kevin
------------------------------
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
End of bind-users Digest, Vol 1902, Issue 2
*******************************************
More information about the bind-users
mailing list