self-signed or public signed certificates.
TSIG uses a pre-shared key
Regards
Klaus
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria
From: bind-users On Behalf Of Michael De
Roover
Sent: Saturday, March 8, 2025 7:36 AM
To: bind-users
> -Original Message-
> From: Petr Špaček
> Sent: Tuesday, March 4, 2025 6:11 PM
> To: Robert Wagner ; Klaus Darilion
>
> Cc: bind-us...@isc.org
> Subject: Re: XoT Testing: TLS peer certificate verification failed
>
> > I think I have solved the mystery: B
-certificate.crt -subj
"/CN=xot-test-primary.ops.nic.at" -addext
"subjectAltName=DNS:xot-test-primary.ops.nic.at,IP:193.46.106.51"
regards
Klaus
From: bind-users On Behalf Of Klaus Darilion
via bind-users
Sent: Tuesday, March 4, 2025 11:31 AM
To: Ondřej Surý
Cc: bind-us...@isc.
In my case it should not be SNI relevant, as the server only has 1 certificate
to present. Anyways, I will now test with a certificate that uses the IP
address in the Subject CN.
Regards
Klaus
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria
+tls-ca=ca.crt
+tls-hostname=xot-test-primary.ops.nic.at +tls-certfile=certificate.crt
+tls-keyfile=private.key
;; TLS peer certificate verification for 193.46.106.51#853 failed: hostname
mismatch
Regards
Klaus
From: Klaus Darilion
Sent: Thursday, February 27, 2025 5:11 PM
To: Greg Choules via
Hi! I want to test XoT between Bind9.20.6 primary and secondary.
On the primary I created a self-signed certificate with
CN=xot-test-primary.ops.nic.at and configured bind:
# Create a 10years valid self-signed certificate:
# openssl genpkey -algorithm RSA -out private.key -pkeyopt
rsa_keygen_
Darilion
Cc: Klaus Darilion via bind-users
Subject: Re: Sporadic Timeouts after upgrading to bind9.20
Hi Klaus,
we've identified an issue in the glue cache that has been causing drops in the
performance.
Can you test a development branch or do you need fix on top of 9.20?
Ondrej
--
Ondřej
Hello Evan and Petr!
Thanks for the details.
Klaus
> -Original Message-
> From: Evan Hunt
> Sent: Thursday, January 9, 2025 7:32 PM
> To: Klaus Darilion
> Cc: Greg Choules via bind-users
> Subject: Re: Binary zone file and journal compatibility between Bind9 version
Hello!
For testing I often up- and downgrade Bind versions, i.e. between 9.18, 9.20 and
9.21. I wonder how stable the binary zone file format and journal file format
is, and if there are changes in the binary format, if Bind would detect that
and behave properly.
I am concerned about zones that
I confirm that I hit the same crash, but have not had time yet to file a bug report
and provide details
Regards
Klaus
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria
From: Guillaume Bibaut
Sent: Wednesday, December 18, 2024 3:34 PM
To: Ondřej Surý
Hello!
Sometimes (serial quirks) it is necessary to force an AXFR. The "rndc retrieve"
only queues the request, so I have to "tail -f" the log file to see if the AXFR
was performed, which requires manual inspection.
I would like to have a possibility, to trigger the AXFR, and wait until the
AX
Hi Ondřej!
We run Ubuntu 24.04. Can you please update the dev-ppa too?
Thanks
Klaus
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria
From: Ondřej Surý
Sent: Monday, December 9, 2024 2:54 PM
To: Klaus Darilion
Cc: Klaus Darilion via bind
Hi Ondřej!
I can test also the development branch. I prefer deb packages (do you have
nightly builds?), but I can fallback to make&&make install
Regards
Klaus
From: Ondřej Surý
Sent: Thursday, December 5, 2024 8:36 PM
To: Klaus Darilion
Cc: Klaus Darilion via bind-users
Sub
Hi!
Sometimes it is hard to grep the logs for a certain zone, as sometimes the zone
name is within single quotation marks, sometimes not. For example:
zone at/IN: Transfer started.
transfer of 'at/IN' from ...
zone at/IN: transferred ...
transfer of 'at/IN' from ...
transfer of 'at/IN' from ...
z
ssage-
> From: Mark Andrews
> Sent: Thursday, November 21, 2024 12:26 AM
> To: Klaus Darilion
> Cc: bind-users@lists.isc.org
> Subject: Re: Bind is not using the first master for freshness checks
>
> If a notify comes in while refresh / transfer is in progress that is
rimary AA.BB.6.13#53 exceeded
So why is Bind using a master for refresh which is not the first in the list?
Thanks
Klaus
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> > I always had the impression that dnssec-signzone is a stand-alone
> > utility and signing is done either with dnssec-signzone or with
> > Bind's dnssec-policy. Does it really work to use dnssec-signzone on a
> > zone and journal that is managed by named?
>
> No, it doesn't work like that. You
Hi Matthijs!
I always had the impression that dnssec-signzone is a stand-alone utility and
signing is done either with dnssec-signzone or with Bind's dnssec-policy. Does
it really work to use dnssec-signzone on a zone and journal that is managed by
named?
Regards
Klaus
--
Klaus Dar
Hi Petr!
> It can be said that the interface pushes people to follow RFC 9276, i.e.
> no salt and no extra iterations.
>
> It is a pointless exercise which only makes servers easier to DoS for
> no benefit.
I understand your decision to push people towards RFC 9276.
> Why do you need extra sal
Hello!
With "auto-dnssec maintain;" I was used to specify the NSEC3 salt with 'rndc
signing -nsec3param'. Today I used the "dnssec-policy" and I failed to specify
the salt manually. Are there any tricks/workarounds to manually specify the
NSEC3 salt?
I know that actually the salt should be "-"
As we still have several timeouts I downgraded our server to 9.18. If you know
another workaround or need someone to test new version please let me know.
Thanks
Klaus
From: Klaus Darilion
Sent: Saturday, September 7, 2024 12:36 AM
To: Klaus Darilion ; Ondřej Surý
Cc: Klaus Darilion via bind
Correcting myself: even with { reuseport no; }; and UV_THREADPOOL_SIZE=12
still timeouts happen, but the situation improved a lot.
Regards
Klaus
From: bind-users On Behalf Of Klaus Darilion
via bind-users
Sent: Saturday, September 7, 2024 12:21 AM
To: Ondřej Surý
Cc: Klaus Darilion via bind
From: Ondřej Surý
Sent: Friday, September 6, 2024 4:08 PM
To: Klaus Darilion
Cc: Petr Špaček ; bind-users@lists.isc.org; Klaus Darilion via
bind-users
Subject: Re: Sporadic Timeouts after upgrading to bind9.20
Are you running with options { reuseport no; }; ?
You might want to try that
From: Ondřej Surý
Sent: Friday, September 6, 2024 4:10 PM
To: Klaus Darilion
Cc: Klaus Darilion via bind-users
Subject: Re: Sporadic Timeouts after upgrading to bind9.20
Hmm, what is the churn in the zones? How often there’s IXFR and how large those
changes are?
Every 30 minutes. See logs
As there just was another IXFR, for the records, here is another trace with
debug symbols installed. Thanks
Klaus
PID 1605200 - process
TID 1605200:
#0 0x7b8ceb529ee0 epoll_pwait - /usr/lib/x86_64-linux-gnu/libc.so.6
#1 0x7b8cec52c9fa - 1 - /usr/lib/x86_64-linux-gnu/libuv.so.1.0.0
#
It just happened again. I have not yet installed the debug symbols.
I query the SOA every second with 1 second timeout. Here are the traces. It
happened a few times in a row.
Below are the traces.
I noticed the timeout happened during Bind9 starting an inbound IXFR:
Sep 06 07:20:55 named[1605200]
/lib/x86_64-linux-gnu/libuv.so.1.0.0
#3 0x7b8cec5177fe - 1 - /usr/lib/x86_64-linux-gnu/libuv.so.1.0.0
#4 0x7b8ceb49ca94 - 1 - /usr/lib/x86_64-linux-gnu/libc.so.6
#5 0x7b8ceb529c3c - 1 - /usr/lib/x86_64-linux-gnu/libc.so.6
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob
Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria
From: Ondřej Surý
Sent: Wednesday, September 4, 2024 7:23 PM
To: Klaus Darilion
Cc: bind-users@lists.isc.org
Subject: Re: Sporadic Timeouts after upgrading to bind9.20
Klaus,
is that recursive or authoritative
qps we see
it more often.
Before I dig into the problem, are there any specific changes to 9.20 that I
should look at? Maybe some default value changes for socket buffers, thread
handling ...?
Thanks
Klaus
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020
> -Original Message-
> From: bind-users On Behalf Of Jan
> Schaumann via bind-users
> Sent: Tuesday, 26 March 2024 14:44
> To: bind-users@lists.isc.org
> Subject: Re: [OFF-TOPIC] Question about ClouDNS (and others') ALIAS records
>
> Karl Auer wrote:
> > I'm puzzled by the C
> -Original Message-
> From: bind-users On Behalf Of Arsen
> STASIC
> Sent: Thursday, 21 March 2024 08:47
> To: Petr Špaček
> Cc: bind-users@lists.isc.org
> Subject: Re: Crafting a NOTIFY message from the command line?
>
> * Petr Špaček [2024-03-20 09:32 (+0100)]:
> > On 1
> -Original Message-
> From: bind-users On Behalf Of Carsten
...
> It would be nice to have a "dry-run" mode in BIND 9, where BIND 9 would
> report steps it would do because of "dnssec-policy", but will not execute the
> changes.
If this Bind9 is only a hidden primary, disable all
Hi all!
I also know a colleague who was hit by the same issue, causing problems to
their zone.
Migrating from auto-dnssec to dnssec-policy can lead to operational issues. For
example that problem with different algos should be mentioned in
https://kb.isc.org/docs/dnssec-key-and-signing-p
Hi Petr!
> > For example, there are 8 secondaries (Mumbai, LosAngeles, Melbourne,
> > Atlante, SaoPaulo...) to which the XFR took 2361 seconds.
> >
> > Are there some mechanisms in Bind that put multiple XFRs together into
> a
> > common stream? Or do you have any other ideas how it come that seve
several XFRs are
equally fast?
Thanks
Klaus
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Austria
There are several tools with different features and behavior. I would take
a look at dnsperf, kxdpgun and flamethrower
regards
> -Original Message-
> From: bind-users On Behalf Of
> sami.ra...@sofrecom.com
> Sent: Wednesday, 21 June 2023 17:59
> To: bind-users@lists.isc.org
>
> > On 24. 3. 2023, at 14:36, Klaus Darilion via bind-users us...@lists.isc.org> wrote:
> >
> > Is there some rate limiting in Bind?
>
> https://bind9.readthedocs.io/en/stable/reference.html#namedconf-
> statement-notify-rate
For the records: Increasing the n
>
> https://bind9.readthedocs.io/en/stable/reference.html#namedconf-statement-notify-rate
Will that feature throttle Notifys or stop them completely for some minutes?
Thanks
Klaus
Hi!
root@cc-tld-sbg1:/var/log/tld-acct-by-customer# dpkg -l|grep bind9
ii bind9 1:9.18.6-1+ubuntu22.04.1+isc+1
amd64Internet Domain Name Server
Please help me debugging this issue: We have a TLD zone with ~3mio delegations
and updates every f
> -Original Message-
> From: bind-users On Behalf Of Mark
> Andrews
> Sent: Thursday, 9 March 2023 21:04
> To: Jan-Piet Mens
> Cc: bind-users@lists.isc.org
> Subject: Re: Correlation between NOTIFY-Source and AXFR-Source
>
> Named just uses the notify to trigger an early re
Hello!
I always was quite sure that Bind will request XFR from the Primary that sent
the NOTIFY.
config:
masters {
X.X.X.4;
X.X.X.20;
};
Bind Version 9.11.5.P4+dfsg-5.1+deb10u8
But I just saw this in the logs that the first NOTIFY is received from .20, but
AXFR is perf
> -Original Message-
> From: bind-users On Behalf Of Bob
> Harold
> Sent: Friday, 24 February 2023 19:26
> To: bind-users
> Subject: DNS DDoS protection
>
> Before answering this question, can you tell me the proper place where I
> should be asking this question?
>
> "We ar
Yes it does. I guess all name servers offer a command to force a transfer of
the zone without checking the serial. The ones I use support that:
Bind: rndc retransfer
NSD: nsd-control force_transfer
PowerDNS: pdns_control retrieve
Knot: knotc zone-retransfer
regards
Klaus
> -Ursprünglich
I checked all options of rndc to get the list of zones configured/served by
bind - but I can't find any.
Is it really not possible to get this list from a running Bind process?
Thanks
Klaus
--
Klaus Darilion, Head of Operations
nic.at GmbH, Jakob-Haringer-Straße 8/V
5020 Salzburg, Au
> Can you propose log line?
>
> Should it be one line per algorithm? Or one line with all disabled? Or
> one with all enabled? What log level? Log category? Is it okay if it
> will be almost always logging GOST? ...
I am not using Red Hat, but when debugging DNSSEC issues it would be helpful to
From: Petr Špaček
> Sent: Thursday, 19 May 2022 12:22
> To: Klaus Darilion
> Cc: bind-users@lists.isc.org
> Subject: Re: High memory consumption in bind 9.18.2
>
> On 18. 05. 22 22:39, Ondřej Surý wrote:
> > Hi Klarstein,
> >
> > Gathering the output of na
> differences are not small, for some configurations it can be even 2x or
> 3x more on 9.16 than it is on 9.18.
>
> If you encounter it again please get back to us so we can diagnose it.
>
> Thank you!
> Petr Špaček
>
>
> On 18. 05. 22 8:56, Klaus Darilion via bind-u
I remember we had similar issues with 9.18 (isc ppa packages) and hence went
back to 9.16. But I can not remember the details.
regards
Klaus
> -Original Message-
> From: bind-users On Behalf Of Ondrej
> Surý
> Sent: Wednesday, 18 May 2022 08:37
> To: Raman kumar
> Cc: bind
Hi Andrew!
DNSSEC is more costly: more Resource Records to hold on disk, to hold in
memory and more queries and more IP traffic. If the DNSSEC signing is also done
by the DNS provider there would be additional resources for the signing
service and risks when doing something wrong.
For a sing
As I have such a zone I will paste it here. But for sure it is not complete as
it was created some time ago.
regards
Klaus
$ cat types.test
$TTL 60 ; 1 minute
@ IN SOA sec1.rcode0.net. rcodezero.ipcom.at. (
36 ; serial
IIRC, Bind needs the key as long as there are signatures in the zone generated
by this key. After key deactivation I waited the RRSIG lifetime before deleting
them.
regards
Klaus
From: bind-users On Behalf Of egoitz--- via
bind-users
Sent: Monday, 24 January 2022 13:00
To: bind-users@lis
> On 10-08-2021 13:38, Klaus Darilion wrote:
> > Hi Matthijs!
> >
> >> We would like to encourage you to change your configurations to
> >> 'dnssec-policy'. See this KB article for migration help:
> >>
> >> https://kb.isc.org/docs/d
Hi Matthijs!
> We would like to encourage you to change your configurations to
> 'dnssec-policy'. See this KB article for migration help:
>
> https://kb.isc.org/docs/dnssec-key-and-signing-policy
Some comments to this KB article and dnssec-policy:
- The article should mention how to retrie
Do you think that we can get rid of CNAME too?
regards
Klaus
> -Original Message-
> From: Ondřej Surý
> Sent: Monday, 9 August 2021 19:19
> To: Klaus Darilion
> Cc: Mark Andrews ; bind-users@lists.isc.org
> Subject: Re: Does BIND supports ANAME RR
>
Does every application that uses gethostbyname have a benefit of HTTPS/SVCB?
That is what I meant.
regards
Klaus
> -Original Message-
> From: Mark Andrews
> Sent: Monday, 9 August 2021 15:55
> To: Klaus Darilion
> Cc: Evan Hunt ; Gaurav Kansal ; bind-
> u
> On 09.08.21 13:55, Klaus Darilion via bind-users wrote:
> >But honestly SVCB will not solve the ANAME problem. I will take years
> > until all resolvers/client would support SVCB whereas ANAME would be
> > implemented in the authoritative name server
>
> resolving on
> -Original Message-
> From: bind-users On Behalf Of Evan
> Hunt
> Sent: Saturday, 7 August 2021 20:21
> To: Gaurav Kansal
> Cc: bind-users@lists.isc.org
> Subject: Re: Does BIND supports ANAME RR
>
> On Sat, Aug 07, 2021 at 11:05:51PM +0530, Gaurav Kansal wrote:
> > I need t
Hello!
Bind version: 9.16.19-1+ubuntu18.04.1+isc+1
Recently I discovered these logs:
09:13:12 named[3234]: _default: sending trust-anchor-telemetry query
'_ta-/NULL'
09:13:12 named[3234]: validating ./NSEC: no valid signature found
09:13:12 named[3234]: validating ./SOA: no valid signatu
Nevertheless I think there is a bug. IIR the previous default was 100% (switch
to AXFR if IXFR would be greater than AXFR) and we also saw plenty of AXFR
although the IXFR difference was very small and far away from 100%
regards
Klaus
> -Original Message-
> Von: bind-users Im Auf
Hello!
On our servers where we use Bind 9.16, named needs approx. 29G RAM. On the
servers with Bind 9.11 named needs approx. 25G RAM.
Is this a known issue? Are there some config options to tune memory consumption?
Thanks
Klaus
on: bind-users Im Auftrag von Klaus
> Darilion
> Sent: Thursday, 11 March 2021 21:24
> To: bind-users@lists.isc.org
> Subject: AXFR Problems sind Upgrade to 9.16.12
>
> Hello!
>
> Our setup: Customer Primary --> bind-1 --> bind-2 --> public secondaries
> (
I will - in the meantime: do you have older ppa packages somewhere on archive?
Thanks
Klaus
> -Original Message-
> From: Ondřej Surý
> Sent: Thursday, 11 March 2021 21:49
> To: Klaus Darilion
> Cc: bind-users@lists.isc.org
> Subject: Re: AXFR Proble
I just wanted to add, that AXFR of all other hosted zones work fine (even
bigger ones). Only this single zone fails.
Thanks
Klaus
> -Original Message-
> From: bind-users On Behalf Of Klaus
> Darilion
> Sent: Thursday, 11 March 2021 21:24
> To: bind-user
Hello!
Our setup: Customer Primary --> bind-1 --> bind-2 --> public secondaries
(NSD/bind)
Today we upgraded bind-1 and bind-2 from:
9.16.6-3+ubuntu18.04.1+isc+3 ---> 9.16.12-2+ubuntu18.04.1+isc+1
AXFR from customer to bind-1 still works. But since the upgrade, bind-2 can not
transfer the
Thanks - now it works.
Klaus
From: Shumon Huque
Sent: Thursday, 9 July 2020 13:44
To: Daniel Stirnimann
Cc: Klaus Darilion ; bind-users@lists.isc.org
Subject: Re: AW: How to prepublish additional DNSKEY
On Thu, Jul 9, 2020 at 6:44 AM Daniel Stirnimann
mailto:daniel.stirnim...@switch.ch
> > So, how is the correct process to add an additional DNSKEY (only the public
> key is known).
>
> I think you are looking for `dnssec-importkey`.
Indeed. I imported the key and got a .key and .private file. I put those files
in the same directory as the other keys, gave read permissions to bi
Hello all!
A signed zone shall be moved to another DNS provider. Hence I want to add the
public KSK of the gaining DNS provider as additional DNSKEY to the zone. My
setup is:
Bind1 as hidden primary --> Bind2 as bump-in-the-wire signer -> public facing
secondaries
I tried to add the DNSKEY t
> -Original Message-
> From: bind-users On Behalf Of Cathy
> Almond
> Sent: Tuesday, 9 June 2020 14:30
> To: bind-users@lists.isc.org
> Subject: Re: NSEC3 salt change - temporary performance decline
...
>
> FYI this will be fixed in the June 2020 BIND releases (in 9.11.20,
>
> On 15.04.20 at 10:08, Ondřej Surý wrote:
> > you need to stop being rude to people on the bind-users mailing list,
> > personal attacks are not acceptable behaviour here. You should apologize
> > to Klaus.
>
> it's not a personal attack to clearly point out that discussions of
> distribution le
Thanks for answer!
So actually it is just a cosmetic change not addressing a real problem.
I will miss the bind9 service :-(
Klaus
> -Original Message-
> From: Ondřej Surý
> Sent: Wednesday, 15 April 2020 10:15
> To: Klaus Darilion
> Cc: bind-users@lists.is
> -Original Message-
> From: bind-users On Behalf Of Reindl
> Harald
> Sent: Wednesday, 15 April 2020 09:17
> To: bind-users@lists.isc.org
> Subject: Re: Debian/Ubuntu: Why was the service renamed from bind9 to
> named?
>
>
>
> Am 15.04.2
> > It would be great if you undo this change before release of 18.04
>
> you confuse the upstream project with your distribution
>
> bind9 was completely wrong in the debian world as well as apache2 for
> httpd, on sane distributions it's "httpt" and "named" all the years
> because it's nonsense t
20 at 08:56, Reindl Harald wrote:
> >
> >
> > On 15.04.20 at 08:51, Klaus Darilion wrote:
> >> Hello!
> >>
> >> What is the rationale of:
> >>
> >> bind9 (1:9.13.6-1) experimental; urgency=medium
> >> ...
> >> * Rename
Hello!
What is the rationale of:
bind9 (1:9.13.6-1) experimental; urgency=medium
...
* Rename the init scripts to named to match the name of the daemon
Since years, Debian and Ubuntu User, and plenty of scripts and automation
software (Puppet ...), know that the service is called "bind9". I
max-ixfr-ratio introduced with 9.17.0 sounds like a workaround instead
of a bugfix.
Anyway, can you recommend a sensible settings? I.e. when does the
performance problem of "large" IXFR starts to happen? Does this depend
on the ratio of the IXFR-size to zone-size, or does it depend on the
siz
Hello all!
Will bind refuse (close) the new TCP connections, or will it accept the
new connection and closes the longest idle TCP connection? Or even better?
Thanks
Klaus
On 21.01.2020 at 16:40, Ondřej Surý wrote:
> We are currently investigating performance degradation related to big IXFRs.
> Do you use ixfr-from-differences in your BIND configuration? You could try
> enforcing AFRX on salt change.
>
> This is currently tracked as
> https://gitlab.isc.org/is
Hello Niels!
Thanks for bringing this to attention. I have reported it before [1][2]
without response.
We see this regularly. AFAIS it happens actually always, but if the IXFR
is small, the performance decline is so short that you usually won't
notice it.
The bigger the zonechange ie NSEC3 change
On 12.09.2019 at 17:39, Roberto Carna wrote:
Hi people, is it possible to setup BIND in order to implement GSLB
(Global Service Load Balancing) between two sites ?
I need a near Active-Active scenario between two datacenters in
different locations, and I want to do this with an open source so
Hi Tony!
On 31.07.2019 at 12:44, Tony Finch wrote:
> Klaus Darilion wrote:
>>
>> What does the log message "journal file is out of date: removing journal
>> file" exactly mean? Is it somehow problematic?
>
> After loading a zone, named discovers the seri
Hello!
BIND 9.12.2-P2, max-journal-size 1m;
What does the log message "journal file is out of date: removing journal
file" exactly mean? Is it somehow problematic?
I have bind as bump in the wire signer, and regularly problems with slow
zone updates for a specific zone which often, almost every
Hi Tony!
On 12.07.2019 at 13:00, Tony Finch wrote:
> Yes, that is curious. Are you sure it isn't actually doing an
> IXFR-flavoured AXFR of the whole zone, rather than a delta?
We have a setup with several Bind in a row:
hidden master
customer
(software unknown)
|
|
V
o
Hi!
I wonder how Bind as master handles IXFR when the requested IXFR would
be much than the AXFR. (For example: if you change the NSEC3 salt).
Are there some mechanisms to detect such a situation and trigger a
fallback to AXFR or will Bind always perform IXFR?
thanks
Klaus
PS: AFAIK the max jou
On 21.05.2019 at 22:31, Ict Security wrote:
Under heavy load, Bind becomes extremely load above a certain number of
Qps but, if i query an alias IP address (where normally queries don't
arrive), Bind answers immediately.
btw - how high is the "extremely load"?
Klaus
On 20.05.2019 at 20:16, Ict Security wrote:
How could i increase the number of socket on a single IP address,
since Bind is working perfectly on the secondary address,
when the first one is stuck?
If the incoming traffic is bursty it may happen that the receive queue
of the socket is full a
On 25.04.2019 at 14:10, Martin Meadows via bind-users wrote:
Wondering if anyone is aware of a max file size or max number of lines
that a given BIND zone file can contain?
IF you use a journal, things may get complicated if your journal is over
2G: https://kb.isc.org/docs/aa-01627
regar
Hello!
We have a problem with Bind [2] during incoming IXFR. When there is a
huge IXFR (ie 1,8GB transferred in 15minutes [1]), the response time
heavily increases. Using dsc's newest "Reponse Time Indexer" we clearly
see that Bind answers slow:
Response Time normal during
Window
On 14.07.2018 at 00:38, Matthew Pounsett wrote:
> On 13 July 2018 at 06:04, Michał Kępień wrote:
>
>> Hopefully this will shed some light on the matter:
>>
>> https://gitlab.isc.org/isc-projects/bind9/issues/339#note_12805
>>
>> That is helpful, thanks. That comment says the issue require
What is an "extraordinarily large zone transfer"? We do have regularly
AXFR and IXFRs around 2GB. Is this "extraordinarily large"?
regards
Klaus
Forwarded Message
Subject: Operational Notification: Extremely large zone transfers can
result in corrupted journal file
Hi Anand!
On 09.07.2018 at 14:04, Anand Buddhdev wrote:
On 09/07/2018 13:50, Klaus Darilion wrote:
Hi Klaus,
named-journalprint dumps the journal without any time information.
Does the journal include time information? (Timestamp of add/del)
If yes, can I somehow extract the timestamps
Hi!
named-journalprint dumps the journal without any time information.
Does the journal include time information? (Timestamp of add/del)
If yes, can I somehow extract the timestamps?
thanks
Klaus
On 04.06.2018 at 14:20, Ict Security wrote:
Hi guys,
we are running a Bind 9.x Server, everything is going fine.
Under particular heavy load moments, with some hundreds of concurrent
queries coming in, sometime Bind stops answering for some seconds or
answer with important delays.
But, when i
This time with log file attached
Thanks
Klaus
On 23.04.2018 at 14:55, Klaus Darilion via bind-users wrote:
> Hi all!
>
> Upgrading to Ubuntu 16.04 with Bind 9.10.3 did not solve the problem.
>
> I enabled debug log (trace 2) and query logging. Unless my monitoring
> tr
locking operations in bind?
Thanks
Klaus
On 15.03.2018 at 14:45, Klaus Darilion wrote:
> Hi!
>
> I use bind 9.9.5.dfsg-3ubuntu0.17 with around 20 slave zones (from small
> to huge).
>
> I query the SOA of every configured zone once a second to monitor bind.
>
> Once
Hi Latitude!
Short answer: I think 2s delay is not possible in a distributed system
with many global distributed slaves and limited resources.
Long answer: It all depends on how much money you have and time in
setting up such a service - long comments inline.
Am 07.03.2018 um 07:10 schrieb
Hi!
I use bind 9.9.5.dfsg-3ubuntu0.17 with around 20 slave zones (from small
to huge).
I query the SOA of every configured zone once a second to monitor bind.
Once a day my script reports timeouts (3 seconds) querying a SOA. This
server is a test server, hence it is idle except the monitoring ch
On 14.03.2018 at 15:20, Tony Finch wrote:
> Klaus Darilion wrote:
>>
>> I have now set
>> max-journal-size 50M;
>> and restarted bind a few times. But the journal files are still GBytes.
>> When should Bind flush the journal into the zone file?
>
On 14.03.2018 at 13:38, Tony Finch wrote:
> Klaus Darilion wrote:
>>
>> Thanks for the detailed answer. So I will use a few MBytes. But would it
>> be possible to set max-journal-size=0?
>
> There's a minimum journal size (the calculation in the code comes to
On 14.03.2018 at 13:04, Tony Finch wrote:
> Klaus Darilion wrote:
>>
>> But on a server with slave-zone only (fetched by ixfr) - do I need a
>> journal at all? How can I disable it - by setting the max-size to 0?
>
> The journal reduces the cost of re-writing zone
On 14.03.2018 at 13:10, Ray Bellis wrote:
> On 14/03/2018 12:08, Anand Buddhdev wrote:
>
>> Not that I know of. The amount of RAM in a server is probably the most
>> significant limit for loading zones into BIND.
>
> Anand is correct - there's no intrinsic limit other than RAM.
>
> I personal