bilities like being able to shift production load for
maintenance on the named backends).
Best of luck! Let us know where you cap out!
Regards,
Mathew Eis
Northern Arizona University
Information Technology Services
-Original Message-
From: "Browne, Stuart"
Date: Thursday,
360k qps is actually quite good… the best I have heard of until now on EL was
180k [1]. There, it was recommended to manually tune the number of subthreads
with the -U parameter.
Since you’ve mentioned rmem/wmem changes, specifically you want to:
1. check for send buffer overflow; as indicated
What you are describing more generally sounds like what is known as split-view
or split-horizon DNS. In short, you split all (or part by virtue of delegation
or forwarders) of your namespace into “internal” and “external” partitions;
this is documented in the context of BIND here:
https://ftp.i
content from old and new nameservers, that will be easy
in this case since all are slaves to the same (hidden) master.
Thanks again,
Mathew Eis
Northern Arizona University
-Original Message-
From: Mark Andrews
Date: Monday, March 6, 2017 at 5:32 PM
To: Mathew Ian Eis
Cc: "bind-
Hi BIND,
Hoping someone in the community will have experience with this.
We are looking to migrate off a set of nameservers to another set of
nameservers. For all practical considerations, both sets of servers are slave
to the same hidden master, which yields interesting considerations that are
ps -C named -o start,lstart is the time since the process was started.
One can also force BIND to “reset” with a SIGHUP without actually stopping and
starting the daemon.
This will cause (among many other things) the pid file to be reset. (You can
also find a “general: notice: running” about t
Hi BIND,
We are running BIND behind a Citrix NetScaler (v 11.0) load balancer, and
recently had a report that BIND 9.11 is unable to resolve names from our public
nameservers.
The issue can be easily reproduced with the BIND 9.11 client, e.g.: $ dig
nau.edu @a.ns.nau.edu (will return status: F
server IP is 25.25.25.25 and my slave is 26.26.26.26. Using
my config from my first email and your code from your reply (let's use only the
part from the linked doc you wrote) can you provide a modified view for
internal and external for both the master and slave server?
Sorry for all the ques
I think you are pretty close. One detail that you appear to be missing is
in the linked document:
server 10.0.1.1 {
    /* Deliver notify messages to external view. */
    keys { external-key; };
};
Your slaves should have a similar statement in each view with the IP of the
master and the relevant
---
From: Tony Finch
Date: Thursday, July 14, 2016 at 3:17 AM
To: Mathew Eis
Cc: "bind-users@lists.isc.org"
Subject: Re: auto-dnssec maintain and DNSKEY removal
Mathew Ian Eis wrote:
>
> sig-validity-interval seems to only affect the expiration date of newly
>
,
Mathew Eis
-Original Message-
From: Tony Finch
Date: Wednesday, July 6, 2016 at 2:48 AM
To: Mathew Eis
Cc: "bind-users@lists.isc.org"
Subject: Re: auto-dnssec maintain and DNSKEY removal
Mathew Ian Eis wrote:
>
> Does all of that sound right?
I believ
its thing and
not hang onto zombie keys anymore.
Does all of that sound right?
Thanks again,
-Mathew Eis
From: Tony Finch
Date: Tuesday, July 5, 2016 at 10:48 AM
To: Mathew Eis , "bind-users@lists.isc.org"
Subject: Re: auto-dnssec maintain and DNSKEY removal
Mathew Ian
to-dnssec maintain and DNSKEY removal
Mathew Ian Eis wrote:
>
> We think that in some cases, named may be choosing to use a key past the
> removal date (as in [2]), while our file maintenance process removes the
> keys as per their deletion date – after which named no longer has the
Hi BIND,
The documentation for auto-dnssec maintain suggests that named will remove
DNSKEYs from zones when the deletion time marked in the metadata occurs [1].
Unfortunately, it seems this is not always the case.
We are currently trying to diagnose the source of residual DNSKEYs in our zones
I support the license change as well, and I’d like to specifically applaud the
use of a license that still allows for commercial use even while nicely asking
for the re-contribution of any improvements.
(speaking for myself and not the University)
-Mathew Eis
__
ossible; e.g.
what would you put in the NS/SOA records to keep the master hidden and the
slaves non-authoritative?
Thanks again,
-Mathew Eis
From: John W. Blue [john.b...@rrcic.com]
Sent: Monday, April 04, 2016 7:12 PM
To: Mathew Ian Eis; bind-users@lists.
Hi BIND,
I have a question about authoritative servers in a split horizon environment
(suppose two views “internal” and “external”).
Is it necessary to have separate internal authoritative (listed in internal
zone NS records, but not in whois or external NS records) servers, if the
internal re
@nau.edu
(928) 523-2960
-Original Message-
From: Michael Brunnbauer
Date: Friday, April 1, 2016 at 9:29 AM
To: Mathew Eis
Cc: "bind-users@lists.isc.org" ,
Subject: Re: Recursive bind becomes unresponsive with high load
>
>Hello Mathew,
>
>On Fri, Apr 01, 2016 at
What OS are you running your BIND server on? Is it virtualized?
Is it fully unresponsive, or could it be simply taking longer to respond than
your client timeout?
Cheers,
Mathew Eis
Northern Arizona University
Information Technology Services
mathew@nau.edu
(928) 523-2960
-Origin
Cc: "bind-users@lists.isc.org"
Subject: Re: force re-sign of individual host record?
>
> "rndc sign zone [class [view]]" should do it.
>
>In message , Mathew Ian Eis writes:
>> Hi BIND,
>>
>> Anyone know if there is a good way t
Hi BIND,
Anyone know if there is a good way to force named to resign a single host
record? (e.g. without generating new ZSKs, etc.?)
An ntp glitch recently caused our master nameserver to jump many hours into the
future, whereupon it began issuing invalid (to the world) RRSIGs with an
inceptio
sers-boun...@lists.isc.org<mailto:bind-users-boun...@lists.isc.org>
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Noel Butler
Sent: Tuesday, February 23, 2016 6:19 PM
To: bind-users@lists.isc.org<mailto:bind-users@lists.isc.org>
Subject: Re: Interesting behavior with wildcard
Hi BIND,
I’ve encountered (quite by accident) an interesting behavior in BIND with
wildcard domains:
The relevant configuration is a zone; e.g. bar.com, with what I’ll call a
“second level” wildcard host, e.g. *.foo.bar.com A 10.10.10.5 in that zone. (as
opposed to what might be considered the
Howdy Mark,
Can you please clarify the best practice for this?
> Recursive servers (honouring RD=1) however can be authoritative for zones.
In this context of "authoritative", do you mean that they can be fully
functional slaves and have a complete copy of the zone information?
I would imagine
"bind-users@lists.isc.org"
Date: Thursday, August 20, 2015 at 4:59 PM
To: "bind-users@lists.isc.org"
Subject: Re: DNSSEC secondary (free)
>On Thu, Aug 20, 2015 at 06:29:57PM +, Mathew Ian Eis wrote:
>> I believe Hurricane Electric’s free DNS https://dns.he.net/
I believe Hurricane Electric’s free DNS https://dns.he.net/ supports DNSSEC if
you do zone transfers to them. (No personal experience, but we’ve been
considering using them for the same purpose, and they seem to have a good
community reputation).
Mathew Eis
Northern Arizona University
From:
Howdy BIND,
We’ve been troubleshooting an issue with iOS print discovery using DNS-SD for
the last several weeks. We made a little bit of a breakthrough this evening
when we observed in a packet trace that the response case was fully lowercase,
regardless of the query case. It seems iOS is doin
-Original Message-
From: Tony Finch
Date: Friday, May 22, 2015 at 2:32 AM
To: Mathew Eis
Cc: "bind-users@lists.isc.org"
Subject: Re: random latency in named
>Mathew Ian Eis wrote:
>>
>> * The OS is RHEL 6.6; we just updated the kernel to
>> 2.6.32-50
Hi BIND,
I’ve been trying to track down the source of random latency in our production
servers, without much luck. At random intervals - several times an hour - named
appears to suddenly stop processing queries for around 0-2500ms, only to resume
moments later. This of course introduces latency