Jonathan Reed | 25 May 21:51

multiple ints: views or separate records?

Hi,


I have a few systems with multiple physical and virtual interfaces. One system has a single A record but I'm considering splitting it up. I'd like to persuade users to talk with a specific interface depending mostly on the app and sometimes from the subnet where their request originates. I want to keep things really easy for the users. What's your experience in influencing that decision while keeping things dead simple? Keep in mind that they have the potential of communicating with the system from a number of different angles.

Is using views my best approach? Or would it be recommended to just settle and publish a bunch of CNAMEs (or A) and having them stick to using those? Or maintain both? Said another way, how well have your users adapted to name changes?

Thanks.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users <at> lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Barry Margolin | 25 May 17:22

Re: different between views and having multiple instances

In article <mailman.876.1337944460.63724.bind-users <at> lists.isc.org>,
 "Spain, Dr. Jeffry A." <spainj <at> countryday.net> wrote:

> Rather than running multiple bind instances on one server, is virtualization 
> an option for you? Thus you could build multiple virtual machines each 
> running a single bind instance.

Seems like overkill if BIND is the only thing you're running on one of 
the instances, since each VM will have to run the full OS and background 
processes.

But if you want to have a general testbed, it seems like a good fit.

-- 
Barry Margolin
Arlington, MA

Axel Rau | 25 May 13:59

9.9.1 continues to sign with inactive KSK

Hi all,

there is a KSK rollover running for framail.de.
It's an inline-signing maintain configuration, upgraded from 9.9.0.
The tags of the KSKs with their dates are (set with dnssec-settime):
---
[framail.de/KSK/1699/8(A:2012-05-23T17:55:02, I:2012-05-27T17:55:02, D:2012-05-28T17:55:02)]
[framail.de/KSK/46210/8(A:2012-05-20T16:55:03, I:2012-05-24T16:55:03, D:2012-05-25T16:55:03)]
---
46210 is inactive and still used to sign DNSKEYs (from dig +dnssec DNSKEY framail.de. at 2012-05-25T13:55):
---
framail.de.		86400	IN	RRSIG	DNSKEY 8 2 86400 20120622185603 20120523175603 46210 framail.de...
framail.de.		86400	IN	RRSIG	DNSKEY 8 2 86400 20120623175502 20120524165502 1699 framail.de...
---
Shouldn't named have ceased signing keys with this key?

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius
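
The comparison this report turns on, as an added example (not part of the original post and not BIND code): it reads the key listing and RRSIG lines quoted above and classifies each signature by whether its inception falls before or after the signing key's inactive time. It assumes the listed key times are UTC and takes the observation time from the post; the function and status names are made up for the example.

```python
import re
from datetime import datetime, timezone

# Input copied from the post above (the signer field is truncated there too).
KEYS = """\
[framail.de/KSK/1699/8(A:2012-05-23T17:55:02, I:2012-05-27T17:55:02, D:2012-05-28T17:55:02)]
[framail.de/KSK/46210/8(A:2012-05-20T16:55:03, I:2012-05-24T16:55:03, D:2012-05-25T16:55:03)]
"""
RRSIGS = """\
framail.de. 86400 IN RRSIG DNSKEY 8 2 86400 20120622185603 20120523175603 46210 framail.de...
framail.de. 86400 IN RRSIG DNSKEY 8 2 86400 20120623175502 20120524165502 1699 framail.de...
"""
ISO = "%Y-%m-%dT%H:%M:%S"
KEY_RE = re.compile(r"\[[^/\]]+/\w+/(\d+)/\d+\(A:([^,)]+), I:([^,)]+), D:([^,)]+)\)\]")

def ts(value, fmt):
    # Assumption: every timestamp is UTC (RRSIG times are; the listing does not say).
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def load_keys(text):
    """Map key tag -> activation/inactivation/deletion times from the listing."""
    keys = {}
    for tag, a, i, d in KEY_RE.findall(text):
        keys[int(tag)] = {"active": ts(a, ISO), "inactive": ts(i, ISO), "delete": ts(d, ISO)}
    return keys

def classify(rrsig_text, keys, observed):
    """Return (key tag, covered type, status) for each RRSIG presentation line."""
    results = []
    for line in rrsig_text.splitlines():
        f = line.split()
        if len(f) < 12 or f[3] != "RRSIG":
            continue
        # Field 9 is the inception time, field 10 the key tag. Inception is
        # chosen by the signer and may be backdated, so treat it as approximate.
        tag, inception = int(f[10]), ts(f[9], "%Y%m%d%H%M%S")
        key = keys.get(tag)
        if key is None:
            status = "unknown-key"
        elif observed < key["inactive"]:
            status = "key-not-yet-inactive"
        elif inception >= key["inactive"]:
            status = "signed-after-inactive"   # new signature from a retired key
        else:
            status = "signed-before-inactive"  # older signature, still published
        results.append((tag, f[4], status))
    return results

OBSERVED = ts("2012-05-25T13:55:00", ISO)  # time of the dig query in the post

if __name__ == "__main__":
    for row in classify(RRSIGS, load_keys(KEYS), OBSERVED):
        print(row)
```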

Jan-Piet Mens | 25 May 07:44

Re: different between views and having multiple instances

> I need to understand the difference between configuring bind views and
> having multiple instances of bind. I have 5 network interfaces on my server
> and I want to have 2 instances of DNS server (just for testing) and I don't
> know which one to do ?

BIND views are powerful, but configuring them can become complex.

If your machine has the resources for doing so, I'd recommend running
multiple instances of BIND, which will enable you to stop/start your
test-instances at will.  Furthermore you'll probably find configuration
of individual BIND name servers easier to create and manage. On the
down-side you'll need monitoring for the N instances, you'll probably
have N logs, etc.

Knowing what I do from your description, I would choose the N instances.

        -JP

Barry Margolin | 25 May 00:52

Re: different between views and having multiple instances

In article <mailman.872.1337885546.63724.bind-users <at> lists.isc.org>,
 Mike Hoskins <michoski <at> cisco.com> wrote:

> the other thing is if your testing needs to stop/start named for some
> reason, it might be less impactful to run separate instances.  however, if
> you run 'rndc' you will see that many of the commands can be run in a
> manner that only affects specified views.

Even if you don't have to stop the server, you might want to run 
separate instances so that there's less danger of breaking the 
named.conf used by the production server during testing.

-- 
Barry Margolin
Arlington, MA

Mike Hoskins | 24 May 20:52

Re: different between views and having multiple instances

-----Original Message-----
From: Amira Othman <a.othman <at> cairosource.com>
Date: Thursday, May 24, 2012 8:04 AM
To: <bind-users <at> lists.isc.org>
Subject: different between views and having multiple instances

>Hi all
>
>I need to understand the difference between configuring bind views and
>having multiple instances of bind. I have 5 network interfaces on my
>server
>and I want to have 2 instances of DNS server (just for testing) and I
>don't
>know which one to do ?

i'm sure others will chime in with additional detail, but i think it's
largely a matter of your needs and level of paranoia.  if you are
separating authoritative and caching functions, do you trust software to
institute that policy or do you want to have physical segregation?

i use views extensively now, and haven't had any issues...  but have gone
the physical route in the past (particularly before views existed).
however, when i did that i actually had entirely different servers on
disparate networks hosting the internal and external instances of bind.

the other thing is if your testing needs to stop/start named for some
reason, it might be less impactful to run separate instances.  however, if
you run 'rndc' you will see that many of the commands can be run in a
manner that only affects specified views.

historically there were also performance considerations, but i think those
are mostly moot with all the tuning in recent releases.

if it's all on one server, views probably make sense...


John Williams | 24 May 20:20

Re: different between views and having multiple instances

In theory, you would use views to serve up different data to subnets.  For example, you may want to show your internal clients one set of IP addresses while the external world sees a subset of that data.  That is a perfect utilization of views.

You may want to set up different instances of BIND if you have different configuration requirements, or if you want different zones to be served on different IP addresses.

Hope that helps.


From: Amira Othman <a.othman <at> cairosource.com>
To: bind-users <at> lists.isc.org
Sent: Thursday, May 24, 2012 11:04 AM
Subject: different between views and having multiple instances

Hi all

I need to understand the difference between configuring bind views and
having multiple instances of bind. I have 5 network interfaces on my server
and I want to have 2 instances of DNS server (just for testing) and I don't
know which one to do ?

thanks

Groups | 24 May 19:53

Graphing Tool

I have several years of logs that I would like to 'put into' graphs to 
see the trending.

I would like to 'import' the logs on a different server as I don't have 
to have 'real time' graphs.

Thx
Charles

Amira Othman | 24 May 17:04

different between views and having multiple instances

Hi all

I need to understand the difference between configuring bind views and
having multiple instances of bind. I have 5 network interfaces on my server
and I want to have 2 instances of DNS server (just for testing) and I don't
know which one to do ?

thanks


Rock July | 24 May 08:36

DNS64 - multiple mapping

Hi All,
 
Is it possible for me to add multiple dns64 in options? I want to have different IPv6 prefix for each IPv4 network address.
If not, what are the other possible options?
 
Thanks,
Rock
 
Ben | 23 May 20:14

Operation cancelled Error

Hi,

I am doing load testing for bind as a caching dns server. For that I 
configured one machine as client and one as server. I set up bind as a 
caching dns server and set recursive-clients 30000.

While doing the load test from the client machine via resperf, I got many 
errors in the named.run file, shown below. I checked at that time and there 
was no high cpu / memory usage on server or clients. Why is the server not 
permitted the operation?

23-May-2012 23:30:12.085 error (operation canceled) resolving 'www.thethreadexchange.com/AAAA/IN': 192.33.14.30#53
23-May-2012 23:30:12.085 error (operation canceled) resolving 'c2.nstld.net/A/IN': 192.42.93.31#53
23-May-2012 23:30:12.085 error (operation canceled) resolving 'nothirst.com/A/IN': 192.54.112.30#53
23-May-2012 23:30:12.085 error (operation canceled) resolving '172.153.42.186.in-addr.arpa/PTR/IN': 199.212.0.53#53
23-May-2012 23:30:12.085 error (operation canceled) resolving 'xxy.com/MX/IN': 192.12.94.30#53
23-May-2012 23:30:12.086 error (operation canceled) resolving '192.140.138.187.in-addr.arpa/PTR/IN': 193.0.9.3#53
23-May-2012 23:30:12.086 error (operation canceled) resolving 'mail.n-u-c.ru/A/IN': 193.232.128.6#53
23-May-2012 23:30:12.086 error (operation canceled) resolving 'www.gayteacher.net/A/IN': 108.59.10.134#53
23-May-2012 23:30:12.086 error (operation canceled) resolving 'www.forever-christies.com/A/IN': 192.12.94.30#53
23-May-2012 23:30:12.086 error (operation canceled) resolving '166.98.232.189.in-addr.arpa/PTR/IN': 200.3.13.10#53
23-May-2012 23:30:12.086 error (operation canceled) resolving '89.140.112.200.in-addr.arpa/PTR/IN': 202.12.28.140#53
23-May-2012 23:30:12.086 error (operation canceled) resolving '9z772drlt.89ys/A/IN': 192.228.79.201#53
23-May-2012 23:30:12.087 error (operation canceled) resolving 'video327.myfreecams.com/A/IN': 192.26.92.30#53
23-May-2012 23:30:12.087 error (operation canceled) resolving 'ns1.thny.bbc.co.uk/A/IN': 194.83.244.131#53
23-May-2012 23:30:12.087 error (operation canceled) resolving '6.246.26.190.in-addr.arpa/PTR/IN': 200.3.13.10#53
23-May-2012 23:30:12.087 error (operation canceled) resolving 'instagram.com/A/IN': 192.54.112.30#53
23-May-2012 23:30:12.087 error (operation canceled) resolving 'acriacao.com/A/IN': 192.12.94.30#53
23-May-2012 23:30:12.087 error (operation canceled) resolving 'technologie.gazeta.pl/A/IN': 192.203.230.10#53

rndc status shows,

version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2
CPUs found: 8
worker threads: 8
number of zones: 19
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 6400/29900/30000
tcp clients: 0/100
server is up and running

I constantly watch the rndc status command, and in the recursive clients 
field the first value increases to a maximum of 6000-6500. Why is it not 
going to the maximum which I defined, 30000?
rndc status shows 8 worker threads; when I checked with pgrep named, it 
shows only a single instance. So does it need to show 8 instances or not?
Currently we use bind as a caching name server, so why does rndc status 
show number of zones 19?

Kindly guide me to resolve above confusion.

Bind build info:
  named -V
BIND 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 built with 
'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' 
'--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' 
'--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' 
'--disable-openssl-version-check' '--with-dlz-ldap=yes' 
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes' 
'--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 
'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'

From client machine:

/usr/local/nom/bin/resperf -s 10.115.1.231 -d /root/dnsperf_test_queries.tsv
DNS Resolution Performance Testing Tool
Nominum Version 2.0.0.0

[Status] Command line: resperf -s 10.115.1.231 -d /root/dnsperf_test_queries.tsv
[Status] Sending
[Status] Reached 65536 outstanding queries
[Status] Waiting for more responses
[Status] Testing complete

Statistics:

   Queries sent:         74038
   Queries completed:    74038
   Queries lost:         0
   Run time (s):         100.000000
   Maximum throughput:   2838.000000 qps
   Lost at that point:   24.32%

What are the configuration parameters required to increase QPS for the 
server? I mean any fine tuning on the bind / OS side; please advise.

Best Regards,
Ben
