Re: RRL active by default?


/dev/rob0

May 2, 2014, 9:16:58 AM
to bind-...@lists.isc.org
On Thu, May 01, 2014 at 05:10:50PM -0500, Lawrence K. Chen, P.Eng.
wrote:
> Does compiling in RRL mean it's active, even without a rate-limit
> {} control block?

No, and also note that your rate-limit {} stanza could be either in
your options {} statement, or in a view {} statement. The latter
replaces rather than supplements what you have in options.

> The other day, I got reports some service is getting intermittent
> lookup failures for our ldap server.
>
> Why these appliances have to query DNS servers many times per
> second to get the address of a record with a TTL of 1 day....

Do you have them directly querying authoritative nameservers? Your
workaround, perhaps, is to have caching-only servers between your
appliances and your authoritative servers.

> In looking at the logs, I saw messages about rate-limit of various
> subnets. (but, only for the busiest 2 of 8 caching servers)

RRL should only be used on authoritative servers. Are you saying you
saw such logs from a named instance without a rate-limit stanza?
Indeed, that should not be so.

> Starting when I first updated to 9.9.4-P1. Though both had said
> they had stopped limiting responses by the time I looked.
>
> Just in case, I threw in a
>
> rate-limit {
> exempt-clients { k-state; };
> };
>
> where "k-state" is the same acl used with allow-query {} and
> allow-recursion {}.

There's also "log-only yes;" you might try.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Jeremy C. Reed

May 2, 2014, 10:23:47 AM
to Lawrence K. Chen, P.Eng., bind-...@lists.isc.org
On Thu, 1 May 2014, Lawrence K. Chen, P.Eng. wrote:

> Does compiling in RRL mean it's active, even without a rate-limit {}
> control block?

Only for the built-in Chaos "_bind" view (for id.server, authors.bind,
hostname.bind, and version.bind).

Lawrence K. Chen, P.Eng.

May 2, 2014, 6:24:18 PM
to Jeremy C. Reed, bind-...@lists.isc.org
Awww...I found messages about version.bind.
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally

Jeremy C. Reed

May 3, 2014, 12:34:12 AM
to Lawrence K. Chen, P.Eng., bind-...@lists.isc.org

> On 05/02/14 09:23, Jeremy C. Reed wrote:
> > Only for the built-in Chaos "_bind" view (for id.server, authors.bind,
> > hostname.bind, and version.bind).

On Fri, 2 May 2014, Lawrence K. Chen, P.Eng. wrote:
> Awww...I found messages about version.bind.

The workaround I use is like:

# for builtin tests do not rate-limit
# redefine chaos builtin zones
# can't redefine builtin view '_bind'
view "_dnsbench_bind" chaos {
    recursion no;
    notify no;
    allow-new-zones no;

    rate-limit {
        responses-per-second 0;
    };

    zone "version.bind" chaos {
        type master;
        database "_builtin version";
    };

    zone "hostname.bind" chaos {
        type master;
        database "_builtin hostname";
    };

    zone "authors.bind" chaos {
        type master;
        database "_builtin authors";
    };

    zone "id.server" chaos {
        type master;
        database "_builtin id";
    };
};

Or edit bin/named/config.c (you will quickly find the configuration) and
make and install.
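A defender-side check that follows from this thread (added here, not part of any post): the built-in "_bind" CHAOS view ships with rate-limit { responses-per-second 3; slip 0; } in BIND's config.c, so a burst of version.bind queries against a stock 9.9.4 server shows up as dropped replies (dig timeouts), while a custom view with a non-zero slip shows up as truncated (TC) replies. The dig outputs below are constructed samples, and the parser assumes dig was run with +ignore so that a truncated reply is not silently retried over TCP.

```python
import re
from collections import Counter

# Constructed dig outputs (not captured from the servers in the thread), as
# produced by e.g. `dig +ignore +tries=1 @ns CH TXT version.bind`:
SAMPLES = [
    # Normal answer from the built-in CHAOS view
    ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51234\n'
    ';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0\n'
    ';; ANSWER SECTION:\n'
    'version.bind.\t\t0\tCH\tTXT\t"9.9.4-P2"\n',
    # RRL "slip": an empty truncated reply telling the client to retry over TCP
    ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51235\n'
    ';; flags: qr aa tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n',
    # RRL "drop": the server sends nothing at all (what slip 0 produces)
    ';; connection timed out; no servers could be reached\n',
]

FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)


def classify(output: str) -> str:
    """Map the text of one dig run to how RRL treated the query."""
    if "connection timed out" in output:
        return "dropped"      # RRL drop: no response at all
    m = FLAGS_RE.search(output)
    if m is None:
        return "unknown"      # not a dig header we recognise
    flags = m.group(1).split()
    if "tc" in flags:
        return "slipped"      # RRL slip: truncated reply, forces TCP retry
    return "answered"


def summarize(outputs):
    """Count outcomes over a burst of queries and flag whether RRL engaged.

    Returns (counts, rate_limited). With the built-in view's slip 0 you
    should see only 'answered' and 'dropped'; 'slipped' indicates a view
    whose rate-limit stanza has a non-zero slip value.
    """
    counts = Counter(classify(o) for o in outputs)
    rate_limited = (counts["dropped"] + counts["slipped"]) > 0
    return dict(counts), rate_limited


if __name__ == "__main__":
    print(summarize(SAMPLES))
```

Feed it the output of a loop of more than three dig runs per second and a non-empty dropped count confirms the built-in view is still rate limited, which is exactly the log noise about version.bind reported above.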

Lawrence K. Chen, P.Eng.

May 7, 2014, 7:42:21 PM
to Jeremy C. Reed, bind-...@lists.isc.org
Can't seem to figure out how to work something like that into my configuration.

It doesn't like that I have "allow-recursion { k-state; };" set in
options....then something about "when using 'view' statements, all zones must
be in views."

So, I uncommented the view "ksu" { lines in my config (there used to be a
separate view for a "JOIN K-STATE" SSID, which basically sent you to a special
website regardless of what you wanted to connect to.....it was scrapped,
because users using computers running an OS that starts with W....would still
be stuck going to the site when they switched to normal wireless, even
though the TTL for the zone was only 5 seconds...)

And, then it finally crashed complaining that there was no root hints for the
view "_ksu_bind", and making a class IN view "_ksu_bind" with all the same
zones, including the hint zone....it still complained that there was no root
hints for view "_ksu_bind" and crashed.

> daemon.notice] starting BIND 9.9.4-P2 -c /var/chroot/named/etc/named/named.conf -4
> daemon.notice] built with '--prefix=/usr/local' '--sysconfdir=/etc/named'
> '--localstatedir=/var' '--with-openssl' '--enable-threads' '--enable-largefile'
> '--with-libtool' '--enable-ipv6' '--enable-newstats' '--enable-filter-aaaa'
> '--enable-rrl' 'CFLAGS=-m64 -O2' 'LDFLAGS=-Wl,-R/usr/local/ssl/lib/64
> -L/usr/local/ssl/lib/64 -Wl,-R/usr/local/lib/amd64 -L/usr/local/lib/amd64
> -Wl,-R/usr/local/lib -L/usr/local/lib'
> daemon.notice] ----------------------------------------------------
> daemon.notice] BIND 9 is maintained by Internet Systems Consortium,
> daemon.notice] Inc. (ISC), a non-profit 501(c)(3) public-benefit
> daemon.notice] corporation. Support and training for BIND 9 are
> daemon.notice] available at https://www.isc.org/support
> daemon.notice] ----------------------------------------------------
> daemon.warning] no root hints for view '_ksu_bind'
> daemon.notice] command channel listening on 127.0.0.1#953
> daemon.crit] db.c:795: REQUIRE(rdataset->rdclass == db->rdclass) failed, back trace
> daemon.crit] exiting (due to assertion failure)

Tony Finch

May 8, 2014, 5:43:02 AM
to Lawrence K. Chen, P.Eng., bind-...@lists.isc.org, Jeremy C. Reed
Lawrence K. Chen, P.Eng. <lkc...@ksu.edu> wrote:
>
> And, then it finally crashed complain that there was no root hints for the
> view "_ksu_bind", and making class IN view "_ksu_bind" with all the same
> zones, including the hint zone....it still complained that there was no root
> hints for view "_ksu_bind" and crashed.

Did you put the _ksu_bind view in the CHAOS class or leave it in the
default IN class?

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Viking, North Utsire: Easterly or southeasterly 4 or 5, occasionally 6 in
south Viking. Slight or moderate. Rain or showers. Good, occasionally poor.