diff options
Diffstat (limited to 'contrib/bind/doc/misc/FAQ.2of2')
-rw-r--r-- | contrib/bind/doc/misc/FAQ.2of2 | 2071 |
1 files changed, 0 insertions, 2071 deletions
diff --git a/contrib/bind/doc/misc/FAQ.2of2 b/contrib/bind/doc/misc/FAQ.2of2 deleted file mode 100644 index f9594ee..0000000 --- a/contrib/bind/doc/misc/FAQ.2of2 +++ /dev/null @@ -1,2071 +0,0 @@ -Path: senator-bedfellow.mit.edu!bloom-beacon.mit.edu!news.kodak.com!news-nysernet-16.sprintlink.net!news-in-east1.sprintlink.net!news.sprintlink.net!newshub.northeast.verio.net!news.idt.net!newsin.iconnet.net!IConNet!not-for-mail -From: cdp2582@hertz.njit.edu (Chris Peckham) -Newsgroups: comp.protocols.tcp-ip.domains,comp.answers,news.answers,comp.protocols.dns.bind -Subject: comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ) (Part 2 of 2) -Supersedes: <cptd-faq-2-911181667@njit.edu> -Followup-To: comp.protocols.tcp-ip.domains -Organization: NJIT.EDU - New Jersey Institute of Technology, Newark, NJ, USA -Lines: 2050 -Sender: cdp@chipmunk.iconnet.net -Approved: news-answers-request@MIT.EDU -Distribution: world -Expires: Wednesday, 20 Jan 99 11:47:26 EDT -Message-ID: <cptd-faq-2-913826846@njit.edu> -References: <cptd-faq-1-913826846@njit.edu> -Reply-To: domain-faq@pfmc.net (comp.protocols.tcp-ip.domains FAQ comments) -Keywords: BIND,DOMAIN,DNS -X-Posting-Frequency: posted during the first week of each month -Date: Wed, 16 Dec 1998 16:47:32 GMT -NNTP-Posting-Host: chipmunk.iconnet.net -NNTP-Posting-Date: Wed, 16 Dec 1998 11:47:32 EDT -Xref: senator-bedfellow.mit.edu comp.protocols.tcp-ip.domains:22180 comp.answers:34269 news.answers:146737 comp.protocols.dns.bind:6040 - -Posted-By: auto-faq 3.3 beta (Perl 5.004) -Archive-name: internet/tcp-ip/domains-faq/part2 - -(Continued from Part 1, where you'll find the introduction and -table of contents.) - - -=============================================================================== - -Section 5. CONFIGURATION - - Q5.1 Upgrading from 4.9.x to 8.x - Q5.2 Changing a Secondary server to a Primary server ? - Q5.3 Moving a Primary server to another server - Q5.4 How do I subnet a Class B Address ? - Q5.5 Subnetted domain name service - Q5.6 Recommended format/style of DNS files - Q5.7 DNS on a system not connected to the Internet - Q5.8 Multiple Domain configuration - Q5.9 wildcard MX records - Q5.10 How do you identify a wildcard MX record ? - Q5.11 Why are fully qualified domain names recommended ? - Q5.12 Distributing load using named - Q5.13 Round robin IS NOT load balancing - Q5.14 Order of returned records - Q5.15 resolv.conf - Q5.16 How do I delegate authority for sub-domains ? - Q5.17 DNS instead of NIS on a Sun OS 4.1.x system - Q5.18 Patches to add functionality to BIND - Q5.19 How to serve multiple domains from one server - Q5.20 hostname and domain name the same - Q5.21 Restricting zone transfers - Q5.22 DNS in firewalled and private networks - Q5.23 Different DNS answers for same RR - ------------------------------------------------------------------------------ - -Question 5.1. Upgrading from 4.9.x to 8.x - -Date: Wed Jul 9 22:00:07 EDT 1997 - -Q: Help ! How do I use the Completely new configuration syntax in BIND 8 -? I've attempted to upgrade bind from 4.9.5 to 8.1, but unfortunately it -didn't seem to like the same config/zone files.. is this normal or should -8.1 be able to read the same files as 4.9.5 did? - -A: If you then look in doc/html/config.html, you will find directions on -how to convert a 4.9.x .boot file to 8.x .conf file, as well as directions -on how to utilize all of the new features of the 8.x .conf file format. - ------------------------------------------------------------------------------ - -Question 5.2. Changing a Secondary server to a Primary server ? - -Date: Fri Jul 5 23:54:35 EDT 1996 - -For 4.8.3, it's prudent to kill and restart following any changes to -named.boot. - -In BIND 4.9.3, you only have to kill and restart named if you change a -primary zone to a secondary or v-v, or if you delete a zone and remain -authoritative for its parent. Every other case should be taken care of by -a HUP. (Ed. note: 4.9.3b9 may still require you to kill and restart the -server due to some bugs in the HUP code). - -You will also need to update the server information on the root servers. -You can do this by filing a new domain registration form to inform -InterNIC of the change. They will then update the root server's SOA -records. This process usually takes 10-12 business days after they -receive the request. - ------------------------------------------------------------------------------ - -Question 5.3. Moving a Primary server to another server - -Date: Fri Jul 5 23:54:35 EDT 1996 - -The usual solution is to move the primary to ns.newserver.com, and have -ns.oldserver.com be configured as a secondary server until the change to -the root servers takes place after the request has been made to the -InterNIC. - -If you are moving to a different ISP which will change your IP's, the -recommend setting for the SOA that would minimize problems for your name -servers using the old settings can be done as follows: - -Gradually lower the TTL value in your SOA (that's the last one of the five -numbers) to always be equal to the time left until you change over. -(assuming that none of your resource records have individual TTL's set, if -so, do likewise with them.) So, the day before, lower to 43200 seconds -(12 hours). Then lower every few hours to be the time remaining until -the change-over. So, an hour before the change, you may just want to -lower it all the way to 60 seconds or so. That way no one can cache -information past the change-over. - -After the change, start gradually incrementing the TTL value, because -you'll probably be making changes to work out problems. Once everything -stabilizes, move the TTL up to whatever your normal values are. - -To minimize name servers from using the "old settings", you can do the -same thing with the "refresh" interval in the SOA (the second number of -the SOA). That will tell the secondaries to refresh every X seconds. -Lower that value as you approach the changeover date. You probably don't -want to go much below an hour or you'll start the primary thrashing as all -the secondaries perpetually refresh. - -Also see the answer to the "How can I change the IP address of our server -?" in the INTRODUCTION section. - ------------------------------------------------------------------------------ - -Question 5.4. How do I subnet a Class B Address ? - -Date: Mon Jun 15 23:21:39 EDT 1998 - -That you need to subnet at all is something of a misconception. You can -also think of a class B network as giving you 65,534 individual hosts, and -such a network will work. You can also configure your class B as 16,384 -networks of 2 hosts each. That's obviously not very practical, but it -needs to be made clear that you are not constrained by the size of an -octet (remember that many older devices would not work in a network -configured in this manner). - -So, the question is: why do you need to subnet? One reason is that it is -easier to manage a subnetted network, and in fact, you can delegate the -responsibility for address space management to local administrators on the -various subnets. Also, IP based problems will end up localized rather -than affecting your entire network. - -If your network is a large backbone with numerous segments individually -branching off the backbone, that too suggests subnetting. - -Subnetting can also be used to improve routing conditions. - -You may wish to partition your network to disallow certain protocols on -certain segments of your net. You can, for example, restrict IP or IPX to -certain segments only by adding a router routing high level protocols, -and across the router you may have to subnet. - -Finally, as far as how many subnets you need depends on the answer to the -above question. As far as subnet masks are concerned, the mask can be -anything from 255.0.0.0 to 255.255.255.252. You'll probably be looking at -9 or 10 bits for the subnet (last octet 128 or 192 respectively). RFC -1219 discusses the issue of subnetting very well and leaves the network -administrator with a large amount of flexibility for future growth. - -(The following section was contributed by Berislav Todorovic.) - -A user or an ISP, having a whole /16 sized IP block (former "Class B") -network assigned/allocated, has the responsibility of maintaining the -reverse domain for the whole network. That policy is currently applied by -all regional Internet registries (RIPE NCC, ARIN, APNIC). In other words, -if you're assigned a whole "B class" (say, 10.91/16), you're in charge for -the whole 91.10.IN-ADDR.ARPA zone. This zone may be organized using two -methods, according to the network topology being in use. - -The first, "brute force" method is to place all PTR records directly into -a single zone file. Example: - - $origin 91.10.in-addr.arpa - @ IN SOA (usual stuff) - IN NS ns1.mydomain.com. - IN NS ns2.mydomain.com. - - 1.1 IN PTR one-1.mydomain.com. ; ---> 10.91.1.1 - 2.1 IN PTR one-2.mydomain.com. ; ---> 10.91.1.2 - ... - 254.1 IN PTR one-254.mydomain.com. ; ---> 10.91.1.254 - 1.2 IN PTR two-1.mydomain.com. ; ---> 10.91.2.1 - -While this approach may look simple in the networks with a central -management authority (say, campus networks), maintaining such a zone file -becomes more and more difficult in the more complex environment. Thus, -this becomes a bad method. Furthermore, if you're an ISP, it is more -likely that a /16 network will be subnetted and its subnets be assigned to -your customers. - -Therefore, another "smarter" approach is to delegate portions of the -reverse domain 91.10.IN-ADDR.ARPA to the end users of the subnets of -10.91/16. There would only be NS records in the zone file, while PTR -record insertion would be the responsibility of the end users. For -example, if you assign: - - * 10.91.0.0/22 (10.91.0.0 - 10.91.3.255) to Customer-A.COM - * 10.91.4.0/23 (10.91.4.0 - 10.91.5.255) to Customer-B.COM - * 10.91.7.0/24 (10.91.7.0 - 10.91.7.255) to Customer-C.COM - -then each customer will maintain zone files for the reverse domains of -their own networks (say, Customer C will maintain the zone -7.91.10.IN-ADDR.ARPA, customer B their 2 zones, Customer A their own 4 -zones). In this constellation, the zone file for reverse domain -91.10.IN-ADDR.ARPA will look like this: - - $origin 91.10.in-addr.arpa - @ IN SOA (usual stuff) - IN NS ns1.mydomain.com. - IN NS ns2.mydomain.com. - - ; --- Customer-A.COM - - - 0 IN NS ns.customer-A.com. - IN NS ns1.mydomain.com. - 1 IN NS ns.customer-A.com. - IN NS ns1.mydomain.com. - 2 IN NS ns.customer-A.com. - IN NS ns1.mydomain.com. - 3 IN NS ns.customer-A.com. - IN NS ns1.mydomain.com. - - ; --- Customer-B.COM - - 4 IN NS ns.customer-B.com. - IN NS ns1.mydomain.com. - 5 IN NS ns.customer-B.com. - IN NS ns1.mydomain.com. - - ; --- Customer-C.COM - - 7 IN NS ns.customer-C.com. - IN NS ns1.mydomain.com. - -The zone file of the Customer C reverse domain would look like this: - - $origin 7.91.10.in-addr.arpa - @ IN SOA (usual stuff) - IN NS ns.customer-C.com. - IN NS ns1.mydomain.com. - - 1 IN PTR one.customer-C.com. - 2 IN PTR two.customer-C.com. - 3 IN PTR three.customer-C.com. - ... - ------------------------------------------------------------------------------ - -Question 5.5. Subnetted domain name service - -Date: Thu Jul 16 10:50:41 EDT 1998 - -If you are looking for some examples of handling subnetted class C -networks as separate DNS domains, see RFC 2317 for more information. - -Details follow- You need to delegate down to the fourth octet, so you will -have one domain per IP address ! Here is how you can subdelegate a -in-addr.arpa address for non-byte aligned subnet masks: - -Take as an example the net 192.1.1.x, and example subnet mask -255.255.255.240. - -We first define the domain for the class C net, - - $origin 1.1.192.in-addr.arpa - @ SOA (usual stuff) - @ ns some.nameserver - ns some.other.nameserver - ; delegate a subdomain - one ns one.nameserver - ns some.nameserver - ; delegate another - two ns two.nameserver - ns some.nameserver - ; CNAME pointers to subdomain one - 0 CNAME 0.one - 1 CNAME 1.one - ; through - 15 CNAME 15.one - ; CNAME pointers to subdomain two - 16 CNAME 16.two - 17 CNAME 17.two - 31 CNAME 31.two - ; CNAME as many as required. - -Now, in the delegated nameserver, one.nameserver - - $origin one.1.1.192.in-addr.arpa - @ SOA (usual stuff) - NS one.nameserver - NS some.nameserver ; secondary for us - 0 PTR onenet.one.domain - 1 PTR onehost.one.domain - ; through - 15 PTR lasthost.one.domain - -And similar for the two.1.1.192.in-addr.arpa delegated domain. - -There is additional documentation and a perl script that may be used for -this purpose available for anonymous ftp from: - -ftp.is.co.za : /networking/ip/dns/gencidrzone/gencidrzone - ------------------------------------------------------------------------------ - -Question 5.6. Recommended format/style of DNS files - -Date: Sun Nov 27 23:32:41 EST 1994 - -This answer is quoted from an article posted by Paul Vixie: - - I've gone back and forth on the question of whether the BOG should - include a section on this topic. I know what I myself prefer, but - I'm wary of ramming my own stylistic preferences down the throat of - every BOG reader. But since you ask :-)... - - Create /var/named. If your system is too old to have a /var, either - create one or use /usr/local/adm/named instead. Put your named.boot - in it, and make /etc/named.boot a symlink to it. If your system - doesn't have symlinks, you're S-O-L (but you knew that). In - named.boot, put a "directory" directive that specifies your actual - BIND working directory: - - directory /var/named - - All relative pathnames used in "primary", "secondary", and "cache" - directives will be evaluated relative to this directory. Create two - subdirectories, /var/named/pri and /var/named/sec. Whenever you add - a "primary" directive to your named.boot, use "pri/WHATEVER" as the - path name. And then put the primary zone file into "pri/WHATEVER". - Likewise when you add "secondary" directives, use "sec/WHATEVER" and - BIND (really named-xfer) will create the files in that - subdirectory. - - (Variations: (1) make a midlevel directory "zones" and put "pri" and - "sec" into it; (2) if you tend to pick up a lot of secondaries from - a few hosts, group them together in their own subdirectories -- - something like /var/named/zones/uucp if you're a UUCP Project name - server.) - - For your forward files, name them after the zone. dec.com becomes - "/var/named/zones/pri/dec.com". For your reverse files, name them - after the network number. 0.1.16.in-addr.arpa becomes - "/var/named/zones/pri/16.1.0". - - When creating or maintaining primary zone files, try to use the same - SOA values everywhere, except for the serial number which varies per - zone. Put a $ORIGIN directive at the top of the primary zone file, - not because its needed (it's not since the default origin is the - zone named in the "primary" directive) but because it make it easier - to remember what you're working on when you have a lot of primary - zones. Put some comments up there indicating contact information - for the real owner if you're proxying. Use RCS and put the "Id" - in a ";" comment near the top of the zone file. - - The SOA and other top level information should all be listed - together. But don't put IN on every line, it defaults nicely. For - example: - -============== -@ IN SOA gw.home.vix.com. postmaster.vix.com. ( - 1994082501 ; serial - 3600 ; refresh (1 hour) - 1800 ; retry (30 mins) - 604800 ; expire (7 days) - 3600 ) ; minimum (1 hour) - - NS gw.home.vix.com. - NS ns.uu.net. - NS uucp-gw-1.pa.dec.com. - NS uucp-gw-2.pa.dec.com. - - MX 10 gw.home.vix.com. - MX 20 uucp-gw-1.pa.dec.com. - MX 20 uucp-gw-1.pa.dec.com. -============== - - I don't necessarily recommend those SOA values. Not every zone is - as volatile as the example shown. I do recommend that serial number - format; it's in date format with a 2-digit per-day revision number. - This format will last us until 2147 A.D. at which point I expect a - better solution will have been found :-). (Note that it would last - until 4294 A.D. except that there are some old BINDs out there that - use a signed quantity for representing serial number internally; I - suppose that as long as none of these are still running after 2047 - A.D., that we can use the above serial number format until 4294 - A.D., at which point a better solution will HAVE to be found.) - - You'll note that I use a tab stop for "IN" even though I never again - specify it. This leaves room for names longer than 7 bytes without - messing up the columns. You might also note that I've put the MX - priority and destination in the same tab stop; this is because both - are part of the RRdata and both are very different from MX which is - an RRtype. Some folks seem to prefer to group "MX" and the priority - together in one tab stop. While this looks neat it's very confusing - to newcomers and for them it violates the law of least - astonishment. - - If you have a multi-level zone (one which contains names that have - dots in them), you can use additional $ORIGIN statements but I - recommend against it since there is no "back" operator. That is, - given the above example you can add: - -============= -$ORIGIN home -gw A 192.5.5.1 -============= - - The problem with this is that subsequent RR's had better be - somewhere under the "home.vix.com" name or else the $ORIGIN that - introduces them will have to use a fully qualified name. FQDN - $ORIGIN's aren't bad and I won't be mad if you use them. - Unqualified ones as shown above are real trouble. I usually stay - away from them and just put the whole name in: - -============= -gw.home A 192.5.5.1 -============= - - In your reverse zones, you're usually in some good luck because the - owner name is usually a single short token or sometimes two. - -============= -$ORIGIN 5.5.192.in-addr.arpa. -@ IN SOA ... - NS ... -1 PTR gw.home.vix.com. -========================================= -$ORIGIN 1.16.in-addr.arpa. -@ IN SOA ... - NS ... -2.0 PTR gatekeeper.dec.com. -============= - - It is usually pretty hard to keep your forward and reverse zones in - sync. You can avoid that whole problem by just using "h2n" (see - the ORA book, DNS and BIND, and its sample toolkit, included in the - BIND distribution or on ftp.uu.net (use the QUOTE SITE EXEC INDEX - command there to find this -- I never can remember where it's at). - "h2n" and many tools like it can just read your old /etc/hosts file - and churn it into DNS zone files. (May I recommend - contrib/decwrl/mkdb.pl from the BIND distribution?) However, if you - (like me) prefer to edit these things by hand, you need to follow - the simple convention of making all of your holes consistent. If - you use 192.5.5.1 and 192.5.5.3 but not (yet) 192.5.5.2, then in - your forward file you will have something like - -============= -... -gw.home A 192.5.5.1 -;avail A 192.5.5.2 -pc.home A 192.5.5.3 -============= - - and in your reverse file you will have something like - -============= -... -1 PTR gw.home.vix.com. -;2 PTR avail -3 PTR pc.home.vix.com. -============= - - This convention will allow you to keep your sanity and make fewer - errors. Any kind of automation (h2n, mkdb, or your own - perl/tcl/awk/python tools) will help you maintain a consistent - universe even if it's also a complex one. Editing by hand doesn't - have to be deadly but you MUST take care. - ------------------------------------------------------------------------------ - -Question 5.7. DNS on a system not connected to the Internet - -Date: Sun Nov 27 23:32:41 EST 1994 - -You need to create your own root domain name server until you connect to -the internet. Your roots need to delegate to mydomain.com and any -in-addr.arpa subdomains you might have, and that's about it. As soon as -you're connected, rip out the fake roots and use the real ones. - -It does not actually have to be another server pretending to be the root. -You can set up the name server so that it is primary for each domain above -you and leave them empty (i.e. you are foo.bar.com - claim to be primary -for bar.com and com) - -If you connect intermittently and want DNS to work when you are connected, -and "fail" when you are not, you can point the resolver at the name server -at the remote site and if the connection (SLIP/PPP) isn't up, the resolver -doesn't have a route to the remote server and since there's only one name -server in resolv.conf, the resolver quickly backs off the using -/etc/hosts. No problem. You could do the same with multiple name server -and a resolver that did configurable /etc/hosts fallback. - ------------------------------------------------------------------------------ - -Question 5.8. Multiple Domain configuration - -Date: Fri Dec 2 15:40:49 EST 1994 - -If you want to have multiple domain names pointing to the same -destination, such as: - - ftp ftp.biff.com connects user to -> ftp.biff.com - ftp ftp.fred.com connects user to -> ftp.biff.com - ftp ftp.bowser.com connects user to -> ftp.biff.com - -You may do this by using CNAMEs: - - ftp.bowser.com. IN CNAME ftp.biff.com. - -You can also do the same thing with multiple A records. - ------------------------------------------------------------------------------ - -Question 5.9. wildcard MX records - -Date: Sun Nov 27 23:32:41 EST 1994 - -Does BIND not understand wildcard MX records such as the following? - - *.foo.com MX 0 mail.foo.com. - -No. It just doesn't work. - -Explicit RR's at one level of specificity will, by design, "block" a -wildcard at a lesser level of specificity. I suspect that you have an RR -(an A RR, perhaps?) for "bar.foo.com" which is blocking the application of -your "*.foo.com" wildcard. The initial MX query is thus failing (NOERROR -but an answer count of 0), and the backup query finds the A RR for -"bar.foo.com" and uses it to deliver the mail directly (which is what you -DIDN'T want it to do). Adding an explicit MX RR for the host is therefore -the right way to handle this situation. - -See RFC 1034, Section 4.3.3 ("Wildcards") for more information on this -"blocking" behavior, along with an illustrative example. See also RFC 974 -for an explanation of standard mailer behavior in the face of an "empty" -response to one's MX query. - -Basically, what it boils down to is, there is no point in trying to use a -wildcard MX for a host which is otherwise listed in the DNS. - -It just doesn't work. - ------------------------------------------------------------------------------ - -Question 5.10. How do you identify a wildcard MX record ? - -Date: Thu Dec 1 11:10:39 EST 1994 - -You don't really need to "identify" a wildcard MX RR. The precedence for -u@dom is: - - exact match MX - exact match A - wildcard MX - -One way to implement this is to query for ("dom",IN,MX) and if the answer -name that comes back is "*." something, you know it's a wildcard, -therefore you know there is no exact match MX, and you therefore query for -("dom",IN,A) and if you get something, use it. if you don't, use the -previous wildcard response. - -RFC 974 explains this pretty well. - ------------------------------------------------------------------------------ - -Question 5.11. Why are fully qualified domain names recommended ? - -Date: Sun Nov 27 23:32:41 EST 1994 - -The documentation for BIND 4.9.2 says that the hostname should be set to -the full domain style name (i.e host.our.domain rather than host). What -advantages are there in this, and are there any adverse consequences if we -don't? - -Paul Vixie likes to do it :-) He lists a few reasons - - -* Sendmail can be configured to just use Dj$w rather than Dj$w.mumble - where "mumble" is something you have to edit in by hand. Granted, most - people use "mumble" elsewhere in their config files ("tack on local - domain", etc) but why should it be a requirement ? -* The real reason is that not doing it violates a very useful invariant: - gethostbyname(gethostname) == gethostbyaddr(primary_interface_address) - - - If you take an address and go "backwards" through the PTR's with it, - you'll get a FQDN, and if you push that back through the A RR's, you get - the same address. Or you should. Many multi-homed hosts violate this - uncaringly. - - If you take a non-FQDN hostname and push it "forwards" through the A - RR's, you get an address which, if you push it through the PTR's, comes - back as a FQDN which is not the same as the hostname you started with. - Consider the fact that, absent NIS/YP, there is no "domainname" command - analogous to the "hostname" command. (NIS/YP's doesn't count, of - course, since it's sometimes-but-only-rarely the same as the Internet - domain or subdomain above a given host's name.) The "domain" keyword in - resolv.conf doesn't specify the parent domain of the current host; it - specifies the default domain of queries initiated on the current host, - which can be a very different thing. (As of RFC 1535 and BIND 4.9.2's - compliance with it, most people use "search" in resolv.conf, which - overrides "domain", anyway.) - - What this means is that there is NO authoritative way to - programmatically discover your host's FQDN unless it is set in the - hostname, or unless every application is willing to grovel the "netstat - -in" tables, find what it hopes is the primary address, and do a PTR - query on it. - - FQDN /bin/hostnames are, intuitively or not, the simplest way to go. - ------------------------------------------------------------------------------ - -Question 5.12. Distributing load using named - -Date: Thu Jul 16 10:42:05 EDT 1998 - -When you attempt to distribute the load on a system using named, the first -response be cached, and then later queries use the cached value (This -would be for requests that come through the same server). Therefore, it -can be useful to use a lower TTL on records where this is important. You -can use values like 300 or 500 seconds. - -If your local caching server has ROUND_ROBIN, it does not matter what the -authoritative servers have -- every response from the cache is rotated. - -But if it doesn't, and the authoritative server site is depending on this -feature (or the old "shuffle-A") to do load balancing, then if one doesn't -use small TTLs, one could conceivably end up with a really nasty -situation, e.g., hundreds of workstations at a branch campus pounding on -the same front end at the authoritative server's site during class -registration. - -Not nice. - -Paul Vixie has an example of the ROUND_ROBIN code in action. Here is -something that he wrote regarding his example: - - I want users to be distributed evenly among those 3 hosts. - - Believe it or not :-), BIND offers an ugly way to do this. I offer - for your collective amusement the following snippet from the - ugly.vix.com zone file: - - hydra cname hydra1 - cname hydra2 - cname hydra3 - hydra1 a 10.1.0.1 - a 10.1.0.2 - a 10.1.0.3 - hydra2 a 10.2.0.1 - a 10.2.0.2 - a 10.2.0.3 - hydra3 a 10.3.0.1 - a 10.3.0.2 - a 10.3.0.3 - - Note that having multiple CNAME RR's at a given name is - meaningless according to the DNS RFCs but BIND doesn't mind (in - fact it doesn't even complain). If you call - gethostbyname("hydra.ugly.vix.com") (try it!) you will get - results like the following. Note that there are two round robin - rotations going on: one at ("hydra",CNAME) and one at each - ("hydra1",A) et al. I used a layer of CNAME's above the layer of - A's to keep the response size down. If you don't have nine - addresses you probably don't care and would just use a pile of - CNAME's pointing directly at real host names. - - {hydra.ugly.vix.com - name: hydra2.ugly.vix.com - aliases: hydra.ugly.vix.com - addresses: 10.2.0.2 10.2.0.3 10.2.0.1 - - {hydra.ugly.vix.com - name: hydra3.ugly.vix.com - aliases: hydra.ugly.vix.com - addresses: 10.3.0.2 10.3.0.3 10.3.0.1 - - {hydra.ugly.vix.com - name: hydra1.ugly.vix.com - aliases: hydra.ugly.vix.com - addresses: 10.1.0.2 10.1.0.3 10.1.0.1 - - {hydra.ugly.vix.com - name: hydra2.ugly.vix.com - aliases: hydra.ugly.vix.com - addresses: 10.2.0.3 10.2.0.1 10.2.0.2 - - {hydra.ugly.vix.com - name: hydra3.ugly.vix.com - aliases: hydra.ugly.vix.com - addresses: 10.3.0.3 10.3.0.1 10.3.0.2 - -Please note that this is not a recommended practice and will not work with -modern BIND unless you have the entry "multiple-cnames yes" in your -named.conf file. - ------------------------------------------------------------------------------ - -Question 5.13. Round robin IS NOT load balancing - -Date: Mon Mar 9 22:10:51 EST 1998 - -Round robin != load balancing. It's a very crude attempt at load -balancing, and a method that is possible without breaking DNS protocols. -If a host is down that is included in a round robin list, then -connections to that particular host will fail. In addition, true load -balancing should take into consideration the actual LOAD on the system. - -Information on one such technique, implemented by Roland J. Schemers III -at Stanford, may be found at -http://www-leland.stanford.edu/~schemers/docs/lbnamed/lbnamed.html. - -Additional information may be found in RFC 1794. MultiNet for OpenVMS -also includes this feature. - ------------------------------------------------------------------------------ - -Question 5.14. Order of returned records - -Date: Tue Apr 8 20:21:02 EDT 1997 - -Sorting, is the *resolver's* responsibility. RFC 1123: - - - 6.1.3.4 Multihomed Hosts - - When the host name-to-address function encounters a host - with multiple addresses, it SHOULD rank or sort the - addresses using knowledge of the immediately connected - network number(s) and any other applicable performance or - history information. - - DISCUSSION: - The different addresses of a multihomed host generally - imply different Internet paths, and some paths may be - preferable to others in performance, reliability, or - administrative restrictions. There is no general way - for the domain system to determine the best path. A - recommended approach is to base this decision on local - configuration information set by the system - administrator. - -In BIND 4.9.x's resolver code, the "sortlist" directive in resolv.conf -can be used to configure this. The directive may also be used in the -named.boot as well. - ------------------------------------------------------------------------------ - -Question 5.15. resolv.conf - -Date: Fri Feb 10 15:46:17 EST 1995 - -The question was asked one time, "Why should I use 'real' IP addresses in -/etc/resolv.conf and not 0.0.0.0 or 127.0.0.1" ? - -Paul Vixie writes on the issue of the contents of resolv.conf: - - It's historical. Some kernels can't unbind a UDP socket's source - address, and some resolver versions (notably not including BIND - 4.9.2 or 4.9.3's) try to do this. The result can be wide area - network traffic with 127.0.0.1 as the source address. Rather than - giving out a long and detailed map of version/vendor combinations of - kernels/BINDs that have/don't this problem, I just tell folks not to - use 127.0.0.1 at all. - - 0.0.0.0 is just an alias for the first interface address assigned - after a system boot, and if that interface is a up-and-down point to - point link (PPP, SLIP, whatever), there's no guarantee that you'll - be able to reach yourself via 0.0.0.0 during the entire lifetime of - any system instance. On most kernels you can finesse this by adding - static routes to 127.0.0.1 for each of your interface addresses, but - some kernels don't like that trick and rather than give a detailed - map of which ones work and which ones don't, I just globally - recommend against 0.0.0.0. - - If you know enough to know that 127.0.0.1 or 0.0.0.0 is safe on your - kernel and resolver, then feel free to use them. If you don't know - for sure that it is safe, don't use them. I never use them (except - on my laptop, whose hostname is "localhost" and whose 0.0.0.0 is - 127.0.0.1 since I ifconfig my lo0 before any other interface). The - operational advantage to using a real IP address rather than an - wormhole like 0.0.0.0 or 127.0.0.1, is that you can then "rdist" or - otherwise share identical copies of your resolv.conf on all the - systems on any given subnet, not all of which will be servers. - -The problem was with older versions of the resolver (4.8.X). If you -listed 127.0.0.1 as the first entry in resolv.conf, and for whatever -reason the local name server wasn't running and the resolver fell back to -the second name server listed, it would send queries to the name server -with the source IP address set to 127.0.0.1 (as it was set when the -resolver was trying to send to 127.0.0.1--you use the loopback address to -send to the loopback address). - ------------------------------------------------------------------------------ - -Question 5.16. How do I delegate authority for sub-domains ? - -Date: Mon Nov 10 22:57:54 EST 1997 - -When you start having a very big domain that can be broken into logical -and separate entities that can look after their own DNS information, you -will probably want to do this. Maintain a central area for the things -that everyone needs to see and delegate the authority for the other parts -of the organization so that they can manage themselves. - -Another essential piece of information is that every domain that exists -must have it NS records associated with it. These NS records denote the -name servers that are queried for information about that zone. For your -zone to be recognized by the outside world, the server responsible for the -zone above you must have created a NS record for your your new servers -(NOTE that the new servers DO NOT have to be in the new domain). For -example, putting the computer club onto the network and giving them -control over their own part of the domain space we have the following. - -The machine authorative for gu.uwa.edu.au is mackerel and the machine -authorative for ucc.gu.uwa.edu.au is marlin. - -in mackerel's data for gu.uwa.edu.au we have the following - - @ IN SOA ... - IN A 130.95.100.3 - IN MX mackerel.gu.uwa.edu.au. - IN MX uniwa.uwa.edu.au. - - marlin IN A 130.95.100.4 - - ucc IN NS marlin.gu.uwa.edu.au. - IN NS mackerel.gu.uwa.edu.au. - -Marlin is also given an IP in our domain as a convenience. If they blow -up their name serving there is less that can go wrong because people can -still see that machine which is a start. You could place "marlin.ucc" in -the first column and leave the machine totally inside the ucc domain as -well. - -The second NS line is because mackerel will be acting as secondary name -server for the ucc.gu domain. Do not include this line if you are not -authorative for the information included in the sub-domain. - -To delegate authority for PTR records, the same concepts apply. - - stub 10.168.192.in-addr.arpa <subdomain server addr> db.192.168.10 - -may be added to your primary server's named.boot in recent versions of -bind. In other versions (and recent ones :-) ), the following lines may -be added to the db.192.168.10 zone file to perform the same function: - - xxx IN NS <server1> - xxx IN NS <server2> - xxx IN NS <server3> ; if needed -... - xxx IN NS <serverN> ; if needed - ------------------------------------------------------------------------------ - -Question 5.17. DNS instead of NIS on a Sun OS 4.1.x system - -Date: Sat Dec 7 01:14:17 EST 1996 - -Comments relating to running bind 4.9.x on a Sun OS 4.1.x system and the -effect on sendmail, ftp, telnet and other TCP/IP services bypassing NIS -and directly using named is documented quite well in the -comp.sys.sun.admin FAQ in questions one and two. You can get them from: - -* ftp.ece.uc.edu : /pub/sun-faq/FAQs/sun-faq.general -* http://www.cis.ohio-state.edu/hypertext/faq/usenet/comp-sys-sun-faq - -as well as from rtfm.mit.edu in the usual place, etc. - ------------------------------------------------------------------------------ - -Question 5.18. Patches to add functionality to BIND - -Date: Wed Jan 14 11:57:20 EST 1998 - -There are others, but these are listed here: - -* When using the round robin DNS and assigning 3 IPs to a host (for - example), a process to guarantee that all 3 IPs are reachable may be - found at - http://www-leland.stanford.edu/~schemers/docs/lbnamed/lbnamed.html - -* Patches for 4.9.3-REL that will support the IPv6 AAAA record format may - be found at ftp.inria.fr : /network/ipv6/ - - This is built into more recent versions of BIND (after 4.9.5?) - -* A patch for 4.9.3-REL that will allow you to turn off forwarding of - information from my server may be found at ftp.vix.com : - /pub/bind/release/4.9.3/contrib/noforward.tar.gz - - Also look at - - ftp.is.co.za : /networking/ip/dns/bind/contrib/noforward.tar.gz - -* How do I tell a server to listen to a particular interface to listen and - respond to DNS queries on ? - - Mark Andrews has a patch that will tell a 4.9.4 server to listen to a - particular interface and respond to DNS queries. It may be found at an - unofficial location: http://www.ultra.net/~jzp/andrews.patch.txt - - This is built into BIND 8.1.1. - -* A patch to implement "selective forwarding" from Todd Aven at - http://www.dns.net/dnsrd/servers.html. - ------------------------------------------------------------------------------ - -Question 5.19. How to serve multiple domains from one server - -Date: Tue Nov 5 23:44:02 EST 1996 - -Most name server implementations allow information about multiple domains -to be kept on one server, and questions about those domains to be -answered by that one server. For instance, there are many large servers -on the Internet that each serve information about more than 1000 -different domains. - -To be completely accurate, a server contains information about zones, -which are parts of domains that are kept as a single unit. [Ed note: for -a definition of zones and domains, see Section 2: The Name Service in the -"Name Server Operations Guide" included with the BIND 4.9.5 distribution.] - -In the configuration of the name server, the additional zones need to be -specified. An important consideration is whether a particular server is -primary or secondary for any specific zone--a secondary server maintains -only a copy of the zone, periodically refreshing its copy from another, -specified, server. In BIND, to set up a server as a secondary server for -the x.y.z zone, to the configuration file /etc/named.boot add the line - - secondary x.y.z 10.0.0.1 db.x.y.z - -where 10.0.0.1 is the IP address of the server that the zone will be -copied from, and db.x.y.z is a local filename that will contain the copy -of the zone. - -If this is a question related to how to set up multiple IP numbers on one -system, which you do not need to do to act as a domain server for -multiple domains, see - -http://www.thesphere.com/%7Edlp/TwoServers/. - ------------------------------------------------------------------------------ - -Question 5.20. hostname and domain name the same - -Date: Wed Jul 9 21:47:36 EDT 1997 - -Q: I have a subdomain sub.foobar.com. I would like to name a host -sub.foobar.com. It should also be the mail relay for all hosts in -sub.foobar.com. How do I do this ? - -A: You would add an A record for sub.foobar.com, and multiple MX records -pointing to this host (sub.foobar.com). For example: - -sub.foobar.com. IN A 1.2.3.4 ; address of host -; -foo.sub.foobar.com. IN MX 10 sub.foobar.com. -bar.sub.foobar.com. IN MX 10 sub.foobar.com. - -The host, sub.foobar.com, may also need to be to configured to understand -that mail addressed to user@sub.foobar.com and possibly other sub.foobar.com -hosts should be treated as local. - ------------------------------------------------------------------------------ - -Question 5.21. Restricting zone transfers - -Date: Wed Jan 14 12:16:35 EST 1998 - -Q: How do I restrict my zone transfers to my secondaries or other trusted -hosts? - -A: Use the 'xfrnets' directive within the named.boot file or the -'secure_zone' TXT RR within a zone file. The BOG has more information on -both of these options. - -As an example within an 4.9.x named.boot file: - - xfernets 10.1.2.0&255.255.255.0 44.66.10.0&255.255.255.0 - - -Only Nameservers on these networks will be able to do zone transfers from -the server with this configuration. - -Please note that 'secure_zone' restricts all access to the containing -zone, as well as restricting zone transfers :-) . - -BIND 8.x supports restricting zone transfers on a per-zone basis in the -named.conf file, whereas BIND 4.9.x only supports xfrnets as a global -option. - ------------------------------------------------------------------------------ - -Question 5.22. DNS in firewalled and private networks - -Date: Mon Sep 14 22:15:16 EDT 1998 - -(The following section was contributed by Berislav Todorovic) - -When talking about private networks, we distinguish between two cases: - -* Networks consisting of firewall-separated private and public subnetworks - - * Same domain name used in private and public part of the network - * Different domain names used in the public and private subnetwork - -* Closed networks, not connected the Internet at all - -* The first case of the "Same domain name", we're talking about DNS - configuration, usually referred to as "split DNS". In this case, two - different DNS servers (or two separate DNS processes on the same - multi-homed machine) have to be configured. One of them ("private DNS") - will serve the internal network and will contain data about all hosts in - the private part of the network. The other one ("public DNS") will serve - Internet users and will contain only the most necessary RR's for - Internet users (like MX records for email exchange, A and CNAME records - for public Web servers, records for other publicly accessible hosts - etc.). Both of them will be configured as primary for the same corporate - domain (e.g. DOMAIN.COM). The public DNS will be delegated with the - appropriate NIC as authoritative for domain DOMAIN.COM. - - Private DNS - resolves names from DOMAIN.COM for hosts inside the - private network. If asked for a name outside DOMAIN.COM, they should - forward the request to the public DNS (forwarders line should be used in - the boot file). They should NEVER contact a root DNS on the Internet. - The boot file for the private DNS should, therefore, be: - - primary domain.com ZONE.domain.com - primary 1.10.in-addr.arpa REV.10.1 - forwarders 172.16.12.10 - slave - Public DNS - resolves names from DOMAIN.COM for hosts on the public part - of the network. If asked for a name outside DOMAIN.COM they should - contact root DNS servers or (optionally) forward the request to a - forwarder on the ISP network. Boot file for the public DNS should be of - the form: - - primary domain.com ZONE.domain.com - primary 12.16.172.in-addr.arpa REV.172.16.12 - ... (other domains) - Zone files for domain DOMAIN.COM on the public and private DNS should - be: - - ; --- Public DNS - zone file for DOMAIN.COM - - domain.com. IN SOA ns.domain.com. hostmaster.domain.com. ( ... ) - IN NS ns.domain.com. - IN NS ns.provider.net. - IN MX 10 mail.provider.net. - - ns IN A 172.16.12.10 - www IN A 172.16.12.12 - ftp IN A 172.16.12.13 - ... - - ; --- Private DNS - zone file for DOMAIN.COM - - domain.com. IN SOA ns1.domain.com. hostmaster.domain.com. ( ... ) - IN NS ns1.domain.com. - IN NS ns2.domain.com. - wks1-1 IN A 10.1.1.1 - wks1-2 IN A 10.1.1.2 - ... - - The second case of the "Same domain name", is simpler than the previous - case: in the internal network, a separate domain name might be used. - Recommended domain name syntax is "name.local" (e.g. DOMAIN.LOCAL). - Sample configuration: - - ; --- Private DNS - named.boot - - primary domain.local ZONE.domain.local - ... - forwarders 172.16.12.10 - slave - - ; --- Public DNS - named.boot - - primary domain.com ZONE.domain.com - ... - IMPLEMENTATION NOTES - - Location of the DNS service in both cases is irrelevant. Usually, they - are located on two different physical servers, each of them connected to - the appropriate part of the network (private, public). Certain savings - may be done if public DNS service is hosted on the ISP network - in that - case, the user will need only one (private) DNS server. - - Finally, both public and private DNS, in some cases, may be placed on - the servers in the private network, behind the firewall. With a Cisco - PIX, a statical public/private IP address mapping in this case would be - needed. Two servers for the same domain could be even placed on the - same physical server, with two different DNS processes running on - different IP interfaces. Note that BIND 8 is needed in the latter case. - -* If the network is not connected to the Internet at all, only private DNS - servers are needed. However, due to the lack of Internet connectivity, - internal servers will fail to contact the root DNS servers every time a - user types, by mistake, an address outside the corporate domain - DOMAIN.COM. Some older servers won't even work if they can't reach root - servers. To overcome this, it is most proper to create a so-called "fake - root zone" on one or more DNS servers in the corporation. That would - make all DNS servers within the corporation think there is only one or - two DNS servers in the world, all located on the corporation network. - Only domain names used within the corporation (DOMAIN.COM, appropriate - inverse domains etc.) should be entered in the fake root zone file. Note - that no cache line in the boot file of the "root" DNS makes sense. - Sample configuration: - - ; --- named.boot - - primary domain.com ZONE.domain.com - primary 1.10.in-addr.arpa REV.10.1 - priamry . ZONE.root - ... (other data; NOTE - do *NOT* place any "cache" line here !!!) - - ; --- ZONE.root - fake root zone file, containing only corporation domains - - . IN NS ns.domain.com. hostmaster.domain.com. ( ... ) - IN NS ns.domain.com. - IN NS ns2.domain.com. - - domain.com. IN NS ns.domain.com. - ns.domain.com. IN A 10.1.1.1 - domain.com. IN NS ns2.domain.com. - ns2.domain.com. IN A 10.1.1.2 - - 1.10.in-addr.arpa. IN NS ns.domain.com. - IN NS ns2.domain.com. - - Other zone files follow standard configuration. - ------------------------------------------------------------------------------ - -Question 5.23. Different DNS answers for same RR - -Date: Mon Sep 14 22:15:16 EDT 1998 - -(The following section was contributed by Berislav Todorovic) - -Many times there is a need for a DNS server to send different answers for -same RR's, depending on the IP address of the request sender. For example, -many coprporations wish to make their customers to use the "geographically -closest" Web server when accessing corporate Web pages. A corporation may -impose the following policy: if someone asked for the IP address of -WWW.DOMAIN.COM, they may want to: - -* Answer that the IP address is 172.16.2.3, if the request came from one - of the following IP networks: 172.1/16, 172.2/16 or 172.10/16. -* Answer that the IP address is 172.16.1.1, if the request came from the - IP address 172.16/16 or 172.17.128/18. -* By default, for all other requests send the answer that the IP address - is 172.16.2.3. - -The example above will need a DNS to send different A RR's, depending on -the source of queries. A similar approach may be imposed for MX's, CNAME's -etc. The question which arise here is: IS IT POSSIBLE? - -[Ed note: There are commercial products such as Cisco's Distributed -Director that also will address this issue] - -The simple answer to the question is: NOT DIRECTLY. This is true if -standard DNS software (e.g. BIND) is used on the DNS servers. However, -there are two workarounds which may solve this problem: - -* Using two DNS servers on different UDP ports + UDP redirector -* Using two DNS servers on different IP addresses + NAT on the router - -Solution 1: (tested on a Linux system and should work on other Unix boxes -as well). Software needed is: - -* BIND 8 -* udprelay - a package which redirects traffic to other UDP port - (sunsite.unc.edu: /pub/Linux/system/network/misc/udprelay-0.2.tar.Z ). - -Build and install udprelay and bring up two DNS servers on different UDP -ports, using different configuration files (i.e., bring one on 5300 and -the other one on 5400): - - // --- named.conf.5300 - options { - directory "/var/named" - listen-on port 5300 { any; }; - ... (other options) - }; - - zone "domain.com" { - type master; - file "domain.com.5300"; - }; - - // --- named.conf.5400 - - options { - directory "/var/named" - listen-on port 5400 { any; }; - ... (other options) - }; - - zone "domain.com" { - type master; - file "domain.com.5400"; - }; - - - ; domain.com.5300 - ... (SOA and other stuff) - - www IN A 172.16.2.3 - - ; --- domain.com.5400 - ... (SOA and other stuff) - - www IN A 172.16.1.1 - -As can be seen, there will be two separate zone files for DOMAIN.COM, -depending on which UDP port the server listens to. Each zone file can -contain different records. Now, when configure udprelay to forward UDP -traffic from port 53 to 5300 or 5400, depending on the remote IP address: - - relay 172.1.0.0 mask 255.255.0.0 * 53 172.16.1.1 5300 53 - relay 172.2.0.0 mask 255.255.0.0 * 53 172.16.1.1 5300 53 - relay 172.10.0.0 mask 255.255.0.0 * 53 172.16.1.1 5300 53 - relay 172.16.0.0 mask 255.255.0.0 * 53 172.16.1.1 5400 53 - relay 172.17.0.0 mask 255.255.0.0 * 53 172.16.1.1 5400 53 - relay * * 53 172.16.1.1 5400 53 -After starting udprelay, all traffic coming to port 53 will be redirected -to 5300 or 5400, depending on the source IP address. - -NOTE - This solution deals with the UDP part of DNS only. Zone xfers will -be able to be done from one DNS server only, since this solution doesn't -deal the TCP part of DNS. This is, thus, a partial solution but it works! - -Solution 2: Bring up two DNS servers on your network, using "private" IP -addresses (RFC 1918), say ns1.domain.com (10.1.1.1) and ns2.domain.com -(10.1.1.2). Both servers will have the same public address - 172.16.1.1, -which will be used to access the servers. Configure them to be both -primary for domain DOMAIN.COM. Let one of them (say, ns1) be the -"default" DNS, which will be used in most of the cases. Establish NAT on -the router, so it translates the public IP address 172.16.1.1 to 10.1.1.1 -and delegate your "default" DNS with the appropriate NIC, using its public -address 172.16.1.1. Once you're assured everything works, setup your -router to translate the public IP address 172.16.1.1 to either 10.1.1.1 or -10.1.1.2, depending on the requestor IP address. After that, depending on -the source IP address, the router will return one translation or the -latter, thus forwarding the remote side to the appropriate DNS server. - -=============================================================================== - -Section 6. PROBLEMS - - Q6.1 No address for root server - Q6.2 Error - No Root Nameservers for Class XX - Q6.3 Bind 4.9.x and MX querying? - Q6.4 Do I need to define an A record for localhost ? - Q6.5 MX records, CNAMES and A records for MX targets - Q6.6 Can an NS record point to a CNAME ? - Q6.7 Nameserver forgets own A record - Q6.8 General problems (core dumps !) - Q6.9 malloc and DECstations - Q6.10 Can't resolve names without a "." - Q6.11 Why does swapping kill BIND ? - Q6.12 Resource limits warning in system - Q6.13 ERROR:ns_forw: query...learnt - Q6.14 ERROR:zone has trailing dot - Q6.15 ERROR:Zone declared more then once - Q6.16 ERROR:response from unexpected source - Q6.17 ERROR:record too short from [zone name] - Q6.18 ERROR:sysquery: findns error (3) - Q6.19 ERROR:Err/TO getting serial# for XXX - Q6.20 ERROR:zonename IN NS points to a CNAME - Q6.21 ERROR:Masters for secondary zone [XX] unreachable - Q6.22 ERROR:secondary zone [XX] expired - Q6.23 ERROR:bad response to SOA query from [address] - Q6.24 ERROR:premature EOF, fetching [zone] - Q6.25 ERROR:Zone [XX] SOA serial# rcvd from [Y] is < ours - Q6.26 ERROR:connect(IP/address) for zone [XX] failed - Q6.27 ERROR:sysquery: no addrs found for NS - Q6.28 ERROR:zone [name] rejected due to errors - ------------------------------------------------------------------------------ - -Question 6.1. No address for root server - -Date: Wed Jan 14 12:15:54 EST 1998 - -Q: I've been getting the following messages lately from bind-4.9.2.. - ns_req: no address for root server - -We are behind a firewall and have the following for our named.cache file - - - ; list of servers - . 99999999 IN NS POBOX.FOOBAR.COM. - 99999999 IN NS FOOHOST.FOOBAR.COM. - foobar.com. 99999999 IN NS pobox.foobar.com. - -You can't do that. Your nameserver contacts POBOX.FOOBAR.COM, gets the -correct list of root servers from it, then tries again and fails because -of your firewall. - -You will need a 'forwarder' definition, to ensure that all requests are -forwarded to a host which can penetrate the firewall. And it is unwise to -put phony data into 'named.cache'. - -Q: We are getting logging information in the form: - -Apr 8 08:05:22 gute named[107]: sysquery: no addrs found for root NS - (A.ROOT-SERVERS.NET) -Apr 8 08:05:22 gute named[107]: sysquery: no addrs found for root NS - (B.ROOT-SERVERS.NET) -Apr 8 08:05:22 gute named[107]: sysquery: no addrs found for root NS - (C.ROOT-SERVERS.NET) -... - -We are running bind 4.9.5PL1 Our system IS NOT behind a firewall. Any ideas ? - -This was discussed on the mailing list in November of 1996. The short -answer was to ignore it as it was not a problem. That being said, you -should upgrade to a newer version at this time if you are running a -non-current version :-) - ------------------------------------------------------------------------------ - -Question 6.2. Error - No Root Nameservers for Class XX - -Date: Sun Nov 27 23:32:41 EST 1994 - -Q: I've received errors before about "No root nameservers for class XX" - but they've been because of network connectivity problems. - I believe that Class 1 is Internet Class data. - And I think I heard someone say that Class 4 is Hesiod?? - Does anyone know what the various Class numbers are? - -From RFC 1700: - - DOMAIN NAME SYSTEM PARAMETERS - The Internet Domain Naming System (DOMAIN) includes several - parameters. These are documented in [RFC1034] and [RFC1035]. The - CLASS parameter is listed here. The per CLASS parameters are - defined in separate RFCs as indicated. - - Domain System Parameters: - - Decimal Name References - -------- ---- ---------- - 0 Reserved [PM1] - 1 Internet (IN) [RFC1034,PM1] - 2 Unassigned [PM1] - 3 Chaos (CH) [PM1] - 4 Hesoid (HS) [PM1] - 5-65534 Unassigned [PM1] - 65535 Reserved [PM1] - -DNS information for RFC 1700 was taken from - -ftp.isi.edu : /in-notes/iana/assignments/dns-parameters - -Hesiod is class 4, and there are no official root nameservers for class 4, -so you can safely declare yourself one if you like. You might want to -put up a packet filter so that no one outside your network is capable of -making Hesiod queries of your machines, if you define yourself to be a -root nameserver for class 4. - ------------------------------------------------------------------------------ - -Question 6.3. Bind 4.9.x and MX querying? - -Date: Sun Nov 27 23:32:41 EST 1994 - -If you query a 4.9.x DNS server for MX records, a list of the MX records -as well as a list of the authorative nameservers is returned. This -happens because bind 4.9.2 returns the list of nameserver that are -authorative for a domain in the response packet, along with their IP -addresses in the additional section. - ------------------------------------------------------------------------------ - -Question 6.4. Do I need to define an A record for localhost ? - -Date: Sat Sep 9 00:36:01 EDT 1995 - -Somewhere deep in the BOG (BIND Operations Guide) that came with 4.9.3 -(section 5.4.3), it says that you define this yourself (if need be) in -the same zone files as your "real" IP addresses for your domain. Quoting -the BOG: - - - ... As implied by this PTR - record, there should be a ``localhost.my.dom.ain'' - A record (with address 127.0.0.1) in every domain - that contains hosts. ``localhost.'' will lose its - trailing dot when 1.0.0.127.in-addr.arpa is queried - for;... - -The sample files in the BIND distribution show you what needs to be done -(see the BOG). - -Some HP boxen (especially those running HP OpenView) will also need -"loopback" defined with this IP address. You may set it as a CNAME -record pointing to the "localhost." record. - ------------------------------------------------------------------------------ - -Question 6.5. MX records, CNAMES and A records for MX targets - -Date: Sun Nov 27 23:32:41 EST 1994 - -The O'Reilly "DNS and Bind" book warns against using non-canonical names -in MX records, however, this warning is given in the context of mail hubs -that MX to each other for backup purposes. How does this apply to mail -spokes. RFC 974 has a similar warning, but where is it specifically -prohibited to us an alias in an MX record ? - -Without the restrictions in the RFC, a MTA must request the A records for -every MX listed to determine if it is in the MX list then reduce the list. -This introduces many more lookups than would other wise be required. If -you are behind a 1200 bps link YOU DON'T WANT TO DO THIS. The addresses -associated with CNAMES are not passed as additional data so you will force -additional traffic to result even if you are running a caching server -locally. - -There is also the problem of how does the MTA find all of it's IP -addresses. This is not straight forward. You have to be able to do this is -you allow CNAMEs (or extra A's) as MX targets. - -The letter of the law is that an MX record should point to an A record. - -There is no "real" reason to use CNAMEs for MX targets or separate As for -nameservers any more. CNAMEs for services other than mail should be used -because there is no specified method for locating the desired server yet. - -People don't care what the names of MX targets are. They're invisible to -the process anyway. If you have mail for "mary" redirected to "sue" is -totally irrelevant. Having CNAMEs as the targets of MX's just needlessly -complicates things, and is more work for the resolver. - -Having separate A's for nameservers like "ns.your.domain" is pointless -too, since again nobody cares what the name of your nameserver is, since -that too is invisible to the process. If you move your nameserver from -"mary.your.domain" to "sue.your.domain" nobody need care except you and -your parent domain administrator (and the InterNIC). Even less so for -mail servers, since only you are affected. - -Q: Given the example - - - hello in cname realname - mailx in mx 0 hello - - Now, while reading the operating manual of bind it clearly states - that this is *not* valid. These two statements clearly contradict - each other. Is there some later RFC than 974 that overrides what is - said in there with respect to MX and CNAMEs? Anyone have the - reference handy? - -A: This isn't what the BOG says at all. See below. You can have a CNAME - that points to some other RR type; in fact, all CNAMEs have to point - to other names (Canonical ones, hence the C in CNAME). What you - can't have is an MX that points to a CNAME. MX RR's that point to - names which have only CNAME RR's will not work in many cases, and - RFC 974 intimates that it's a bad idea: - - Note that the algorithm to delete irrelevant RRs breaks if LOCAL has - a alias and the alias is listed in the MX records for REMOTE. (E.g. - REMOTE has an MX of ALIAS, where ALIAS has a CNAME of LOCAL). This - can be avoided if aliases are never used in the data section of MX - RRs. - - Here's the relevant BOG snippet: - - aliases {ttl addr-class CNAME Canonical name - ucbmonet IN CNAME monet - - The Canonical Name resource record, CNAME, speci- - fies an alias or nickname for the official, or - canonical, host name. This record should be the - only one associated with the alias name. All other - resource records should be associated with the - canonical name, not with the nickname. Any - resource records that include a domain name as - their value (e.g., NS or MX) must list the canoni- - cal name, not the nickname. - ------------------------------------------------------------------------------ - -Question 6.6. Can an NS record point to a CNAME ? - -Date: Wed Mar 1 11:14:10 EST 1995 - -Can I do this ? Is it legal ? - - - @ SOA (.........) - NS ns.host.this.domain. - NS second.host.another.domain. - ns CNAME third - third IN A xxx.xxx.xxx.xxx - -No. Only one RR type is allowed to refer, in its data field, to a CNAME, -and that's CNAME itself. So CNAMEs can refer to CNAMEs but NSs and MXs -cannot. - -BIND 4.9.3 (Beta11 and later) explicitly syslogs this case rather than -simply failing as pre-4.9 servers did. Here's a current example: - - Dec 7 00:52:18 gw named[17561]: "foobar.com IN NS" \ - points to a CNAME (foobar.foobar.com) - -Here is the reason why: - -Nameservers are not required to include CNAME records in the Additional -Info section returned after a query. It's partly an implementation -decision and partly a part of the spec. The algorithm described in RFC -1034 (pp24,25; info also in RFC 1035, section 3.3.11, p 18) says 'Put -whatever addresses are available into the additional section, using glue -RRs [if necessary]'. Since NS records are speced to contain only primary -names of hosts, not CNAMEs, then there's no reason for algorithm to -mention them. If, on the other hand, it's decided to allow CNAMEs in NS -records (and indeed in other records) then there's no reason that CNAME -records might not be included along with A records. The Additional Info -section is intended for any information that might be useful but which -isn't strictly the answer to the DNS query processed. It's an -implementation decision in as much as some servers used to follow CNAMEs -in NS references. - ------------------------------------------------------------------------------ - -Question 6.7. Nameserver forgets own A record - -Date: Fri Dec 2 16:17:31 EST 1994 - -Q: Lately, I've been having trouble with named 4.9.2 and 4.9.3. - Periodically, the nameserver will seem to "forget" its own A record, - although the other information stays intact. One theory I had was - that somehow a site that the nameserver was secondary for was - "corrupting" the A record somehow. - -A: This is invariably due to not removing ALL of the cached zones - when you moved to 4.9.X. Remove ALL cached zones and restart - your nameservers. - - You get "ignoreds" because the primaries for the relevant zones are - running old versions of BIND which pass out more glue than is - required. named-xfer trims off this extra glue. - ------------------------------------------------------------------------------ - -Question 6.8. General problems (core dumps !) - -Date: Sun Dec 4 22:21:22 EST 1994 - -Paul Vixie says: - - I'm always interested in hearing about cases where BIND dumps core. - However, I need a stack trace. Compile with -g and not -O (unless - you are using gcc and know what you are doing) and then when it - dumps core, get into dbx or gdb using the executable and the core - file and use "bt" to get a stack trace. Send it to me - <paul@vix.com> along with specific circumstances leading to or - surrounding the crash (test data, tail of the debug log, tail of the - syslog... whatever matters) and ideally you should save your core - dump for a day or so in case I have questions you can answer via - gdb/dbx. - ------------------------------------------------------------------------------ - -Question 6.9. malloc and DECstations - -Date: Mon Jan 2 14:19:22 EST 1995 - -We have replaced malloc on our DECstations with a malloc that is more -compact in memory usage, and this helped the operation of bind a lot. The -source is now available for anonymous ftp from - -ftp.cs.wisc.edu : /pub/misc/malloc.tar.gz - ------------------------------------------------------------------------------ - -Question 6.10. Can't resolve names without a "." - -(Answer written by Mark Andrews) You are not using a RFC 1535 aware -resolver. Depending upon the age of your resolver you could try adding a -search directive to resolv.conf. - - e.g. - domain <domain> - search <domain> [<domain2> ...] - -If that doesn't work you can configure you server to serve the parent and -grandparent domains as this is the default search list. - -"domain langley.af.mil" has an implicit "search langley.af.mil af.mil mil" -in the old resolvers, and you are timing out trying to resolve the -address with one of these domains tacked on. - -When resolving internic.net the following will be tried in order. - - internic.net.langley.af.mil - internic.net.af.mil - internic.net.mil - internic.net. - -RFC 1535 aware resolvers try qualified address first. - - internic.net. - internic.net.langley.af.mil - internic.net.af.mil - internic.net.mil - -RFC 1535 documents the problems associated with the old search -algorithim, including security issues, and how to alleviate some of the -problems. - ------------------------------------------------------------------------------ - -Question 6.11. Why does swapping kill BIND ? - -Date: Thu Jul 4 23:20:20 EDT 1996 - -The question was: - - I've been diagnosing a problem with BIND 4.9.x (where x is usually 3BETA9 - or 3REL) for several months now. I finally tracked it down to swap space - utilization on the unix boxes. - - This happens under (at least) under Linux 1.2.9 & 1.2.13, SunOS 4.1.3U1, - 4.1.1, and Solaris 2.5. The symptom is that if these machines get into - swap at all bind quits resolving most, if not all queries. Mind you that - these machines are not "swapping hard", but rather we're talking about a - several hundred K TEMPORARY deficiency. I have noticed while digging - through various archives that there is some referral to "bind thrashing - itself to death". Is this what is happening ? - -And the answer is: - - Yes it is. Bind can't tolerate having even a few pages swapped out. - The time required to send responses climbs to several seconds/request, - and the request queue fills and overflows. - - It's possible to shrink memory consumption a lot by undefining STATS - and XSTATS, and recompiling. You could nuke DEBUG too, which will - cut the code size down some, but probably not the data size. If that - doesn't do the job then it sounds like you'll need to move DNS onto a - separate box. - - BIND tends to touch all of its resident pages all of the time with - normal activity... if you look at the RSS verses the total process - size, you will always see the RSS within, usually, 90% of the total - size of the process. This means that *any* paging of named-owned - pages will stall named. Thus, a machine running a heavily accessed - named process cannot afford to swap *at all*. - - (Paul Vixie continues on this subject): - I plan to try to get BIND to exhibit slightly better locality of - reference in some future release. Of course, I can only do this if - the query names also exhibit some kind of hot spots. If someone - queries all your names often, BIND will have to touch all of its VM - pool that often. (Right now, BIND touches everything pretty often - even if you're just hammering on some hot spots -- that's the part - I'd like to fix. Malloc isn't cooperating.) - ------------------------------------------------------------------------------ - -Question 6.12. Resource limits warning in system - -Date: Sun Feb 15 22:04:43 EST 1998 - -When bind-8.1.1 is started the following informational message appears in -the syslog... - - Feb 13 14:19:35 ns1named[1986]: - "cannot set resource limits on this system" - -What does this mean ? - -A: It means that BIND doesn't know how to implement the "coresize", -"datasize", "stacksize", or "files" process limits on your OS. - -If you're not using these options, you may ignore the message. - ------------------------------------------------------------------------------ - -Question 6.13. ERROR:ns_forw: query...learnt - -Date: Sun Feb 15 23:08:06 EST 1998 - -The following message appears in syslog: - - Jan 22 21:59:55 server1 named[21386]: ns_forw: query(testval) contains - our address (dns1.foobar.org:1.2.3.4) learnt (A=:NS=) - -what does it mean ? - -A: This means that when it was looking up the NS records for the domain -containing "testval" (i.e. the root domain), it found an NS record -pointing to dns1.foobar.org, and the A record for this is 1.2.3.4. -This is server1's own IP address, but it's not authoritative for the -root domain. The (A-:NS=) part of the message means that it didn't -learn these NS records from any other machine. - -You may have listed dns1.foobar.org in your root server cache -file, even though it's not configured as a root server. - - -\question 09jul:linuxq ERROR:recvfrom: Connection refused - -Date: Wed Jul 9 21:57:40 EDT 1997 - -DNS on my linux system is reporting the error - -\verbatim -Mar 26 12:11:20 idg named[45]: recvfrom: Connection refused - -When I start or restart the named program I get no errors. What could be -causing this ? - -A: Are you running the BETA9 version of bind 4.9.3 ? It is a bug that -does no harm and the error reporting was corrected in later releases. You -should upgrade to a newer version of bind. - ------------------------------------------------------------------------------ - -Question 6.14. ERROR:zone has trailing dot - -Date: Wed Jul 9 22:11:51 EDT 1997 - -If syslog reports "zone has trailing dot", the zone information contains a -trailing dot in the named.boot file where it does not belong. - - - example: - secondary domain.com. xxx.xxx.xxx.xxx S-domain.com - ^ ------------------------------------------------------------------------------ - -Question 6.15. ERROR:Zone declared more then once - -Date: Wed Jul 9 22:12:45 EDT 1997 - -If syslog reports "Zone declared more then once", - -A zone is specified multiple times in the named.boot file - - example: - secondary domain.com 198.247.225.251 S-domain.com - secondary zone.com 198.247.225.251 S-zone.com - primary domain.com P-domain.com - - domain.com is declared twice, once as primary, and once as secondary - ------------------------------------------------------------------------------ - -Question 6.16. ERROR:response from unexpected source - -Date: Wed Jul 9 22:12:45 EDT 1997 - -If syslog reports "response from unexpected source", BIND (pre 4.9.3) has -a bug if implimented on a multi homed server. This error indicates that -the response to a query came from an address other then the one sent to. -So, if ace gets a response from an unexpected source, ace will ignore the -response. - ------------------------------------------------------------------------------ - -Question 6.17. ERROR:record too short from [zone name] - -Date: Mon Jun 15 21:34:49 EDT 1998 - -If syslog report "record too short from [zone name]", The secondary server -is trying to pull a zone from the primary server. For some reason, the -primary sent an incomplete zone. This usually is a problem at the primary -server. - - To troubleshoot, try this: - - dig [zonename] axfr @[primary IP address] - - Often, this is caused by a line broken in the middle. - -When the primary server's "named.boot" file contains "xfrnets" entries -for other servers and the secondary is not listed, this error can occur. -Creating an "xfrnets" entry for the secondary will solve the error. - ------------------------------------------------------------------------------ - -Question 6.18. ERROR:sysquery: findns error (3) - -Date: Wed Jul 9 22:17:09 EDT 1997 - -If syslog reports "sysquery: findns error (3)" or -"qserial_query(zonename): sysquery FAILED", there is no ns record for the -zone. or the NS record is not defined correctly. - ------------------------------------------------------------------------------ - -Question 6.19. ERROR:Err/TO getting serial# for XXX - -Date: Wed Jul 9 22:18:41 EDT 1997 - -If syslog reports "Err/TO getting serial# for XXX", there could be a -number of possible errors: - - - An incorrect IP address in named.boot, - - A network reachibility problem, - - The primary is lame for the zone. - -An external check to see if you can retrieve the SOA is the best way to -work out which it is. - ------------------------------------------------------------------------------ - -Question 6.20. ERROR:zonename IN NS points to a CNAME - -Date: Wed Jul 9 22:20:29 EDT 1997 - -If syslog reports "zonename IN NS points to a CNAME" or "zonename IN MX -points to a CNAME", named is 'reminding' you that due to various RFCs, an -NS or MX record cannot point to a CNAME. - - EXAMPLE 1 - --------- - domain.com IN SOA (...stuff...) - IN NS ns.domain.com. - ns IN CNAME machine.domain.com. - machine IN A 1.2.3.4 - - The IN NS record points to ns, which is a CNAME for machine. This - is what results in the above error - - EXAMPLE 2 - --------- - domain.com IN SOA (...stuff...) - IN MX mail.domain.com. - mail IN CNAME machine.domain.com. - machine IN A 1.2.3.4 - - This would cause the MX variety of the error. - - The fix is point MX and NS records to a machine that is defined explicitly - by an IN A record. - ------------------------------------------------------------------------------ - -Question 6.21. ERROR:Masters for secondary zone [XX] unreachable - -Date: Wed Jul 9 22:24:27 EDT 1997 - -If syslog reports "Masters for secondary zone [XX] unreachable", the -initial attempts to load a zone failed, and the name server is still -trying. If this occurs multiple times, a problem exists, likely on the -primary server. This is a fairly generic error, and could indicate a vast -number of problems. It might be that named is not running on the primary -server, or they do not have the correct zone file. If this keeps up long -enough a zone might expire. - ------------------------------------------------------------------------------ - -Question 6.22. ERROR:secondary zone [XX] expired - -Date: Wed Jul 9 22:25:53 EDT 1997 - -If syslog reports "secondary zone [XX] expired", there has been a -expiration of a secondary zone on this server. - -An expired zone is one in which a transfer hasn't successfully been -completed in the amount of time specified before a zone expires. - -This problem could be anything which prevents a zone transfer: The primary -server is down, named isn't running on the primary, named.boot has the -wrong IP address, etc. - ------------------------------------------------------------------------------ - -Question 6.23. ERROR:bad response to SOA query from [address] - -Date: Wed Jan 14 12:15:11 EST 1998 - -If syslog reports "bad response to SOA query from [address], zone [name]", -a syntax error may exist in the SOA record of the zone your server is -attempting to pull. - -It may also indicate that the primary server is lame, possibly due to a -syntax error somewhere in the zone file. - ------------------------------------------------------------------------------ - -Question 6.24. ERROR:premature EOF, fetching [zone] - -Date: Wed Jul 9 22:28:26 EDT 1997 - -If syslog reports "premature EOF, fetching [zone]", a syntax error exists -on the zone at the primary location, likely towards the End of File (EOF) -location. - ------------------------------------------------------------------------------ - -Question 6.25. ERROR:Zone [XX] SOA serial# rcvd from [Y] is < ours - -Date: Wed Jul 9 22:30:03 EDT 1997 - -If syslog reports "Zone [name] SOA serial# rcvd from [address] is < ours", -the zone transfer failed because the primary machine has a lower serial -number in the SOA record than the one on file on this server. - ------------------------------------------------------------------------------ - -Question 6.26. ERROR:connect(IP/address) for zone [XX] failed - -Date: Wed Jan 14 12:21:40 EST 1998 - -If syslog reports "connect(address) for zone [name] failed: No route to -host" or "connect(address) for zone [name] failed: Connection timed out", -it could be that there is no route to the specified host or a slow primary -system. Try a traceroute to the address specified to isolate the problem. -The problem may be a mistyped IP address in named.boot. - -A very slow primary machine or a connection may have been initialized, -then connectivity lost for some reason, etc. Try networking -troubleshooting tools like ping and traceroute, then try connecting to -port 53 using nslookup or dig. - -If syslog reports "connect(address) for zone [name] failed: Connection -refused", the destination address is not allowing the connection. Either -the destination is not running DNS (port 53), or possibly filtering the -connection from you. It is also possible that the named.boot is pointing -to the wrong address. - ------------------------------------------------------------------------------ - -Question 6.27. ERROR:sysquery: no addrs found for NS - -Date: Wed Jul 9 22:37:01 EDT 1997 - -If syslog reports "sysquery: no addrs found for NS" , the IN NS record may -be pointing to a host with no IN A record. - ------------------------------------------------------------------------------ - -Question 6.28. ERROR:zone [name] rejected due to errors - -Date: Wed Jul 9 22:37:51 EDT 1997 - -If syslog reports "primary zone [name] rejected due to errors", there will -likely be another more descriptive error along with this, like "zonefile: -line 17: database format error". That zone file should be investigated -for errors. - -=============================================================================== - -Section 7. ACKNOWLEDGEMENTS - - Q7.1 How is this FAQ generated ? - Q7.2 What formats are available ? - Q7.3 Contributors - ------------------------------------------------------------------------------ - -Question 7.1. How is this FAQ generated ? - -Date: Mon Jun 15 21:45:53 EDT 1998 - -This FAQ is maintained in BFNN (Bizzarre Format with No Name). This -allows me to create ASCII, HTML, and GNU info (postscript coming soon) -from one source file. - -The perl script "bfnnconv.pl" that is available with the linux FAQ is used -to generate the various output files from the BFNN source. This script is -available at - -txs-11.mit.edu : /pub/linux/docs/linux-faq/linux-faq.source.tar.gz - ------------------------------------------------------------------------------ - -Question 7.2. What formats are available ? - -Date: Fri Dec 6 16:51:31 EST 1996 - -You may obtain one of the following formats for this document: - -* ASCII: http://www.intac.com/~cdp/cptd-faq/cptd-faq.ascii -* BFNN: http://www.intac.com/~cdp/cptd-faq/cptd-faq.bfnn -* GNU info: http://www.intac.com/~cdp/cptd-faq/cptd-faq.info -* HTML: http://www.intac.com/~cdp/cptd-faq/index.html - ------------------------------------------------------------------------------ - -Question 7.3. Contributors - -Date: Thu Jul 16 10:45:57 EDT 1998 - -Many people have helped put this list together. Listed in e-mail address -alphabetical order, the following people have contributed to this FAQ: - -* <BERI@etf.bg.ac.yu> (Berislav Todorovic) -* <Benoit.Grange@inria.fr> (Benoit.Grange) -* <D.T.Shield@csc.liv.ac.uk> (Dave Shield) -* <Karl.Auer@anu.edu.au> (Karl Auer) -* <Todd.Aven@BankersTrust.Com> -* <adam@comptech.demon.co.uk> (Adam Goodfellow) -* <andras@is.co.za> (Andras Salamon) -* <barmar@bbnplanet.com> (Barry Margolin) -* <barr@pop.psu.edu> (David Barr) -* <bj@herbison.com> (B.J. Herbison) -* <bje@cbr.fidonet.org> (Ben Elliston) -* <brad@birch.ims.disa.mil> (Brad Knowles) -* <ckd@kei.com> (Christopher Davis) -* <cdp2582@hertz.njit.edu> (Chris Peckham) -* <cricket@hp.com> (Cricket Liu) -* <cudep@csv.warwick.ac.uk> (Ian 'Vato' Dickinson [ID17]) -* <dj@netscape.com> (David Jagoda) -* <djk@cyber.com.au> (David Keegel) -* <dillon@best.com> (Matthew Dillon) -* <dparter@cs.wisc.edu> (David Parter) -* <e07@nikhef.nl> (Eric Wassenaar) -* <fitz@think.com> (Tom Fitzgerald) -* <fwp@CC.MsState.Edu> (Frank Peters) -* <gah@cco.caltech.edu> (Glen A. Herrmannsfeldt) -* <glenn@popco.com> (Glenn Fleishman) -* <harvey@indyvax.iupui.edu> (James Harvey) -* <hubert@cac.washington.edu> (Steve Hubert) -* <ivanl@pacific.net.sg> (Ivan Leong) -* <jpass@telxon.com> (Jim Pass) -* <jhawk@panix.com> (John Hawkinson) -* <jmalcolm@uunet.uu.net> (Joseph Malcolm) -* <jprovo@augustus.ultra.net> (Joe Provo) -* <jrs@foliage.com> (J. Richard Sladkey) -* <jsd@gamespot.com> (Jon Drukman) -* <jwells@pacificcoast.net> (John Wells) -* <kop@meme.com> (Karl O. Pinc) -* <kevin@cfc.com> (Kevin Darcy) -* <lamont@abstractsoft.com> (Sean T. Lamont) -* <lavondes@tidtest.total.fr> (Michel Lavondes) -* <mark@ucsalf.ac.uk> (Mark Powell) -* <marka@syd.dms.CSIRO.AU> (Mark Andrews) -* <mathias@unicorn.swi.com.sg> (Mathias Koerber) -* <mfuhr@dimensional.com> (Michael Fuhr) -* <mike@westie.gi.net> (Michael Hawk) -* <mjo@iao.ford.com> (Mike O'Connor) -* <nick@flapjack.ieunet.ie> (Nick Hilliard) -* <oppedahl@popserver.panix.com> (Carl Oppedahl) -* <patrick@oes.amdahl.com> (Patrick J. Horgan) -* <paul@software.com> (Paul Wren) -* <pb@fasterix.frmug.fr.net> (Pierre Beyssac) -* <ph10@cus.cam.ac.uk> (Philip Hazel) -* <phil@netpart.com> (Phil Trubey) -* <raj@ceeri.ernet.in> (Raj Singh) -* <rocky@panix.com> (R. Bernstein) -* <rv@seins.Informatik.Uni-Dortmund.DE> (Ruediger Volk) -* <sedwards@sedwards.com> (Steve Edwards) -* <shields@tembel.org> (Michael Shields) -* <spsprunk@pop.srv.paranet.com> (Stephen Sprunk) -* <tanner@george.arc.nasa.gov> (Rob Tanner) -* <vixie@vix.com> (Paul A Vixie) -* <wag@swl.msd.ray.com> (William Gianopoulos) -* <whg@inel.gov> (Bill Gray) -* <wolf@pasteur.fr> (Christophe Wolfhugel) - -Thank you ! - |