d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
f0c6e880d6
freebsd-dev/contrib/bind/doc/misc/FAQ.2of2
Jeroen Ruigrok van der Werven 015944e3a5 Virgin import of BIND v8.2.3-T6B
2000-10-31 14:17:05 +00:00

2072 lines
83 KiB
Plaintext
Raw Blame History

Path: senator-bedfellow.mit.edu!bloom-beacon.mit.edu!news.kodak.com!news-nysernet-16.sprintlink.net!news-in-east1.sprintlink.net!news.sprintlink.net!newshub.northeast.verio.net!news.idt.net!newsin.iconnet.net!IConNet!not-for-mail
From: cdp2582@hertz.njit.edu (Chris Peckham)
Newsgroups: comp.protocols.tcp-ip.domains,comp.answers,news.answers,comp.protocols.dns.bind
Subject: comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ) (Part 2 of 2)
Supersedes: <cptd-faq-2-911181667@njit.edu>
Followup-To: comp.protocols.tcp-ip.domains
Organization: NJIT.EDU - New Jersey Institute of Technology, Newark, NJ, USA
Lines: 2050
Sender: cdp@chipmunk.iconnet.net
Approved: news-answers-request@MIT.EDU
Distribution: world
Expires: Wednesday, 20 Jan 99 11:47:26 EDT
Message-ID: <cptd-faq-2-913826846@njit.edu>
References: <cptd-faq-1-913826846@njit.edu>
Reply-To: domain-faq@pfmc.net (comp.protocols.tcp-ip.domains FAQ comments)
Keywords: BIND,DOMAIN,DNS
X-Posting-Frequency: posted during the first week of each month
Date: Wed, 16 Dec 1998 16:47:32 GMT
NNTP-Posting-Host: chipmunk.iconnet.net
NNTP-Posting-Date: Wed, 16 Dec 1998 11:47:32 EDT
Xref: senator-bedfellow.mit.edu comp.protocols.tcp-ip.domains:22180 comp.answers:34269 news.answers:146737 comp.protocols.dns.bind:6040
Posted-By: auto-faq 3.3 beta (Perl 5.004)
Archive-name: internet/tcp-ip/domains-faq/part2
(Continued from Part 1, where you'll find the introduction and
table of contents.)
===============================================================================
Section 5. CONFIGURATION
Q5.1 Upgrading from 4.9.x to 8.x
Q5.2 Changing a Secondary server to a Primary server ?
Q5.3 Moving a Primary server to another server
Q5.4 How do I subnet a Class B Address ?
Q5.5 Subnetted domain name service
Q5.6 Recommended format/style of DNS files
Q5.7 DNS on a system not connected to the Internet
Q5.8 Multiple Domain configuration
Q5.9 wildcard MX records
Q5.10 How do you identify a wildcard MX record ?
Q5.11 Why are fully qualified domain names recommended ?
Q5.12 Distributing load using named
Q5.13 Round robin IS NOT load balancing
Q5.14 Order of returned records
Q5.15 resolv.conf
Q5.16 How do I delegate authority for sub-domains ?
Q5.17 DNS instead of NIS on a Sun OS 4.1.x system
Q5.18 Patches to add functionality to BIND
Q5.19 How to serve multiple domains from one server
Q5.20 hostname and domain name the same
Q5.21 Restricting zone transfers
Q5.22 DNS in firewalled and private networks
Q5.23 Different DNS answers for same RR
-----------------------------------------------------------------------------
Question 5.1. Upgrading from 4.9.x to 8.x
Date: Wed Jul 9 22:00:07 EDT 1997
Q: Help ! How do I use the Completely new configuration syntax in BIND 8
? I've attempted to upgrade bind from 4.9.5 to 8.1, but unfortunately it
didn't seem to like the same config/zone files.. is this normal or should
8.1 be able to read the same files as 4.9.5 did?
A: If you then look in doc/html/config.html, you will find directions on
how to convert a 4.9.x .boot file to 8.x .conf file, as well as directions
on how to utilize all of the new features of the 8.x .conf file format.
-----------------------------------------------------------------------------
Question 5.2. Changing a Secondary server to a Primary server ?
Date: Fri Jul 5 23:54:35 EDT 1996
For 4.8.3, it's prudent to kill and restart following any changes to
named.boot.
In BIND 4.9.3, you only have to kill and restart named if you change a
primary zone to a secondary or v-v, or if you delete a zone and remain
authoritative for its parent. Every other case should be taken care of by
a HUP. (Ed. note: 4.9.3b9 may still require you to kill and restart the
server due to some bugs in the HUP code).
You will also need to update the server information on the root servers.
You can do this by filing a new domain registration form to inform
InterNIC of the change. They will then update the root server's SOA
records. This process usually takes 10-12 business days after they
receive the request.
-----------------------------------------------------------------------------
Question 5.3. Moving a Primary server to another server
Date: Fri Jul 5 23:54:35 EDT 1996
The usual solution is to move the primary to ns.newserver.com, and have
ns.oldserver.com be configured as a secondary server until the change to
the root servers takes place after the request has been made to the
InterNIC.
If you are moving to a different ISP which will change your IP's, the
recommend setting for the SOA that would minimize problems for your name
servers using the old settings can be done as follows:
Gradually lower the TTL value in your SOA (that's the last one of the five
numbers) to always be equal to the time left until you change over.
(assuming that none of your resource records have individual TTL's set, if
so, do likewise with them.) So, the day before, lower to 43200 seconds
(12 hours). Then lower every few hours to be the time remaining until
the change-over. So, an hour before the change, you may just want to
lower it all the way to 60 seconds or so. That way no one can cache
information past the change-over.
After the change, start gradually incrementing the TTL value, because
you'll probably be making changes to work out problems. Once everything
stabilizes, move the TTL up to whatever your normal values are.
To minimize name servers from using the "old settings", you can do the
same thing with the "refresh" interval in the SOA (the second number of
the SOA). That will tell the secondaries to refresh every X seconds.
Lower that value as you approach the changeover date. You probably don't
want to go much below an hour or you'll start the primary thrashing as all
the secondaries perpetually refresh.
Also see the answer to the "How can I change the IP address of our server
?" in the INTRODUCTION section.
-----------------------------------------------------------------------------
Question 5.4. How do I subnet a Class B Address ?
Date: Mon Jun 15 23:21:39 EDT 1998
That you need to subnet at all is something of a misconception. You can
also think of a class B network as giving you 65,534 individual hosts, and
such a network will work. You can also configure your class B as 16,384
networks of 2 hosts each. That's obviously not very practical, but it
needs to be made clear that you are not constrained by the size of an
octet (remember that many older devices would not work in a network
configured in this manner).
So, the question is: why do you need to subnet? One reason is that it is
easier to manage a subnetted network, and in fact, you can delegate the
responsibility for address space management to local administrators on the
various subnets. Also, IP based problems will end up localized rather
than affecting your entire network.
If your network is a large backbone with numerous segments individually
branching off the backbone, that too suggests subnetting.
Subnetting can also be used to improve routing conditions.
You may wish to partition your network to disallow certain protocols on
certain segments of your net. You can, for example, restrict IP or IPX to
certain segments only by adding a router routing high level protocols,
and across the router you may have to subnet.
Finally, as far as how many subnets you need depends on the answer to the
above question. As far as subnet masks are concerned, the mask can be
anything from 255.0.0.0 to 255.255.255.252. You'll probably be looking at
9 or 10 bits for the subnet (last octet 128 or 192 respectively). RFC
1219 discusses the issue of subnetting very well and leaves the network
administrator with a large amount of flexibility for future growth.
(The following section was contributed by Berislav Todorovic.)
A user or an ISP, having a whole /16 sized IP block (former "Class B")
network assigned/allocated, has the responsibility of maintaining the
reverse domain for the whole network. That policy is currently applied by
all regional Internet registries (RIPE NCC, ARIN, APNIC). In other words,
if you're assigned a whole "B class" (say, 10.91/16), you're in charge for
the whole 91.10.IN-ADDR.ARPA zone. This zone may be organized using two
methods, according to the network topology being in use.
The first, "brute force" method is to place all PTR records directly into
a single zone file. Example:
$origin 91.10.in-addr.arpa
@ IN SOA (usual stuff)
IN NS ns1.mydomain.com.
IN NS ns2.mydomain.com.
1.1 IN PTR one-1.mydomain.com. ; ---> 10.91.1.1
2.1 IN PTR one-2.mydomain.com. ; ---> 10.91.1.2
...
254.1 IN PTR one-254.mydomain.com. ; ---> 10.91.1.254
1.2 IN PTR two-1.mydomain.com. ; ---> 10.91.2.1
While this approach may look simple in the networks with a central
management authority (say, campus networks), maintaining such a zone file
becomes more and more difficult in the more complex environment. Thus,
this becomes a bad method. Furthermore, if you're an ISP, it is more
likely that a /16 network will be subnetted and its subnets be assigned to
your customers.
Therefore, another "smarter" approach is to delegate portions of the
reverse domain 91.10.IN-ADDR.ARPA to the end users of the subnets of
10.91/16. There would only be NS records in the zone file, while PTR
record insertion would be the responsibility of the end users. For
example, if you assign:
* 10.91.0.0/22 (10.91.0.0 - 10.91.3.255) to Customer-A.COM
* 10.91.4.0/23 (10.91.4.0 - 10.91.5.255) to Customer-B.COM
* 10.91.7.0/24 (10.91.7.0 - 10.91.7.255) to Customer-C.COM
then each customer will maintain zone files for the reverse domains of
their own networks (say, Customer C will maintain the zone
7.91.10.IN-ADDR.ARPA, customer B their 2 zones, Customer A their own 4
zones). In this constellation, the zone file for reverse domain
91.10.IN-ADDR.ARPA will look like this:
$origin 91.10.in-addr.arpa
@ IN SOA (usual stuff)
IN NS ns1.mydomain.com.
IN NS ns2.mydomain.com.
; --- Customer-A.COM
0 IN NS ns.customer-A.com.
IN NS ns1.mydomain.com.
1 IN NS ns.customer-A.com.
IN NS ns1.mydomain.com.
2 IN NS ns.customer-A.com.
IN NS ns1.mydomain.com.
3 IN NS ns.customer-A.com.
IN NS ns1.mydomain.com.
; --- Customer-B.COM
4 IN NS ns.customer-B.com.
IN NS ns1.mydomain.com.
5 IN NS ns.customer-B.com.
IN NS ns1.mydomain.com.
; --- Customer-C.COM
7 IN NS ns.customer-C.com.
IN NS ns1.mydomain.com.
The zone file of the Customer C reverse domain would look like this:
$origin 7.91.10.in-addr.arpa
@ IN SOA (usual stuff)
IN NS ns.customer-C.com.
IN NS ns1.mydomain.com.
1 IN PTR one.customer-C.com.
2 IN PTR two.customer-C.com.
3 IN PTR three.customer-C.com.
...
-----------------------------------------------------------------------------
Question 5.5. Subnetted domain name service
Date: Thu Jul 16 10:50:41 EDT 1998
If you are looking for some examples of handling subnetted class C
networks as separate DNS domains, see RFC 2317 for more information.
Details follow- You need to delegate down to the fourth octet, so you will
have one domain per IP address ! Here is how you can subdelegate a
in-addr.arpa address for non-byte aligned subnet masks:
Take as an example the net 192.1.1.x, and example subnet mask
255.255.255.240.
We first define the domain for the class C net,
$origin 1.1.192.in-addr.arpa
@ SOA (usual stuff)
@ ns some.nameserver
ns some.other.nameserver
; delegate a subdomain
one ns one.nameserver
ns some.nameserver
; delegate another
two ns two.nameserver
ns some.nameserver
; CNAME pointers to subdomain one
0 CNAME 0.one
1 CNAME 1.one
; through
15 CNAME 15.one
; CNAME pointers to subdomain two
16 CNAME 16.two
17 CNAME 17.two
31 CNAME 31.two
; CNAME as many as required.
Now, in the delegated nameserver, one.nameserver
$origin one.1.1.192.in-addr.arpa
@ SOA (usual stuff)
NS one.nameserver
NS some.nameserver ; secondary for us
0 PTR onenet.one.domain
1 PTR onehost.one.domain
; through
15 PTR lasthost.one.domain
And similar for the two.1.1.192.in-addr.arpa delegated domain.
There is additional documentation and a perl script that may be used for
this purpose available for anonymous ftp from:
ftp.is.co.za : /networking/ip/dns/gencidrzone/gencidrzone
-----------------------------------------------------------------------------
Question 5.6. Recommended format/style of DNS files
Date: Sun Nov 27 23:32:41 EST 1994
This answer is quoted from an article posted by Paul Vixie:
I've gone back and forth on the question of whether the BOG should
include a section on this topic. I know what I myself prefer, but
I'm wary of ramming my own stylistic preferences down the throat of
every BOG reader. But since you ask :-)...
Create /var/named. If your system is too old to have a /var, either
create one or use /usr/local/adm/named instead. Put your named.boot
in it, and make /etc/named.boot a symlink to it. If your system
doesn't have symlinks, you're S-O-L (but you knew that). In
named.boot, put a "directory" directive that specifies your actual
BIND working directory:
directory /var/named
All relative pathnames used in "primary", "secondary", and "cache"
directives will be evaluated relative to this directory. Create two
subdirectories, /var/named/pri and /var/named/sec. Whenever you add
a "primary" directive to your named.boot, use "pri/WHATEVER" as the
path name. And then put the primary zone file into "pri/WHATEVER".
Likewise when you add "secondary" directives, use "sec/WHATEVER" and
BIND (really named-xfer) will create the files in that
subdirectory.
(Variations: (1) make a midlevel directory "zones" and put "pri" and
"sec" into it; (2) if you tend to pick up a lot of secondaries from
a few hosts, group them together in their own subdirectories --
something like /var/named/zones/uucp if you're a UUCP Project name
server.)
For your forward files, name them after the zone. dec.com becomes
"/var/named/zones/pri/dec.com". For your reverse files, name them
after the network number. 0.1.16.in-addr.arpa becomes
"/var/named/zones/pri/16.1.0".
When creating or maintaining primary zone files, try to use the same
SOA values everywhere, except for the serial number which varies per
zone. Put a $ORIGIN directive at the top of the primary zone file,
not because its needed (it's not since the default origin is the
zone named in the "primary" directive) but because it make it easier
to remember what you're working on when you have a lot of primary
zones. Put some comments up there indicating contact information
for the real owner if you're proxying. Use RCS and put the "Id"
in a ";" comment near the top of the zone file.
The SOA and other top level information should all be listed
together. But don't put IN on every line, it defaults nicely. For
example:
==============
@ IN SOA gw.home.vix.com. postmaster.vix.com. (
1994082501 ; serial
3600 ; refresh (1 hour)
1800 ; retry (30 mins)
604800 ; expire (7 days)
3600 ) ; minimum (1 hour)
NS gw.home.vix.com.
NS ns.uu.net.
NS uucp-gw-1.pa.dec.com.
NS uucp-gw-2.pa.dec.com.
MX 10 gw.home.vix.com.
MX 20 uucp-gw-1.pa.dec.com.
MX 20 uucp-gw-1.pa.dec.com.
==============
I don't necessarily recommend those SOA values. Not every zone is
as volatile as the example shown. I do recommend that serial number
format; it's in date format with a 2-digit per-day revision number.
This format will last us until 2147 A.D. at which point I expect a
better solution will have been found :-). (Note that it would last
until 4294 A.D. except that there are some old BINDs out there that
use a signed quantity for representing serial number internally; I
suppose that as long as none of these are still running after 2047
A.D., that we can use the above serial number format until 4294
A.D., at which point a better solution will HAVE to be found.)
You'll note that I use a tab stop for "IN" even though I never again
specify it. This leaves room for names longer than 7 bytes without
messing up the columns. You might also note that I've put the MX
priority and destination in the same tab stop; this is because both
are part of the RRdata and both are very different from MX which is
an RRtype. Some folks seem to prefer to group "MX" and the priority
together in one tab stop. While this looks neat it's very confusing
to newcomers and for them it violates the law of least
astonishment.
If you have a multi-level zone (one which contains names that have
dots in them), you can use additional $ORIGIN statements but I
recommend against it since there is no "back" operator. That is,
given the above example you can add:
=============
$ORIGIN home
gw A 192.5.5.1
=============
The problem with this is that subsequent RR's had better be
somewhere under the "home.vix.com" name or else the $ORIGIN that
introduces them will have to use a fully qualified name. FQDN
$ORIGIN's aren't bad and I won't be mad if you use them.
Unqualified ones as shown above are real trouble. I usually stay
away from them and just put the whole name in:
=============
gw.home A 192.5.5.1
=============
In your reverse zones, you're usually in some good luck because the
owner name is usually a single short token or sometimes two.
=============
$ORIGIN 5.5.192.in-addr.arpa.
@ IN SOA ...
NS ...
1 PTR gw.home.vix.com.
=========================================
$ORIGIN 1.16.in-addr.arpa.
@ IN SOA ...
NS ...
2.0 PTR gatekeeper.dec.com.
=============
It is usually pretty hard to keep your forward and reverse zones in
sync. You can avoid that whole problem by just using "h2n" (see
the ORA book, DNS and BIND, and its sample toolkit, included in the
BIND distribution or on ftp.uu.net (use the QUOTE SITE EXEC INDEX
command there to find this -- I never can remember where it's at).
"h2n" and many tools like it can just read your old /etc/hosts file
and churn it into DNS zone files. (May I recommend
contrib/decwrl/mkdb.pl from the BIND distribution?) However, if you
(like me) prefer to edit these things by hand, you need to follow
the simple convention of making all of your holes consistent. If
you use 192.5.5.1 and 192.5.5.3 but not (yet) 192.5.5.2, then in
your forward file you will have something like
=============
...
gw.home A 192.5.5.1
;avail A 192.5.5.2
pc.home A 192.5.5.3
=============
and in your reverse file you will have something like
=============
...
1 PTR gw.home.vix.com.
;2 PTR avail
3 PTR pc.home.vix.com.
=============
This convention will allow you to keep your sanity and make fewer
errors. Any kind of automation (h2n, mkdb, or your own
perl/tcl/awk/python tools) will help you maintain a consistent
universe even if it's also a complex one. Editing by hand doesn't
have to be deadly but you MUST take care.
-----------------------------------------------------------------------------
Question 5.7. DNS on a system not connected to the Internet
Date: Sun Nov 27 23:32:41 EST 1994
You need to create your own root domain name server until you connect to
the internet. Your roots need to delegate to mydomain.com and any
in-addr.arpa subdomains you might have, and that's about it. As soon as
you're connected, rip out the fake roots and use the real ones.
It does not actually have to be another server pretending to be the root.
You can set up the name server so that it is primary for each domain above
you and leave them empty (i.e. you are foo.bar.com - claim to be primary
for bar.com and com)
If you connect intermittently and want DNS to work when you are connected,
and "fail" when you are not, you can point the resolver at the name server
at the remote site and if the connection (SLIP/PPP) isn't up, the resolver
doesn't have a route to the remote server and since there's only one name
server in resolv.conf, the resolver quickly backs off the using
/etc/hosts. No problem. You could do the same with multiple name server
and a resolver that did configurable /etc/hosts fallback.
-----------------------------------------------------------------------------
Question 5.8. Multiple Domain configuration
Date: Fri Dec 2 15:40:49 EST 1994
If you want to have multiple domain names pointing to the same
destination, such as:
ftp ftp.biff.com connects user to -> ftp.biff.com
ftp ftp.fred.com connects user to -> ftp.biff.com
ftp ftp.bowser.com connects user to -> ftp.biff.com
You may do this by using CNAMEs:
ftp.bowser.com. IN CNAME ftp.biff.com.
You can also do the same thing with multiple A records.
-----------------------------------------------------------------------------
Question 5.9. wildcard MX records
Date: Sun Nov 27 23:32:41 EST 1994
Does BIND not understand wildcard MX records such as the following?
*.foo.com MX 0 mail.foo.com.
No. It just doesn't work.
Explicit RR's at one level of specificity will, by design, "block" a
wildcard at a lesser level of specificity. I suspect that you have an RR
(an A RR, perhaps?) for "bar.foo.com" which is blocking the application of
your "*.foo.com" wildcard. The initial MX query is thus failing (NOERROR
but an answer count of 0), and the backup query finds the A RR for
"bar.foo.com" and uses it to deliver the mail directly (which is what you
DIDN'T want it to do). Adding an explicit MX RR for the host is therefore
the right way to handle this situation.
See RFC 1034, Section 4.3.3 ("Wildcards") for more information on this
"blocking" behavior, along with an illustrative example. See also RFC 974
for an explanation of standard mailer behavior in the face of an "empty"
response to one's MX query.
Basically, what it boils down to is, there is no point in trying to use a
wildcard MX for a host which is otherwise listed in the DNS.
It just doesn't work.
-----------------------------------------------------------------------------
Question 5.10. How do you identify a wildcard MX record ?
Date: Thu Dec 1 11:10:39 EST 1994
You don't really need to "identify" a wildcard MX RR. The precedence for
u@dom is:
exact match MX
exact match A
wildcard MX
One way to implement this is to query for ("dom",IN,MX) and if the answer
name that comes back is "*." something, you know it's a wildcard,
therefore you know there is no exact match MX, and you therefore query for
("dom",IN,A) and if you get something, use it. if you don't, use the
previous wildcard response.
RFC 974 explains this pretty well.
-----------------------------------------------------------------------------
Question 5.11. Why are fully qualified domain names recommended ?
Date: Sun Nov 27 23:32:41 EST 1994
The documentation for BIND 4.9.2 says that the hostname should be set to
the full domain style name (i.e host.our.domain rather than host). What
advantages are there in this, and are there any adverse consequences if we
don't?
Paul Vixie likes to do it :-) He lists a few reasons -
* Sendmail can be configured to just use Dj$w rather than Dj$w.mumble
where "mumble" is something you have to edit in by hand. Granted, most
people use "mumble" elsewhere in their config files ("tack on local
domain", etc) but why should it be a requirement ?
* The real reason is that not doing it violates a very useful invariant:
gethostbyname(gethostname) == gethostbyaddr(primary_interface_address)
If you take an address and go "backwards" through the PTR's with it,
you'll get a FQDN, and if you push that back through the A RR's, you get
the same address. Or you should. Many multi-homed hosts violate this
uncaringly.
If you take a non-FQDN hostname and push it "forwards" through the A
RR's, you get an address which, if you push it through the PTR's, comes
back as a FQDN which is not the same as the hostname you started with.
Consider the fact that, absent NIS/YP, there is no "domainname" command
analogous to the "hostname" command. (NIS/YP's doesn't count, of
course, since it's sometimes-but-only-rarely the same as the Internet
domain or subdomain above a given host's name.) The "domain" keyword in
resolv.conf doesn't specify the parent domain of the current host; it
specifies the default domain of queries initiated on the current host,
which can be a very different thing. (As of RFC 1535 and BIND 4.9.2's
compliance with it, most people use "search" in resolv.conf, which
overrides "domain", anyway.)
What this means is that there is NO authoritative way to
programmatically discover your host's FQDN unless it is set in the
hostname, or unless every application is willing to grovel the "netstat
-in" tables, find what it hopes is the primary address, and do a PTR
query on it.
FQDN /bin/hostnames are, intuitively or not, the simplest way to go.
-----------------------------------------------------------------------------
Question 5.12. Distributing load using named
Date: Thu Jul 16 10:42:05 EDT 1998
When you attempt to distribute the load on a system using named, the first
response be cached, and then later queries use the cached value (This
would be for requests that come through the same server). Therefore, it
can be useful to use a lower TTL on records where this is important. You
can use values like 300 or 500 seconds.
If your local caching server has ROUND_ROBIN, it does not matter what the
authoritative servers have -- every response from the cache is rotated.
But if it doesn't, and the authoritative server site is depending on this
feature (or the old "shuffle-A") to do load balancing, then if one doesn't
use small TTLs, one could conceivably end up with a really nasty
situation, e.g., hundreds of workstations at a branch campus pounding on
the same front end at the authoritative server's site during class
registration.
Not nice.
Paul Vixie has an example of the ROUND_ROBIN code in action. Here is
something that he wrote regarding his example:
I want users to be distributed evenly among those 3 hosts.
Believe it or not :-), BIND offers an ugly way to do this. I offer
for your collective amusement the following snippet from the
ugly.vix.com zone file:
hydra cname hydra1
cname hydra2
cname hydra3
hydra1 a 10.1.0.1
a 10.1.0.2
a 10.1.0.3
hydra2 a 10.2.0.1
a 10.2.0.2
a 10.2.0.3
hydra3 a 10.3.0.1
a 10.3.0.2
a 10.3.0.3
Note that having multiple CNAME RR's at a given name is
meaningless according to the DNS RFCs but BIND doesn't mind (in
fact it doesn't even complain). If you call
gethostbyname("hydra.ugly.vix.com") (try it!) you will get
results like the following. Note that there are two round robin
rotations going on: one at ("hydra",CNAME) and one at each
("hydra1",A) et al. I used a layer of CNAME's above the layer of
A's to keep the response size down. If you don't have nine
addresses you probably don't care and would just use a pile of
CNAME's pointing directly at real host names.
{hydra.ugly.vix.com
name: hydra2.ugly.vix.com
aliases: hydra.ugly.vix.com
addresses: 10.2.0.2 10.2.0.3 10.2.0.1
{hydra.ugly.vix.com
name: hydra3.ugly.vix.com
aliases: hydra.ugly.vix.com
addresses: 10.3.0.2 10.3.0.3 10.3.0.1
{hydra.ugly.vix.com
name: hydra1.ugly.vix.com
aliases: hydra.ugly.vix.com
addresses: 10.1.0.2 10.1.0.3 10.1.0.1
{hydra.ugly.vix.com
name: hydra2.ugly.vix.com
aliases: hydra.ugly.vix.com
addresses: 10.2.0.3 10.2.0.1 10.2.0.2
{hydra.ugly.vix.com
name: hydra3.ugly.vix.com
aliases: hydra.ugly.vix.com
addresses: 10.3.0.3 10.3.0.1 10.3.0.2
Please note that this is not a recommended practice and will not work with
modern BIND unless you have the entry "multiple-cnames yes" in your
named.conf file.
-----------------------------------------------------------------------------
Question 5.13. Round robin IS NOT load balancing
Date: Mon Mar 9 22:10:51 EST 1998
Round robin != load balancing. It's a very crude attempt at load
balancing, and a method that is possible without breaking DNS protocols.
If a host is down that is included in a round robin list, then
connections to that particular host will fail. In addition, true load
balancing should take into consideration the actual LOAD on the system.
Information on one such technique, implemented by Roland J. Schemers III
at Stanford, may be found at
http://www-leland.stanford.edu/~schemers/docs/lbnamed/lbnamed.html.
Additional information may be found in RFC 1794. MultiNet for OpenVMS
also includes this feature.
-----------------------------------------------------------------------------
Question 5.14. Order of returned records
Date: Tue Apr 8 20:21:02 EDT 1997
Sorting, is the *resolver's* responsibility. RFC 1123:
6.1.3.4 Multihomed Hosts
When the host name-to-address function encounters a host
with multiple addresses, it SHOULD rank or sort the
addresses using knowledge of the immediately connected
network number(s) and any other applicable performance or
history information.
DISCUSSION:
The different addresses of a multihomed host generally
imply different Internet paths, and some paths may be
preferable to others in performance, reliability, or
administrative restrictions. There is no general way
for the domain system to determine the best path. A
recommended approach is to base this decision on local
configuration information set by the system
administrator.
In BIND 4.9.x's resolver code, the "sortlist" directive in resolv.conf
can be used to configure this. The directive may also be used in the
named.boot as well.
-----------------------------------------------------------------------------
Question 5.15. resolv.conf
Date: Fri Feb 10 15:46:17 EST 1995
The question was asked one time, "Why should I use 'real' IP addresses in
/etc/resolv.conf and not 0.0.0.0 or 127.0.0.1" ?
Paul Vixie writes on the issue of the contents of resolv.conf:
It's historical. Some kernels can't unbind a UDP socket's source
address, and some resolver versions (notably not including BIND
4.9.2 or 4.9.3's) try to do this. The result can be wide area
network traffic with 127.0.0.1 as the source address. Rather than
giving out a long and detailed map of version/vendor combinations of
kernels/BINDs that have/don't this problem, I just tell folks not to
use 127.0.0.1 at all.
0.0.0.0 is just an alias for the first interface address assigned
after a system boot, and if that interface is a up-and-down point to
point link (PPP, SLIP, whatever), there's no guarantee that you'll
be able to reach yourself via 0.0.0.0 during the entire lifetime of
any system instance. On most kernels you can finesse this by adding
static routes to 127.0.0.1 for each of your interface addresses, but
some kernels don't like that trick and rather than give a detailed
map of which ones work and which ones don't, I just globally
recommend against 0.0.0.0.
If you know enough to know that 127.0.0.1 or 0.0.0.0 is safe on your
kernel and resolver, then feel free to use them. If you don't know
for sure that it is safe, don't use them. I never use them (except
on my laptop, whose hostname is "localhost" and whose 0.0.0.0 is
127.0.0.1 since I ifconfig my lo0 before any other interface). The
operational advantage to using a real IP address rather than an
wormhole like 0.0.0.0 or 127.0.0.1, is that you can then "rdist" or
otherwise share identical copies of your resolv.conf on all the
systems on any given subnet, not all of which will be servers.
The problem was with older versions of the resolver (4.8.X). If you
listed 127.0.0.1 as the first entry in resolv.conf, and for whatever
reason the local name server wasn't running and the resolver fell back to
the second name server listed, it would send queries to the name server
with the source IP address set to 127.0.0.1 (as it was set when the
resolver was trying to send to 127.0.0.1--you use the loopback address to
send to the loopback address).
-----------------------------------------------------------------------------
Question 5.16. How do I delegate authority for sub-domains ?
Date: Mon Nov 10 22:57:54 EST 1997
When you start having a very big domain that can be broken into logical
and separate entities that can look after their own DNS information, you
will probably want to do this. Maintain a central area for the things
that everyone needs to see and delegate the authority for the other parts
of the organization so that they can manage themselves.
Another essential piece of information is that every domain that exists
must have it NS records associated with it. These NS records denote the
name servers that are queried for information about that zone. For your
zone to be recognized by the outside world, the server responsible for the
zone above you must have created a NS record for your your new servers
(NOTE that the new servers DO NOT have to be in the new domain). For
example, putting the computer club onto the network and giving them
control over their own part of the domain space we have the following.
The machine authorative for gu.uwa.edu.au is mackerel and the machine
authorative for ucc.gu.uwa.edu.au is marlin.
in mackerel's data for gu.uwa.edu.au we have the following
@ IN SOA ...
IN A 130.95.100.3
IN MX mackerel.gu.uwa.edu.au.
IN MX uniwa.uwa.edu.au.
marlin IN A 130.95.100.4
ucc IN NS marlin.gu.uwa.edu.au.
IN NS mackerel.gu.uwa.edu.au.
Marlin is also given an IP in our domain as a convenience. If they blow
up their name serving there is less that can go wrong because people can
still see that machine which is a start. You could place "marlin.ucc" in
the first column and leave the machine totally inside the ucc domain as
well.
The second NS line is because mackerel will be acting as secondary name
server for the ucc.gu domain. Do not include this line if you are not
authorative for the information included in the sub-domain.
To delegate authority for PTR records, the same concepts apply.
stub 10.168.192.in-addr.arpa <subdomain server addr> db.192.168.10
may be added to your primary server's named.boot in recent versions of
bind. In other versions (and recent ones :-) ), the following lines may
be added to the db.192.168.10 zone file to perform the same function:
xxx IN NS <server1>
xxx IN NS <server2>
xxx IN NS <server3> ; if needed
...
xxx IN NS <serverN> ; if needed
-----------------------------------------------------------------------------
Question 5.17. DNS instead of NIS on a Sun OS 4.1.x system
Date: Sat Dec 7 01:14:17 EST 1996
Comments relating to running bind 4.9.x on a Sun OS 4.1.x system and the
effect on sendmail, ftp, telnet and other TCP/IP services bypassing NIS
and directly using named is documented quite well in the
comp.sys.sun.admin FAQ in questions one and two. You can get them from:
* ftp.ece.uc.edu : /pub/sun-faq/FAQs/sun-faq.general
* http://www.cis.ohio-state.edu/hypertext/faq/usenet/comp-sys-sun-faq
as well as from rtfm.mit.edu in the usual place, etc.
-----------------------------------------------------------------------------
Question 5.18. Patches to add functionality to BIND
Date: Wed Jan 14 11:57:20 EST 1998
There are others, but these are listed here:
* When using the round robin DNS and assigning 3 IPs to a host (for
example), a process to guarantee that all 3 IPs are reachable may be
found at
http://www-leland.stanford.edu/~schemers/docs/lbnamed/lbnamed.html
* Patches for 4.9.3-REL that will support the IPv6 AAAA record format may
be found at ftp.inria.fr : /network/ipv6/
This is built into more recent versions of BIND (after 4.9.5?)
* A patch for 4.9.3-REL that will allow you to turn off forwarding of
information from my server may be found at ftp.vix.com :
/pub/bind/release/4.9.3/contrib/noforward.tar.gz
Also look at
ftp.is.co.za : /networking/ip/dns/bind/contrib/noforward.tar.gz
* How do I tell a server to listen to a particular interface to listen and
respond to DNS queries on ?
Mark Andrews has a patch that will tell a 4.9.4 server to listen to a
particular interface and respond to DNS queries. It may be found at an
unofficial location: http://www.ultra.net/~jzp/andrews.patch.txt
This is built into BIND 8.1.1.
* A patch to implement "selective forwarding" from Todd Aven at
http://www.dns.net/dnsrd/servers.html.
-----------------------------------------------------------------------------
Question 5.19. How to serve multiple domains from one server
Date: Tue Nov 5 23:44:02 EST 1996
Most name server implementations allow information about multiple domains
to be kept on one server, and questions about those domains to be
answered by that one server. For instance, there are many large servers
on the Internet that each serve information about more than 1000
different domains.
To be completely accurate, a server contains information about zones,
which are parts of domains that are kept as a single unit. [Ed note: for
a definition of zones and domains, see Section 2: The Name Service in the
"Name Server Operations Guide" included with the BIND 4.9.5 distribution.]
In the configuration of the name server, the additional zones need to be
specified. An important consideration is whether a particular server is
primary or secondary for any specific zone--a secondary server maintains
only a copy of the zone, periodically refreshing its copy from another,
specified, server. In BIND, to set up a server as a secondary server for
the x.y.z zone, to the configuration file /etc/named.boot add the line
secondary x.y.z 10.0.0.1 db.x.y.z
where 10.0.0.1 is the IP address of the server that the zone will be
copied from, and db.x.y.z is a local filename that will contain the copy
of the zone.
If this is a question related to how to set up multiple IP numbers on one
system, which you do not need to do to act as a domain server for
multiple domains, see
http://www.thesphere.com/%7Edlp/TwoServers/.
-----------------------------------------------------------------------------
Question 5.20. hostname and domain name the same
Date: Wed Jul 9 21:47:36 EDT 1997
Q: I have a subdomain sub.foobar.com. I would like to name a host
sub.foobar.com. It should also be the mail relay for all hosts in
sub.foobar.com. How do I do this ?
A: You would add an A record for sub.foobar.com, and multiple MX records
pointing to this host (sub.foobar.com). For example:
sub.foobar.com. IN A 1.2.3.4 ; address of host
;
foo.sub.foobar.com. IN MX 10 sub.foobar.com.
bar.sub.foobar.com. IN MX 10 sub.foobar.com.
The host, sub.foobar.com, may also need to be to configured to understand
that mail addressed to user@sub.foobar.com and possibly other sub.foobar.com
hosts should be treated as local.
-----------------------------------------------------------------------------
Question 5.21. Restricting zone transfers
Date: Wed Jan 14 12:16:35 EST 1998
Q: How do I restrict my zone transfers to my secondaries or other trusted
hosts?
A: Use the 'xfrnets' directive within the named.boot file or the
'secure_zone' TXT RR within a zone file. The BOG has more information on
both of these options.
As an example within an 4.9.x named.boot file:
xfernets 10.1.2.0&255.255.255.0 44.66.10.0&255.255.255.0
Only Nameservers on these networks will be able to do zone transfers from
the server with this configuration.
Please note that 'secure_zone' restricts all access to the containing
zone, as well as restricting zone transfers :-) .
BIND 8.x supports restricting zone transfers on a per-zone basis in the
named.conf file, whereas BIND 4.9.x only supports xfrnets as a global
option.
-----------------------------------------------------------------------------
Question 5.22. DNS in firewalled and private networks
Date: Mon Sep 14 22:15:16 EDT 1998
(The following section was contributed by Berislav Todorovic)
When talking about private networks, we distinguish between two cases:
* Networks consisting of firewall-separated private and public subnetworks
* Same domain name used in private and public part of the network
* Different domain names used in the public and private subnetwork
* Closed networks, not connected the Internet at all
* The first case of the "Same domain name", we're talking about DNS
configuration, usually referred to as "split DNS". In this case, two
different DNS servers (or two separate DNS processes on the same
multi-homed machine) have to be configured. One of them ("private DNS")
will serve the internal network and will contain data about all hosts in
the private part of the network. The other one ("public DNS") will serve
Internet users and will contain only the most necessary RR's for
Internet users (like MX records for email exchange, A and CNAME records
for public Web servers, records for other publicly accessible hosts
etc.). Both of them will be configured as primary for the same corporate
domain (e.g. DOMAIN.COM). The public DNS will be delegated with the
appropriate NIC as authoritative for domain DOMAIN.COM.
Private DNS - resolves names from DOMAIN.COM for hosts inside the
private network. If asked for a name outside DOMAIN.COM, they should
forward the request to the public DNS (forwarders line should be used in
the boot file). They should NEVER contact a root DNS on the Internet.
The boot file for the private DNS should, therefore, be:
primary domain.com ZONE.domain.com
primary 1.10.in-addr.arpa REV.10.1
forwarders 172.16.12.10
slave
Public DNS - resolves names from DOMAIN.COM for hosts on the public part
of the network. If asked for a name outside DOMAIN.COM they should
contact root DNS servers or (optionally) forward the request to a
forwarder on the ISP network. Boot file for the public DNS should be of
the form:
primary domain.com ZONE.domain.com
primary 12.16.172.in-addr.arpa REV.172.16.12
... (other domains)
Zone files for domain DOMAIN.COM on the public and private DNS should
be:
; --- Public DNS - zone file for DOMAIN.COM
domain.com. IN SOA ns.domain.com. hostmaster.domain.com. ( ... )
IN NS ns.domain.com.
IN NS ns.provider.net.
IN MX 10 mail.provider.net.
ns IN A 172.16.12.10
www IN A 172.16.12.12
ftp IN A 172.16.12.13
...
; --- Private DNS - zone file for DOMAIN.COM
domain.com. IN SOA ns1.domain.com. hostmaster.domain.com. ( ... )
IN NS ns1.domain.com.
IN NS ns2.domain.com.
wks1-1 IN A 10.1.1.1
wks1-2 IN A 10.1.1.2
...
The second case of the "Same domain name", is simpler than the previous
case: in the internal network, a separate domain name might be used.
Recommended domain name syntax is "name.local" (e.g. DOMAIN.LOCAL).
Sample configuration:
; --- Private DNS - named.boot
primary domain.local ZONE.domain.local
...
forwarders 172.16.12.10
slave
; --- Public DNS - named.boot
primary domain.com ZONE.domain.com
...
IMPLEMENTATION NOTES
Location of the DNS service in both cases is irrelevant. Usually, they
are located on two different physical servers, each of them connected to
the appropriate part of the network (private, public). Certain savings
may be done if public DNS service is hosted on the ISP network - in that
case, the user will need only one (private) DNS server.
Finally, both public and private DNS, in some cases, may be placed on
the servers in the private network, behind the firewall. With a Cisco
PIX, a statical public/private IP address mapping in this case would be
needed. Two servers for the same domain could be even placed on the
same physical server, with two different DNS processes running on
different IP interfaces. Note that BIND 8 is needed in the latter case.
* If the network is not connected to the Internet at all, only private DNS
servers are needed. However, due to the lack of Internet connectivity,
internal servers will fail to contact the root DNS servers every time a
user types, by mistake, an address outside the corporate domain
DOMAIN.COM. Some older servers won't even work if they can't reach root
servers. To overcome this, it is most proper to create a so-called "fake
root zone" on one or more DNS servers in the corporation. That would
make all DNS servers within the corporation think there is only one or
two DNS servers in the world, all located on the corporation network.
Only domain names used within the corporation (DOMAIN.COM, appropriate
inverse domains etc.) should be entered in the fake root zone file. Note
that no cache line in the boot file of the "root" DNS makes sense.
Sample configuration:
; --- named.boot
primary domain.com ZONE.domain.com
primary 1.10.in-addr.arpa REV.10.1
priamry . ZONE.root
... (other data; NOTE - do *NOT* place any "cache" line here !!!)
; --- ZONE.root - fake root zone file, containing only corporation domains
. IN NS ns.domain.com. hostmaster.domain.com. ( ... )
IN NS ns.domain.com.
IN NS ns2.domain.com.
domain.com. IN NS ns.domain.com.
ns.domain.com. IN A 10.1.1.1
domain.com. IN NS ns2.domain.com.
ns2.domain.com. IN A 10.1.1.2
1.10.in-addr.arpa. IN NS ns.domain.com.
IN NS ns2.domain.com.
Other zone files follow standard configuration.
-----------------------------------------------------------------------------
Question 5.23. Different DNS answers for same RR
Date: Mon Sep 14 22:15:16 EDT 1998
(The following section was contributed by Berislav Todorovic)
Many times there is a need for a DNS server to send different answers for
same RR's, depending on the IP address of the request sender. For example,
many coprporations wish to make their customers to use the "geographically
closest" Web server when accessing corporate Web pages. A corporation may
impose the following policy: if someone asked for the IP address of
WWW.DOMAIN.COM, they may want to:
* Answer that the IP address is 172.16.2.3, if the request came from one
of the following IP networks: 172.1/16, 172.2/16 or 172.10/16.
* Answer that the IP address is 172.16.1.1, if the request came from the
IP address 172.16/16 or 172.17.128/18.
* By default, for all other requests send the answer that the IP address
is 172.16.2.3.
The example above will need a DNS to send different A RR's, depending on
the source of queries. A similar approach may be imposed for MX's, CNAME's
etc. The question which arise here is: IS IT POSSIBLE?
[Ed note: There are commercial products such as Cisco's Distributed
Director that also will address this issue]
The simple answer to the question is: NOT DIRECTLY. This is true if
standard DNS software (e.g. BIND) is used on the DNS servers. However,
there are two workarounds which may solve this problem:
* Using two DNS servers on different UDP ports + UDP redirector
* Using two DNS servers on different IP addresses + NAT on the router
Solution 1: (tested on a Linux system and should work on other Unix boxes
as well). Software needed is:
* BIND 8
* udprelay - a package which redirects traffic to other UDP port
(sunsite.unc.edu: /pub/Linux/system/network/misc/udprelay-0.2.tar.Z ).
Build and install udprelay and bring up two DNS servers on different UDP
ports, using different configuration files (i.e., bring one on 5300 and
the other one on 5400):
// --- named.conf.5300
options {
directory "/var/named"
listen-on port 5300 { any; };
... (other options)
};
zone "domain.com" {
type master;
file "domain.com.5300";
};
// --- named.conf.5400
options {
directory "/var/named"
listen-on port 5400 { any; };
... (other options)
};
zone "domain.com" {
type master;
file "domain.com.5400";
};
; domain.com.5300
... (SOA and other stuff)
www IN A 172.16.2.3
; --- domain.com.5400
... (SOA and other stuff)
www IN A 172.16.1.1
As can be seen, there will be two separate zone files for DOMAIN.COM,
depending on which UDP port the server listens to. Each zone file can
contain different records. Now, when configure udprelay to forward UDP
traffic from port 53 to 5300 or 5400, depending on the remote IP address:
relay 172.1.0.0 mask 255.255.0.0 * 53 172.16.1.1 5300 53
relay 172.2.0.0 mask 255.255.0.0 * 53 172.16.1.1 5300 53
relay 172.10.0.0 mask 255.255.0.0 * 53 172.16.1.1 5300 53
relay 172.16.0.0 mask 255.255.0.0 * 53 172.16.1.1 5400 53
relay 172.17.0.0 mask 255.255.0.0 * 53 172.16.1.1 5400 53
relay * * 53 172.16.1.1 5400 53
After starting udprelay, all traffic coming to port 53 will be redirected
to 5300 or 5400, depending on the source IP address.
NOTE - This solution deals with the UDP part of DNS only. Zone xfers will
be able to be done from one DNS server only, since this solution doesn't
deal the TCP part of DNS. This is, thus, a partial solution but it works!
Solution 2: Bring up two DNS servers on your network, using "private" IP
addresses (RFC 1918), say ns1.domain.com (10.1.1.1) and ns2.domain.com
(10.1.1.2). Both servers will have the same public address - 172.16.1.1,
which will be used to access the servers. Configure them to be both
primary for domain DOMAIN.COM. Let one of them (say, ns1) be the
"default" DNS, which will be used in most of the cases. Establish NAT on
the router, so it translates the public IP address 172.16.1.1 to 10.1.1.1
and delegate your "default" DNS with the appropriate NIC, using its public
address 172.16.1.1. Once you're assured everything works, setup your
router to translate the public IP address 172.16.1.1 to either 10.1.1.1 or
10.1.1.2, depending on the requestor IP address. After that, depending on
the source IP address, the router will return one translation or the
latter, thus forwarding the remote side to the appropriate DNS server.
===============================================================================
Section 6. PROBLEMS
Q6.1 No address for root server
Q6.2 Error - No Root Nameservers for Class XX
Q6.3 Bind 4.9.x and MX querying?
Q6.4 Do I need to define an A record for localhost ?
Q6.5 MX records, CNAMES and A records for MX targets
Q6.6 Can an NS record point to a CNAME ?
Q6.7 Nameserver forgets own A record
Q6.8 General problems (core dumps !)
Q6.9 malloc and DECstations
Q6.10 Can't resolve names without a "."
Q6.11 Why does swapping kill BIND ?
Q6.12 Resource limits warning in system
Q6.13 ERROR:ns_forw: query...learnt
Q6.14 ERROR:zone has trailing dot
Q6.15 ERROR:Zone declared more then once
Q6.16 ERROR:response from unexpected source
Q6.17 ERROR:record too short from [zone name]
Q6.18 ERROR:sysquery: findns error (3)
Q6.19 ERROR:Err/TO getting serial# for XXX
Q6.20 ERROR:zonename IN NS points to a CNAME
Q6.21 ERROR:Masters for secondary zone [XX] unreachable
Q6.22 ERROR:secondary zone [XX] expired
Q6.23 ERROR:bad response to SOA query from [address]
Q6.24 ERROR:premature EOF, fetching [zone]
Q6.25 ERROR:Zone [XX] SOA serial# rcvd from [Y] is < ours
Q6.26 ERROR:connect(IP/address) for zone [XX] failed
Q6.27 ERROR:sysquery: no addrs found for NS
Q6.28 ERROR:zone [name] rejected due to errors
-----------------------------------------------------------------------------
Question 6.1. No address for root server
Date: Wed Jan 14 12:15:54 EST 1998
Q: I've been getting the following messages lately from bind-4.9.2..
ns_req: no address for root server
We are behind a firewall and have the following for our named.cache file -
; list of servers
. 99999999 IN NS POBOX.FOOBAR.COM.
99999999 IN NS FOOHOST.FOOBAR.COM.
foobar.com. 99999999 IN NS pobox.foobar.com.
You can't do that. Your nameserver contacts POBOX.FOOBAR.COM, gets the
correct list of root servers from it, then tries again and fails because
of your firewall.
You will need a 'forwarder' definition, to ensure that all requests are
forwarded to a host which can penetrate the firewall. And it is unwise to
put phony data into 'named.cache'.
Q: We are getting logging information in the form:
Apr 8 08:05:22 gute named[107]: sysquery: no addrs found for root NS
(A.ROOT-SERVERS.NET)
Apr 8 08:05:22 gute named[107]: sysquery: no addrs found for root NS
(B.ROOT-SERVERS.NET)
Apr 8 08:05:22 gute named[107]: sysquery: no addrs found for root NS
(C.ROOT-SERVERS.NET)
...
We are running bind 4.9.5PL1 Our system IS NOT behind a firewall. Any ideas ?
This was discussed on the mailing list in November of 1996. The short
answer was to ignore it as it was not a problem. That being said, you
should upgrade to a newer version at this time if you are running a
non-current version :-)
-----------------------------------------------------------------------------
Question 6.2. Error - No Root Nameservers for Class XX
Date: Sun Nov 27 23:32:41 EST 1994
Q: I've received errors before about "No root nameservers for class XX"
but they've been because of network connectivity problems.
I believe that Class 1 is Internet Class data.
And I think I heard someone say that Class 4 is Hesiod??
Does anyone know what the various Class numbers are?
From RFC 1700:
DOMAIN NAME SYSTEM PARAMETERS
The Internet Domain Naming System (DOMAIN) includes several
parameters. These are documented in [RFC1034] and [RFC1035]. The
CLASS parameter is listed here. The per CLASS parameters are
defined in separate RFCs as indicated.
Domain System Parameters:
Decimal Name References
-------- ---- ----------
0 Reserved [PM1]
1 Internet (IN) [RFC1034,PM1]
2 Unassigned [PM1]
3 Chaos (CH) [PM1]
4 Hesoid (HS) [PM1]
5-65534 Unassigned [PM1]
65535 Reserved [PM1]
DNS information for RFC 1700 was taken from
ftp.isi.edu : /in-notes/iana/assignments/dns-parameters
Hesiod is class 4, and there are no official root nameservers for class 4,
so you can safely declare yourself one if you like. You might want to
put up a packet filter so that no one outside your network is capable of
making Hesiod queries of your machines, if you define yourself to be a
root nameserver for class 4.
-----------------------------------------------------------------------------
Question 6.3. Bind 4.9.x and MX querying?
Date: Sun Nov 27 23:32:41 EST 1994
If you query a 4.9.x DNS server for MX records, a list of the MX records
as well as a list of the authorative nameservers is returned. This
happens because bind 4.9.2 returns the list of nameserver that are
authorative for a domain in the response packet, along with their IP
addresses in the additional section.
-----------------------------------------------------------------------------
Question 6.4. Do I need to define an A record for localhost ?
Date: Sat Sep 9 00:36:01 EDT 1995
Somewhere deep in the BOG (BIND Operations Guide) that came with 4.9.3
(section 5.4.3), it says that you define this yourself (if need be) in
the same zone files as your "real" IP addresses for your domain. Quoting
the BOG:
... As implied by this PTR
record, there should be a ``localhost.my.dom.ain''
A record (with address 127.0.0.1) in every domain
that contains hosts. ``localhost.'' will lose its
trailing dot when 1.0.0.127.in-addr.arpa is queried
for;...
The sample files in the BIND distribution show you what needs to be done
(see the BOG).
Some HP boxen (especially those running HP OpenView) will also need
"loopback" defined with this IP address. You may set it as a CNAME
record pointing to the "localhost." record.
-----------------------------------------------------------------------------
Question 6.5. MX records, CNAMES and A records for MX targets
Date: Sun Nov 27 23:32:41 EST 1994
The O'Reilly "DNS and Bind" book warns against using non-canonical names
in MX records, however, this warning is given in the context of mail hubs
that MX to each other for backup purposes. How does this apply to mail
spokes. RFC 974 has a similar warning, but where is it specifically
prohibited to us an alias in an MX record ?
Without the restrictions in the RFC, a MTA must request the A records for
every MX listed to determine if it is in the MX list then reduce the list.
This introduces many more lookups than would other wise be required. If
you are behind a 1200 bps link YOU DON'T WANT TO DO THIS. The addresses
associated with CNAMES are not passed as additional data so you will force
additional traffic to result even if you are running a caching server
locally.
There is also the problem of how does the MTA find all of it's IP
addresses. This is not straight forward. You have to be able to do this is
you allow CNAMEs (or extra A's) as MX targets.
The letter of the law is that an MX record should point to an A record.
There is no "real" reason to use CNAMEs for MX targets or separate As for
nameservers any more. CNAMEs for services other than mail should be used
because there is no specified method for locating the desired server yet.
People don't care what the names of MX targets are. They're invisible to
the process anyway. If you have mail for "mary" redirected to "sue" is
totally irrelevant. Having CNAMEs as the targets of MX's just needlessly
complicates things, and is more work for the resolver.
Having separate A's for nameservers like "ns.your.domain" is pointless
too, since again nobody cares what the name of your nameserver is, since
that too is invisible to the process. If you move your nameserver from
"mary.your.domain" to "sue.your.domain" nobody need care except you and
your parent domain administrator (and the InterNIC). Even less so for
mail servers, since only you are affected.
Q: Given the example -
hello in cname realname
mailx in mx 0 hello
Now, while reading the operating manual of bind it clearly states
that this is *not* valid. These two statements clearly contradict
each other. Is there some later RFC than 974 that overrides what is
said in there with respect to MX and CNAMEs? Anyone have the
reference handy?
A: This isn't what the BOG says at all. See below. You can have a CNAME
that points to some other RR type; in fact, all CNAMEs have to point
to other names (Canonical ones, hence the C in CNAME). What you
can't have is an MX that points to a CNAME. MX RR's that point to
names which have only CNAME RR's will not work in many cases, and
RFC 974 intimates that it's a bad idea:
Note that the algorithm to delete irrelevant RRs breaks if LOCAL has
a alias and the alias is listed in the MX records for REMOTE. (E.g.
REMOTE has an MX of ALIAS, where ALIAS has a CNAME of LOCAL). This
can be avoided if aliases are never used in the data section of MX
RRs.
Here's the relevant BOG snippet:
aliases {ttl addr-class CNAME Canonical name
ucbmonet IN CNAME monet
The Canonical Name resource record, CNAME, speci-
fies an alias or nickname for the official, or
canonical, host name. This record should be the
only one associated with the alias name. All other
resource records should be associated with the
canonical name, not with the nickname. Any
resource records that include a domain name as
their value (e.g., NS or MX) must list the canoni-
cal name, not the nickname.
-----------------------------------------------------------------------------
Question 6.6. Can an NS record point to a CNAME ?
Date: Wed Mar 1 11:14:10 EST 1995
Can I do this ? Is it legal ?
@ SOA (.........)
NS ns.host.this.domain.
NS second.host.another.domain.
ns CNAME third
third IN A xxx.xxx.xxx.xxx
No. Only one RR type is allowed to refer, in its data field, to a CNAME,
and that's CNAME itself. So CNAMEs can refer to CNAMEs but NSs and MXs
cannot.
BIND 4.9.3 (Beta11 and later) explicitly syslogs this case rather than
simply failing as pre-4.9 servers did. Here's a current example:
Dec 7 00:52:18 gw named[17561]: "foobar.com IN NS" \
points to a CNAME (foobar.foobar.com)
Here is the reason why:
Nameservers are not required to include CNAME records in the Additional
Info section returned after a query. It's partly an implementation
decision and partly a part of the spec. The algorithm described in RFC
1034 (pp24,25; info also in RFC 1035, section 3.3.11, p 18) says 'Put
whatever addresses are available into the additional section, using glue
RRs [if necessary]'. Since NS records are speced to contain only primary
names of hosts, not CNAMEs, then there's no reason for algorithm to
mention them. If, on the other hand, it's decided to allow CNAMEs in NS
records (and indeed in other records) then there's no reason that CNAME
records might not be included along with A records. The Additional Info
section is intended for any information that might be useful but which
isn't strictly the answer to the DNS query processed. It's an
implementation decision in as much as some servers used to follow CNAMEs
in NS references.
-----------------------------------------------------------------------------
Question 6.7. Nameserver forgets own A record
Date: Fri Dec 2 16:17:31 EST 1994
Q: Lately, I've been having trouble with named 4.9.2 and 4.9.3.
Periodically, the nameserver will seem to "forget" its own A record,
although the other information stays intact. One theory I had was
that somehow a site that the nameserver was secondary for was
"corrupting" the A record somehow.
A: This is invariably due to not removing ALL of the cached zones
when you moved to 4.9.X. Remove ALL cached zones and restart
your nameservers.
You get "ignoreds" because the primaries for the relevant zones are
running old versions of BIND which pass out more glue than is
required. named-xfer trims off this extra glue.
-----------------------------------------------------------------------------
Question 6.8. General problems (core dumps !)
Date: Sun Dec 4 22:21:22 EST 1994
Paul Vixie says:
I'm always interested in hearing about cases where BIND dumps core.
However, I need a stack trace. Compile with -g and not -O (unless
you are using gcc and know what you are doing) and then when it
dumps core, get into dbx or gdb using the executable and the core
file and use "bt" to get a stack trace. Send it to me
<paul@vix.com> along with specific circumstances leading to or
surrounding the crash (test data, tail of the debug log, tail of the
syslog... whatever matters) and ideally you should save your core
dump for a day or so in case I have questions you can answer via
gdb/dbx.
-----------------------------------------------------------------------------
Question 6.9. malloc and DECstations
Date: Mon Jan 2 14:19:22 EST 1995
We have replaced malloc on our DECstations with a malloc that is more
compact in memory usage, and this helped the operation of bind a lot. The
source is now available for anonymous ftp from
ftp.cs.wisc.edu : /pub/misc/malloc.tar.gz
-----------------------------------------------------------------------------
Question 6.10. Can't resolve names without a "."
(Answer written by Mark Andrews) You are not using a RFC 1535 aware
resolver. Depending upon the age of your resolver you could try adding a
search directive to resolv.conf.
e.g.
domain <domain>
search <domain> [<domain2> ...]
If that doesn't work you can configure you server to serve the parent and
grandparent domains as this is the default search list.
"domain langley.af.mil" has an implicit "search langley.af.mil af.mil mil"
in the old resolvers, and you are timing out trying to resolve the
address with one of these domains tacked on.
When resolving internic.net the following will be tried in order.
internic.net.langley.af.mil
internic.net.af.mil
internic.net.mil
internic.net.
RFC 1535 aware resolvers try qualified address first.
internic.net.
internic.net.langley.af.mil
internic.net.af.mil
internic.net.mil
RFC 1535 documents the problems associated with the old search
algorithim, including security issues, and how to alleviate some of the
problems.
-----------------------------------------------------------------------------
Question 6.11. Why does swapping kill BIND ?
Date: Thu Jul 4 23:20:20 EDT 1996
The question was:
I've been diagnosing a problem with BIND 4.9.x (where x is usually 3BETA9
or 3REL) for several months now. I finally tracked it down to swap space
utilization on the unix boxes.
This happens under (at least) under Linux 1.2.9 & 1.2.13, SunOS 4.1.3U1,
4.1.1, and Solaris 2.5. The symptom is that if these machines get into
swap at all bind quits resolving most, if not all queries. Mind you that
these machines are not "swapping hard", but rather we're talking about a
several hundred K TEMPORARY deficiency. I have noticed while digging
through various archives that there is some referral to "bind thrashing
itself to death". Is this what is happening ?
And the answer is:
Yes it is. Bind can't tolerate having even a few pages swapped out.
The time required to send responses climbs to several seconds/request,
and the request queue fills and overflows.
It's possible to shrink memory consumption a lot by undefining STATS
and XSTATS, and recompiling. You could nuke DEBUG too, which will
cut the code size down some, but probably not the data size. If that
doesn't do the job then it sounds like you'll need to move DNS onto a
separate box.
BIND tends to touch all of its resident pages all of the time with
normal activity... if you look at the RSS verses the total process
size, you will always see the RSS within, usually, 90% of the total
size of the process. This means that *any* paging of named-owned
pages will stall named. Thus, a machine running a heavily accessed
named process cannot afford to swap *at all*.
(Paul Vixie continues on this subject):
I plan to try to get BIND to exhibit slightly better locality of
reference in some future release. Of course, I can only do this if
the query names also exhibit some kind of hot spots. If someone
queries all your names often, BIND will have to touch all of its VM
pool that often. (Right now, BIND touches everything pretty often
even if you're just hammering on some hot spots -- that's the part
I'd like to fix. Malloc isn't cooperating.)
-----------------------------------------------------------------------------
Question 6.12. Resource limits warning in system
Date: Sun Feb 15 22:04:43 EST 1998
When bind-8.1.1 is started the following informational message appears in
the syslog...
Feb 13 14:19:35 ns1named[1986]:
"cannot set resource limits on this system"
What does this mean ?
A: It means that BIND doesn't know how to implement the "coresize",
"datasize", "stacksize", or "files" process limits on your OS.
If you're not using these options, you may ignore the message.
-----------------------------------------------------------------------------
Question 6.13. ERROR:ns_forw: query...learnt
Date: Sun Feb 15 23:08:06 EST 1998
The following message appears in syslog:
Jan 22 21:59:55 server1 named[21386]: ns_forw: query(testval) contains
our address (dns1.foobar.org:1.2.3.4) learnt (A=:NS=)
what does it mean ?
A: This means that when it was looking up the NS records for the domain
containing "testval" (i.e. the root domain), it found an NS record
pointing to dns1.foobar.org, and the A record for this is 1.2.3.4.
This is server1's own IP address, but it's not authoritative for the
root domain. The (A-:NS=) part of the message means that it didn't
learn these NS records from any other machine.
You may have listed dns1.foobar.org in your root server cache
file, even though it's not configured as a root server.
\question 09jul:linuxq ERROR:recvfrom: Connection refused
Date: Wed Jul 9 21:57:40 EDT 1997
DNS on my linux system is reporting the error
\verbatim
Mar 26 12:11:20 idg named[45]: recvfrom: Connection refused
When I start or restart the named program I get no errors. What could be
causing this ?
A: Are you running the BETA9 version of bind 4.9.3 ? It is a bug that
does no harm and the error reporting was corrected in later releases. You
should upgrade to a newer version of bind.
-----------------------------------------------------------------------------
Question 6.14. ERROR:zone has trailing dot
Date: Wed Jul 9 22:11:51 EDT 1997
If syslog reports "zone has trailing dot", the zone information contains a
trailing dot in the named.boot file where it does not belong.
example:
secondary domain.com. xxx.xxx.xxx.xxx S-domain.com
^
-----------------------------------------------------------------------------
Question 6.15. ERROR:Zone declared more then once
Date: Wed Jul 9 22:12:45 EDT 1997
If syslog reports "Zone declared more then once",
A zone is specified multiple times in the named.boot file
example:
secondary domain.com 198.247.225.251 S-domain.com
secondary zone.com 198.247.225.251 S-zone.com
primary domain.com P-domain.com
domain.com is declared twice, once as primary, and once as secondary
-----------------------------------------------------------------------------
Question 6.16. ERROR:response from unexpected source
Date: Wed Jul 9 22:12:45 EDT 1997
If syslog reports "response from unexpected source", BIND (pre 4.9.3) has
a bug if implimented on a multi homed server. This error indicates that
the response to a query came from an address other then the one sent to.
So, if ace gets a response from an unexpected source, ace will ignore the
response.
-----------------------------------------------------------------------------
Question 6.17. ERROR:record too short from [zone name]
Date: Mon Jun 15 21:34:49 EDT 1998
If syslog report "record too short from [zone name]", The secondary server
is trying to pull a zone from the primary server. For some reason, the
primary sent an incomplete zone. This usually is a problem at the primary
server.
To troubleshoot, try this:
dig [zonename] axfr @[primary IP address]
Often, this is caused by a line broken in the middle.
When the primary server's "named.boot" file contains "xfrnets" entries
for other servers and the secondary is not listed, this error can occur.
Creating an "xfrnets" entry for the secondary will solve the error.
-----------------------------------------------------------------------------
Question 6.18. ERROR:sysquery: findns error (3)
Date: Wed Jul 9 22:17:09 EDT 1997
If syslog reports "sysquery: findns error (3)" or
"qserial_query(zonename): sysquery FAILED", there is no ns record for the
zone. or the NS record is not defined correctly.
-----------------------------------------------------------------------------
Question 6.19. ERROR:Err/TO getting serial# for XXX
Date: Wed Jul 9 22:18:41 EDT 1997
If syslog reports "Err/TO getting serial# for XXX", there could be a
number of possible errors:
- An incorrect IP address in named.boot,
- A network reachibility problem,
- The primary is lame for the zone.
An external check to see if you can retrieve the SOA is the best way to
work out which it is.
-----------------------------------------------------------------------------
Question 6.20. ERROR:zonename IN NS points to a CNAME
Date: Wed Jul 9 22:20:29 EDT 1997
If syslog reports "zonename IN NS points to a CNAME" or "zonename IN MX
points to a CNAME", named is 'reminding' you that due to various RFCs, an
NS or MX record cannot point to a CNAME.
EXAMPLE 1
---------
domain.com IN SOA (...stuff...)
IN NS ns.domain.com.
ns IN CNAME machine.domain.com.
machine IN A 1.2.3.4
The IN NS record points to ns, which is a CNAME for machine. This
is what results in the above error
EXAMPLE 2
---------
domain.com IN SOA (...stuff...)
IN MX mail.domain.com.
mail IN CNAME machine.domain.com.
machine IN A 1.2.3.4
This would cause the MX variety of the error.
The fix is point MX and NS records to a machine that is defined explicitly
by an IN A record.
-----------------------------------------------------------------------------
Question 6.21. ERROR:Masters for secondary zone [XX] unreachable
Date: Wed Jul 9 22:24:27 EDT 1997
If syslog reports "Masters for secondary zone [XX] unreachable", the
initial attempts to load a zone failed, and the name server is still
trying. If this occurs multiple times, a problem exists, likely on the
primary server. This is a fairly generic error, and could indicate a vast
number of problems. It might be that named is not running on the primary
server, or they do not have the correct zone file. If this keeps up long
enough a zone might expire.
-----------------------------------------------------------------------------
Question 6.22. ERROR:secondary zone [XX] expired
Date: Wed Jul 9 22:25:53 EDT 1997
If syslog reports "secondary zone [XX] expired", there has been a
expiration of a secondary zone on this server.
An expired zone is one in which a transfer hasn't successfully been
completed in the amount of time specified before a zone expires.
This problem could be anything which prevents a zone transfer: The primary
server is down, named isn't running on the primary, named.boot has the
wrong IP address, etc.
-----------------------------------------------------------------------------
Question 6.23. ERROR:bad response to SOA query from [address]
Date: Wed Jan 14 12:15:11 EST 1998
If syslog reports "bad response to SOA query from [address], zone [name]",
a syntax error may exist in the SOA record of the zone your server is
attempting to pull.
It may also indicate that the primary server is lame, possibly due to a
syntax error somewhere in the zone file.
-----------------------------------------------------------------------------
Question 6.24. ERROR:premature EOF, fetching [zone]
Date: Wed Jul 9 22:28:26 EDT 1997
If syslog reports "premature EOF, fetching [zone]", a syntax error exists
on the zone at the primary location, likely towards the End of File (EOF)
location.
-----------------------------------------------------------------------------
Question 6.25. ERROR:Zone [XX] SOA serial# rcvd from [Y] is < ours
Date: Wed Jul 9 22:30:03 EDT 1997
If syslog reports "Zone [name] SOA serial# rcvd from [address] is < ours",
the zone transfer failed because the primary machine has a lower serial
number in the SOA record than the one on file on this server.
-----------------------------------------------------------------------------
Question 6.26. ERROR:connect(IP/address) for zone [XX] failed
Date: Wed Jan 14 12:21:40 EST 1998
If syslog reports "connect(address) for zone [name] failed: No route to
host" or "connect(address) for zone [name] failed: Connection timed out",
it could be that there is no route to the specified host or a slow primary
system. Try a traceroute to the address specified to isolate the problem.
The problem may be a mistyped IP address in named.boot.
A very slow primary machine or a connection may have been initialized,
then connectivity lost for some reason, etc. Try networking
troubleshooting tools like ping and traceroute, then try connecting to
port 53 using nslookup or dig.
If syslog reports "connect(address) for zone [name] failed: Connection
refused", the destination address is not allowing the connection. Either
the destination is not running DNS (port 53), or possibly filtering the
connection from you. It is also possible that the named.boot is pointing
to the wrong address.
-----------------------------------------------------------------------------
Question 6.27. ERROR:sysquery: no addrs found for NS
Date: Wed Jul 9 22:37:01 EDT 1997
If syslog reports "sysquery: no addrs found for NS" , the IN NS record may
be pointing to a host with no IN A record.
-----------------------------------------------------------------------------
Question 6.28. ERROR:zone [name] rejected due to errors
Date: Wed Jul 9 22:37:51 EDT 1997
If syslog reports "primary zone [name] rejected due to errors", there will
likely be another more descriptive error along with this, like "zonefile:
line 17: database format error". That zone file should be investigated
for errors.
===============================================================================
Section 7. ACKNOWLEDGEMENTS
Q7.1 How is this FAQ generated ?
Q7.2 What formats are available ?
Q7.3 Contributors
-----------------------------------------------------------------------------
Question 7.1. How is this FAQ generated ?
Date: Mon Jun 15 21:45:53 EDT 1998
This FAQ is maintained in BFNN (Bizzarre Format with No Name). This
allows me to create ASCII, HTML, and GNU info (postscript coming soon)
from one source file.
The perl script "bfnnconv.pl" that is available with the linux FAQ is used
to generate the various output files from the BFNN source. This script is
available at
txs-11.mit.edu : /pub/linux/docs/linux-faq/linux-faq.source.tar.gz
-----------------------------------------------------------------------------
Question 7.2. What formats are available ?
Date: Fri Dec 6 16:51:31 EST 1996
You may obtain one of the following formats for this document:
* ASCII: http://www.intac.com/~cdp/cptd-faq/cptd-faq.ascii
* BFNN: http://www.intac.com/~cdp/cptd-faq/cptd-faq.bfnn
* GNU info: http://www.intac.com/~cdp/cptd-faq/cptd-faq.info
* HTML: http://www.intac.com/~cdp/cptd-faq/index.html
-----------------------------------------------------------------------------
Question 7.3. Contributors
Date: Thu Jul 16 10:45:57 EDT 1998
Many people have helped put this list together. Listed in e-mail address
alphabetical order, the following people have contributed to this FAQ:
* <BERI@etf.bg.ac.yu> (Berislav Todorovic)
* <Benoit.Grange@inria.fr> (Benoit.Grange)
* <D.T.Shield@csc.liv.ac.uk> (Dave Shield)
* <Karl.Auer@anu.edu.au> (Karl Auer)
* <Todd.Aven@BankersTrust.Com>
* <adam@comptech.demon.co.uk> (Adam Goodfellow)
* <andras@is.co.za> (Andras Salamon)
* <barmar@bbnplanet.com> (Barry Margolin)
* <barr@pop.psu.edu> (David Barr)
* <bj@herbison.com> (B.J. Herbison)
* <bje@cbr.fidonet.org> (Ben Elliston)
* <brad@birch.ims.disa.mil> (Brad Knowles)
* <ckd@kei.com> (Christopher Davis)
* <cdp2582@hertz.njit.edu> (Chris Peckham)
* <cricket@hp.com> (Cricket Liu)
* <cudep@csv.warwick.ac.uk> (Ian 'Vato' Dickinson [ID17])
* <dj@netscape.com> (David Jagoda)
* <djk@cyber.com.au> (David Keegel)
* <dillon@best.com> (Matthew Dillon)
* <dparter@cs.wisc.edu> (David Parter)
* <e07@nikhef.nl> (Eric Wassenaar)
* <fitz@think.com> (Tom Fitzgerald)
* <fwp@CC.MsState.Edu> (Frank Peters)
* <gah@cco.caltech.edu> (Glen A. Herrmannsfeldt)
* <glenn@popco.com> (Glenn Fleishman)
* <harvey@indyvax.iupui.edu> (James Harvey)
* <hubert@cac.washington.edu> (Steve Hubert)
* <ivanl@pacific.net.sg> (Ivan Leong)
* <jpass@telxon.com> (Jim Pass)
* <jhawk@panix.com> (John Hawkinson)
* <jmalcolm@uunet.uu.net> (Joseph Malcolm)
* <jprovo@augustus.ultra.net> (Joe Provo)
* <jrs@foliage.com> (J. Richard Sladkey)
* <jsd@gamespot.com> (Jon Drukman)
* <jwells@pacificcoast.net> (John Wells)
* <kop@meme.com> (Karl O. Pinc)
* <kevin@cfc.com> (Kevin Darcy)
* <lamont@abstractsoft.com> (Sean T. Lamont)
* <lavondes@tidtest.total.fr> (Michel Lavondes)
* <mark@ucsalf.ac.uk> (Mark Powell)
* <marka@syd.dms.CSIRO.AU> (Mark Andrews)
* <mathias@unicorn.swi.com.sg> (Mathias Koerber)
* <mfuhr@dimensional.com> (Michael Fuhr)
* <mike@westie.gi.net> (Michael Hawk)
* <mjo@iao.ford.com> (Mike O'Connor)
* <nick@flapjack.ieunet.ie> (Nick Hilliard)
* <oppedahl@popserver.panix.com> (Carl Oppedahl)
* <patrick@oes.amdahl.com> (Patrick J. Horgan)
* <paul@software.com> (Paul Wren)
* <pb@fasterix.frmug.fr.net> (Pierre Beyssac)
* <ph10@cus.cam.ac.uk> (Philip Hazel)
* <phil@netpart.com> (Phil Trubey)
* <raj@ceeri.ernet.in> (Raj Singh)
* <rocky@panix.com> (R. Bernstein)
* <rv@seins.Informatik.Uni-Dortmund.DE> (Ruediger Volk)
* <sedwards@sedwards.com> (Steve Edwards)
* <shields@tembel.org> (Michael Shields)
* <spsprunk@pop.srv.paranet.com> (Stephen Sprunk)
* <tanner@george.arc.nasa.gov> (Rob Tanner)
* <vixie@vix.com> (Paul A Vixie)
* <wag@swl.msd.ray.com> (William Gianopoulos)
* <whg@inel.gov> (Bill Gray)
* <wolf@pasteur.fr> (Christophe Wolfhugel)
Thank you !
Reference in New Issue View Git Blame Copy Permalink