Discussion:
help with NAMED
Francesco Gennai
2008-10-19 21:58:19 UTC
Process Software MultiNet V5.2 Rev A-X, COMPAQ AlphaServer DS20E 833 MHz,
OpenVMS AXP V8.2

After the upgrade to the most recent NAMED image the name
server answers "query refused" to queries coming from external (not localhost)
clients.

-. The name server process is running (show system).
-. I have no allow-query definition in my named config file.
-. If I remove the new image, the name server starts to work again.
-. This is the first named upgrade for Multinet 5.2 that I have done.
-. I know (from a site with a similar configuration) that the problem
appeared since the recent ISC security patch, in fact I waited until
now to do the upgrade on my production system.

What can I do to trace the problem?

Thanks,
Francesco
Jeremy Begg
2008-10-20 01:04:10 UTC
Hi Francesco,
Post by Francesco Gennai
Process Software MultiNet V5.2 Rev A-X, COMPAQ AlphaServer DS20E 833 MHz,
OpenVMS AXP V8.2
After the upgrade to the most recent NAMED image the name
server answers "query refused" to queries coming from external (not localhost)
clients.
I was told by PSC support that the patch implemented a change in behaviour
for the allow-query options. The previous behaviour allowed queries from
anywhere; the patch changed the default to allow queries only from your
local network.

If the server in question is supposed to answer queries from external hosts
you will have to add this to NAMED.CONF:

/* Allow anyone to query us, but only local hosts can use this */
/* nameserver for general lookups. All others can query only */
/* for domains we are authoritative for. */

allow-query { any; };
allow-recursion { 127.0.0.1; a.b.c.d/m; };

where 'a.b.c.d/m' is your network starting address and size, e.g. 192.168.1.0/24
Post by Francesco Gennai
-. The name server process is running (show system).
-. I have no allow-query definition in my named config file.
-. If I remove the new image, the name server starts to work again.
-. This is the first named upgrade for Multinet 5.2 that I have done.
-. I know (from a site with a similar configuration) that the problem
appeared since the recent ISC security patch, in fact I waited until
now to do the upgrade on my production system.
What can I do to trace the problem?
Thanks,
Francesco
Regards,

Jeremy Begg

+---------------------------------------------------------+
| VSM Software Services Pty. Ltd. |
| http://www.vsm.com.au/ |
| "OpenVMS Systems Management & Programming" |
|---------------------------------------------------------|
| P.O.Box 402, Walkerville, | E-Mail: ***@vsm.com.au |
| South Australia 5081 | Phone: +61 8 8221 5188 |
|---------------------------| Mobile: 0414 422 947 |
| A.C.N. 068 409 156 | FAX: +61 8 8221 7199 |
+---------------------------------------------------------+
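
Added example (not part of the original posts and not Process Software or ISC code): a small Python model of the behaviour described in the reply above, showing why a configuration with no allow-query starts returning REFUSED to external clients after the patch, and how the suggested options restore authoritative answers while keeping recursion local. The sample configs, the client addresses, the 192.168.1.0/24 local network and the modelling of the patched default as { localnets; localhost; } are assumptions.

```python
import ipaddress
import re

# Constructed named.conf fragments (sample data, not taken from the thread).
NO_ACLS = "options { recursion yes; };"
WITH_ACLS = """options {
    /* authoritative answers for anyone, recursion for local hosts only */
    allow-query { any; };
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};"""

OLD_DEFAULT = ["any"]                     # pre-patch behaviour described in the reply
NEW_DEFAULT = ["localnets", "localhost"]  # assumed model of "local network only"

def get_acl(conf, option):
    """Return the address-match elements of `option { ... };`, or None if absent."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)  # drop /* */ comments
    m = re.search(r"\b%s\s*\{([^{}]*)\}" % re.escape(option), conf)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def permitted(acl, client, localnets):
    """First matching element decides, as in a BIND address match list."""
    ip = ipaddress.ip_address(client)
    for elem in acl:
        negated, elem = elem.startswith("!"), elem.lstrip("! ")
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif elem == "localhost":
            hit = ip.is_loopback  # simplification: the server's own addresses
        elif elem == "localnets":
            hit = any(ip in ipaddress.ip_network(n) for n in localnets)
        else:
            hit = ip in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negated
    return False

def decide(conf, client, recursive, default, localnets=("192.168.1.0/24",)):
    """Return 'answer' or 'REFUSED' for one query under this simplified model."""
    needed = ["allow-query"] + (["allow-recursion"] if recursive else [])
    for option in needed:
        acl = get_acl(conf, option)
        # An option missing from the config falls back to the image's default.
        if not permitted(default if acl is None else acl, client, localnets):
            return "REFUSED"
    return "answer"

if __name__ == "__main__":
    for conf, default in ((NO_ACLS, OLD_DEFAULT), (NO_ACLS, NEW_DEFAULT), (WITH_ACLS, NEW_DEFAULT)):
        print(decide(conf, "203.0.113.7", False, default))
```

Running the same function over the production config before an upgrade shows which clients depend on a default rather than on an explicit ACL.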
Francesco Gennai
2008-10-20 06:40:37 UTC
Hi Jeremy,

thank you a lot for your useful answer.
The problem was exactly what you have described.

It is strange that there is no highlight about this important change in
the patch release notes (or perhaps I have missed it).

Thanks, :-)
Francesco