SUMMARY?: DNS forwarding via NIS question

From: David W. Blaine (blained@gdls.com)
Date: Fri Jul 23 1999 - 11:44:17 CDT


Hi,

For now I will summarize what I have, but the responses have left me with more
questions! If all this is true, then why isn't any of this covered under Network
Administration or Performance and Tuning classes? I am still hoping to generate
more discussion on this topic.

SUMMARY:

a) Some people misconstrued my question and stated that the '-d' option is the
"debug" flag under the SunOS 4.x version of ypserv. I knew this. My question
really asked about the '-d' option for Solaris. In Solaris, the -d flag on
ypserv does perform the same function as -b in the makefile. From the man page
for ypserv, the means:

     YP_INTERDOMAIN
          The presence of this key causes ypserv to forward host
          lookups that cannot be satisfied by the DBM files to a
          DNS server.

Matt Fansher stated that if you dig through the startup scripts, you'll see that
the '-d' flag is enabled on startup if there is a /etc/resolv.conf file on the
NIS server. I will probably edit the startup scripts and remove this option.

b) I guess I wasn't clear on my question here either. Some responders talked
about SunOS 4.x (when I really was questioning Solaris). In SunOS 4.x, there is
no /etc/nsswitch.conf. /etc/resolv.conf is ignored without NIS running. There
is a way to recompile libc libraries to make this work, however, it is
unsupported by Sun. Mike Cunningham also had this option:

"To get old sunos systems to dns lookups on their own you need to give the
machine a resolver library which it doesn't have. You can get info
on doing the procedure from sunsolve or just do a netsearch on sunos
and resolver

Check this out too..

http://colorado.edu/UnixOps/Resources.html"

I tried going to this site but couldn't get to this html (permission denied).
Anyway, back to Solaris, it was alluded to that with ypserv running with the
'-d' option it forced clients (no matter how their /etc/nsswitch.conf was set)
to make DNS queries through their NIS master. I was not able to confirm this
through snoop. If this is the case, this would cause unnecessary network traffic
to be routed through one point on the network -- the NIS master. Although I
couldn't confirm this, I do see the symptoms: NIS losing binding temporarily.
This blocking problem is discussed below. Could Casper Dik respond to
this????!!!!
 
 
c) The blocking problem was confirmed to still be a problem even in Solaris 2.6.
So if your domain is running with ypserv and the option '-d' (which is easy to
do; see 'a' above), then DNS queries seem to cause NIS to temporarily lose
binding. Matt suggested to remove the '-d' option from the startup files and not
configure '-b' support in the NIS Makefile. This leaves SunOS 4.x boxes without
DNS support but like he said:
 
"we decided it was more trouble than it was worth (also an extra incentive to
get people here to migrate their programs to solaris)."

I would normally agree with him but my customer is a government contractor. They
are constrained by what the government needs (and will pay for). I might still
investigate options provided in 'b' above.

d) Some responders said that I should safely ignore the rpc.nisd_resolv error
messages. But I contest this because I am not directly or indirectly
communicating with any of the hosts listed in the error message. PSINet is our
ISP. They are also our DNS to the Internet. But, neither machine figures into
DNS lookups.

David Blaine

RESPONSES:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Thu, 22 Jul 1999 09:41:43 +0200 (MET DST)
From: Thomas Anders <anders@hmi.de>
X-Www-Homepage: http://www.hmi.de/people/anders/
X-Disclaimer: I only speak 4 myself - if at all
To: "David W. Blaine" <blained@gdls.com>
Subject: Re: DNS forwarding via NIS question
MIME-Version: 1.0

On Jul 20, 13:48, David W. Blaine wrote:
> d) Could any of the above cause the following errors we are receiving on a
> Solaris 7 NIS master?
> rpc.nisd_resolv[130]: nres_gethostbyaddr: rc3.nc.us.psi.net != 38.1.46.3.

No, this message can be safely ignored.

HTH,
Thomas

--
Thomas Anders <anders@hmi.de>
Hahn-Meitner-Institut Berlin, Germany

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Tue, 20 Jul 1999 16:30:23 -0400
From: Matthew Stier <Matthew.Stier@tddny.fujitsu.com>
X-Accept-Language: en
MIME-Version: 1.0
To: "David W. Blaine" <blained@gdls.com>
Subject: Re: DNS forwarding via NIS question
Content-Transfer-Encoding: 7bit

"David W. Blaine" wrote:

> Hi Sun-gods:
>
> I have some confusion over DNS forwarding via NIS. Here's the deal. We have
> several NIS domains. Some of these domains have old Sun3 and other SunOS 4.x
> boxes in them. For these, the NIS hosts map is compiled using the -b option (DNS
> forwarding) in the Makefile. This is done because (as I understand it) these
> boxes cannot lookup DNS information on their own; they must get this from their
> NIS master. OK, now for the questions:
>
> a) Does starting ypserv with -d perform the same function? If so, our Solaris
> 2.x only domains (which do not have -b compiled into their hosts map) also start
> ypserv with -d. Furthermore...
>

The '-d' option is the "debug" flag under the SunOS 4.x version of ypserv.

>
> b) Why would this be necessary??? Simply configuring /etc/resolv.conf and
> /etc/nsswitch.conf correctly should suffice, right?

The resolver library under SunOS 4.x does not understand the /etc/resolv.conf; unless you want to rebuild the 'c' libraries. (/usr/lib/libc.*)

>
> c) I have read in several articles that DNS forwarding causes blocking on NIS
> operations (potentially could cause the workstation to lose binding). Would this
> still be a problem in Solaris 2.5.1 and above (NISKit 1.2 full patched)? Some of
> our NIS domains that are compiled with the -b option for hosts map do
> sporadically experience "NIS server not responding" messages.

Since all BIND implementations implement the 75 second query timeout, it's probable that DNS via NIS request could cause the client ypbind to sporadically lose binding.

>
> d) Could any of the above cause the following errors we are receiving on a
> Solaris 7 NIS master?
> rpc.nisd_resolv[130]: nres_gethostbyaddr: rc3.nc.us.psi.net != 38.1.46.3.
>

This is an erroneous error message in SunOS 4.1 and 4.1.1 systems.

>
> Sorry for all the questions, but your help would be greatly appreciated.
>
> ------------------
> David Blaine (blained@gdls.com)
> Computer Systems Engineer
> CSC for GDLS
> Phone: 810-825-7650

--
Matthew Lee Stier                 * Fujitsu Network Communications
Unix Systems Administrator        | Two Blue Hill Plaza
Ph: 914-731-2097 Fx: 914-731-2011 | Sixth Floor
Matthew.Stier@fnc.fujitsu.com     * Pearl River, NY 10965

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: Arthur Darren Dunham <add@netcom.com>
Subject: Re: DNS forwarding via NIS question
To: blained@gdls.com
Date: Tue, 20 Jul 1999 11:44:32 -0700 (PDT)
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

>
> Hi Sun-gods:
>
> I have some confusion over DNS forwarding via NIS. Here's the deal. We have
> several NIS domains. Some of these domains have old Sun3 and other SunOS 4.x
> boxes in them. For these, the NIS hosts map is compiled using the -b option (DNS
> forwarding) in the Makefile. This is done because (as I understand it) these
> boxes cannot lookup DNS information on their own; they must get this from their
> NIS master. OK, now for the questions:
>
> a) Does starting ypserv with -d perform the same function? If so, our Solaris
> 2.x only domains (which do not have -b compiled into their hosts map) also start
> ypserv with -d. Furthermore...
>
> b) Why would this be necessary??? Simply configuring /etc/resolv.conf and
> /etc/nsswitch.conf correctly should suffice, right?

Not under SunOS 4.x. There is no /etc/nsswitch.conf. /etc/resolv.conf is ignored without NIS running.

This is true for the default libc libraries. There used to be a package called libresolv+. It replaced the resolver libraries in SunOS 4.x with libraries that could use DNS lookups without NIS running.

> d) Could any of the above cause the following errors we are receiving on a
> Solaris 7 NIS master?
> rpc.nisd_resolv[130]: nres_gethostbyaddr: rc3.nc.us.psi.net != 38.1.46.3.

Nope. I'm pretty sure that's just an informational message for you (not an error) stating that the 'forward' entry did not match the 'reverse' entry. Perhaps that has changed now (it looks like it does to me).

--
Darren Dunham                 ddunham@taos.com
Unix System Administrator     Taos - The SysAdmin Company
Got some Dr. Pepper?          Santa Clara, CA
< Please move on, ...nothing to see here, please disperse >

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Tue, 20 Jul 1999 14:36:05 -0400 (EDT)
From: Matthew Fansher <fanshem@gcm.com>
Subject: Re: DNS forwarding via NIS question
To: blained@gdls.com
MIME-Version: 1.0
Content-MD5: LAtQn6j4/tV5gE31bl9oLg==

The -d flag on ypserv does perform the same function as -b in the makefile. If you dig through the startup scripts, you'll see that the -d flag is enabled on startup if there's a resolv.conf file on the NIS server. And yes, blocking is still a problem, even in 2.6. What we decided to do here was not do any dns forwarding from NIS (no /etc/resolv.conf on the NIS servers, and no -b in the makefile). All solaris clients were configured with a resolv.conf and the appropriate /etc/nsswitch.conf (IE: files nis dns). Currently, our sunos 4.1.x machines can not resolve DNS entries. I think that there's some sort of freeware package for sunos 4.1.x boxes that emulated the functionality of solaris' nsswitch.conf, however we decided it was more trouble than it was worth (also an extra incentive to get people here to migrate their programs to solaris).

Hope this helps.

-Matt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Tue, 20 Jul 1999 14:30:03 -0400 (EDT)
From: Michael Cunningham <malice@exit109.com>
To: "David W. Blaine" <blained@gdls.com>
Subject: Re: DNS forwarding via NIS question
MIME-Version: 1.0

To get old sunos systems to dns lookups on their own you need to give the machine a resolver library which it doesn't have. You can get info on doing the procedure from sunsolve or just do a netsearch on sunos and resolver

Check this out too..

http://colorado.edu/UnixOps/Resources.html

Mike

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ORIGINAL QUESTION:

Hi Sun-gods:

I have some confusion over DNS forwarding via NIS. Here's the deal. We have several NIS domains. Some of these domains have old Sun3 and other SunOS 4.x boxes in them. For these, the NIS hosts map is compiled using the -b option (DNS forwarding) in the Makefile. This is done because (as I understand it) these boxes cannot lookup DNS information on their own; they must get this from their NIS master. OK, now for the questions:

a) Does starting ypserv with -d perform the same function? If so, our Solaris 2.x only domains (which do not have -b compiled into their hosts map) also start ypserv with -d. Furthermore...

b) Why would this be necessary??? Simply configuring /etc/resolv.conf and /etc/nsswitch.conf correctly should suffice, right?

c) I have read in several articles that DNS forwarding causes blocking on NIS operations (potentially could cause the workstation to lose binding). Would this still be a problem in Solaris 2.5.1 and above (NISKit 1.2 full patched)? Some of our NIS domains that are compiled with the -b option for hosts map do sporadically experience "NIS server not responding" messages.

d) Could any of the above cause the following errors we are receiving on a Solaris 7 NIS master?
rpc.nisd_resolv[130]: nres_gethostbyaddr: rc3.nc.us.psi.net != 38.1.46.3.

Sorry for all the questions, but your help would be greatly appreciated.

------------------
David Blaine (blained@gdls.com)
Computer Systems Engineer
CSC for GDLS
Phone: 810-825-7650

------------- End Forwarded Message -------------
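
The checks discussed in this thread, written out as a script. This is an added example, not code from any of the posters or from Sun: it tests for the two ways forwarding gets switched on (a resolv.conf on the NIS server, which per the thread makes the startup scripts add -d, and a YP_INTERDOMAIN key in the hosts map) and for a client set up to do its own DNS lookups. The function names, the file paths passed as arguments, the use of a `makedbm -u` text dump as input, and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the NIS-to-DNS forwarding
# setup described above. File paths are arguments, so it can be pointed at
# copies of a server's or client's files.

# Print the sources listed on the "hosts:" line of an nsswitch.conf file.
hosts_sources() {
    sed 's/#.*//' "$1" |
        awk '$1 == "hosts:" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Succeed if a client can resolve DNS itself: "dns" is a hosts source and
# its resolv.conf names at least one nameserver.
client_uses_own_dns() {
    hosts_sources "$1" | tr ' ' '\n' | grep -qx dns || return 1
    [ -f "$2" ] && grep -q '^[[:space:]]*nameserver[[:space:]]' "$2"
}

# Succeed if a text dump of the hosts map (as written by `makedbm -u`)
# contains the YP_INTERDOMAIN key, i.e. the map was built with -b.
map_forwards_to_dns() {
    awk '$1 == "YP_INTERDOMAIN" { found = 1 } END { exit !found }' "$1"
}

# Server-side report: $1 = resolv.conf path, $2 = hosts map dump.
audit_nis_server() {
    verdict=no-forwarding
    if [ -f "$1" ]; then
        echo "resolv.conf present: startup scripts add -d to ypserv"
        verdict=forwarding-enabled
    fi
    if map_forwards_to_dns "$2"; then
        echo "hosts map carries YP_INTERDOMAIN (built with -b)"
        verdict=forwarding-enabled
    fi
    echo "verdict: $verdict"
}

# Constructed sample files for a dry run (not taken from any real host).
make_samples() {
    printf 'nameserver 192.0.2.53\n' > "$1/resolv.conf"
    printf 'YP_INTERDOMAIN \nYP_MASTER_NAME nismaster\nhosta 192.0.2.10 hosta\n' > "$1/hosts.dump"
    printf 'passwd: files nis\nhosts:  files nis dns  # per the thread\n' > "$1/nsswitch.conf"
}

d=$(mktemp -d) && make_samples "$d" &&
    audit_nis_server "$d/resolv.conf" "$d/hosts.dump"
rm -rf "$d"
```
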



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:24 CDT