Questions and Answers
Jim McKinstry and Amy Rich
              Q I've heard that you should 
              not run your authoritative name servers on the same machines as 
              your caching name servers. Why not, and how do I separate the two?
A An authoritative server is one that's listed in an NS record for a given domain. It doesn't need to know anything about querying the root nameservers; it only answers queries about its own zones from other machines. A caching name server is used by a smaller set of people (i.e., employees of Company Foo) to look up many names in varying domains on their behalf. The caching nameserver needs to know how to query the root nameservers, expire cached data, and walk delegation chains.
While the authoritative server must accept queries from the entire Internet, you can protect the caching server so that queries are accepted only from the IP range of Company Foo. If you put your caching server and your authoritative server on the same instance, then the cache is reachable by the same Internet-wide audience as your zones, and you run the risk of forged information corrupting your cached data (known as cache poisoning).
The other reason to separate caching and authoritative servers mostly matters if you have a large number of people using your name server for cached data. If the caching server and the authoritative server for domain foo.com are on the same machine (let's call the machine ns.bar.com), and foo.com moves its name servers to another provider (ns.baz.com), ns.bar.com will still think it's authoritative for foo.com if the defunct zone file for foo.com is not removed. Anyone using ns.bar.com as a caching server will get the wrong information. If ns.bar.com were a caching-only server, it would never have thought it was authoritative for foo.com. It would go to the root nameservers and find that the correct authoritative server for foo.com could be found at ns.baz.com.
To separate the caching and the authoritative name server instances, you generally run named (or whatever DNS server software you use) on two different machines. Here are some examples for BIND 8. Note that the caching-only configuration should also carry an allow-query restriction limited to your own address range, as described above, so that it does not become an open resolver for the whole Internet.
              
             
named.conf on a caching-only nameserver:

options {
  directory "/etc/named";
};
zone "." {
  type hint;
  file "db.root";
};
zone "0.0.127.in-addr.arpa" {
  type master;
  file "db.local";
};
named.conf on an authoritative-only server (turn off recursion and glue fetching):

options {
  directory "/etc/named";
  recursion no;
  fetch-glue no;
};
zone "." {
  type hint;
  file "db.root";
};
zone "0.0.127.in-addr.arpa" {
  type master;
  file "db.local";
};
zone "foo.com" {
  type master;
  file "db.foo.com";
  allow-transfer {
    192.168.1.2;        // our secondary nameserver
  };
};
If you're stuck running the authoritative and caching servers on the same machine, you may want to restrict recursive queries to a limited set of IPs:

options {
  directory "/etc/named";
  allow-recursion {
    192.168.1.0/29;
  };
};
zone "foo.com" {
  type master;
  file "db.foo.com";
  allow-transfer {
    192.168.1.2;         // our secondary nameserver
  };
  allow-query {
    any;                 // let anyone query for our zone
  };
};
For more examples and other tips on how to secure BIND, check out 
            Cricket Liu's presentation at: 
             
http://www.acmebw.com/papers/securing.pdf
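The settings above can be verified from the outside. The following script is an added example, not part of the column or of BIND: it asks a server to recurse for a name it is not authoritative for and classifies the reply, so you can confirm that an authoritative-only server (recursion no) or an allow-recursion list really refuses outsiders. Run it from an address outside your allow-recursion range. The server and query names are placeholders, and the embedded dig excerpts are constructed rather than captured from any real server.

```shell
#!/bin/sh
# Added example, not from the column: check whether a name server will
# recurse for outsiders (an "open resolver"). probe() runs dig against a
# server; classify() reads dig's header and flags lines, so the verdict
# can also be computed offline from captured output. The server and
# query names in the usage line are assumptions.

# classify: read dig output on stdin and print one word:
#   open      - the server answered with the "ra" (recursion available) flag
#   closed    - it answered REFUSED, or answered without "ra" (a bare referral)
#   noanswer  - no DNS header at all (timeout, port filtered, not a DNS server)
classify() {
    awk '
        /->>HEADER<<-/ { hdr = 1; if ($0 ~ /status: REFUSED/) refused = 1 }
        /^;; flags:/ {
            sub(/^;; flags:/, ""); sub(/;.*/, "")
            n = split($0, w, " ")
            for (i = 1; i <= n; i++) if (w[i] == "ra") ra = 1
        }
        END {
            if (!hdr)                print "noanswer"
            else if (refused || !ra) print "closed"
            else                     print "open"
        }
    '
}

# probe SERVER NAME: ask SERVER to recurse for NAME, which should be a name
# SERVER is not authoritative for, and print the verdict. An authoritative-only
# server (recursion no) should come back "closed".
probe() {
    dig "@$1" "$2" A +recurse +time=3 +tries=1 2>/dev/null | classify
}

# Constructed dig excerpts (not captured from a real server) covering the
# three cases classify() distinguishes.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_REFERRAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0'

if [ "${1-}" = run ]; then
    # Usage: sh probe.sh run ns.bar.com www.example.net   (hypothetical names)
    probe "$2" "$3"
else
    # With no arguments, classify the constructed samples: open, closed, closed
    for s in "$SAMPLE_OPEN" "$SAMPLE_REFUSED" "$SAMPLE_REFERRAL"; do
        printf '%s\n' "$s" | classify
    done
fi
```

An "open" verdict from an outside address means anyone can use the server as a resolver and poison or exhaust its cache; "closed" is what you want for the authoritative-only and restricted configurations above.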
Q I have a Solaris 8 machine connected to a switch with other Solaris 8 machines. This Solaris 8 server NFS exports several filesystems to the other Solaris 8 machines. I'm seeing really wretched NFS performance and frequent timeouts when I try to move even small chunks of data around on the client, no matter what NFS filesystem I'm using on the server. What's the issue? Is NFS really this slow?
A There are several things you'll
              want to look at. First, I'd check nfsstat to see what 
              kind of throughput it thinks you're getting. You may also want 
              to use snoop, nfswatch, or nfstrace to get 
              a better idea of what's happening on the wire. For example, 
              snoop may show that you're having DNS issues. Also use 
              iostat to see whether you're bottlenecking at your disk 
              and netstat to see if there are any network problems between 
              the server and the other hosts.
One network tip: make sure that the Suns and the switch all have the wire speed locked in at 100 Mb/s full duplex. Do not let either side try to auto-negotiate the speed or the mode; a duplex mismatch produces late collisions on one side, CRC errors on the other, and exactly the packet loss that forces NFS retransmissions and timeouts. There are many Ethernet cards out there that have a difficult time getting auto-negotiation right.
              Q I'm getting a lot of "file: 
              table full" error messages on my FreeBSD 4.2-STABLE box. How 
              do I make the file table bigger?
              A  You can increase the value of 
              maxusers in your kernel configuration and recompile and install 
              a new kernel (reboot needed for the changes to take effect, of course). 
              This will have the benefit of increasing a number of system defaults. 
              You can also just modify kern.maxfiles itself on the fly 
              by doing:
              
             
sysctl -w kern.maxfiles=<value>
If you're changing maxusers, 64 is often a decent value for a well-used single-user machine. If you're supporting a lot of users, you probably want to increase that even more (up to 256). In the 4.x kernel the default is kern.maxfiles = 2 * (20 + 16 * maxusers), so setting kern.maxfiles to 2088 would be equivalent to setting maxusers to 64. A value set with sysctl -w is lost at reboot; put kern.maxfiles=2088 in /etc/sysctl.conf to make it persistent.
Q We have a DHCP server running
              on Windows NT. All of the clients that obtain addresses are supposed 
              to send their hostname to the DHCP server so it can update DNS. 
              We recently acquired a Sun Ultra 10 machine running Solaris 8, and 
              it refuses to send its hostname. Is there some configuration variable 
              to Solaris's DHCP client to tell it to send the hostname?
A Solaris's DHCP client doesn't send a hostname -- it expects one to be provided by the server. If you look in /etc/init.d/inetsvc, you see where it tries to set the hostname based on dhcpinfo calls (if /etc/dhcp.<interface> exists and <interface> is the primary interface). You may want to take a look at a third-party DHCP client (like ISC's, at http://www.isc.org/products/DHCP/) for your Sun machines; ISC's dhclient can be told to send the hostname with a send host-name line in dhclient.conf.
              Q I'm used to using Linux and 
              getting colored output for different types of files when using ls 
              -G. I've now switched over to FreeBSD and only seem to 
              get the base color set in my .Xdefaults. Is there a way to 
              get color ls again?
              A  The color capable xterm 
              is part of XFree86 (used by both Linux and FreeBSD). Make sure that 
              you're running xterm with "xterm-color" 
              set as the terminal type. You can do this in two ways. Set the TERM 
              environment variable in your shell:
              
             
export TERM=xterm-color    # Bourne shell variants
setenv TERM xterm-color    # csh variants
Or you can explicitly start up xterm with xterm-color 
            as the terminal type:  
             
xterm -tn xterm-color
In both cases, ls -G should now produce color output.
Q I have an Ultra 220R that I'm trying to jumpstart from our Ultra 10 Jumpstart server. The 220R has two internal disks, one 9-Gb disk we want to use as the boot disk, and one 36-Gb disk we want to use for data. The Jumpstart installation uses the wrong disk as the boot disk when we boot from the network. Why does it keep choosing the bigger disk, and how do we make it choose the 9-Gb disk?
A Since you don't provide your profile, I'm going to guess that you're not specifying the root_device. If root_device or boot_device is not set in the Jumpstart profile, then the root disk is chosen based on the kernel's probe order on the SCSI bus. I'm guessing that you have the 36-Gb disk first in that order, and it's therefore being picked up as the root disk. There are a couple of workarounds you can do in the Jumpstart profile. You can set root_device or boot_device, or you can use explicit partitioning by naming the slices as cWtXdYsZ instead of rootdisk.sZ. This example assumes that your 9-Gb disk is c2t0d0:
              
             
install_type    initial_install
system_type     standalone
partitioning    explicit
filesys         c2t0d0s0 512 /
filesys         c2t0d0s1 1024 swap
filesys         c2t0d0s3 1024 /usr
filesys         c2t0d0s4 1024 /var
filesys         c2t0d0s5 free /stuff
Q Is there any way I can have a script modify a crontab entry on the fly? I want to run a little Bourne shell script that modifies the crontab file if it sees a certain process running.
A The easiest way is probably to
              print out the crontab information, add your new line, and then read 
              the new crontab back in its entirety. I suggest writing this file 
              out to some place other than /tmp (some place writable only 
              by the user you're running this script as), but I'll use 
              /tmp in the example below. If you're expecting more 
              than one process to be doing this at a time, add some file-locking 
              code around the block so that an inconsistent crontab doesn't 
              get read in by another process.
              
             
umask 077                       # keep the temporary copy private
TMPF=/tmp/crontab.$$
crontab -l > $TMPF              # non-zero exit (and an empty file) if no crontab exists yet
echo "0 2 * * * /bin/command" >> $TMPF
crontab $TMPF
rm -f $TMPF
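Building on the three commands above, here is an added example (not from the column) of the complete script the question asks for: it checks for a running process, appends the entry only if it is not already present, and serializes concurrent runs with a lock directory. The process name, the cron line, and the lock and temporary-file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the column: add a crontab line when a given
# process is running, without creating duplicate entries on reruns and with
# a lock so two copies of the script cannot race on the crontab. The
# process name, the cron entry, and the lock and temp paths are assumptions.

WATCH=${WATCH:-bigbatch}                            # hypothetical process to look for
ENTRY='0 2 * * * /usr/local/bin/cleanup-bigbatch'   # hypothetical entry to add
LOCKDIR=${LOCKDIR:-/tmp/crontab-edit.lock}          # mkdir is atomic, so a directory works as a lock

# merge_entry ENTRY: copy the crontab on stdin to stdout, appending ENTRY
# only if an identical line is not already there. (awk -v interprets
# backslash escapes, which ordinary cron lines do not contain.)
merge_entry() {
    awk -v e="$1" '
        $0 == e { seen = 1 }
        { print }
        END { if (!seen) print e }
    '
}

# process_running NAME: true if a process with exactly that command name exists.
process_running() {
    ps -e -o comm= 2>/dev/null | grep -x "$1" >/dev/null
}

# update_crontab: take the lock, build the merged copy in a private temp
# file, install it, and release the lock. "crontab -l" exits non-zero when
# the user has no crontab yet, so that case is treated as an empty crontab.
update_crontab() {
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "crontab is being edited by someone else ($LOCKDIR exists)" >&2
        return 1
    fi
    umask 077
    tmp=/tmp/crontab.$$         # as in the column; a directory only you can write is better
    { crontab -l 2>/dev/null || true; } | merge_entry "$ENTRY" > "$tmp" && crontab "$tmp"
    rc=$?
    rm -f "$tmp"
    rmdir "$LOCKDIR"
    return $rc
}

if [ "${1-}" = run ]; then
    # Usage: sh addcron.sh run   (e.g. from a watchdog that fires when WATCH appears)
    process_running "$WATCH" && update_crontab
fi
```

Add -u <user> to both crontab calls in update_crontab if the target crontab belongs to another user, exactly as the note above says.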
If you're modifying the crontab of someone other than the UID that the script is running as, don't forget to add the -u <user> switch to the two crontab commands above.
Q What's the difference between
              a Solaris MU (maintenance update) and the Solaris recommended patch 
              set? If I apply the MU, do I also need the recommended patch set?
A The MU and the recommended patch set are two different things, and you'll still need the recommended patch set if you install an MU. The recommended patch set is a collection of security and prominent bug patches, and is updated every time a new recommended patch comes out. The MUs are feature upgrades (like support for the Sun Blade 100, IDE drives as a boot disk, or CPUs faster than 400 MHz) that are generally released every three to six months or so. Note that Solaris releases carry a date (Solaris 8 06/00, Solaris 8 10/00, etc.); the different dates on the CDROMs correspond to different MUs.
              Q I'm setting up a database 
              on a Solaris 2.6 machine, and I want to create a raw partition for 
              it. How do I go about this, and, once it's set up, how do I 
              tell how big the raw partition is and how much space is being used?
              A  Assuming you're just using 
              a directly attached disk without any software mirroring/striping 
              layer (SDS or Veritas Volume Manager) sitting in the middle, you 
              can simply use the format utility to create your new disk 
              slice. Unlike setting up a new ufs filesystem, though, you don't 
              need to do a newfs on the newly created slice.
              If the raw partition already exists and you want to find out how 
              much space it has, you can use format and print out the partition 
              table, or you can use prtvtoc with the raw disk device as 
              an argument. For example:
              
             
prtvtoc /dev/rdsk/c0t0d0s0
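Reading the sector counts off that output by hand is error-prone. As an added example, not from the column, the following script converts prtvtoc output into slice sizes in megabytes; the partition map it carries is constructed, and the disk names are placeholders.

```shell
#!/bin/sh
# Added example, not from the column: turn prtvtoc output into slice sizes in
# megabytes, so the size of a raw slice can be read off without doing the
# sector arithmetic by hand. The disk name and the partition map below are
# constructed, not taken from a real system.

# slice_sizes: read prtvtoc output on stdin and print "slice size_MB mount"
# for every data row. The "bytes/sector" line in the header supplies the
# sector size; the rows are: partition tag flags first-sector sector-count
# last-sector [mount-point]. Slices with no mount point (raw slices) show "-".
slice_sizes() {
    awk '
        /bytes\/sector/ { bps = $2 }
        /^[ \t]*[0-9]/ {
            mb = $5 * bps / (1024 * 1024)
            mount = ($7 == "") ? "-" : $7
            printf "%s %d %s\n", $1, mb, mount
        }
    '
}

# slice_size DISK SLICE: size in MB of one slice of a live disk, e.g.
#   slice_size c0t0d0 5      (runs prtvtoc, so the device must exist)
slice_size() {
    prtvtoc /dev/rdsk/"$1"s0 | slice_sizes | awk -v s="$2" '$1 == s { print $2 }'
}

# Constructed partition map in prtvtoc's layout: 512-byte sectors, a 2 GB
# root, 1 GB swap, the whole-disk backup slice 2, and a 4 GB slice 5 with
# no mount point, i.e. the kind of raw slice a database would own.
SAMPLE_VTOC='* /dev/rdsk/c0t0d0s0 partition map
*
* Dimensions:
*     512 bytes/sector
*     16777216 sectors
*
*                          First     Sector    Last
* Partition  Tag  Flags    Sector     Count    Sector  Mount Directory
       0      2    00          0   4194304   4194303   /
       1      3    01    4194304   2097152   6291455
       2      5    00          0  16777216  16777215
       5      0    00    6291456   8388608  14680063'

# Prints: 0 2048 /, 1 1024 -, 2 8192 -, 5 4096 -
printf '%s\n' "$SAMPLE_VTOC" | slice_sizes
```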
If you're using the raw partition for a database, the OS no longer has any concept of free space because the database looks like it's using the entire slice. Generally, there are tools that come with the database that will tell you how much space it thinks is left on the raw device. Two things to check before handing the slice over: make sure it doesn't overlap any slice that holds a filesystem (slice 2 conventionally covers the whole disk, so don't use that one), and chown the /dev/rdsk entry to the database user so the database doesn't have to run as root to open it.
Q I'm in the process of setting
              up a Netapp filer for our internal user space (home directories). 
              We're supporting both UNIX users and NT/2000 users, and some 
              users use both. We have the filer set up to do mixed security, but 
              the UNIX users see everything as mode 777. If we restrict the UNIX 
              side to 755, then the Windows users have problems. How do we secure 
              files on both ends?
              A  In a mixed environment of NTFS 
              and NFS where both types of clients will be accessing the same files, 
              Netapp suggests that you use UNIX-style security instead of mixed 
              security. In a UNIX-style security model, files newly created by 
              CIFS clients inherit permissions from the parent directory, and 
              the group is set to the parent directory's group if it has 
              the SGID bit. This is similar to standard UNIX security behavior, 
              except that the permissions also inherit from the parent because 
              they are not passed in with the create as they would be for UNIX 
              clients.
              Q How do I know what version of 
              SPARC processor (Sparc 9, Sparc 8, Sparc 7) my Sun box has in it?
A On modern versions of Solaris, you can run the command /usr/bin/isainfo -v. This will tell you all of the instruction sets that your CPU will support. I believe there's also a correlation between the machine type (/usr/bin/uname -m) and the instruction set:
              
             
sun4u       sparcv9
sun4m       sparcv8
sun4c       sparcv7
Q I'm running postfix chrooted in /var/spool/postfix, and I'm noticing slow response times getting the SMTP banner when going from localhost to localhost. Nslookup seems to resolve things just fine, identd isn't running, and I'm not wrapping anything with tcp wrappers. This feels like a reverse DNS issue, but everything appears to be fine. What could be the issue?
A It's possible that Postfix's chrooted copy of resolv.conf does not match what's in /etc/. Nslookup runs outside the chroot and reads /etc/resolv.conf, while the chrooted smtpd can only see files under /var/spool/postfix, so the two can disagree. Check for chrooted copies of resolv.conf (probably /var/spool/postfix/etc/resolv.conf) containing stale or incorrect data.
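As an added example, not from the column, the following script checks the chrooted copies against the live files in /etc. It goes beyond resolv.conf to the other files a chrooted Postfix reads for name lookup (hosts, nsswitch.conf, services) plus localtime; the chroot path is Postfix's default queue directory, and the test data is constructed.

```shell
#!/bin/sh
# Added example, not from the column: compare the files a chrooted Postfix
# needs under /var/spool/postfix/etc with the live copies in /etc and report
# which are missing or stale. Postfix does not copy them for you, which is
# how "nslookup works but smtpd is slow" happens: nslookup reads
# /etc/resolv.conf, the chrooted daemons read the copy. The chroot path is
# Postfix's default queue directory; override CHROOT if yours differs.

CHROOT=${CHROOT:-/var/spool/postfix}
# resolv.conf for the resolver, hosts and nsswitch.conf for lookup order,
# services for port names, localtime so log timestamps are right.
CHROOT_FILES="resolv.conf hosts nsswitch.conf services localtime"

# check_one CHROOT SRCDIR NAME: prints ok, missing, stale, or n/a (the host
# does not have the file either, so there is nothing to copy).
check_one() {
    src="$2/$3"
    copy="$1/etc/$3"
    if [ ! -f "$src" ]; then
        echo n/a
    elif [ ! -f "$copy" ]; then
        echo missing
    elif cmp -s "$src" "$copy"; then
        echo ok
    else
        echo stale
    fi
}

# check_chroot CHROOT SRCDIR: one line per file; returns 1 if any copy is
# missing or stale, so it can gate a "copy and reload" step in a cron job.
check_chroot() {
    rc=0
    for f in $CHROOT_FILES; do
        status=$(check_one "$1" "$2" "$f")
        echo "$f: $status"
        case $status in missing|stale) rc=1 ;; esac
    done
    return $rc
}

if [ "${1-}" = run ]; then
    # Usage: sh chrootcheck.sh run
    # Fix with: cp -p /etc/FILE $CHROOT/etc/ && postfix reload
    check_chroot "$CHROOT" /etc
fi
```

Running it from cron and mailing the output when it exits non-zero catches the case where someone edits /etc/resolv.conf and forgets the chroot.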
              Q How do I get a listing of all 
              of the available network interfaces on my Sun Ultra 60?
A From the OpenBoot PROM (aka the ok prompt), you can use the command show-nets to see a listing of all network interface device names. If the machine is in multi-user mode, you can investigate the links from the /dev tree into the /devices tree.
              Jim McKinstry is a Senior Sales Engineer for MTI Technology 
              Corporation (www.mti.com). MTI is a leading international 
              provider of data storage management products and services. He can 
              be reached at: jrmckins@yahoo.com.
              Amy Rich, president of the Boston-based Oceanwave Consulting, 
              Inc. (http://www.oceanwave.com), has been a UNIX systems 
              administrator for more than five years. She received a BSCS at Worcester 
              Polytechnic Institute, and can be reached at: arr@oceanwave.com.