Yes, the example.us zone loads. As I mentioned, no errors in named.log, and the statistics webserver (in named) shows example.us as active, albeit with '-' for the serial number instead of the number in the zone file. How did you get a DNAME into .com?
I did make example.us a zone - it is one, isn't it?

If the DNAME has to go in .us, I don't see making this scheme work. As a practical matter, registrars will put NS records into the TLDs, and some (with encouragement) are starting to accept DNSSEC records for the TLDs. But I've yet to see one that provides a means for a registrant to have a DNAME inserted... Unless I'm missing something. Did you actually manage to do this, or is your setup working in third+-level domains?

I was hoping/expecting that since my server is the authoritative server for example.us, the DNAME could go in the example.us zone. I expected that when, as the authoritative server, it was asked for foo.example.us, it would respond with foo.example.net. But the RFC wasn't clear, which is why I asked.

thanks.

---------------------------------------------------------
This communication may not represent my employer's views,
if any, on the matters discussed.

_____

From: Jon F. [mailto:pikel....@gmail.com]
Sent: Thursday, June 30, 2011 16:11
To: Timothe Litt
Cc: bind-users@lists.isc.org
Subject: Re: DNAME?

I have a similar set up to that and it works. Have you checked the logs to make sure the zone properly loaded? I'm assuming the zone data you posted below is from the example.us zone but your first question makes it sound like you put it in a separate zone. That would explain the SERVFAIL if the zone data never loaded but the server was authoritative. It does need to be in the .us.

;; ANSWER SECTION:
example.com.        60  IN  DNAME  example.net.
test.example.com.   60  IN  CNAME  test.example.net.
test.example.net.   60  IN  A      127.0.0.1

And that's with zone data like this:

example.com.  IN  NS     ns1.example.net.
example.com.  IN  NS     ns2.example.net.
example.com.  IN  A      10.0.0.1
example.com.  IN  DNAME  example.net.

Truthfully I haven't looked at DNAMEs in a long time so I'm unsure how to do it fully for a domain without adding an A record as well. But what you're doing works, it's just not very pretty.
Someone may have a better way.

On Thu, Jun 30, 2011 at 2:01 PM, Timothe Litt <l...@acm.org> wrote:

I have domain example.net in production, and have recently acquired example.us and example.info.

For whatever reason, I want example.us to simply mirror example.net, which is dynamically updated (and dnssec). And I want example.us to be zero maintenance. (Well, OK I know I need separate DNSSEC keys, but I don't want to mirror every update made in .net to .us)

So, I add a zone to ns1.example.net that looks like:

(In view "internal")

zone "example.us" {
        auto-dnssec maintain;
        type master;
        allow-transfer { key "TSIG_GLOBAL_KEY"; };
        file "EXAMPLE_US.DB";
        update-policy {
                grant "TSIG_GLOBAL_KEY" subdomain example.us. ANY ;
        };
};

$ORIGIN .
$TTL 600        ; 10 minutes
example.us.     IN SOA   ns1.example.net. examplenetadmin.example.net. (
                         2011063001 ; serial
                         172800     ; refresh (2 days)
                         600        ; retry (10 minutes)
                         2419200    ; expire (4 weeks)
                         600        ; minimum (10 minutes)
                         )
example.us.     IN DNAME example.net.
example.us.     IN NS    ns1.example.net.
example.us.     IN NS    ns2.example.net.

I get SERVFAIL with dig if I ask about, say www.example.us @ns1.example.net (www.example.net does exist).

I see nothing in the named.log, except the trace 99 /notrace commands bracketing the dig, and if I turn on querylog:

client <ns1 IP>#33256: view internal: query: www.example.us IN A + (<ns1 IP>).

If I look at the named statistics channel, I see that example.us is being served, but the zone serial is '-', not '2011063001'.

Questions:

o Am I confused about DNAME placement - would it have to go in .US? If so, is this possible? (I don't mean technically possible - I mean practically - e.g. thru a registrar such as godaddy, enom, etc). If not, what explains the SERVFAIL?

o Why is '-' reported for the zone serial?

o I understand that DNAME and MX don't play well together (DNAME is essentially CNAME, and MX doesn't allow CNAMEs). I suspect I'd have to live with that - unless there are wiser heads?

o Is there a better approach?
(Assume that I'll also want to do the same thing to example.info...)

Thanks.

---------------------------------------------------------
This communication may not represent my employer's views,
if any, on the matters discussed.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

--
Jonathan French
pikel....@gmail.com
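Added example, not part of the original thread and not BIND's code: a sketch of the DNAME substitution rule from RFC 6672 applied to the thread's record (example.us. DNAME example.net., TTL 600), showing that names below the owner are rewritten while the owner name itself is not. The function names and status strings are hypothetical, chosen for this illustration.

```python
MAX_WIRE_LEN = 255  # RFC 1035 limit on an encoded domain name, in octets


def labels(name):
    """Split a name into lower-cased labels; DNS names compare case-insensitively."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def fqdn(lbls):
    return ".".join(lbls) + "."


def wire_len(lbls):
    # One length octet per label plus the terminating root octet.
    return sum(len(l) + 1 for l in lbls) + 1


def synthesize(qname, owner, target, ttl):
    """Return (status, record) for a query against one DNAME record.

    status is a hypothetical label chosen for this example:
      CNAME        - qname is below owner; record is (name, ttl, cname_target)
      NO_REDIRECT  - qname is the DNAME owner itself, which DNAME does not redirect
      NOT_COVERED  - qname is outside the owner's subtree
      YXDOMAIN     - the substituted name would exceed 255 octets
    """
    q, o, t = labels(qname), labels(owner), labels(target)
    if q == o:
        return ("NO_REDIRECT", None)
    split = len(q) - len(o)
    if split < 0 or q[split:] != o:
        return ("NOT_COVERED", None)
    new = q[:split] + t          # keep the prefix labels, swap the suffix
    if wire_len(new) > MAX_WIRE_LEN:
        return ("YXDOMAIN", None)
    # RFC 6672: the synthesized CNAME carries the DNAME's TTL.
    return ("CNAME", (fqdn(q), ttl, fqdn(new)))


if __name__ == "__main__":
    # Constructed queries against the thread's record: example.us. DNAME example.net.
    for name in ("www.example.us", "example.us", "www.example.info"):
        print(name, synthesize(name, "example.us.", "example.net.", 600))
```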