RE: dnssec question. confused.

2011-09-28 Thread Marc Lampo
Hello,

1) The dig command, as shown, does not ask an authoritative name server
   for eeoc.gov, but rather addresses a locally configured caching name
   server (10.120.11.107).
   (which may explain the difference in size - 1726 bytes -
   as opposed to the 3918 bytes of Doug Barton)
   ((some data may already have timed out of the local cache, observe the
   TTL values))

2) I'd say: yes, you receive DNSSEC responses.
   But your caching name server is not validating them: the AD bit is not
   set in the answer.

3) The OPT RR, with length 4096, is in the *reply*.
   The server indicates that it is itself willing to accept DNS over UDP
   packets up to that size (e.g. for dynamic updates).
   (While the EDNS0 RFC does not explicitly state that replying with EDNS0
   is mandatory if a query came in with EDNS0, there is also a statement
   that claims this (sending EDNS0 and looking in the reply) is a way,
   for a (dynamic update) client, to find out what the server is willing
   to accept.  This statement seems to imply that EDNS0 in a reply should
   be there if the client sent EDNS0.
   Any other opinions on the list?)
   In order to see the packet size in the outgoing query packet,
   use something like wireshark.

4) DNSSEC query is not precise enough!
   For one thing, DNSSEC requires EDNS0, and EDNS0 announces a buffer size,
   which can vary.
   As long as (!) the buffer size is sufficient, UDP will be used,
   but DNS queries can also be sent over TCP (and is your firewall
   allowing that?).

   My suggestion (from a device that is allowed to send DNS queries to the
Internet), try :

dig @dnssec9.datamtn.com. eeoc.gov. +dnssec
dig @dnssec9.datamtn.com. eeoc.gov. +dnssec +bufsize=512
and
dig @dnssec9.datamtn.com. eeoc.gov. +dnssec +vc

 (and don't forget to have your caching NS validate DNSSEC answers,
  because providing signatures that are ignored by clients
  makes the Internet *less* safe)

Kind regards,

Marc Lampo
Security Officer
EURid



-Original Message-
From: Brad Bendily [mailto:brad.bend...@la.gov] 
Sent: 27 September 2011 10:45 PM
To: bind-users@lists.isc.org
Subject: dnssec question. confused.


When trying the DNSSEC check command from:
https://www.dns-oarc.net/oarc/services/replysizetest

behind our corporate firewall, I get:
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
Tested at 2011-09-27 20:32:34 UTC
205.172.49.177 sent EDNS buffer size 4096
205.172.49.177 DNS reply size limit is at least 490


Which, based on the website tells me our firewall is blocking 
or filtering EDNS/DNSSEC packets.



However, what I'm confused about is when I run this command:
dig +dnssec eeoc.gov

I get:

; <<>> DiG 9.7.3-P1 <<>> +dnssec eeoc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40572
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;eeoc.gov.  IN  A

;; ANSWER SECTION:
eeoc.gov.   19499   IN  A   64.94.64.52
eeoc.gov.   19499   IN  RRSIG   A 7 2 21600 20111208014816
20110909014816 52909 eeoc.gov.
AW5Ny32xDP7+m4XxCSS7q/zuK8RBc+la70Zmg0A/Pe1+p0agkrzbxaHM
GgvKldSKCzVgo7XPGR3LqcGIFDl0CPaaSTxTntlZkdh6x2qS4mM/49+B
9podxzbV3V4LcNpR4c4jyteAa5Uxaz3WSRr1T69PpJyIZZ53JmexkMPi
yOjMcp1IqeSJ0P/06CuZccemo+f/fjGW8xfG/slOp2XJlmbPo1EfJnlw
i07YstZVszHxsgmRUXssEUmkWi3eqAw4Ug2QiRa+zz3JpmgBnC0G7Kxd
SXUJLuvfNdDrtJ9T5anNVRVxCVq499gaJQnWBXKKVVaC9w/BcPnGuSRy OZTyPg==

;; AUTHORITY SECTION:
eeoc.gov.   66519   IN  NS  dnssec10.datamtn.com.
eeoc.gov.   66519   IN  NS  dnssec14.datamtn.com.
eeoc.gov.   66519   IN  NS  dnssec11.datamtn.com.
eeoc.gov.   66519   IN  NS  dnssec12.datamtn.com.
eeoc.gov.   66519   IN  NS  dnssec9.datamtn.com.

;; ADDITIONAL SECTION:
dnssec9.datamtn.com.3114IN  2001:49f0:a02a:1000::238
dnssec11.datamtn.com.   3114IN  2001:470:1:7a::147
dnssec9.datamtn.com.3114IN  RRSIG    7 3 10800
2025185428 20110827185428 21352 datamtn.com.
Ngz7Bl2VWqhIY5Uh8bHJjwyAWQXcEM7qaAH8JSJ5VM5qMelfVA1pV+Y6
RltfXpACQxRpHsayiArGZulzp1XX4yW6+qsHiKLJOcRiS5kmjexBPUlK
zyU3cp7BC5dprHyPBpXKbHExuGlvqrg1aqRJtAmH6Q7tkp2wWqEuO3Ku
LBvvGXN46U+sYPsd98YixlLLTtj2qFo7/vhPN8ao2g6HuFBVIUTU4LuV
d7Wjz+r4Xj722w6RFgZFu9qFwYsOQwTGlon4zqDvflzESSWSjFdzHCZ0
prkagjXwcZYMlQGRMgnmHlEEvvg+lKMdl4imHLx/LKLD+feCzp2d4PFj 9byoYA==
dnssec9.datamtn.com.3114IN  RRSIG    8 3 10800
2025185428 20110827185428 61898 datamtn.com.
NtPfKvEs6DF0Bac9ZbCfi0b0QdeVMSlaNXAyDFSjo4J8uQUYllDwt101
C78VAiXplumZRM/9Vv7fg1/Ds/qCd6wC6wdTR3S8mtDOpLHVhuZTSGI1
jBVBXYjzBdqIBitydwD6vs+VaPsfd352NBqE8teFQJhbVAI98+d9BO4x
/Qx+i2HJOPdQyVRq6dj2NYg1GT4ODDb6VmQUOb01XgIyX/pLt+7AdtId
1FFbA9LfO4xvYTCKAO3LbPvdU7nJ2+mCMu5CNQFNiwAbSHT3letupzpH
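
The header flags and OPT fields that Marc Lampo's reply refers to (AD, TC, the EDNS0 buffer size and the DO bit), shown at wire level as an added example that is not part of the original thread. The function names are hypothetical and the messages are constructed rather than captured; only the name eeoc.gov, the id 40572 and the flag combination come from the dig output above.

```python
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
QR, TC, RD, RA, AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020  # header flag bits
DO = 0x8000  # "DNSSEC OK": top bit of the flags half of the OPT TTL field


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(name, flags, bufsize=None, do=False, msg_id=40572):
    """One-question message; adds an EDNS0 OPT RR when bufsize is given."""
    arcount = 0 if bufsize is None else 1
    msg = struct.pack("!6H", msg_id, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!2H", TYPE_A, CLASS_IN)
    if bufsize is not None:
        # OPT RR: owner = root, TYPE = 41, CLASS = sender's UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16), RDLENGTH = 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, DO if do else 0, 0)
    return msg


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1


def inspect_message(msg):
    """Extract the header flags and EDNS0 parameters from a DNS message."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    info = {"size": len(msg), "qr": bool(flags & QR), "tc": bool(flags & TC),
            "ad": bool(flags & AD), "edns": False, "udp_size": None, "do": False}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:            # CLASS and TTL are reused by EDNS0
            info.update(edns=True, udp_size=rclass, do=bool(ttl & DO))
    return info


def diagnose(query, reply):
    """Findings an operator would draw from one query/reply pair."""
    q, r = inspect_message(query), inspect_message(reply)
    limit = q["udp_size"] if q["edns"] else 512   # 512 is the pre-EDNS0 UDP limit
    findings = [f"client accepts UDP replies up to {limit} bytes"]
    if r["edns"]:
        findings.append(f"server accepts UDP requests up to {r['udp_size']} bytes")
    if r["tc"]:
        findings.append("reply truncated: retry over TCP (dig +vc)")
    if q["do"] and not r["ad"]:
        findings.append("DO was set but AD is not: answer was not validated")
    return findings


# Constructed messages (not captured traffic): the query that
# `dig +dnssec +bufsize=512` would send, and replies carrying the header
# flags from the thread's dig output (qr rd ra), one of them truncated.
QUERY_512 = build_message("eeoc.gov.", RD, bufsize=512, do=True)
REPLY_NO_AD = build_message("eeoc.gov.", QR | RD | RA, bufsize=4096, do=True)
REPLY_TRUNCATED = build_message("eeoc.gov.", QR | RD | RA | TC, bufsize=4096, do=True)

if __name__ == "__main__":
    for reply in (REPLY_NO_AD, REPLY_TRUNCATED):
        print(diagnose(QUERY_512, reply))
```
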

Re: if exists host-name for IPv6 DDNS?

2011-09-28 Thread Jan-Piet Mens
  '_' is an illegal character in hostnames in the DNS...
 
 Yeah, I got hosed by that one by a consultant. 

MCSE per chance? [Sorry; couldn't resist.]

-JP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: servfail are not cached!

2011-09-28 Thread Issam Harrathi
Thanks.

2011/9/27 Jan-Piet Mens jpmens@gmail.com

 On Tue Sep 27 2011 at 17:32:22 CEST, Issam Harrathi wrote:

  and you say here it's cached for 30 seconds?!

 Evan said:

  and we've discussed implementing it in BIND9, but haven't had time yet.

 In other words, they are *not* cached in BIND9.

-JP

Re: allow-transfer not covering ixfr requests?

2011-09-28 Thread Torsten Segner
On Tue, 27 Sep 2011 22:03:44 +0200,
Tom Schmitt tomschm...@gmx.de wrote:

 
  
  The odd part is that both NS3 and NS4 weren't able to request ixfr
  transfers. 
  Shouldn't allow-transfer cover these kind of transfer requests as well?
  
 
 
 First: Do you have statements provide ixfr; and request ixfr; in your 
 config?
 
 Second: To do a ixfr a server is first sending a query for the SOA of the 
 zone to determine if a update is necessary. If your servers aren't allowed to 
 do a query, how should they get the SOA? And without a SOA, you don't have 
 the serial number of the zone, so you can't do IXFR.
 


Silly me... I forgot about the SOA requests triggered by a manual ixfr. :(


Ciao
Torsten


Re: dnssec question. confused.

2011-09-28 Thread Steve Arntzen
Is your firewall Cisco based?

There is a known default setting in Cisco with respect to packet size
for DNS.  Our network guys run into this anytime they do an upgrade,
etc. and have to go in and update the setting.

Steve.



On Tue, 2011-09-27 at 15:45 -0500, Brad Bendily wrote:
 When trying the DNSSEC check command from:
 https://www.dns-oarc.net/oarc/services/replysizetest
 
 behind our corporate firewall, I get:
 rst.x476.rs.dns-oarc.net.
 rst.x485.x476.rs.dns-oarc.net.
 rst.x490.x485.x476.rs.dns-oarc.net.
 Tested at 2011-09-27 20:32:34 UTC
 205.172.49.177 sent EDNS buffer size 4096
 205.172.49.177 DNS reply size limit is at least 490
 
 
 Which, based on the website tells me our firewall is blocking 
 or filtering EDNS/DNSSEC packets.
 
 
 
 However, what I'm confused about is when I run this command:
 dig +dnssec eeoc.gov
 
 I get:
 
 ; <<>> DiG 9.7.3-P1 <<>> +dnssec eeoc.gov
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40572
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
 
 ;; OPT PSEUDOSECTION:
 ; EDNS: version: 0, flags: do; udp: 4096
 ;; QUESTION SECTION:
 ;eeoc.gov.  IN  A
 
 ;; ANSWER SECTION:
 eeoc.gov.   19499   IN  A   64.94.64.52
 eeoc.gov.   19499   IN  RRSIG   A 7 2 21600 20111208014816 
 20110909014816 52909 eeoc.gov. 
 AW5Ny32xDP7+m4XxCSS7q/zuK8RBc+la70Zmg0A/Pe1+p0agkrzbxaHM 
 GgvKldSKCzVgo7XPGR3LqcGIFDl0CPaaSTxTntlZkdh6x2qS4mM/49+B 
 9podxzbV3V4LcNpR4c4jyteAa5Uxaz3WSRr1T69PpJyIZZ53JmexkMPi 
 yOjMcp1IqeSJ0P/06CuZccemo+f/fjGW8xfG/slOp2XJlmbPo1EfJnlw 
 i07YstZVszHxsgmRUXssEUmkWi3eqAw4Ug2QiRa+zz3JpmgBnC0G7Kxd 
 SXUJLuvfNdDrtJ9T5anNVRVxCVq499gaJQnWBXKKVVaC9w/BcPnGuSRy OZTyPg==
 
 ;; AUTHORITY SECTION:
 eeoc.gov.   66519   IN  NS  dnssec10.datamtn.com.
 eeoc.gov.   66519   IN  NS  dnssec14.datamtn.com.
 eeoc.gov.   66519   IN  NS  dnssec11.datamtn.com.
 eeoc.gov.   66519   IN  NS  dnssec12.datamtn.com.
 eeoc.gov.   66519   IN  NS  dnssec9.datamtn.com.
 
 ;; ADDITIONAL SECTION:
 dnssec9.datamtn.com.3114IN  2001:49f0:a02a:1000::238
 dnssec11.datamtn.com.   3114IN  2001:470:1:7a::147
 dnssec9.datamtn.com.3114IN  RRSIG    7 3 10800 2025185428 
 20110827185428 21352 datamtn.com. 
 Ngz7Bl2VWqhIY5Uh8bHJjwyAWQXcEM7qaAH8JSJ5VM5qMelfVA1pV+Y6 
 RltfXpACQxRpHsayiArGZulzp1XX4yW6+qsHiKLJOcRiS5kmjexBPUlK 
 zyU3cp7BC5dprHyPBpXKbHExuGlvqrg1aqRJtAmH6Q7tkp2wWqEuO3Ku 
 LBvvGXN46U+sYPsd98YixlLLTtj2qFo7/vhPN8ao2g6HuFBVIUTU4LuV 
 d7Wjz+r4Xj722w6RFgZFu9qFwYsOQwTGlon4zqDvflzESSWSjFdzHCZ0 
 prkagjXwcZYMlQGRMgnmHlEEvvg+lKMdl4imHLx/LKLD+feCzp2d4PFj 9byoYA==
 dnssec9.datamtn.com.3114IN  RRSIG    8 3 10800 2025185428 
 20110827185428 61898 datamtn.com. 
 NtPfKvEs6DF0Bac9ZbCfi0b0QdeVMSlaNXAyDFSjo4J8uQUYllDwt101 
 C78VAiXplumZRM/9Vv7fg1/Ds/qCd6wC6wdTR3S8mtDOpLHVhuZTSGI1 
 jBVBXYjzBdqIBitydwD6vs+VaPsfd352NBqE8teFQJhbVAI98+d9BO4x 
 /Qx+i2HJOPdQyVRq6dj2NYg1GT4ODDb6VmQUOb01XgIyX/pLt+7AdtId 
 1FFbA9LfO4xvYTCKAO3LbPvdU7nJ2+mCMu5CNQFNiwAbSHT3letupzpH 
 yLUNrjhcO0cj/vVf1YrrIzZXF69zKGYfsCP876zKoVtlrUe1dZ0bersP 4I9klg==
 dnssec11.datamtn.com.   3114IN  RRSIG    7 3 10800 2025185428 
 20110827185428 21352 datamtn.com. 
 Lgt6Wq5JvvAF6BKUUoPSiv6lx0yqQ3HAFoClEcg11V7XhIngeaTperu7 
 7lytmKl53yZUxarFbQdJ/NxwwNVl/F2Os5RkNHkAjVTkku1mjoMeqEhF 
 NDe+cvYOOo0EASc9LhmHo2qgkyhjGAt1FtbmrOG9Gwr5OdUM5l2EgcGj 
 bRvH1Sfv5le68ST1+74sQPKmp+3n0gopfKUlcYuDDw/mUKXR8lo3MCTv 
 xe6q6NbwHNHWBCgUw4rqX4ZdVArL4WumKvkufeieDJpMhKwHlWHyPvu9 
 pX1IsZRyQPo9RqnmSpG+yjR59ixbb23LyO6alrEDJTyaJZL8uHfwiTQ8 4V29tQ==
 dnssec11.datamtn.com.   3114IN  RRSIG    8 3 10800 2025185428 
 20110827185428 61898 datamtn.com. 
 vtFFEZbruIfnwSGAdlXukUn40SOEIZY9QXrHh6CfOl3WkQduSnbvgS5T 
 +e2QN6GDcZgigGON8yHHTS8DI8ld/tCxxVkwB3ISkqkQHrjyyRD6+8IR 
 J2BWsdMTyAhe9PygLR1FkfCt1JDaDnAbOKOniMT+6DRlnE7ZW7KfvZT/ 
 7j5qG+xDixCXUHyhnstbv9vmMPTxnK1ASy6nz7ErnA/DUMleO484xIgM 
 6Pc8uqy3Onw4Yfn4l5R66tQwC0yoSVwqmEyIWNWyx1SNQLFzUc1hySaF 
 aQs1L/Zyu9e/wSHdZUeGiOwx5cz3yWE2NsF3tagxukkL9vNu2s/nyjzR 3igT3g==
 
 ;; Query time: 1 msec
 ;; SERVER: 10.120.11.107#53(10.120.11.107)
 ;; WHEN: Tue Sep 27 15:34:07 2011
 ;; MSG SIZE  rcvd: 1726
 
 
 Which tells me my DNSSEC queries are working, right?
 I noticed in the OPT PSEUDOSECTION udp=4096.
 
 This started because, as the DNS admin, I was informed today that we could 
 not resolve
 this domain, eeoc.gov. Which was true. As I started digging into it, and 
 performing a
 dig from an offsite server which was working, I found that the domain 
 eeoc.gov is 
 running DNSSEC. So, I assumed the problem was with our firewall blocking or 
 filtering
 the DNSSEC traffic. But then after researching for a few hours, I found we 
 were able
 to resolve the domain, through no changes of DNS. 
 It could be that datamtn.com, their authoritative NS are performing

CNAME or A record?

2011-09-28 Thread feralert
Hi all,

I'm sure this has been asked trillions of times but since I couldn't
find any concrete answer/reference in google I am asking you guys in
this list. Sorry if anyone thinks this a dumb question or something
very obvious.

The thing is that I want users redirected to 'www.domain.com' even
when they just type the domain name 'domain.com'.
In order to do so I am not sure if it's best to have one A RR for each
or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
for 'www.domain.com'.


domain.com       A      1.1.1.1
www.domain.com   A      1.1.1.1

OR

domain.com       A      1.1.1.1
www.domain.com   CNAME  domain.com


Any help appreciated.


Thanks,
Fred


Re: CNAME or A record?

2011-09-28 Thread feralert
Thanks Jeff,

But I really only wrote that as an example :) . The real question is
what is best or what is recommended, two A RR (one for domain, one for
www) or a single A RR for domain and a CNAME RR for www, is one way
better than the other or can I choose either way?

Cheers!,
Fred.



On Wed, Sep 28, 2011 at 4:30 PM, Lightner, Jeff jlight...@water.com wrote:
 If you set your SOA properly to use @ (which means this zone) your A 
 records should be:

 domain.com.             A       1.1.1.1
 www                     A       1.1.1.1

 The SOA should append the domain.com to every record not terminated by a 
 dot so that www is read as www.domain.com.  Similarly you put a dot at 
 the end of domain.com A record to prevent it from being appended and read as 
 domain.com.domain.com.





 -Original Message-
 From: bind-users-bounces+jlightner=water@lists.isc.org 
 [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
 feralert
 Sent: Wednesday, September 28, 2011 10:20 AM
 To: bind-us...@isc.org
 Subject: CNAME or A record?

 Hi all,

 I'm sure this has been asked trillions of times but since I couldn't
 find any concrete answer/reference in google I am asking you guys in
 this list. Sorry if anyone thinks this a dumb question or something
 very obvious.

 The thing is that i want users redirected to 'www.domain.com' even
 when they just type the domain name 'domain.com'.
 In order to do so I am not sure if its best to have one A RR for each
 or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
 for 'www.domain.com'.


 domain.com           A            1.1.1.1
 www.domain.com   A            1.1.1.1

 OR

 domain.com           A            1.1.1.1
 www.domain.com   CNAME  domain.com


 Any help appreciated.


 Thanks,
 Fred




 Athena(r), Created for the Cause(tm)
 Making a Difference in the Fight Against Breast Cancer

 -
 CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential 
 information and is for the sole use of the intended recipient(s). If you are 
 not the intended recipient, any disclosure, copying, distribution, or use of 
 the contents of this information is prohibited and may be unlawful. If you 
 have received this electronic transmission in error, please reply immediately 
 to the sender that you have received the message in error, and delete it. 
 Thank you.
 --




RE: CNAME or A record?

2011-09-28 Thread Lightner, Jeff
If you set your SOA properly to use @ (which means this zone) your A 
records should be:

domain.com. A   1.1.1.1
www A   1.1.1.1

The SOA should append the domain.com to every record not terminated by a dot 
so that www is read as www.domain.com.  Similarly you put a dot at the end 
of domain.com A record to prevent it from being appended and read as 
domain.com.domain.com.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
feralert
Sent: Wednesday, September 28, 2011 10:20 AM
To: bind-us...@isc.org
Subject: CNAME or A record?

Hi all,

I'm sure this has been asked trillions of times but since I couldn't
find any concrete answer/reference in google I am asking you guys in
this list. Sorry if anyone thinks this a dumb question or something
very obvious.

The thing is that i want users redirected to 'www.domain.com' even
when they just type the domain name 'domain.com'.
In order to do so I am not sure if its best to have one A RR for each
or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
for 'www.domain.com'.


domain.com       A      1.1.1.1
www.domain.com   A      1.1.1.1

OR

domain.com       A      1.1.1.1
www.domain.com   CNAME  domain.com


Any help appreciated.


Thanks,
Fred


Re: CNAME or A record?

2011-09-28 Thread 风河
This is something that should be done by the web server rather than by DNS, i.e.,
Apache rewrite will do that.
On 2011-9-28 at 10:29 PM, feralert feral...@gmail.com wrote:
 Hi all,

 I'm sure this has been asked trillions of times but since I couldn't
 find any concrete answer/reference in google I am asking you guys in
 this list. Sorry if anyone thinks this a dumb question or something
 very obvious.

 The thing is that i want users redirected to 'www.domain.com' even
 when they just type the domain name 'domain.com'.
 In order to do so I am not sure if its best to have one A RR for each
 or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
 for 'www.domain.com'.


 domain.com A 1.1.1.1
 www.domain.com A 1.1.1.1

 OR

 domain.com A 1.1.1.1
 www.domain.com CNAME domain.com


 Any help appreciated.


 Thanks,
 Fred

Re: CNAME or A record?

2011-09-28 Thread Ben Croswell
Either is fine. Using the cname would require a single update if your ip
changes, but prevents other records at the same level. So you couldn't
attach mx for instance at example.com and www.example.com if you wanted to.

Neither is wrong and both have pros and  cons

-Ben Croswell
On Sep 28, 2011 10:43 AM, feralert feral...@gmail.com wrote:
 Thanks Jeff,

 But I really only wrote that as an example :) . The real question is
 what is best or what is recommended, two A RR (one for domain, one for
 www) or a single A RR for domain and a CNAME RR for www, is one way
 better than the other or can I choose either way?

 Cheers!,
 Fred.



 On Wed, Sep 28, 2011 at 4:30 PM, Lightner, Jeff jlight...@water.com
wrote:
 If you set your SOA properly to use @ (which means this zone) your A
records should be:

 domain.com. A   1.1.1.1
 www A   1.1.1.1

 The SOA should append the domain.com to every record not terminated by
a dot so that www is read as www.domain.com.  Similarly you put a dot at
the end of domain.com A record to prevent it from being appended and read as
domain.com.domain.com.





 -Original Message-
 From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:
bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of feralert
 Sent: Wednesday, September 28, 2011 10:20 AM
 To: bind-us...@isc.org
 Subject: CNAME or A record?

 Hi all,

 I'm sure this has been asked trillions of times but since I couldn't
 find any concrete answer/reference in google I am asking you guys in
 this list. Sorry if anyone thinks this a dumb question or something
 very obvious.

 The thing is that i want users redirected to 'www.domain.com' even
 when they just type the domain name 'domain.com'.
 In order to do so I am not sure if its best to have one A RR for each
 or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
 for 'www.domain.com'.


 domain.com       A      1.1.1.1
 www.domain.com   A      1.1.1.1

 OR

 domain.com       A      1.1.1.1
 www.domain.com   CNAME  domain.com


 Any help appreciated.


 Thanks,
 Fred
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
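
Two points from this thread, the trailing-dot rule in Jeff Lightner's reply and the CNAME restriction in Ben Croswell's, checked mechanically in an added example that is not code from any poster or from BIND. It assumes a simplified `owner TYPE rdata` line format and the origin `domain.com.`; the function names and the MX line are constructed for illustration.

```python
from collections import defaultdict

NAME_RDATA = {"CNAME", "NS", "MX"}   # types whose rdata ends in a domain name
DNSSEC_TYPES = {"RRSIG", "NSEC"}     # the only types allowed beside a CNAME


def qualify(name, origin):
    """Complete a name the way a zone-file loader does.

    '@' is the origin itself, a trailing dot marks the name as absolute,
    and anything else is relative and gets the origin appended.
    """
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def doubled(raw, origin):
    """True if a relative name already ends in the origin (missing trailing dot)."""
    bare = origin.rstrip(".")
    return not raw.endswith(".") and (raw == bare or raw.endswith("." + bare))


def lint_zone(text, origin):
    """Return (records, problems) for a zone written as 'owner TYPE rdata' lines."""
    records, problems, types = [], [], defaultdict(set)
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments, split on blanks
        if len(fields) < 3:
            continue
        raw_owner, rtype, rdata = fields[0], fields[1].upper(), fields[2:]
        names = [raw_owner] + ([rdata[-1]] if rtype in NAME_RDATA else [])
        for raw in names:
            if doubled(raw, origin):
                problems.append(
                    f"'{raw}' lacks a trailing dot and becomes {qualify(raw, origin)}")
        if rtype in NAME_RDATA:
            rdata[-1] = qualify(rdata[-1], origin)
        owner = qualify(raw_owner, origin)
        records.append((owner, rtype, " ".join(rdata)))
        types[owner].add(rtype)
    for owner, seen in types.items():
        extra = seen - {"CNAME"} - DNSSEC_TYPES
        if "CNAME" in seen and extra:
            problems.append(f"{owner} has a CNAME and also {', '.join(sorted(extra))}")
    return records, problems


ORIGIN = "domain.com."

# Fred's second option typed into a zone file exactly as written in the thread.
AS_POSTED = """
domain.com      A      1.1.1.1
www.domain.com  CNAME  domain.com
"""

# The same intent with '@' and a trailing dot, plus a constructed MX at www
# to show the restriction on other records beside a CNAME.
WITH_MX = """
@    A      1.1.1.1
www  CNAME  domain.com.
www  MX     10 mail
"""

if __name__ == "__main__":
    for zone in (AS_POSTED, WITH_MX):
        records, problems = lint_zone(zone, ORIGIN)
        for rec in records:
            print(*rec)
        for p in problems:
            print("  problem:", p)
```
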

Re: CNAME or A record?

2011-09-28 Thread Peter Pauly
If you use two A records, your web server needs to be setup to handle both
names. If you use a CNAME, you only need to handle the single A record
name in the server.

On Wed, Sep 28, 2011 at 10:36 AM, feralert feral...@gmail.com wrote:

 Thanks Jeff,

 But I really only wrote that as an example :) . The real question is
 what is best or what is recommended, two A RR (one for domain, one for
 www) or a single A RR for domain and a CNAME RR for www, is one way
 better than the other or can I choose either way?

 Cheers!,
 Fred.



 On Wed, Sep 28, 2011 at 4:30 PM, Lightner, Jeff jlight...@water.com
 wrote:
  If you set your SOA properly to use @ (which means this zone) your A
 records should be:
 
  domain.com. A   1.1.1.1
  www A   1.1.1.1
 
  The SOA should append the domain.com to every record not terminated by
 a dot so that www is read as www.domain.com.  Similarly you put a dot
 at the end of domain.com A record to prevent it from being appended and
 read as domain.com.domain.com.
 
 
 
 
 
  -Original Message-
  From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:
 bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of
 feralert
  Sent: Wednesday, September 28, 2011 10:20 AM
  To: bind-us...@isc.org
  Subject: CNAME or A record?
 
  Hi all,
 
  I'm sure this has been asked trillions of times but since I couldn't
  find any concrete answer/reference in google I am asking you guys in
  this list. Sorry if anyone thinks this a dumb question or something
  very obvious.
 
  The thing is that i want users redirected to 'www.domain.com' even
  when they just type the domain name 'domain.com'.
  In order to do so I am not sure if its best to have one A RR for each
  or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
  for 'www.domain.com'.
 
 
  domain.com       A      1.1.1.1
  www.domain.com   A      1.1.1.1
 
  OR
 
  domain.com       A      1.1.1.1
  www.domain.com   CNAME  domain.com
 
 
  Any help appreciated.
 
 
  Thanks,
  Fred

RE: CNAME or A record?

2011-09-28 Thread Lightner, Jeff
+1

All of our redirects are either done by rewrite rules in Apache or Jboss or on 
our load balancer.   We don’t do any in DNS.







From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 风河
Sent: Wednesday, September 28, 2011 10:43 AM
To: feralert
Cc: bind-us...@isc.org
Subject: Re: CNAME or A record?


This is something that should be done by the web server rather than by DNS, i.e.,
Apache rewrite will do that.
On 2011-9-28 at 10:29 PM, feralert feral...@gmail.com wrote:
 Hi all,

 I'm sure this has been asked trillions of times but since I couldn't
 find any concrete answer/reference in google I am asking you guys in
 this list. Sorry if anyone thinks this a dumb question or something
 very obvious.

 The thing is that i want users redirected to 'www.domain.com' even
 when they just type the domain name 'domain.com'.
 In order to do so I am not sure if its best to have one A RR for each
 or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
 for 'www.domain.com'.


 domain.com A 1.1.1.1
 www.domain.com A 1.1.1.1

 OR

 domain.com A 1.1.1.1
 www.domain.com CNAME domain.com


 Any help appreciated.


 Thanks,
 Fred

Re: CNAME or A record?

2011-09-28 Thread Michael Graff

On 2011-09-28 9:36 AM, feralert wrote:
 Thanks Jeff,
 
 But I really only wrote that as an example :) . The real question
 is what is best or what is recommended, two A RR (one for domain,
 one for www) or a single A RR for domain and a CNAME RR for www, is
 one way better than the other or can I choose either way?

Choose either way.  If they are in the same domain, in general it
won't matter all that much.

I personally prefer the address method so each DNS request is smaller
and absolute, but others prefer the CNAME method.

If you cross a zone, however, remember that the address method does
not require additional DNS queries to be sent, while the CNAME method
would.  That said, I believe most CDN type networks require a CNAME as
the addresses a specific user would get varies greatly, so that lookup
is not much of an impact it seems.

--
--Michael

ISC offers support on many of its products, including BIND 9.  If you
depend on it, depend on us!
See http://www.isc.org/support/ for all the details.

Re: CNAME or A record?

2011-09-28 Thread Ben Croswell
That makes no sense.

If he didn't have a dns entry for both sites, how does the user get to site
without the dns entry to be rewritten by Apache?

-Ben Croswell
On Sep 28, 2011 10:52 AM, 风河 short...@gmail.com wrote:
 This is something that should be done by the web server rather than by DNS, i.e.,
 Apache rewrite will do that.
 On 2011-9-28 at 10:29 PM, feralert feral...@gmail.com wrote:
 Hi all,

 I'm sure this has been asked trillions of times but since I couldn't
 find any concrete answer/reference in google I am asking you guys in
 this list. Sorry if anyone thinks this a dumb question or something
 very obvious.

 The thing is that i want users redirected to 'www.domain.com' even
 when they just type the domain name 'domain.com'.
 In order to do so I am not sure if its best to have one A RR for each
 or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
 for 'www.domain.com'.


 domain.com A 1.1.1.1
 www.domain.com A 1.1.1.1

 OR

 domain.com A 1.1.1.1
 www.domain.com CNAME domain.com


 Any help appreciated.


 Thanks,
 Fred

RE: CNAME or A record?

2011-09-28 Thread Lightner, Jeff
Right – for simple domains I think having separate A records is best as I 
wrote.  Many more complex domains (do digs on 
www.google.com, www.yahoo.com 
and www.microsoft.com) use CNAME records but often 
enough it is because they aren’t actually using a 
www.example.com pointing directly to example.com but 
rather to other servers in their domains.







From: Ben Croswell [mailto:ben.crosw...@gmail.com]
Sent: Wednesday, September 28, 2011 10:48 AM
To: feralert
Cc: bind-us...@isc.org; bind-users@lists.isc.org; Lightner, Jeff
Subject: Re: CNAME or A record?


Either is fine. Using the cname would require a single update if your ip 
changes, but prevents other records at the same level. So you couldn't attach 
mx for instance at example.com and 
www.example.com if you wanted to.

Neither is wrong and both have pros and  cons

-Ben Croswell
On Sep 28, 2011 10:43 AM, feralert feral...@gmail.com wrote:
 Thanks Jeff,

 But I really only wrote that as an example :) . The real question is
 what is best or what is recommended, two A RR (one for domain, one for
 www) or a single A RR for domain and a CNAME RR for www, is one way
 better than the other or can I choose either way?

 Cheers!,
 Fred.



 On Wed, Sep 28, 2011 at 4:30 PM, Lightner, Jeff jlight...@water.com wrote:
 If you set your SOA properly to use @ (which means this zone) your A 
 records should be:

 domain.com. A   1.1.1.1
 www A   1.1.1.1

 The SOA should append the domain.com to every record not terminated by a 
 dot so that www is read as www.domain.com.  Similarly you put a dot at the 
 end of domain.com A record to prevent it from being appended and read as 
 domain.com.domain.com.

 -Original Message-
 From: bind-users-bounces+jlightner=water@lists.isc.org 
 [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
 feralert
 Sent: Wednesday, September 28, 2011 10:20 AM
 To: bind-us...@isc.org
 Subject: CNAME or A record?

 Hi all,

 I'm sure this has been asked trillions of times but since I couldn't
 find any concrete answer/reference in google I am asking you guys in
 this list. Sorry if anyone thinks this a dumb question or something
 very obvious.

 The thing is that i want users redirected to 'www.domain.com' even
 when they just type the domain name 'domain.com'.
 In order to do so I am not sure if its best to have one A RR for each
 or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
 for 'www.domain.com'.


 domain.com       A      1.1.1.1
 www.domain.com   A      1.1.1.1

 OR

 domain.com       A      1.1.1.1
 www.domain.com   CNAME  domain.com


 Any help appreciated.


 Thanks,
 Fred
Re: CNAME or A record?

2011-09-28 Thread Matus UHLAR - fantomas

 domain.com       A      1.1.1.1
 www.domain.com   A      1.1.1.1

 OR

 domain.com       A      1.1.1.1
 www.domain.com   CNAME  domain.com


On 28.09.11 10:49, Peter Pauly wrote:

If you use two A records, your web server needs to be setup to handle both
names. If you use a CNAME, you only need to handle the single A record
name in the server.


No, web server setup has nothing to do with CNAME or A record types.

(Unless a web server is directed to behave differently, but I don't 
know why anyone would do that).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse


Re: CNAME or A record?

2011-09-28 Thread Jukka Pakkanen
I think it's splitting hairs but cname might be a bit more efficient. At 
least in the webserver end.


In practice, I don't think there's a real difference. You can choose 
whichever feels better :)


Jukka

28.9.2011 17:36, feralert wrote:

Thanks Jeff,

But I really only wrote that as an example :) . The real question is
what is best or what is recommended, two A RR (one for domain, one for
www) or a single A RR for domain and a CNAME RR for www, is one way
better than the other or can I choose either way?

Cheers!,
Fred.



On Wed, Sep 28, 2011 at 4:30 PM, Lightner, Jeff jlight...@water.com wrote:

If you set your SOA properly to use @ (which means this zone) your A 
records should be:

domain.com. A   1.1.1.1
www A   1.1.1.1

The SOA should append the domain.com to every record not terminated by a dot so that 
www is read as www.domain.com.  Similarly you put a dot at the end of domain.com A 
record to prevent it from being appended and read as domain.com.domain.com.





-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
feralert
Sent: Wednesday, September 28, 2011 10:20 AM
To: bind-us...@isc.org
Subject: CNAME or A record?

Hi all,

I'm sure this has been asked trillions of times but since I couldn't
find any concrete answer/reference in google I am asking you guys in
this list. Sorry if anyone thinks this a dumb question or something
very obvious.

The thing is that i want users redirected to 'www.domain.com' even
when they just type the domain name 'domain.com'.
In order to do so I am not sure if its best to have one A RR for each
or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
for 'www.domain.com'.


domain.com       A      1.1.1.1
www.domain.com   A      1.1.1.1

OR

domain.com       A      1.1.1.1
www.domain.com   CNAME  domain.com


Any help appreciated.


Thanks,
Fred


Re: CNAME or A record?

2011-09-28 Thread Jukka Pakkanen
Webserver still has to get the request, so one way or the other is 
required anyway :)



28.9.2011 17:43, 风河 wrote:


this is the stuff that should be done by webserver rather than by DNS. 
i.e., Apache rewrite will do that.


On 2011-9-28 at 10:29 PM, feralert feral...@gmail.com wrote:

 Hi all,

 I'm sure this has been asked trillions of times but since I couldn't
 find any concrete answer/reference in google I am asking you guys in
 this list. Sorry if anyone thinks this a dumb question or something
 very obvious.

 The thing is that i want users redirected to 'www.domain.com' even
 when they just type the domain name 'domain.com'.
 In order to do so I am not sure if its best to have one A RR for each
 or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
 for 'www.domain.com'.


 domain.com A 1.1.1.1
 www.domain.com A 1.1.1.1

 OR

 domain.com A 1.1.1.1
 www.domain.com CNAME domain.com



 Any help appreciated.


 Thanks,
 Fred

Re: CNAME or A record?

2011-09-28 Thread Jan-Piet Mens
On Wed Sep 28 2011 at 16:43:17 CEST, 风河 wrote:

 this is the stuff that should be done by webserver rather than by DNS. i.e.,
 Apache rewrite will do that.

That is incorrect. DNS is needed to find the Web server. Web server
rewriting/configuration is needed to find the site.

-JP

True queries per second?

2011-09-28 Thread Baird, Josh
Hi,

I'm looking at the output from 9.7's rndc stats, and I see both
incoming and outgoing statistics.  I'm trying to get a true queries per
second stat from these numbers.  Wouldn't this be both incoming+outgoing
queries?  Or, from a performance standpoint should I only be concerned
about incoming queries?  In this case:

+++ Statistics Dump +++ (1317224125)
++ Incoming Requests ++
               43128 QUERY
++ Incoming Queries ++
               28719 A
                 381 NS
                  22 CNAME
                  16 SOA
                 811 PTR
                5269 MX
                 629 TXT
                6721 
                  15 SRV
                 141 A6
                   2 DS
                 266 SPF
                 136 ANY

The incoming requests (43128) number is the total number of
requests/queries.  So to get a TOTAL queries per second on all types of
queries, I would perform calculations on this number, correct?

Thanks,

Josh


Re: CNAME or A record?

2011-09-28 Thread Mark Elkins
On Wed, 2011-09-28 at 16:19 +0200, feralert wrote:

 The thing is that i want users redirected to 'www.domain.com' even
 when they just type the domain name 'domain.com'.
 In order to do so I am not sure if its best to have one A RR for each
 or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
 for 'www.domain.com'.
 
 
 domain.com       A      1.1.1.1
 www.domain.com   A      1.1.1.1
 
 OR
 
 domain.com       A      1.1.1.1
 www.domain.com   CNAME  domain.com

If named.conf is correctly set up with the domain name - then
you could use

$TTL 3600
@       IN  SOA     ...the SOA info
        IN  NS      Nameserver record lines
        IN  A       1.1.1.1
www     IN  A       1.1.1.1

Last line can be converted to a CNAME...
www     IN  CNAME   domain.com.

When you include IPv6 addresses into the mix...
using a CNAME saves you entering the same IPv6 address twice - so then
there really is a saving - especially when you include other alternative
labels like 'mail', 'pop', 'smtp', 'ftp' - etc - do them all as CNAMES!

$TTL 3600
@       IN  SOA     ...the SOA info
        IN  NS      Nameserver record lines
        IN  A       1.1.1.1
        IN  AAAA    2001:1:1::80
www     IN  CNAME   domain.com.

What I think is your real problem
Regardless of which way you decide - apache will be given the
original name - DNS will not re-write that.. so you have to spell out
both names in your apache configuration files...

So (playing with virtual hosts)
NameVirtualHost 1.1.1.1

<VirtualHost 1.1.1.1>
  ServerName domain.com
  ServerAlias www.domain.com
  ...
</VirtualHost>

-and later for IPv6 - duplicate the above...
(this line next to the other NameVirtualHost)
NameVirtualHost [2001:1:1::80]

<VirtualHost [2001:1:1::80]>
  ServerName domain.com
  ServerAlias www.domain.com
  ...
</VirtualHost>

-- 
Mark Elkins m...@posix.co.za
Posix Systems
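
An added example, not part of the thread or of BIND: a small Python checker for the two zone-file pitfalls raised in this discussion, a target written without a trailing dot being expanded against the origin, and a CNAME sharing its owner name with other records. The simplified parser, the function names and both sample zones are assumptions constructed for illustration.

```python
# Added illustration: a simplified zone-line parser, not BIND's own loader.
# It handles single-line "owner [IN] TYPE rdata" records, "@" and blank owners.
NAME_RDATA = {"CNAME", "NS", "MX"}  # types whose rdata ends in a domain name


def absolute(name, origin):
    """Expand a zone-file name: '@' is the origin, no trailing dot means relative."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return (owner, rtype, rdata) tuples with all names made absolute."""
    records, last_owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue                               # blank line or $TTL/$ORIGIN
        fields = line.split()
        if line[0].isspace():                      # blank owner: reuse previous
            owner = last_owner
        else:
            owner = absolute(fields.pop(0), origin)
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        if not fields:
            continue                               # malformed line, skip it
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in NAME_RDATA and rdata:
            rdata[-1] = absolute(rdata[-1], origin)
        records.append((owner, rtype, " ".join(rdata)))
        last_owner = owner
    return records


def check_zone(text, origin):
    """Report doubled-origin targets and CNAMEs that share an owner name."""
    findings, by_owner = [], {}
    for owner, rtype, rdata in parse_zone(text, origin):
        by_owner.setdefault(owner, set()).add(rtype)
        target = rdata.split()[-1] if rdata else ""
        if rtype in NAME_RDATA and target.endswith(origin + origin):
            findings.append(f"{owner} {rtype}: target expanded to {target}")
    for owner, types in sorted(by_owner.items()):
        # DNSSEC's RRSIG and NSEC are the record types allowed beside a CNAME.
        others = sorted(types - {"CNAME", "RRSIG", "NSEC"})
        if "CNAME" in types and others:
            findings.append(f"{owner}: CNAME coexists with {', '.join(others)}")
    return findings


# Constructed sample zones (SOA values are placeholders).
GOOD_ZONE = """\
$TTL 3600
@       IN  SOA     ns1.domain.com. hostmaster.domain.com. 1 3600 900 604800 3600
        IN  NS      ns1.domain.com.
        IN  A       1.1.1.1
www     IN  CNAME   domain.com.
"""

BAD_ZONE = """\
$TTL 3600
@       IN  SOA     ns1.domain.com. hostmaster.domain.com. 1 3600 900 604800 3600
        IN  NS      ns1.domain.com.
        IN  A       1.1.1.1
www     IN  CNAME   domain.com
www     IN  MX      10 mail
"""
```

On a real server, `named-checkzone` performs these checks and more before a zone is loaded.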



Re: True queries per second?

2011-09-28 Thread Chris Thompson

On Sep 28 2011, Baird, Josh wrote:


I'm looking at the output from 9.7's rndc stats, and I see both
incoming and outgoing statistics.  I'm trying to get a true queries per
second stat from these numbers.  Wouldn't this be both incoming+outgoing
queries?


That depends entirely on what you mean by a true queries per second stat.
Incoming queries are those sent by clients to the nameserver. Outgoing
queries are those the nameserver sent to other nameservers, in the course
of resolving the client queries, or for some other reason.


 Or, from a performance standpoint should I only be concerned
about incoming queries?  In this case:

+++ Statistics Dump +++ (1317224125)
++ Incoming Requests ++
               43128 QUERY
++ Incoming Queries ++
               28719 A
                 381 NS
                  22 CNAME
                  16 SOA
                 811 PTR
                5269 MX
                 629 TXT
                6721 
                  15 SRV
                 141 A6
                   2 DS
                 266 SPF
                 136 ANY

The incoming requests (43128) number is the total number of
requests/queries.


Just because in this case all the requests were queries. In general
there might be other types of request - e.g. IQUERY, NOTIFY, UPDATE.

The breakdown of queries by type is just that - the numbers in your
example do add up to 43128.


 So to get a TOTAL queries per second on all types of
queries, I would perform calculations on this number, correct?


If you are interested in queries per second sent to the nameserver,
yes. (This doesn't of course necessarily mean queries successfully
responded to from the client's point of view.)

--
Chris Thompson
Email: c...@cam.ac.uk
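
An added example, not from the thread or from BIND: a Python sketch that parses a statistics file holding two `rndc stats` dumps and derives incoming queries per second from the difference between them, since the counters are cumulative. It assumes each dump starts with the `+++ Statistics Dump +++ (epoch)` header shown above; the second dump, the closing `---` lines and the `AAAA` label on the 6721 counter (which the page shows without a type) are constructed or assumed.

```python
import re

HEADER = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)")
SECTION = re.compile(r"^\+\+ (.+?) \+\+$")
COUNTER = re.compile(r"^\s*(\d+)\s+(\S.*)$")


def parse_dumps(text):
    """Parse statistics text into [{'time': epoch, 'sections': {name: {key: n}}}]."""
    dumps, current, section = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"time": int(m.group(1)), "sections": {}}
            dumps.append(current)
            section = None
            continue
        if current is None or line.startswith("---"):
            continue                      # text before a dump, or a dump trailer
        m = SECTION.match(line.strip())
        if m:
            section = current["sections"].setdefault(m.group(1), {})
            continue
        m = COUNTER.match(line)
        if m and section is not None:
            section[m.group(2).strip()] = int(m.group(1))
    return dumps


def incoming_qps(older, newer, opcode="QUERY"):
    """Requests per second received between two dumps; None if not computable."""
    elapsed = newer["time"] - older["time"]
    before = older["sections"].get("Incoming Requests", {}).get(opcode, 0)
    after = newer["sections"].get("Incoming Requests", {}).get(opcode, 0)
    if elapsed <= 0 or after < before:    # bad ordering, or named was restarted
        return None
    return (after - before) / elapsed


def type_sum_matches(dump):
    """True when the per-type query counts add up to the QUERY opcode count."""
    by_type = dump["sections"].get("Incoming Queries", {})
    total = dump["sections"].get("Incoming Requests", {}).get("QUERY")
    return sum(by_type.values()) == total


# First dump: numbers from the thread (AAAA label assumed). Second dump: constructed.
SAMPLE = """\
+++ Statistics Dump +++ (1317224125)
++ Incoming Requests ++
               43128 QUERY
++ Incoming Queries ++
               28719 A
                 381 NS
                  22 CNAME
                  16 SOA
                 811 PTR
                5269 MX
                 629 TXT
                6721 AAAA
                  15 SRV
                 141 A6
                   2 DS
                 266 SPF
                 136 ANY
--- Statistics Dump --- (1317224125)
+++ Statistics Dump +++ (1317224425)
++ Incoming Requests ++
               44628 QUERY
--- Statistics Dump --- (1317224425)
"""
```

A single dump only gives an average since the server started; a rate for a given period needs two dumps and the time between them.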


Re: dnssec question. confused.

2011-09-28 Thread michoski
On 9/28/11 5:32 AM, Steve Arntzen i...@arntzen.us wrote:
 Is your firewall Cisco based?
 
 There is a known default setting in Cisco with respect to packet size
 for DNS.  Our network guys run into this anytime they do an upgrade,
 etc. and have to go in and update the setting.

This bit me the first time I managed a PIX years ago (though, in fairness,
even then it was well documented on Cisco's site...I just had to read logs
and search), and now continues on the ASA it seems...  Once it's understood,
it really shouldn't bite again:

https://supportforums.cisco.com/thread/2013390

-- 
By nature, men are nearly alike;
by practice, they get to be wide apart.
-- Confucius



RE: dnssec question. confused.

2011-09-28 Thread Brad Bendily
 On 9/28/11 5:32 AM, Steve Arntzen i...@arntzen.us wrote:
  Is your firewall Cisco based?
Yes. The firewall is Cisco based. 
However, the main problem there is, there are several firewalls before
leaving our network and my dept doesn't manage all of them. 


  There is a known default setting in Cisco with respect to packet 
  size for DNS.  Our network guys run into this anytime they do an 
  upgrade, etc. and have to go in and update the setting.
 
 This bit me the first time I managed a PIX years ago (though, 
 in fairness, even then it was well documented on Cisco's 
 site...I just had to read logs and search), and now continues 
 on the ASA it seems...  Once it's understood, it really 
 shouldn't bite again:
 
 https://supportforums.cisco.com/thread/2013390

I have read this site before and I'm told the settings are there on
at least two of the firewalls, but yet we still have problems.

I think the problem is a combination of the fixup or policy-map settings
and ip fragmentation. I based this conclusion on details from this thread:
https://lists.dns-oarc.net/pipermail/dns-operations/2011-February/006896.html

I think there are some fragment IP settings on firewalls in between which
are causing problems.

Using Mark's test of:
dig edns-v4-ok.isc.org txt

I can't get a reply at all from this query.

I'm waiting to discuss this with the network guy and see if we can get all
the firewalls up the chain updated.

I will let everyone know how it goes.

Thanks for the assistance.
bb


Re: if exists host-name for IPv6 DDNS?

2011-09-28 Thread WBrown
Jan-Piet wrote on 09/28/2011 02:16:53 AM:

  Yeah, I got hosed by that one by a consultant. 
 
 MCSE per chance? [Sorry; couldn't resist.]

After 15 years I don't recall.  Based on that advice, I have 10 servers 
with names containing underscores.  And Lotus Notes/Domino likes to look 
up the server name via DNS.  So I have to add the option to my name 
servers to allow it.  :(  Additionally, I have to have a second name 
registered so I can send email to picky sites.





RE: CNAME or A record?

2011-09-28 Thread WBrown
All true, but if you don't have some sort of DNS record for both 
example.com and www.example.com, then all the rewrite rules in the world 
won't help.

For all we know, the web server doesn't care what the URL is since it is 
the only site hosted on that server and answers to all GETs.

Jeff wrote on 09/28/2011 10:51:08 AM:

 +1
 
 All of our redirects are either done by rewrite rules in Apache or 
 Jboss or on our load balancer.   We don’t do any in DNS.
 
 
 
 
 From: bind-users-bounces+jlightner=water@lists.isc.org [
 mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf 
 Of 风河
 Sent: Wednesday, September 28, 2011 10:43 AM
 To: feralert
 Cc: bind-us...@isc.org
 Subject: Re: CNAME or A record?
 
 this is the stuff that should be done by webserver rather than by 
 DNS. i.e., Apache rewrite will do that.
 On 2011-9-28 at 10:29 PM, feralert feral...@gmail.com wrote:
  Hi all,
  
  I'm sure this has been asked trillions of times but since I couldn't
  find any concrete answer/reference in google I am asking you guys in
  this list. Sorry if anyone thinks this a dumb question or something
  very obvious.
  
  The thing is that i want users redirected to 'www.domain.com' even
  when they just type the domain name 'domain.com'.
  In order to do so I am not sure if its best to have one A RR for each
  or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
  for 'www.domain.com'.
  
  
  domain.com A 1.1.1.1
  www.domain.com A 1.1.1.1
  
  OR
  
  domain.com A 1.1.1.1
  www.domain.com CNAME domain.com
  
  
  Any help appreciated.
  
  
  Thanks,
  Fred