Re: Syncing DNS zones with different names
Thanks for the advice guys. The DNAME record is something I'd never heard of, and is quite interesting. Unfortunately it does not quite fulfill my needs due to, as Chris pointed out, the inability to alias the records on the name itself. I think Barry's suggestion of a common zone file on the master server with relative names will be the best solution, as long as I can ensure all the zones will be mastered on the same server!

Cheers,
Chris

-----Original Message-----
From: Chris Thompson
Sent: Tuesday, November 15, 2011 11:38 PM
To: Bind Users Mailing List
Subject: Re: Syncing DNS zones with different names

On Nov 15 2011, Barry Margolin wrote:

> In article , "Chris Balmain" wrote:
>
> > Let's say I have two domain names, d1.com and d2.com, and I want to
> > synchronise all records underneath them (one-way sync, that is). So if I
> > create an A record www.d1.com pointing at 1.2.3.4, www.d2.com is also
> > automatically created, with the same value. So it's almost like a
> > master/slave relationship, but the slave zone has a different name to the
> > master.
> >
> > Let's assume the two zones will be hosted on the same set of nameservers,
> > so even the SOA and NS records will be identical between them.
> >
> > I've been googling, but haven't found anything. Does anyone know if this
> > is natively possible with Bind 9, or will I have to hack a script together
> > to do a transfer from the d1.com zone and parse the data to build an
> > equivalent zone file for d2.com?
>
> See the DNAME record. It's like a CNAME, but applies to the whole domain.
> But you need to put the DNAME in the zone where the domain is delegated;
> so in your case, you'd have to get the DNAME into the .COM zone.

No, you don't need to put the DNAME in the parent zone. A zone with a DNAME at the apex works perfectly well, e.g. for d2.com

    @ SOA   my-master-server.example. me.my-mail.example
    @ NS    ... some nameservers ...
    @ DNAME d1.com.

But note that neither this nor the alternative of putting the DNAME in the parent zone will alias records with the name "d1.com" itself, only names under that. If, for example, "d1.com" itself had MX or address records, you would still need to reproduce them in the d2.com zone file.

For a real-life example, see the way that the TLD "xn--kprw13d" is made an alias of "xn--kpry57d", and note that the DNAME is in the "xn--kprw13d" zone, not in the root zone.

> Another way to do it is to use the same zone file for both zones on the
> master server. Make sure that you use unqualified names everywhere in the
> zone file that you're not referencing outside the zone.

I think you mean "relative" (to the zone) or "non-absolute" rather than "unqualified" there. Also, don't do this if you are using dynamic updates on either zone, or the shared zone file will end up in a horrible mess.

--
Chris Thompson
Email: c...@cam.ac.uk

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
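As an added example (my own code, not from the thread), the block below implements DNAME substitution as RFC 6672 defines it, applied to the d2.com -> d1.com alias discussed above. It makes Chris's caveat concrete: the owner name of the DNAME is never rewritten, so records at the d1.com apex still have to be copied into the d2.com zone by hand, and the second function lists which ones. The sample records are constructed.

```python
# Added example, not from the mailing-list thread: DNAME substitution per
# RFC 6672, using the zone names d1.com / d2.com and the xn--kprw13d TLD
# mentioned in the thread.  Sample record data below is constructed.


def labels(name):
    """Lowercased label list of a name; DNS names compare case-insensitively."""
    return [l for l in name.rstrip(".").lower().split(".") if l]


def dname_substitute(qname, owner, target):
    """Name synthesized for qname by an 'owner DNAME target' record.

    Returns None when the DNAME does not apply: qname is the owner itself
    (the apex keeps its own SOA/NS/MX/A records) or lies outside the owner.
    Raises ValueError where a server would answer YXDOMAIN (RFC 6672 2.2):
    the substituted name would exceed 255 octets in wire form.
    """
    q, o, t = labels(qname), labels(owner), labels(target)
    # Only names *strictly* below the owner are rewritten.
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    new = q[:len(q) - len(o)] + t
    wire_len = sum(len(l) + 1 for l in new) + 1   # length bytes + root label
    if wire_len > 255:
        raise ValueError("YXDOMAIN: substituted name longer than 255 octets")
    return ".".join(new) + "."


def apex_records_to_copy(records, src_apex, dst_apex):
    """Given d1.com's records as (owner, type, rdata) tuples, return the apex
    records that a DNAME can never alias, re-owned for the d2.com zone.
    SOA and NS are skipped because the d2.com zone carries its own."""
    src = labels(src_apex)
    return [(dst_apex, rtype, rdata) for owner, rtype, rdata in records
            if labels(owner) == src and rtype not in ("SOA", "NS")]


if __name__ == "__main__":
    # Constructed d1.com zone data.
    d1 = [("d1.com.", "SOA", "ns1.d1.com. hostmaster.d1.com. 1 3600 900 604800 300"),
          ("d1.com.", "NS", "ns1.d1.com."),
          ("d1.com.", "MX", "10 mail.d1.com."),
          ("d1.com.", "A", "1.2.3.4"),
          ("www.d1.com.", "A", "1.2.3.4")]
    for name in ("www.d2.com.", "mail.d2.com.", "d2.com."):
        print(name, "->", dname_substitute(name, "d2.com.", "d1.com."))
    print("still needed in d2.com:", apex_records_to_copy(d1, "d1.com.", "d2.com."))
```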
bind-9.8.1: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed
To my surprise, I had several DNS servers running BIND 9.8.1 all fail at about the same time with this assertion failure in query.c, on line 1895. The only references I have found to this were from CVE-2009-0696 Dynamic Update DoS attack, which 9.8.1 surely should be immune to.

Any suggestions as to possible cause are most welcome.
Re: [META] Usenet cross-posting is back.
Dan Mahoney writes:

> I'm happy to announce that as of today, with some help from Russ Alberry
> and the fine people at Stanford University, we've restored this
> functionality.
> ...

thanks dan, thanks russ.

--
Paul Vixie
KI6YSY
Re: BIND started several times at one time
In message <47085dc0.36001054.4ec2fd04.1d...@o2.pl>, Aleksander Kurczyk writes:

> Hello,
> Is it possible to run named several times at one time on one computer on one
> OS at different ports and with different config files? I would like to
> simulate multiple servers on one PC.

Yes, however it's much easier to run them on multiple addresses and the same port, which is what the test suite does. The test suite uses 10.53.0.x but it is just as easy to run on 127.0.0.2, 127.0.0.3, 127.0.0.4, etc.

listen-on, transfer-source, notify-source and query-source should be specified. If you don't want to run on port 53 then you should also specify "port".

You can do it all on 127.0.0.1 if you want but the configuration will be more complicated and you won't be able to test acls easily.

Mark

> --
> Regards,
> Aleksander Kurczyk

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
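To turn Mark's advice into something you can run, here is an added example (my own, not from the thread or from ISC's test suite): it generates one named.conf per instance on 127.0.0.2 and 127.0.0.3, with listen-on, query-source, transfer-source and notify-source all pinned to that address, a separate directory and log per instance, the port option Mark mentions, and a constructed example.test zone mastered on one instance and slaved on the other. The lab directory layout and the zone contents are assumptions.

```python
# Added example, not code from the thread: build a two-instance BIND lab on
# separate loopback addresses.  The lab directory, the zone name
# example.test and its records are constructed for this example.
import os
import textwrap

MASTER, SLAVE = "127.0.0.2", "127.0.0.3"   # one loopback address per instance


def named_conf(addr, role, peer, labdir, port=53):
    """Return a named.conf for the instance bound to addr.

    listen-on plus query-source, transfer-source and notify-source are all
    pinned to addr, so the two instances never reach each other from
    127.0.0.1 by accident and address-based ACLs can be tested honestly.
    Each instance gets its own directory, pid file and log file; 'port'
    moves everything off 53 when the lab must run unprivileged.
    """
    inst = os.path.join(labdir, addr)
    conf = textwrap.dedent(f"""\
        options {{
            directory "{inst}";
            pid-file "{inst}/named.pid";
            port {port};
            listen-on {{ {addr}; }};
            listen-on-v6 {{ none; }};
            query-source address {addr};
            transfer-source {addr};
            notify-source {addr};
            recursion no;
        }};
        logging {{
            channel lab {{
                file "{inst}/named.log";
                print-time yes; print-category yes; print-severity yes;
            }};
            category default {{ lab; }};
        }};
        """)
    if role == "master":
        conf += textwrap.dedent(f"""\
            zone "example.test" {{
                type master;
                file "example.test.db";
                allow-transfer {{ {peer}; }};
                notify explicit;
                also-notify {{ {peer} port {port}; }};
            }};
            """)
    else:
        conf += textwrap.dedent(f"""\
            zone "example.test" {{
                type slave;
                file "example.test.db";
                masters {{ {peer} port {port}; }};
            }};
            """)
    return conf


# Constructed zone for the master; the slave receives it by AXFR after NOTIFY.
ZONE = textwrap.dedent(f"""\
    $TTL 300
    @   IN SOA ns1 hostmaster 2011111501 3600 900 604800 300
    @   IN NS  ns1
    @   IN NS  ns2
    ns1 IN A   {MASTER}
    ns2 IN A   {SLAVE}
    www IN A   192.0.2.10
    """)


def write_lab(labdir, port=53):
    """Write both instances' files; return the named -c commands that start them."""
    cmds = []
    for addr, role, peer in ((MASTER, "master", SLAVE), (SLAVE, "slave", MASTER)):
        inst = os.path.join(labdir, addr)
        os.makedirs(inst, exist_ok=True)
        with open(os.path.join(inst, "named.conf"), "w") as f:
            f.write(named_conf(addr, role, peer, labdir, port))
        if role == "master":
            with open(os.path.join(inst, "example.test.db"), "w") as f:
                f.write(ZONE)
        cmds.append(f"named -c {inst}/named.conf")
    return cmds


if __name__ == "__main__":
    print("\n".join(write_lab("/tmp/bindlab")))
```

Port 53 needs root (or CAP_NET_BIND_SERVICE); pass port=5300 for unprivileged instances and query them with dig -p 5300 @127.0.0.2. Linux answers on all of 127.0.0.0/8 by default, while BSD and macOS need the extra loopback addresses aliased onto lo0 first.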
Re: BIND started several times at one time
On Tue, 2011-11-15 at 18:41 -0600, /dev/rob0 wrote:
> On Tuesday 15 November 2011 18:19:22 Aleksander Kurczyk wrote:
> > This will not be a server for public use. I just want to try make
> > a configuration of two or more servers with zone transfers,
> > master/slave, notify, etc. locally (on 127.0.0.1 but on different
> > ports). How can I do that? I have to install named several times
> > or just start it with some options?
>
> "man named" will show you the options, I think you want "named -c
> /path/to/alternate/named.conf".
>
> Each instance will need a unique listen-on setting.

If this is for experimentation, you'll probably also want to set up different logs, too.

The neatest way to do this might be on virtuals, rather than on the same host. That way each will be completely separate from the others - addresses, ports, logs etc. And if/when you then want to put a configuration into production, you might even be able to just drop the virtual onto a suitable host, tweak the config for a real address, and off you go...

Regards, K.

--
Karl Auer (ka...@biplane.com.au)   +61-2-64957160 (h)
http://www.biplane.com.au/kauer/   +61-428-957160 (mob)
Re: BIND started several times at one time
On Tuesday 15 November 2011 18:19:22 Aleksander Kurczyk wrote:
> This will not be a server for public use. I just want to try make
> a configuration of two or more servers with zone transfers,
> master/slave, notify, etc. locally (on 127.0.0.1 but on different
> ports). How can I do that? I have to install named several times
> or just start it with some options?

"man named" will show you the options, I think you want "named -c /path/to/alternate/named.conf".

Each instance will need a unique listen-on setting. Only one can have the default, which is "0.0.0.0 port 53". You will probably also want different directory settings. See listen-on and directory in ARM chapter 6.

--
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
Re: BIND started several times at one time
On 11/15/2011 7:19 PM, Aleksander Kurczyk wrote:
> This will not be a server for public use. I just want to try make a
> configuration of two or more servers with zone transfers,
> master/slave, notify, etc. locally (on 127.0.0.1 but on different
> ports). How can I do that? I have to install named several times or
> just start it with some options?

It works fine. Use multiple config files, each with a different "listen-on [ port ip_port ] { address_match_list };". Start each named instance with the "-c" option.

AlanC

--
a...@clegg.com | acl...@infoblox.com
1.919.355.8851
Re: BIND started several times at one time
This will not be a server for public use. I just want to try make a configuration of two or more servers with zone transfers, master/slave, notify, etc. locally (on 127.0.0.1 but on different ports). How can I do that? I have to install named several times or just start it with some options?

On 16 November 2011 at 1:08, Chuck Swiger wrote:
> On Nov 15, 2011, at 4:00 PM, Aleksander Kurczyk wrote:
> > Is it possible to run named several times at one time on one computer on
> > one OS at different ports and with different config files? I would like to
> > simulate multiple servers on one PC.
>
> It's possible, but unlikely to be useful without a NAT firewall redirecting
> connections from port 53 on different external IPs to different internal
> ports that named is listening on.
>
> (Only one named can listen on port 53, which is the place that clients will
> send DNS requests to.)
>
> Regards,

--
Regards,
Aleksander Kurczyk
Re: BIND started several times at one time
On Nov 15, 2011, at 4:00 PM, Aleksander Kurczyk wrote:
> Is it possible to run named several times at one time on one computer on one
> OS at different ports and with different config files? I would like to
> simulate multiple servers on one PC.

It's possible, but unlikely to be useful without a NAT firewall redirecting connections from port 53 on different external IPs to different internal ports that named is listening on.

(Only one named can listen on port 53, which is the place that clients will send DNS requests to.)

Regards,
--
-Chuck
BIND started several times at one time
Hello,

Is it possible to run named several times at one time on one computer on one OS at different ports and with different config files? I would like to simulate multiple servers on one PC.

--
Regards,
Aleksander Kurczyk
Re: Turning log on bind for troubleshooting
Sebastian;

Thanks so much for that! I will try this at the slave server. I already configured for the master and these are my first issues:

15-Nov-2011 13:40:58.312 general: warning: /var/named/bonsi.org.external.hosts:15: ignoring out-of-zone data (EduardoBonsi.45.200.63.in-addr.arpa)
15-Nov-2011 13:40:58.312 general: warning: /var/named/bonsi.org.external.hosts:16: ignoring out-of-zone data (ftp.45.200.63.in-addr.arpa)
15-Nov-2011 13:40:58.312 general: warning: /var/named/bonsi.org.external.hosts:17: ignoring out-of-zone data (mail.45.200.63.in-addr.arpa)
15-Nov-2011 13:40:58.312 general: warning: /var/named/bonsi.org.external.hosts:18: ignoring out-of-zone data (ns1.45.200.63.in-addr.arpa)
15-Nov-2011 13:40:58.312 general: warning: /var/named/bonsi.org.external.hosts:19: ignoring out-of-zone data (ns2.45.200.63.in-addr.arpa)
15-Nov-2011 13:40:58.312 general: warning: /var/named/bonsi.org.external.hosts:20: ignoring out-of-zone data (qtdss.45.200.63.in-addr.arpa)
15-Nov-2011 13:40:58.312 general: warning: /var/named/bonsi.org.external.hosts:21: ignoring out-of-zone data (www.45.200.63.in-addr.arpa)
15-Nov-2011 13:40:58.312 general: error: zone bonsi.org/IN/external: NS 'ns1.bonsi.org' has no address records (A or AAAA)
15-Nov-2011 13:40:58.312 general: error: zone bonsi.org/IN/external: NS 'ns2.bonsi.org' has no address records (A or AAAA)
15-Nov-2011 13:40:58.312 general: error: zone bonsi.org/IN/external: bonsi.org/MX 'mail.bonsi.org' has no address records (A or AAAA)

I will fix these issues right away. For those out there interested to know how I did it, here are the steps:

1. Inserted these at the end of named.conf:

logging {
    channel dnssec_log {
        file "log/dnssec" size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 3;
    };
    category dnssec { dnssec_log; default_syslog; default_debug; default_stderr; };
    //
    channel "debug" {
        file "/var/log/named/namedlogs" versions 2 size 50m;
        severity warning;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category "default" { "debug"; };
    category "general" { "debug"; };
    category "database" { "debug"; };
    category "security" { "debug"; };
    category "config" { "debug"; };
    category "resolver" { "debug"; };
    category "xfer-in" { "debug"; };
    category "xfer-out" { "debug"; };
    category "notify" { "debug"; };
    category "client" { "debug"; };
    category "unmatched" { "debug"; };
    category "network" { "debug"; };
    category "update" { "debug"; };
    category "queries" { "debug"; };
    category "dispatch" { "debug"; };
    category "dnssec" { "debug"; };
    category "lame-servers" { "debug"; };
};

2. You must create the path and the file using the terminal as "root", just the way it shows here:

[user:~] root# cd /var/log
[user:/var/log] root# mkdir named
[user:/var/log] root# cd

3. To create the file inside of the directory /var/log/named/, use nano:

[user:~] root# nano /var/log/named/namedlogs

On 11/15/11 1:41 PM, Sebastian Tymków wrote:
> Hello,
>
> Log statement is whole config block.
> Probably this link helps you better: http://bec.at/support/bind9/Bv9ARM.ch06.html#AEN1566
>
> Below I attach my example:
>
> // declare log statement
> logging {
>     // declare channel log2_syslog (the name the categories below refer to)
>     channel log2_syslog {
>         syslog daemon; // where logs should be directed
>         severity warning;
>         print-category no;
>         print-severity no;
>         print-time no;
>     };
>     // declare debug channel
>     channel log2_debug {
>         syslog daemon;
>         severity debug;
>         print-category yes;
>         print-severity yes;
>         print-time yes;
>     };
>     // declare /dev/null
>     channel log2_null { null; };
>     // declare which category should use which declaration
>     category default { log2_syslog; };
>     category config { log2_syslog; };
>     category queries { log2_syslog; };
>     category lame-servers { log2_syslog; };
>     category update { log2_debug; };
>     category xfer-in { log2_syslog; };
>     category xfer-out { log2_syslog; };
>     category notify { log2_syslog; };
>     category security { log2_null; };
> };
>
> Best regards,
> Sebastian
>
> On Tue, Nov 15, 2011 at 8:49 PM, Eduardo Bonsi wrote:
> > Sebastian;
> >
> > Thanks! I was looking at this log statement last night. I found two
> > statements: Not sure what is the best one to debug.
> > They are also not clear where to insert these statements: On options or
> > some place else in the end of named.conf.
> >
> > http://www.zytrax.com/books/dns/ch7/logging.html
> >
> > logging{
> >     channel simple_log {
> >         file "/var/log/named/bind.log" versions 3 size 5m;
> >         severity warning;
> >         print-time yes;
> >         print-severity yes;
> >         print-categ
Re: Turning log on bind for troubleshooting
Grab the BIND ARM for your version: http://www.isc.org/software/bind/documentation

There it indirectly calls out that logging is its own section (e.g. It doesn't say "this is valid in options or views" like it does for many other things)...

It is its own stanza:

options { };
controls { };
acl { };
[...]
logging {
    channel "config" {
        file "/var/log/config" versions 3 size 10485760;
        print-time yes;
        print-category yes;
    };
    channel "messages" {
        file "/var/log/messages" versions 3 size 10485760;
        print-time yes;
        print-category yes;
    };
    channel "security" {
        file "/var/log/security" versions 3 size 10485760;
        print-time yes;
        print-category yes;
    };
    channel "xfer" {
        file "/var/log/xfer" versions 3 size 10485760;
        print-time yes;
        print-category yes;
    };
    category "default" { "messages"; };
    category "general" { "messages"; };
    [...]
};

On 11/15/11 11:49 AM, "Eduardo Bonsi" wrote:
> Sebastian;
>
> Thanks! I was looking at this log statement last night. I found two
> statements: Not sure what is the best one to debug.
> They are also not clear where to insert these statements:
> On options or some place else in the end of named.conf.
>
> http://www.zytrax.com/books/dns/ch7/logging.html
>
> logging{
>    channel simple_log {
>      file "/var/log/named/bind.log" versions 3 size 5m;
>      severity warning;
>      print-time yes;
>      print-severity yes;
>      print-category yes;
>    };
>    category default{
>      simple_log;
>    };
> };
>
> http://www.netadmintools.com/art233.html
>
> logging {
>    category "default" { "debug"; };
>    category "general" { "debug"; };
>    category "database" { "debug"; };
>    category "security" { "debug"; };
>    category "config" { "debug"; };
>    category "resolver" { "debug"; };
>    category "xfer-in" { "debug"; };
>    category "xfer-out" { "debug"; };
>    category "notify" { "debug"; };
>    category "client" { "debug"; };
>    category "unmatched" { "debug"; };
>    category "network" { "debug"; };
>    category "update" { "debug"; };
>    category "queries" { "debug"; };
>    category "dispatch" { "debug"; };
>    category "dnssec" { "debug"; };
>    category "lame-servers" { "debug"; };
>    channel "debug" {
>      file "/tmp/nameddbg" versions 2 size 50m;
>      print-time yes;
>      print-category yes;
>    };
> };
>
> On 11/15/11 12:42 AM, Sebastian Tymków wrote:
>> Hi,
>>
>> Look at this : http://www.zytrax.com/books/dns/ch7/logging.html
>> For troubleshooting I suggest using debug mode.
>>
>> Best regards,
>> Sebastian
>>
>> On Tue, Nov 15, 2011 at 9:13 AM, Eduardo Bonsi wrote:
>>> What is the best statement to insert on name.conf to generate logs for
>>> troubleshooting bind 9.x?
>>>
>>> Thanks!
>>>
>>> --
>>> BEARTCOMMUNICATIONS
>>> Eduardo Bonsi
>>> System - Network Admin
>>> beart...@pacbell.net
>>> webmas...@beart.com

--
By nature, men are nearly alike; by practice, they get to be wide apart.
-- Confucius

https://opswiki.ironport.com/bin/view/Main/CoreServices
https://opswiki.ironport.com/bin/view/Main/IPv6OpsStrategy
Re: Turning log on bind for troubleshooting
Sebastian;

Thanks! I was looking at this log statement last night. I found two statements: Not sure what is the best one to debug.
They are also not clear where to insert these statements: On options or some place else in the end of named.conf.

http://www.zytrax.com/books/dns/ch7/logging.html

logging{
    channel simple_log {
        file "/var/log/named/bind.log" versions 3 size 5m;
        severity warning;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default{
        simple_log;
    };
};

http://www.netadmintools.com/art233.html

logging {
    category "default" { "debug"; };
    category "general" { "debug"; };
    category "database" { "debug"; };
    category "security" { "debug"; };
    category "config" { "debug"; };
    category "resolver" { "debug"; };
    category "xfer-in" { "debug"; };
    category "xfer-out" { "debug"; };
    category "notify" { "debug"; };
    category "client" { "debug"; };
    category "unmatched" { "debug"; };
    category "network" { "debug"; };
    category "update" { "debug"; };
    category "queries" { "debug"; };
    category "dispatch" { "debug"; };
    category "dnssec" { "debug"; };
    category "lame-servers" { "debug"; };
    channel "debug" {
        file "/tmp/nameddbg" versions 2 size 50m;
        print-time yes;
        print-category yes;
    };
};

On 11/15/11 12:42 AM, Sebastian Tymków wrote:
> Hi,
>
> Look at this : http://www.zytrax.com/books/dns/ch7/logging.html
> For troubleshooting I suggest using debug mode.
>
> Best regards,
> Sebastian
>
> On Tue, Nov 15, 2011 at 9:13 AM, Eduardo Bonsi wrote:
> > What is the best statement to insert on name.conf to generate logs for
> > troubleshooting bind 9.x?
> >
> > Thanks!

--
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net
webmas...@beart.com
Re: DNSSEC external validation issues
Casey;

I do have the allow-query { any; }; statement posted in all zones; The server is working fine! It has been serving the domain www.bonsi.org and another FQDN with no problems. When I dig from the inside it shows that everything is ok.

; <<>> DiG 9.6-ESV-R4-P3 <<>> bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36063
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;bonsi.org.                     IN      A

;; ANSWER SECTION:
bonsi.org.              3600    IN      A       63.200.45.21

;; AUTHORITY SECTION:
bonsi.org.              3600    IN      NS      ns2.bonsi.org.
bonsi.org.              3600    IN      NS      ns1.bonsi.org.

;; ADDITIONAL SECTION:
ns2.bonsi.org.          3600    IN      A       63.200.45.19

;; Query time: 4 msec
;; SERVER: 63.200.45.18#53(63.200.45.18)
;; WHEN: Tue Nov 15 11:10:07 2011
;; MSG SIZE  rcvd: 95

*

; <<>> DiG 9.6-ESV-R4-P3 <<>> ns1.bonsi.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63734
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.bonsi.org.                 IN      A

;; AUTHORITY SECTION:
ns1.bonsi.org.          3600    IN      SOA     ns1.bonsi.org. hostmaster.bonsi.org. 2011101403 10800 3600 604800 3600

;; Query time: 8 msec
;; SERVER: 63.200.45.18#53(63.200.45.18)
;; WHEN: Tue Nov 15 11:10:45 2011
;; MSG SIZE  rcvd: 78

*

It's just that people when querying from outside get a "return refused" or "server not found".

Here is a copy of my "named.conf". The debug of named when checked showed; Check BIND Config: "No errors were found in the BIND configuration file named.conf or referenced zone files."

// Include keys file
key rndc-key {
    algorithm hmac-md5;
    secret "secret key";
};
//
//
// Declares control channels to be used by the rndc utility.
// It is recommended that 127.0.0.1 be the only address used.
// This also allows non-privileged users on the local host
// to manage your name server.
//
// Default controls
controls {
    inet 127.0.0.1 port 953 allow { localhost; } keys { rndc-key; };
};
//
options {
    directory "/var/named";
    version "Undisclosed";
    // If there is a firewall between you and name servers you want
    // to talk to, you might need to un-comment the query-source
    // directive below. Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 uses an unprivileged
    // port by default.
    //query-source address 192.168.1.2 port 53;
    dnssec-enable yes;
    dnssec-validation yes;
    forward first;
    transfer-format one-answer;
    forwarders { 68.94.156.1 port 53; 68.94.157.1 port 53; };
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};

statistics-channels {
    inet * port 8053 allow { 127.0.0.1; };
};

// ACL statement
//
acl trusted {
    192.168.1.254;
    192.168.1.0/24;
    localhost;
    localnets;
};

view "internal" {
    match-clients { 192.168.1.0/24; 192.168.1.2; 192.168.1.6; 192.168.1.10; 192.168.1.17; 192.168.1.18; 192.168.1.25; };
    recursion yes;

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "localhost" IN {
        type master;
        allow-query { any; };
        file "localhost.zone";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        allow-query { any; };
        file "named.local";
        allow-update { none; };
        allow-transfer { none; };
    };

    // internal zones
    //
    zone "bonsi.org" IN {
        type master;
        allow-query { any; };
        notify yes;
        file "/var/named/db.bonsi.org";
        also-notify { 192.168.1.10; };
    };

    zone "1.168.192.in-addr.arpa" IN {
        type master;
        allow-query { any; };
        notify no;
        file "/var/named/db.192.168.1";
        also-notify { 192.168.1.10; };
    };

    zone "168.192.in-addr.arpa" IN {
        type master;
        allow-query { any; };
        file "/var/named/db.192.168";
        also-notify { 192.168.1.10; };
    };

    zone "domain2.com" {
        type master;
        allow-query { any; };
        file "domain2.internal.hosts";
    };

    allow-query { any; };
    also-notify { 192.168.1.10; };
};

// www.external zones
//
view "external" {
    match-clients { any; };
    recursion no;

    zone "bonsi.org" {
        type master;
        allow-query { any; };
        file "/var/named/bonsi.org.external.hosts";
        notify yes;
        also-notify { 192.168.1.10; };
    };

    zone "sub1.bonsi.org" {
        type master;
        allow-query { any; };
        file "sub1.bonsi.org.external.hosts";
    };

    zone "domain2.com" {
        type master;
        allow-query { any; };
        file "domain2.com.external.hosts";
    };

    zone "45.200.63.in-addr.arpa" {
        type master;
        allow-query { any; };
        file "63.200.45.e
Re: DNSSEC external validation issues
On Sun, Nov 13, 2011 at 1:50 PM, Eduardo Bonsi wrote:
> Mark and everybody, Thanks for the checking. I had a suspicion that was
> the issue but I need a second opinion since when I checked my DNS from the
> inside the "refused" status is not happening. Here is what I am getting:
>

What does your named.conf on ns1/ns2 look like? You should be allowing queries from "any" for bonsi.org if you intend it to be advertised as an authoritative server. Something like:

zone "bonsi.org" {
    ...
    allow-query { any; };
};

Casey
Re: Query regarding dig output
On Tue, 15 Nov 2011, Gaurav Kansal wrote:

> When I am query through dig for nkn.in domain without any additional
> parameter, It is showing 3 ADDITIONAL records.
> And when I am query through dig for same nkn.in domain with +dnssec
> parameter, It is showing 4 ADDITIONAL records but there are only 3 answers
> in ;;ADDITIONAL SECTION.
> Why is it so???
>
> [@gaurav ~]# dig @180.149.63.3 nkn.in

I cannot reproduce that. It's the same output with or without +dnssec.

Paul
RE: Query regarding dig output
Hello,

The fourth record in the ADDITIONAL section is the OPT EDNS0 record, returned by the server. You can see it displayed in the QUESTION SECTION:

Also, try

    dig @180.149.63.3 nkn.in. +dnssec +bufsize=1024

(EDNS0, with DO, but payload of 1024) -> in the reply the payload will be 4096: so the server returns most of EDNS0 info in the query, but replaces the UDP payload size by what it accepts itself. (cfr recent posting of Mark Andrews in IETF dnsext mailing list about finding this out)

Kind regards,

Marc Lampo
Security Officer
EURid

From: Gaurav Kansal [mailto:gaurav.kan...@nic.in]
Sent: 15 November 2011 01:42 PM
To: bind-users@lists.isc.org
Subject: Query regarding dig output

Dear Sir,

When I am query through dig for nkn.in domain without any additional parameter, It is showing 3 ADDITIONAL records.
And when I am query through dig for same nkn.in domain with +dnssec parameter, It is showing 4 ADDITIONAL records but there are only 3 answers in ;;ADDITIONAL SECTION.
Why is it so???

[@gaurav ~]#
[@gaurav ~]# dig @180.149.63.3 nkn.in

; <<>> DiG 9.3.3rc2 <<>> @180.149.63.3 nkn.in
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62605
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;nkn.in.                        IN      A

;; ANSWER SECTION:
nkn.in.                 86400   IN      A       164.100.56.206

;; AUTHORITY SECTION:
nkn.in.                 86400   IN      NS      ns3.nkn.in.
nkn.in.                 86400   IN      NS      ns2.nkn.in.
nkn.in.                 86400   IN      NS      ns1.nkn.in.

;; ADDITIONAL SECTION:
ns1.nkn.in.             86400   IN      A       180.149.63.3
ns2.nkn.in.             86400   IN      A       180.149.63.66
ns3.nkn.in.             86400   IN      AAAA    2405:8a00:1000::2

;; Query time: 2 msec
;; SERVER: 180.149.63.3#53(180.149.63.3)
;; WHEN: Tue Nov 15 17:58:21 2011
;; MSG SIZE  rcvd: 154

[@gaurav ~]#
[@gaurav ~]#
[@gaurav ~]# dig @180.149.63.3 +dnssec nkn.in

; <<>> DiG 9.3.3rc2 <<>> @180.149.63.3 +dnssec nkn.in
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39199
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096

;; QUESTION SECTION:
;nkn.in.                        IN      A

;; ANSWER SECTION:
nkn.in.                 86400   IN      A       164.100.56.206

;; AUTHORITY SECTION:
nkn.in.                 86400   IN      NS      ns1.nkn.in.
nkn.in.                 86400   IN      NS      ns3.nkn.in.
nkn.in.                 86400   IN      NS      ns2.nkn.in.

;; ADDITIONAL SECTION:
ns1.nkn.in.             86400   IN      A       180.149.63.3
ns2.nkn.in.             86400   IN      A       180.149.63.66
ns3.nkn.in.             86400   IN      AAAA    2405:8a00:1000::2

;; Query time: 603 msec
;; SERVER: 180.149.63.3#53(180.149.63.3)
;; WHEN: Tue Nov 15 17:59:33 2011
;; MSG SIZE  rcvd: 165

[@gaurav ~]#

Thanks and Regards,
Gaurav Kansal
8860785630
9910118448
Re: [Best practice] Internal zone
On 15/11/2011 12:50, Jeremy MAURO wrote:
> I asking you all for you best practice regarding your internal DNS and
> zones.
>
> I have a 2 DNS servers used as Internal DNS and Resolvers, here is the
> dilemma, should I declare in each internal zone my NS with a glue record:
>
> $ORIGIN example.internal.
> ; NS records
>     IN NS ns1
>     IN NS ns2
> ns1 IN A  10.10.10.10
> ns2 IN A  10.10.10.11
>
>
> Or should I point toward the NS server from my principal zone:
>
> $ORIGIN example.internal.
> ; NS records
>     IN NS ns1.principal.internal.
>     IN NS ns2.principal.internal.
>
>
> Which one of those 2 samples is the best one and the closer from the
> RFCs? As far as I know, the second sample should be the best one since
> the RFC 1912 says "Some people get in the bad habit of putting in a glue
> record whenever they add an NS record 'just to make sure'."
>
> Any opinion is approached.

If you've already got A (and PTR) records set up for your nameservers, then there's no advantage to adding more A records in each zonefile. Especially given that all those zones are served from the same set of authoritative servers.

Having one A record for each nameserver makes it much easier if you ever need to renumber the server. In a more complex setup with different zones distributed over various different sets of internal servers, having a unique A record for each server makes it much clearer which server is actually serving which zone.

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
[Best practice] Internal zone
Hi everyone,

I am asking you all for your best practice regarding your internal DNS
and zones.

I have 2 DNS servers used as Internal DNS and Resolvers. Here is the
dilemma: should I declare in each internal zone my NS with a glue record:

$ORIGIN example.internal.
; NS records
        IN NS ns1
        IN NS ns2
ns1     IN A  10.10.10.10
ns2     IN A  10.10.10.11

Or should I point toward the NS server from my principal zone:

$ORIGIN example.internal.
; NS records
        IN NS ns1.principal.internal.
        IN NS ns2.principal.internal.

Which one of those 2 samples is the best one and the closest to the
RFCs? As far as I know, the second sample should be the best one since
RFC 1912 says "Some people get in the bad habit of putting in a glue
record whenever they add an NS record 'just to make sure'."

Any opinion is appreciated.

-- 
Regards,
JM
Re: Query regarding dig output
On Tue, Nov 15, 2011 at 06:11:32PM +0530,
 Gaurav Kansal wrote
 a message of 415 lines which said:

> And when I am query through dig for same nkn.in domain with +dnssec
> parameter,

Something that you did not post. Such a test does not appear in your
original email.

nkn.in is not signed and using +dnssec or not changes nothing.

% dig nkn.in

; <<>> DiG 9.7.3 <<>> nkn.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38542
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nkn.in.                        IN      A

;; ANSWER SECTION:
nkn.in.                 86400   IN      A       164.100.56.206

;; AUTHORITY SECTION:
nkn.in.                 86400   IN      NS      ns2.nkn.in.
nkn.in.                 86400   IN      NS      ns3.nkn.in.
nkn.in.                 86400   IN      NS      ns1.nkn.in.

;; ADDITIONAL SECTION:
ns1.nkn.in.             86400   IN      A       180.149.63.3
ns2.nkn.in.             86400   IN      A       180.149.63.66
ns3.nkn.in.             86400   IN      AAAA    2405:8a00:1000::2

;; Query time: 492 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Nov 15 13:49:18 2011
;; MSG SIZE  rcvd: 165

% dig +dnssec nkn.in

; <<>> DiG 9.7.3 <<>> +dnssec nkn.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18735
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nkn.in.                        IN      A

;; ANSWER SECTION:
nkn.in.                 86392   IN      A       164.100.56.206

;; AUTHORITY SECTION:
nkn.in.                 86392   IN      NS      ns2.nkn.in.
nkn.in.                 86392   IN      NS      ns3.nkn.in.
nkn.in.                 86392   IN      NS      ns1.nkn.in.

;; ADDITIONAL SECTION:
ns1.nkn.in.             86392   IN      A       180.149.63.3
ns2.nkn.in.             86392   IN      A       180.149.63.66
ns3.nkn.in.             86392   IN      AAAA    2405:8a00:1000::2

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Nov 15 13:49:26 2011
;; MSG SIZE  rcvd: 165
Query regarding dig output
Dear Sir,

When I query through dig for the nkn.in domain without any additional
parameter, it shows 3 ADDITIONAL records.

And when I query through dig for the same nkn.in domain with the +dnssec
parameter, it shows 4 ADDITIONAL records, but there are only 3 answers
in the ;; ADDITIONAL SECTION.

Why is it so?

[@gaurav ~]#
[@gaurav ~]# dig @180.149.63.3 nkn.in

; <<>> DiG 9.3.3rc2 <<>> @180.149.63.3 nkn.in
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62605
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;nkn.in.                        IN      A

;; ANSWER SECTION:
nkn.in.                 86400   IN      A       164.100.56.206

;; AUTHORITY SECTION:
nkn.in.                 86400   IN      NS      ns3.nkn.in.
nkn.in.                 86400   IN      NS      ns2.nkn.in.
nkn.in.                 86400   IN      NS      ns1.nkn.in.

;; ADDITIONAL SECTION:
ns1.nkn.in.             86400   IN      A       180.149.63.3
ns2.nkn.in.             86400   IN      A       180.149.63.66
ns3.nkn.in.             86400   IN      AAAA    2405:8a00:1000::2

;; Query time: 2 msec
;; SERVER: 180.149.63.3#53(180.149.63.3)
;; WHEN: Tue Nov 15 17:58:21 2011
;; MSG SIZE  rcvd: 154

[@gaurav ~]#
[@gaurav ~]#
[@gaurav ~]# dig @180.149.63.3 +dnssec nkn.in

; <<>> DiG 9.3.3rc2 <<>> @180.149.63.3 +dnssec nkn.in
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39199
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nkn.in.                        IN      A

;; ANSWER SECTION:
nkn.in.                 86400   IN      A       164.100.56.206

;; AUTHORITY SECTION:
nkn.in.                 86400   IN      NS      ns1.nkn.in.
nkn.in.                 86400   IN      NS      ns3.nkn.in.
nkn.in.                 86400   IN      NS      ns2.nkn.in.

;; ADDITIONAL SECTION:
ns1.nkn.in.             86400   IN      A       180.149.63.3
ns2.nkn.in.             86400   IN      A       180.149.63.66
ns3.nkn.in.             86400   IN      AAAA    2405:8a00:1000::2

;; Query time: 603 msec
;; SERVER: 180.149.63.3#53(180.149.63.3)
;; WHEN: Tue Nov 15 17:59:33 2011
;; MSG SIZE  rcvd: 165

[@gaurav ~]#

Thanks and Regards,
Gaurav Kansal
8860785630
9910118448
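The fourth record counted under ADDITIONAL in the +dnssec run is the EDNS(0) OPT pseudo-RR (RFC 6891): it is carried in the additional section, so the header's ARCOUNT includes it, but dig prints it separately as the OPT PSEUDOSECTION rather than under ADDITIONAL SECTION. As an added example, not code from the thread, this builds a constructed wire-format response shaped like the output above, with and without OPT, and parses it to show where the extra count comes from; build_response, parse_name and additional_summary are this example's own names.

```python
import ipaddress
import struct

OPT = 41  # EDNS(0) OPT pseudo-RR type (RFC 6891); it travels in the additional section
def encode_name(name):
    # Uncompressed wire-format name: length-prefixed labels ending with the root (0x00).
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def rr(name, rtype, rdata, ttl=86400, rclass=1):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_response(edns):
    # Constructed message shaped like the dig output above: 1 A answer, 3 NS, 2 A + 1 AAAA glue.
    answer = [rr("nkn.in", 1, ipaddress.IPv4Address("164.100.56.206").packed)]
    authority = [rr("nkn.in", 2, encode_name(f"ns{i}.nkn.in")) for i in (1, 3, 2)]
    additional = [rr("ns1.nkn.in", 1, ipaddress.IPv4Address("180.149.63.3").packed),
                  rr("ns2.nkn.in", 1, ipaddress.IPv4Address("180.149.63.66").packed),
                  rr("ns3.nkn.in", 28, ipaddress.IPv6Address("2405:8a00:1000::2").packed)]
    if edns:
        # OPT RR: root owner, CLASS = UDP payload size, TTL = ext. RCODE/version/flags (0x8000 = DO).
        additional.append(rr("", OPT, b"", ttl=0x8000, rclass=4096))
    header = struct.pack("!HHHHHH", 39199, 0x8580, 1, len(answer), len(authority), len(additional))
    question = encode_name("nkn.in") + struct.pack("!HH", 1, 1)  # nkn.in IN A
    return header + question + b"".join(answer + authority + additional)

def parse_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            tail, _ = parse_name(msg, ((n & 0x3F) << 8) | msg[off])
            return (".".join(labels) + "." + tail if labels else tail), off + 1
        labels.append(msg[off:off + n].decode())
        off += n

def additional_summary(msg):
    """Return (ARCOUNT from the header, RRs dig prints under ADDITIONAL, OPT present)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4  # QTYPE + QCLASS
    types = []
    for _ in range(an + ns + ar):
        _, off = parse_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    adds = types[an + ns:]  # the last ARCOUNT records are the additional section
    return ar, sum(1 for t in adds if t != OPT), OPT in adds
```

additional_summary(build_response(True)) gives (4, 3, True): ARCOUNT 4, three printable glue records, one OPT; without EDNS it gives (3, 3, False).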
Re: Syncing DNS zones with different names
On Nov 15 2011, Barry Margolin wrote:

> In article , "Chris Balmain" wrote:
>
>> Let's say I have two domain names, d1.com and d2.com, and I want to
>> synchronise all records underneath them (one-way sync, that is). So if
>> I create an A record www.d1.com pointing at 1.2.3.4, www.d2.com is also
>> automatically created, with the same value. So it's almost like a
>> master/slave relationship, but the slave zone has a different name to
>> the master.
>>
>> Let's assume the two zones will be hosted on the same set of
>> nameservers, so even the SOA and NS records will be identical between
>> them.
>>
>> I've been googling, but haven't found anything. Does anyone know if
>> this is natively possible with Bind 9, or will I have to hack a script
>> together to do a transfer from the d1.com zone and parse the data to
>> build an equivalent zone file for d2.com?
>
> See the DNAME record. It's like a CNAME, but applies to the whole
> domain. But you need to put the DNAME in the zone where the domain is
> delegated; so in your case, you'd have to get the DNAME into the .COM
> zone.

No, you don't need to put the DNAME in the parent zone. A zone with a
DNAME at the apex works perfectly well, e.g. for d2.com

   @  SOA    my-master-server.example. me.my-mail.example
   @  NS     ... some nameservers ...
   @  DNAME  d1.com.

But note that neither this nor the alternative of putting the DNAME in
the parent zone will alias records with the name "d1.com" itself, only
names under that. If, for example, "d1.com" itself had MX or address
records, you would still need to reproduce them in the d2.com zone file.

For a real-life example, see the way that the TLD "xn--kprw13d" is made
an alias of "xn--kpry57d", and note that the DNAME is in the
"xn--kprw13d" zone, not in the root zone.

> Another way to do it is to use the same zone file for both zones on the
> master server. Make sure that you use unqualified names everywhere in
> the zone file that you're not referencing outside the zone.

I think you mean "relative" (to the zone) or "non-absolute" rather than
"unqualified" there. Also, don't do this if you are using dynamic
updates on either zone, or the shared zone file will end up in a
horrible mess.

-- 
Chris Thompson
Email: c...@cam.ac.uk
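The caveat above, that an apex DNAME rewrites names below d2.com but never d2.com itself, is the RFC 6672 substitution rule. As an added example, not code from the thread, this implements that substitution and a small authoritative lookup over a constructed d2.com zone in the shape shown above (DNAME at the apex, with the apex MX reproduced by hand because the DNAME does not cover it); D2_ZONE, dname_substitute and lookup are this example's own names.

```python
def wire_length(name):
    # Wire-format length of a name: each label costs len+1 octets, plus the root octet.
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(len(l) + 1 for l in labels) + 1

def dname_substitute(qname, owner, target):
    """RFC 6672 DNAME substitution for one absolute query name (matched case-insensitively;
    the result is returned lower-cased for simplicity). Returns the rewritten name, or None
    when the DNAME does not apply: the owner name itself is never aliased, only names below it."""
    qname, owner, target = (n.lower() for n in (qname, owner, target))
    if qname == owner or not qname.endswith("." + owner):
        return None
    prefix = qname[:-(len(owner) + 1)]  # the labels to the left of the DNAME owner
    result = f"{prefix}.{target}"
    if wire_length(result) > 255:  # RFC 6672: an over-long result is answered with YXDOMAIN
        raise ValueError(f"YXDOMAIN: {result} exceeds 255 octets")
    return result

def lookup(zone, qname, qtype):
    """Answer section for a zone whose apex holds a DNAME: a name that exists in the zone is
    served from its own data (so apex MX or A records must be present there), a name below
    the DNAME owner gets the DNAME plus a synthesized CNAME (RFC 6672 section 3)."""
    qname = qname.lower()
    if qname in zone:
        return [(qname, qtype, r) for r in zone[qname].get(qtype, [])]
    for owner, rrsets in zone.items():
        if "DNAME" in rrsets:
            new = dname_substitute(qname, owner, rrsets["DNAME"][0])
            if new is not None:
                return [(owner, "DNAME", rrsets["DNAME"][0]), (qname, "CNAME", new)]
    return []  # a real server answers NXDOMAIN here

# Constructed d2.com zone (not from the message): DNAME at the apex, and the apex's
# own MX reproduced by hand because the DNAME does not alias d2.com itself.
D2_ZONE = {
    "d2.com.": {
        "SOA": ["my-master-server.example. me.my-mail.example. 1 3600 900 604800 300"],
        "NS": ["my-master-server.example."],
        "DNAME": ["d1.com."],
        "MX": ["10 mail.d1.com."],
    },
}
```

lookup(D2_ZONE, "mail.d2.com.", "A") returns the DNAME plus a synthesized "mail.d2.com. CNAME mail.d1.com.", while lookup(D2_ZONE, "d2.com.", "A") returns nothing because the apex is not rewritten.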
Re: Help with dig to check NS servers for DNSSEC setup
In article , Mark Andrews wrote:

> In message , Sam Wilson writes:
>> In article , Eduardo Bonsi wrote:
>>
>>> I am checking my DNS setup from inside using dig and I am getting
>>> everything ok but I need a second opinion from outside of the server to
>>> see if my ns1 and ns2 are responding ok to setup DNSSEC.
>>
>> Looks like you haven't put in any glue records for nsX.bonsi.org.
>
> The glue exists. The lookup of the address records fails: the servers
> at 63.200.45.18 and 63.200.45.19 return refused.

Ah, OK. I hadn't clocked that the last part of the dig:

>> bonsi.org.              86400   IN      NS      ns2.bonsi.org.
>> bonsi.org.              86400   IN      NS      ns1.bonsi.org.
>> ;; Received 95 bytes from 199.19.54.1#53(b0.org.afilias-nst.org) in 230 ms
>>
>> dig: couldn't get address for 'ns2.bonsi.org': not found

... was a failure of the local resolver to find an authoritative A
record for one of the NSs rather than a failure of b0.org.afilias-nst.org
to provide glue. Thanks.

Sam
Re: Help with dig to check NS servers for DNSSEC setup
In message , Sam Wilson writes:
> In article , Eduardo Bonsi wrote:
>
>> I am checking my DNS setup from inside using dig and I am getting
>> everything ok but I need a second opinion from outside of the server to
>> see if my ns1 and ns2 are responding ok to setup DNSSEC.
>
> Looks like you haven't put in any glue records for nsX.bonsi.org.
>
> Sam
> ---

The glue exists. The lookup of the address records fails: the servers
at 63.200.45.18 and 63.200.45.19 return refused.

> $ dig bonsi.org +trace
>
> ; <<>> DiG 9.3.6-APPLE-P2 <<>> bonsi.org +trace
> ;; global options:  printcmd
> .                       432891  IN      NS      g.root-servers.net.
> .                       432891  IN      NS      f.root-servers.net.
> .                       432891  IN      NS      d.root-servers.net.
> .                       432891  IN      NS      l.root-servers.net.
> .                       432891  IN      NS      c.root-servers.net.
> .                       432891  IN      NS      b.root-servers.net.
> .                       432891  IN      NS      m.root-servers.net.
> .                       432891  IN      NS      j.root-servers.net.
> .                       432891  IN      NS      e.root-servers.net.
> .                       432891  IN      NS      i.root-servers.net.
> .                       432891  IN      NS      a.root-servers.net.
> .                       432891  IN      NS      h.root-servers.net.
> .                       432891  IN      NS      k.root-servers.net.
> ;; Received 512 bytes from 129.215.205.191#53(129.215.205.191) in 1 ms
>
> org.                    172800  IN      NS      b0.org.afilias-nst.org.
> org.                    172800  IN      NS      c0.org.afilias-nst.info.
> org.                    172800  IN      NS      a0.org.afilias-nst.info.
> org.                    172800  IN      NS      b2.org.afilias-nst.org.
> org.                    172800  IN      NS      a2.org.afilias-nst.info.
> org.                    172800  IN      NS      d0.org.afilias-nst.org.
> ;; Received 429 bytes from 192.112.36.4#53(g.root-servers.net) in 52 ms
>
> bonsi.org.              86400   IN      NS      ns2.bonsi.org.
> bonsi.org.              86400   IN      NS      ns1.bonsi.org.
> ;; Received 95 bytes from 199.19.54.1#53(b0.org.afilias-nst.org) in 230 ms
>
> dig: couldn't get address for 'ns2.bonsi.org': not found

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Help with dig to check NS servers for DNSSEC setup
In article , Eduardo Bonsi wrote:

> I am checking my DNS setup from inside using dig and I am getting
> everything ok but I need a second opinion from outside of the server to
> see if my ns1 and ns2 are responding ok to setup DNSSEC.

Looks like you haven't put in any glue records for nsX.bonsi.org.

Sam
---

$ dig bonsi.org +trace

; <<>> DiG 9.3.6-APPLE-P2 <<>> bonsi.org +trace
;; global options:  printcmd
.                       432891  IN      NS      g.root-servers.net.
.                       432891  IN      NS      f.root-servers.net.
.                       432891  IN      NS      d.root-servers.net.
.                       432891  IN      NS      l.root-servers.net.
.                       432891  IN      NS      c.root-servers.net.
.                       432891  IN      NS      b.root-servers.net.
.                       432891  IN      NS      m.root-servers.net.
.                       432891  IN      NS      j.root-servers.net.
.                       432891  IN      NS      e.root-servers.net.
.                       432891  IN      NS      i.root-servers.net.
.                       432891  IN      NS      a.root-servers.net.
.                       432891  IN      NS      h.root-servers.net.
.                       432891  IN      NS      k.root-servers.net.
;; Received 512 bytes from 129.215.205.191#53(129.215.205.191) in 1 ms

org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
;; Received 429 bytes from 192.112.36.4#53(g.root-servers.net) in 52 ms

bonsi.org.              86400   IN      NS      ns2.bonsi.org.
bonsi.org.              86400   IN      NS      ns1.bonsi.org.
;; Received 95 bytes from 199.19.54.1#53(b0.org.afilias-nst.org) in 230 ms

dig: couldn't get address for 'ns2.bonsi.org': not found
Turning log on bind for troubleshooting
What is the best statement to insert in named.conf to generate logs for
troubleshooting bind 9.x?

Thanks!

-- 
BEARTCOMMUNICATIONS
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net
webmas...@beart.com
Re: Syncing DNS zones with different names
On 15/11/2011 07:19, Chris Balmain wrote:
> Let's say I have two domain names, d1.com and d2.com, and I want to
> synchronise all records underneath them (one-way sync, that is). So if I
> create an A record www.d1.com pointing at 1.2.3.4, www.d2.com is also
> automatically created, with the same value. So it's almost like a
> master/slave relationship, but the slave zone has a different name to
> the master.
>
> Let's assume the two zones will be hosted on the same set of
> nameservers, so even the SOA and NS records will be identical between them.
>
> I've been googling, but haven't found anything. Does anyone know if this
> is natively possible with Bind 9, or will I have to hack a script
> together to do a transfer from the d1.com zone and parse the data to
> build an equivalent zone file for d2.com?

DNAME

http://www.rfc-editor.org/rfc/rfc2672.txt

It's like CNAME, but for whole domains.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW