dnssec validation issue

2017-08-23 Thread Ganga R. Dhungyel
Hi All

I am running a bind 9.9.4-50 resolver on CentOS 7 (kernel 
3.10.0-514.26.2.el7.x86_64). I have enabled dnssec and made it into a 
validating resolver but I am facing issues with some sites that use CNAME and 
getting SERVFAIL. Configs are pretty simple as given below:

**configs
options {
    listen-on port 53 { 127.0.0.1; x.x.x.x; };
    listen-on-v6 port 53 { ::1; ::::d; };
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    dump-file "data/cache_dump.db";
    empty-zones-enable yes;
    zone-statistics yes;
    querylog yes;
    recursion yes;
    allow-recursion { localhost; my-net; };
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    allow-query { localhost; my-net; };
    allow-query-cache { localhost; my-net; };
    flush-zones-on-shutdown yes;
    version "UNNECESSARY";
    dnssec-enable yes;
    dnssec-validation auto; ## tried with yes but no difference
    random-device "/dev/urandom";
    managed-keys-directory "/var/named/dynamic";
};

// named.conf
//
include "/etc/named/acl.conf";
include "/etc/named/options.conf";
include "/etc/named/named-log.conf";
//include "/etc/named/named.rfc1912.zones";
include "/etc/rndc.key";
include "/etc/named.root.key";
zone "." IN {
    type hint;
    file "/var/named/data/named.root";
};
//
zone "0.0.127.in-addr.arpa" {
    type master;
    file "data/db.loopback.master";
    notify no;
};
**end of configs
**dig results for A record of www.icann.org

# dig @localhost www.icann.org. A +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org. A +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25178
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.icann.org.                 IN      A


*** Dig for CNAME works fine
# dig @localhost www.icann.org. cname +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> @localhost www.icann.org. cname +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62144
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11

;www.icann.org.                 IN      CNAME

;; ANSWER SECTION:
www.icann.org.          1747    IN      CNAME   www.vip.icann.org.
www.icann.org.          1747    IN      RRSIG   CNAME 7 3 3600 20170830102924 20170809041125 56445 icann.org.
        VB1PWieuP3nZX9rpJ8WyA2G0DoV86NxkrgT6HNDsTHmDI0xLYdGvLPCj
        H4m3lRg1YVxmpwFEJPDHG9TRcqo39T4TDFe+SIyMI/2ERFRhgorggaok
        zATAs35lDiLpoO7S1LLSWl/L+QmT/bK/XXq1VP/ZUjX3t6belB/GBnZW ZsL/NAU=

;; AUTHORITY SECTION:
icann.org.              84541   IN      NS      b.iana-servers.net.
icann.org.              84541   IN      NS      c.iana-servers.net.
icann.org.              84541   IN      NS      ns.icann.org.
icann.org.              84541   IN      NS      a.iana-servers.net.
icann.org.              84541   IN      RRSIG   NS 7 2 86400 20170831033936 20170810001125 56445 icann.org.
        jylCSOpN18PNZcDYghGrYky8NsR1Pt7Rpm+c564QQobdd6u8Q1cQtVZZ
        a+m8wDQtgb0LQCQ9FEXT7Sm9+/p+hGottj4YUuv1TDnLSztSkUqV5DOV
        ptqG7TCFqsF482AMEmqW8OKNMiapAX6NAbO1hl5gDm+BX0ro2XrCaqzU 8RrdHNE=

;; ADDITIONAL SECTION:
a.iana-servers.net.     170941  IN      A       199.43.135.53
a.iana-servers.net.     170941  IN              2001:500:8f::53
b.iana-servers.net.     170941  IN      A       199.43.133.53
...
ns.icann.org.           84541   IN      A       199.4.138.53
ns.icann.org.           84541   IN              2001:500:89::53
ns.icann.org.           1741    IN      RRSIG   A 7 3 3600 20170830005731 20170808155836 56445 icann.org.
        vcUjGAOoJj2nomVKLuigIJAYIOaauYWFN++wqcAYfwO6ayOXPxXMq4j6
        jvc8W5r+aLl4jQlHHTZ5L2TghdrH2ngFl5YlXKJSCjcAwifcvASrr5rv
        +5nmC41L66ueEafDLCBV1vUD2KlaHro1Om1vxZkl9zLCPQc3ESRkHE74 5Nr+nY8=
ns.icann.org.           1741    IN      RRSIG    7 3 3600 20170830012209 20170809081125 56445 icann.org.
        rPURe+sfaBHZccMmpr1sqTzKgxnehYE5D4jt+ndGLKS0yq91EvX/Ktmk
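The post above ends without a diagnosis. As an added example (not code from the post or from BIND), the Python below shows the triage a practitioner runs on such output: parse the dig response, compare the normal query with the same query issued with +cd (checking disabled) to separate a validation failure from an upstream resolution failure, and check each RRSIG's validity window against the query time. The embedded dig outputs are constructed samples modelled on the post, with example.org names and placeholder signature bodies; the first RRSIG's timestamps are the ones from the CNAME answer above.

```python
"""Triage of a validating resolver's SERVFAIL from dig text output.

Added example, not code from the post. Two outputs are needed: the normal
query (dig @localhost NAME A +dnssec) and the same query with +cd, which
asks the resolver to answer without validating. If +cd succeeds where the
normal query returned SERVFAIL, the resolver considers the data bogus; if
both fail, the lookup itself is broken. The RRSIG validity windows in the
+cd answer are then checked against the query time, since an expired or
not-yet-valid signature (or a skewed clock) is the cheapest cause to rule out.
"""
import re
from datetime import datetime, timezone

# Thread date, used as the query time.
QUERY_TIME = datetime(2017, 8, 23, 12, 0, tzinfo=timezone.utc)

# Constructed sample: the shape of the SERVFAIL answer shown in the post.
SERVFAIL_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25178
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.example.org.\t\tIN\tA
"""

# Constructed sample of the same query with +cd. Names, the second RRSIG's
# timestamps and both signature bodies are placeholders; the first RRSIG's
# window is the one from the CNAME answer in the post.
CD_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31337
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.org.\t1747\tIN\tCNAME\twww.vip.example.org.
www.example.org.\t1747\tIN\tRRSIG\tCNAME 7 3 3600 20170830102924 20170809041125 56445 example.org. PLACEHOLDER=
www.vip.example.org.\t30\tIN\tA\t192.0.2.10
www.vip.example.org.\t30\tIN\tRRSIG\tA 7 4 30 20170801000000 20170701000000 56445 example.org. PLACEHOLDER=
"""

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<type>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)",
    re.M,
)


def _sigtime(stamp):
    """RRSIG inception/expiration are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_dig(text):
    """Extract RCODE, header flags and RRSIG metadata from dig's text output."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    flagset = set(flags.group(1).split()) if flags else set()
    rrsigs = [
        {"owner": m["owner"], "type": m["type"], "signer": m["signer"],
         "keytag": int(m["keytag"]),
         "inception": _sigtime(m["incept"]), "expiration": _sigtime(m["expire"])}
        for m in RRSIG_RE.finditer(text)
    ]
    return {"status": status.group(1) if status else None,
            "ad": "ad" in flagset, "cd": "cd" in flagset, "rrsigs": rrsigs}


def stale_signatures(parsed, now):
    """RRSIGs whose validity window does not contain `now`."""
    return [s for s in parsed["rrsigs"]
            if not (s["inception"] <= now <= s["expiration"])]


def diagnose(normal, with_cd, now):
    """Classify the failure from the normal and the +cd responses."""
    if normal["status"] == "NOERROR":
        return "secure" if normal["ad"] else "insecure"
    if normal["status"] != "SERVFAIL":
        return "unexpected status %s" % normal["status"]
    if with_cd["status"] != "NOERROR":
        return "resolution failure: the query also fails with +cd"
    stale = stale_signatures(with_cd, now)
    if stale:
        names = ", ".join("%s %s" % (s["owner"], s["type"]) for s in stale)
        return "bogus: RRSIG outside validity window for " + names
    return "bogus: validation failure; check the trust anchor and DS chain"


if __name__ == "__main__":
    print(diagnose(parse_dig(SERVFAIL_OUTPUT), parse_dig(CD_OUTPUT), QUERY_TIME))
```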

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Grant Taylor
On 08/23/2017 08:26 PM, John Levine wrote:
> Only if you want your mail to mysteriously disappear.  There are a lot
> of perfectly legitimate ways to send and route mail that SPF cannot
> describe.  Unless your name is Paypal or you are otherwise a giant
> phish target, -all is not what you want.

Yes, there are a number of ways that SPF's -all can bite you if you're
not aware of them and / or don't account for them.

I've been using SPF's -all for about 10 years and have had extremely few
problems because of it.

I've had FAR (multiple orders of magnitude) more problems with other
people breaking their SPF record and not being able to send me email because
my SPF filter honored what they published.

Despite the potential gotchas, I still believe that enabling SPF's -all
from the get go is a LOT easier than trying to retroactively enable it
after things are already in place.



-- 
Grant. . . .
unix || die
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Grant Taylor
On 08/23/2017 07:50 PM, Reindl Harald wrote:
> which means again: additional dns lookups while ip-adresses and ranges
> are done with a single lookup

Yes, it does mean additional lookups, which there are a finite number of.

> besides it's not true because SPF has nothing to do with PTR and they
> won't get https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
> how is that related to the topic at all?

It's my understanding that some SPF implementations will do a reverse
DNS lookup on the connecting IP and test the name from the PTR record
against the SPF record of the purported sending domain.

Thus the ability for Evil Spammer to arrange for the PTR record of their
server to return a name that is allowed via SPF.



-- 
Grant. . . .
unix || die


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread John Levine
This has nothing to do with BIND, but anyway.

In article  you write:
>I would personally try to use -all for new domains from the word go.

Only if you want your mail to mysteriously disappear.  There are a lot
of perfectly legitimate ways to send and route mail that SPF cannot
describe.  Unless your name is Paypal or you are otherwise a giant
phish target, -all is not what you want.

R's,
John


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Reindl Harald



On 24.08.2017 at 03:31, bind-us...@gtaylor.tnetconsulting.net wrote:
> On 08/23/2017 05:47 PM, Reindl Harald wrote:
>> arrakis.thelounge.net.  86399   IN  SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
>>
>> prometheus.thelounge.net. 86399 IN  SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
>>
>> otherwise only @example.com *itself* is protected from forging, our
>> homegrown DNS backend automatically publishes SPF records for every
>> hostname in every domain
>
> This might be a case to use the include so that each host can include
> (read: pull in) the SPF record for the parent domain.

which means again: additional dns lookups while ip-addresses and ranges
are done with a single lookup

> Obviously it depends on how your infrastructure is configured.

in case that stuff is generated - see above

>> also avoid "v=spf1 mx" - why?
>> because it's a useless DNS lookup on the receiver
>> publish ip-addresses whenever possible - the connecting IP is known for
>> free, the MX is not relevant on the destination server when receiving
>> email as long as you force the lookup by careless SPF records
>
> I think that it may be possible for someone to publish a PTR record in
> their IP space that reverse resolves to a name of one of your MX
> servers.  Thereby allowing their bogus server to send email as you

besides it's not true because SPF has nothing to do with PTR and they
won't get https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
how is that related to the topic at all?



Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Grant Taylor

On 08/23/2017 07:31 PM, bind-us...@gtaylor.tnetconsulting.net wrote:
> I think that it may be possible for someone to publish a PTR record in
> their IP space that reverse resolves to a name of one of your MX
> servers.  Thereby allowing their bogus server to send email as you.

It is conceptually possible for SPF filters to do a Forward Confirmation
of a Reverse DNS lookup (a.k.a. FCrDNS), but I wouldn't hold my breath
for such.




--
Grant. . . .
unix || die


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread bind-users

On 08/23/2017 05:47 PM, Reindl Harald wrote:
> arrakis.thelounge.net.  86399   IN  SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
>
> prometheus.thelounge.net. 86399 IN  SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"
>
> otherwise only @example.com *itself* is protected from forging, our
> homegrown DNS backend automatically publishes SPF records for every
> hostname in every domain

This might be a case to use the include so that each host can include
(read: pull in) the SPF record for the parent domain.

Obviously it depends on how your infrastructure is configured.

> also avoid "v=spf1 mx" - why?
> because it's a useless DNS lookup on the receiver
> publish ip-addresses whenever possible - the connecting IP is known for
> free, the MX is not relevant on the destination server when receiving
> email as long as you force the lookup by careless SPF records

I think that it may be possible for someone to publish a PTR record in
their IP space that reverse resolves to a name of one of your MX
servers.  Thereby allowing their bogus server to send email as you.




--
Grant. . . .
unix || die






Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Reindl Harald



On 23.08.2017 at 22:59, Tom Browder wrote:
> On Wed, Aug 23, 2017 at 2:28 PM, Tom Browder  wrote:
> ...
>> I have a single remote server with one IP address (142.54.186.2) I am using
>> it to host multiple, independent domains.  I am working on configuring a
>> single postfix instance to serve mail for all domains (assuming I can
>> successfully rewrite appropriate parts of mail in and out).
>>
>> Given such a configuration described in the first paragraph, does the
>> following set of DNS records for a domain look appropriate:
>
> Based on all the comments, I've modified the OP list to this:
>
> # For each domain X.TLD:
> X.TLD.     IN   A     142.54.186.2.
> *.X.TLD.   IN   CNAME X.TLD.
> X.TLD.     IN   MX    10 X.TLD.
> X.TLD.     IN   TXT   "v=spf1 mx ?all"
>
> How's that set?

terrible - the wildcard would allow forged mail with "@a.x.tld",
"@b.x.tld" and so on and the "?all" SPF is completely useless

why is it important to not allow random hostnames?

because you should have SPF records for every valid hostname
http://www.openspf.org/FAQ/Common_mistakes
http://www.openspf.org/FAQ/Common_mistakes#helo

arrakis.thelounge.net.  86399   IN  SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"

prometheus.thelounge.net. 86399 IN  SPF "v=spf1 a ip4:91.118.73.0/24 ip4:95.129.202.170 -all"

otherwise only @example.com *itself* is protected from forging, our
homegrown DNS backend automatically publishes SPF records for every
hostname in every domain

also avoid "v=spf1 mx" - why?
because it's a useless DNS lookup on the receiver
publish ip-addresses whenever possible - the connecting IP is known for
free, the MX is not relevant on the destination server when receiving
email as long as you force the lookup by careless SPF records



Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Reindl Harald


On 23.08.2017 at 21:58, John Miller wrote:
> Finally, be _very_ careful about using the SPF qualifier "-all" to
> start out with.  What you're saying there is that the only server
> authorized to _send_ mail for X.TLD is the one listed in the MX.
> Unless people are always logging directly into the mail server to
> send, you're better off with "~all" or "?all" to begin with

for the sake of god don't use "?all"
in that case you can skip SPF completely

why?

because a receiver can't use a whitelist based on SPF because
whitelist_auth in SpamAssassin just skips an "I do not care about SPF"
record while "~all" qualifies for SPF_PASS and whitelisting while the
scoring of a SPF_SOFT_FAIL is much lower than SPF_FAIL

"?all" is the same as not having a SPF record at all in reality

and in 2017 people *have* to use the submission server which belongs to
a domain and not any random one while any random one should not allow to
send mail with a foreign envelope to start with - all that crap servers
should be banned from the internet and spamfiltering would become so
much easier



Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 17:32 Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
...

> I would encourage you to contemplate adding DNSSEC support.  DNSSEC will
> enable multiple other options down the road.


I plan to do all that, including running my own nameservers with bind. But
that is down the road a bit. This a hobby and I can only put so much time
in with each kitchen pass!

Thanks.

-Tom

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 17:25 Alan Clegg  wrote:

> Now you broke the A record.  Get rid of the trailing dot.
>

Done.

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Grant Taylor via bind-users

On 08/23/2017 01:28 PM, Tom Browder wrote:
> Given such a configuration described in the first paragraph, does the
> following set of DNS records for a domain look appropriate:
>
> # For each domain X.TLD:
> X.TLD.     IN   A     142.54.186.2.
> *.X.TLD.   IN   CNAME X.TLD.
> X.TLD.     IN   MX    10   142.54.186.2.
> X.TLD.     IN   TXT   "v=spf1 mx -all"


I would encourage you to contemplate adding DNSSEC support.  DNSSEC will 
enable multiple other options down the road.


Further, BIND makes it trivial to have it manage most of DNSSEC for you.

Don't forget your obligatory SOA and NS records for the zones themselves.

You may end up adding TXT records to authenticate your site for various 
Google services.


Depending on what you're doing for SSL certificates, you may be 
interested in CAA records to publish which CA is allowed to issue 
certificates for you.  Possibly DNS based authentication for Let's 
Encrypt via TXT records at the _acme-challenge.example.com name.


You may end up creating various additional TXT records for things like 
DMARC / DKIM.


Finally, I personally like to use Tarbaby from Junk Email Filter as a 
high order MX (99) to help cut down on spam.




--
Grant. . . .
unix || die




Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Grant Taylor

On 08/23/2017 02:59 PM, Tom Browder wrote:
> Based on all the comments, I've modified the OP list to this:
>
> # For each domain X.TLD:
> X.TLD.     IN   A     142.54.186.2.
> *.X.TLD.   IN   CNAME X.TLD.
> X.TLD.     IN   MX    10 X.TLD.
> X.TLD.     IN   TXT   "v=spf1 mx ?all"
>
> How's that set?


I would suggest that you point your MX record(s) to a hostname and not 
the domain name itself.


Using the hostname will allow you to move email if (read: when) you ever 
need to move it to another server.  -  I.e. you can move 
mail.example.com to a different server without having to worry about 
reconfiguring everything that was using example.com.


Similarly, I always used smtp.example.com for outgoing and 
pop3.example.com and / or imap.example.com for incoming email servers.


Start with something that will be flexible and allow you to change as
you grow in the future.  -  Even if growth is simply replacing the aging
server in five years with its new counterpart.




--
Grant. . . .
unix || die




Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Grant Taylor via bind-users

On 08/23/2017 01:58 PM, John Miller wrote:
> Finally, be _very_ careful about using the SPF qualifier "-all" to
> start out with.  What you're saying there is that the only server
> authorized to _send_ mail for X.TLD is the one listed in the MX.
> Unless people are always logging directly into the mail server to
> send, you're better off with "~all" or "?all" to begin with.


I agree that ~all or ?all is good advice for existing domains.

I would personally try to use -all for new domains from the word go.

Brand new domains give you the unique opportunity of doing things
correctly without any legacy ... cruft ... to support / be compatible with.


So if you want to end up with a -all, I'd suggest starting with it.



--
Grant. . . .
unix || die




Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread John Levine
In article  you write:
>> X.TLD   IN   MX   10 mail.example.com.
>>
>> is perfectly valid, and quite common for people who don't host their own 
>> e-mail.
>
>Okay, but for now each domain will have its one mail server.

If you have one host with one IP, I hope you have one mail server
since only one process can listen on port 25 on a single IP.  Any
normal mail server can host mail for many domains.  My little 1U
server handles 140 different mail domains and it certainly isn't
listening on 140 IPs.

>> Also, why the wildcard CNAME record?  It's definitely not essential to
>> your example.
>
>I believe it will be needed for my wild card TLS certificates.

Nope.  You can have a *.example.com certificate and set up your DNS
and web server for specific names foo.example.com and bar.example.com
and however many others you actually use.

Unless you have special coding in your web sites to handle arbitrary
random domain names, you will probably give people a lot of mysterious
404 pages when they try names you haven't configured.

>Good point, I'll change to "?all" instead.

Right, -all is asking for trouble.

R's,
John


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 2:28 PM, Tom Browder  wrote:
...
> I have a single remote server with one IP address (142.54.186.2) I am using
> it to host multiple, independent domains.  I am working on configuring a
> single postfix instance to serve mail for all domains (assuming I can
> successfully rewrite appropriate parts of mail in and out).
>
> Given such a configuration described in the first paragraph, does the
> following set of DNS records for a domain look appropriate:

Based on all the comments, I've modified the OP list to this:

# For each domain X.TLD:
X.TLD.     IN   A     142.54.186.2.
*.X.TLD.   IN   CNAME X.TLD.
X.TLD.     IN   MX    10 X.TLD.
X.TLD.     IN   TXT   "v=spf1 mx ?all"

How's that set?

-Tom


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 2:58 PM, John Miller  wrote:
> Hi Tom,
>
> You'll want to change your MX records to point to the name, rather
> than the IP, of your mail server.  Note that your MX target does _not_
> have to be in the same domain as the one it's serving mail for.  For
> example:
>
> X.TLD   IN   MX   10 mail.example.com.
>
> is perfectly valid, and quite common for people who don't host their own 
> e-mail.

Okay, but for now each domain will have its one mail server.

> If you give us some specific domain names that you're hosting for,
> we'll be able to help further.

Okay, I'll do that if necessary.

> Also, why the wildcard CNAME record?  It's definitely not essential to
> your example.

I believe it will be needed for my wild card TLS certificates.

> Finally, be _very_ careful about using the SPF qualifier "-all" to
> start out with.  What you're saying there is that the only server
> authorized to _send_ mail for X.TLD is the one listed in the MX.
> Unless people are always logging directly into the mail server to
> send, you're better off with "~all" or "?all" to begin with.

Good point, I'll change to "?all" instead.

Thanks, John.

-Tom


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 2:54 PM, Alan Clegg  wrote:
> MX record needs a name and not an IP address.  Beyond that, seems fine.

Thanks, Alan.

-Tom


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 3:01 PM,   wrote:
> MX records cannot point to an IP address.  try this:
>
> x.tld   MX  10  x.tld.

Thanks, William!

-Tom


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
On Wed, Aug 23, 2017 at 14:54 McDonald, Daniel (Dan)  wrote:
>
> I don’t believe you can use an IP address in an MX record.  You should use 
> X.TLD instead, or more likely whatever the main address of the server is 
> (whatever the reverse address resolves to)'
...
> You don’t have an SOA record, or NS records.  Those are also required,

I should have been a little clearer about the DNS server: I'm using
Namecheap so some things like SOA and NS records are done using their
entry form.

I'll change the MX record.

Thanks, Dan!

-Tom

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread wbrown
MX records cannot point to an IP address.  try this:

x.tld   MX  10  x.tld.

--
William Brown
Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285

"bind-users"  wrote on 08/23/2017 03:28:12 PM:

> From: Tom Browder 
> To: bind-users@lists.isc.org
> Date: 08/23/2017 03:29 PM
> Subject: Need DNS records help for single server (and IP), and 
> multi-domain mail server.
> Sent by: "bind-users" 
> 
> I have a single remote server with one IP address (142.54.186.2) I
> am using it to host multiple, independent domains.  I am working on
> configuring a single postfix instance to serve mail for all domains
> (assuming I can successfully rewrite appropriate parts of mail in and
> out).
>
> From referring to "DNS and BIND" and previous discussions here and
> on the postfix users list I have re-examined my domain DNS records
> to see if I can cover my requirements more easily.
>
> Given such a configuration described in the first paragraph, does
> the following set of DNS records for a domain look appropriate:
>
> # For each domain X.TLD:
> X.TLD.     IN   A     142.54.186.2.
> *.X.TLD.   IN   CNAME X.TLD.
> X.TLD.     IN   MX    10   142.54.186.2.
> X.TLD.     IN   TXT   "v=spf1 mx -all"
> 
> Thanks.
> 
> With warmest regards,
> 
> -Tom
> 


Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread John Miller
Hi Tom,

You'll want to change your MX records to point to the name, rather
than the IP, of your mail server.  Note that your MX target does _not_
have to be in the same domain as the one it's serving mail for.  For
example:

X.TLD   IN   MX   10 mail.example.com.

is perfectly valid, and quite common for people who don't host their own e-mail.

If you give us some specific domain names that you're hosting for,
we'll be able to help further.

Also, why the wildcard CNAME record?  It's definitely not essential to
your example.

Finally, be _very_ careful about using the SPF qualifier "-all" to
start out with.  What you're saying there is that the only server
authorized to _send_ mail for X.TLD is the one listed in the MX.
Unless people are always logging directly into the mail server to
send, you're better off with "~all" or "?all" to begin with.

John

On Wed, Aug 23, 2017 at 3:28 PM, Tom Browder  wrote:
> I have a single remote server with one IP address (142.54.186.2) I am using
> it to host multiple, independent domains.  I am working on configuring a
> single postfix instance to serve mail for all domains (assuming I can
> successfully rewrite appropriate parts of mail in and out).
>
> From referring to "DNS and BIND" and previous discussions here and on the
> postfix users list I have re-examined my domain DNS records to see if I can
> cover my requirements more easily.
>
> Given such a configuration described in the first paragraph, does the
> following set of DNS records for a domain look appropriate:
>
> # For each domain X.TLD:
> X.TLD.     IN   A     142.54.186.2.
> *.X.TLD.   IN   CNAME X.TLD.
> X.TLD.     IN   MX    10   142.54.186.2.
> X.TLD.     IN   TXT   "v=spf1 mx -all"
>
> Thanks.
>
> With warmest regards,
>
> -Tom
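What each qualifier actually yields for a connecting IP, and what the mx, a and include mechanisms cost the receiver in DNS lookups (the lookup-cost argument Reindl makes earlier on this page, and John Miller's reading of -all just above), as an added example that is not code from the thread or from any SPF library: a minimal SPF evaluator in Python over a constructed in-memory zone table. The x.tld records mirror Tom's proposal; the example.org records, hosts and addresses are constructed, and only the mechanisms used in the thread (a, mx, ip4, include, all) are implemented.

```python
"""Minimal SPF evaluator (added example; not from the thread or any library).

Evaluates the SPF record of a MAIL FROM domain for a connecting IP against
a constructed in-memory zone table and counts the DNS queries the receiver
had to issue to reach a verdict. Mechanisms beyond a, mx, ip4, include and
all yield permerror here.
"""
import ipaddress

# Constructed zone data (no network). x.tld mirrors Tom's proposal; the
# example.org records use documentation address ranges.
DNS = {
    # Tom's record: the MX points at the domain itself, neutral "?all".
    ("x.tld", "TXT"): ["v=spf1 mx ?all"],
    ("x.tld", "MX"): ["x.tld"],
    ("x.tld", "A"): ["142.54.186.2"],
    # Reindl-style per-host record: explicit addresses and a hard fail.
    ("mail.example.org", "TXT"): ["v=spf1 a ip4:192.0.2.0/24 ip4:198.51.100.17 -all"],
    ("mail.example.org", "A"): ["198.51.100.17"],
    # Grant's suggestion: a host pulls in the parent domain's record.
    ("example.org", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("www.example.org", "TXT"): ["v=spf1 include:example.org -all"],
    # The softfail variant John Miller recommends for existing domains.
    ("legacy.example.org", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms


def lookup(name, rtype, cost):
    """Read the constructed table, charging one query per access."""
    cost["queries"] += 1
    return DNS.get((name, rtype), [])


def host_has_ip(name, ip, cost):
    return any(ipaddress.ip_address(a) == ip for a in lookup(name, "A", cost))


def check_spf(domain, client_ip, cost=None):
    """Return (result, cost); cost counts queries and DNS-querying terms."""
    cost = cost if cost is not None else {"queries": 0, "terms": 0}
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup(domain, "TXT", cost) if t.split(" ", 1)[0] == "v=spf1"]
    if len(records) != 1:
        return ("none" if not records else "permerror"), cost
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("a", "mx", "include"):
            cost["terms"] += 1
            if cost["terms"] > TERM_LIMIT:
                return "permerror", cost
        if mech == "all":
            matched = True
        elif mech == "ip4":
            # No query at all: the connecting IP is already known to the receiver.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_has_ip(arg or domain, ip, cost)
        elif mech == "mx":
            # One query for the MX set, then one A query per MX host until a hit.
            matched = any(host_has_ip(mx, ip, cost) for mx in lookup(arg or domain, "MX", cost))
        elif mech == "include":
            sub, _ = check_spf(arg, client_ip, cost)  # shares the lookup budget
            if sub in ("none", "permerror"):
                return "permerror", cost
            matched = sub == "pass"
        else:
            return "permerror", cost
        if matched:
            return QUALIFIER[qual], cost
    return "neutral", cost  # fell off the end without an explicit "all"


if __name__ == "__main__":
    for domain, ip in [("x.tld", "142.54.186.2"), ("x.tld", "203.0.113.9"),
                       ("mail.example.org", "203.0.113.9"),
                       ("www.example.org", "192.0.2.5"),
                       ("legacy.example.org", "203.0.113.9")]:
        result, cost = check_spf(domain, ip)
        print("%-20s %-14s %-8s %d queries" % (domain, ip, result, cost["queries"]))
```

The "?all" record answers neutral for an unknown sender after the same three queries the legitimate sender needed, which is why Reindl calls it equivalent to having no record; the ip4-only record settles the same question with the single query for the record itself.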


Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Tom Browder
I have a single remote server with one IP address (142.54.186.2) I am using
it to host multiple, independent domains.  I am working on configuring a
single postfix instance to serve mail for all domains (assuming I can
successfully rewrite appropriate parts of mail in and out).

From referring to "DNS and BIND" and previous discussions here and on the
postfix users list I have re-examined my domain DNS records to see if I can
cover my requirements more easily.

Given such a configuration described in the first paragraph, does the
following set of DNS records for a domain look appropriate:

# For each domain X.TLD:
X.TLD.     IN   A     142.54.186.2.
*.X.TLD.   IN   CNAME X.TLD.
X.TLD.     IN   MX    10   142.54.186.2.
X.TLD.     IN   TXT   "v=spf1 mx -all"

Thanks.

With warmest regards,

-Tom