Re: DNAME usage?

2017-11-21 Thread Timothe Litt
On 17-Nov-17 18:04, Mark Andrews wrote:
> DYN used to just require a TSIG signed update request set to a server 
> specified in
> a SRV record.
Depends on which service.  The one I referred to is the one that was
popular (free) for people who wanted to reach a machine on a dynamic IP
address.  Because it was popular, it was implemented in a number of
routers, including Linksys (low end) and Cisco (IOS).  I believe they
discontinued the free version, but the protocol lives on.

It's worse than DNS UPDATE in a number of respects - but is trivial to
implement in a router or script as the core is just an HTTP GET.
>
> We have a perfectly fine protocol for updating the DNS but DNS hosting 
> companies
> want to reinvent the wheel.
Agree. I wish that the DNS UPDATE protocol was the only one in the
wild.  Unfortunately, (non-jail broken) routers don't provide that
option, but do provide the http ("dyn") version.  So if you want to use
a service that requires it - or want to bridge a router that supports it
to DNS UPDATE, some invention is required.  I outlined an approach that
works for me.

For reference, cisco's IOS (now) supports both methods - to some extent.

See
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/15-sy/dns-15-sy-book/Dynamic-DNS-Support.html#GUID-DCA9088D-EB90-46DE-9E33-306C30BB79CE

And from that page, here's the reference to dyndns (you can change the
URI for other http services; it lists 6 others)

add

http://test:t...@members.dyndns.org/nic/update?system=dyndns==

I use https, of course.

Naturally, IOS doesn't support TSIG - so DNS UPDATE from it has to be
authorized by IP address. :-(

2136/7 have been around since 1997, so there's really no excuse for DNS
providers not to support them.

But we live in a world of excuses :-(



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
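The bridge described in the message above (a router that only speaks the dyndns HTTP protocol, pointed at a script you control, which then performs the DNS UPDATE), worked through as an added Python example; this is not code from the thread or from any of its posters. It assumes an HTTPS front end hands the request target, the Authorization header and the peer address to handle_update(); the hostname home.example.net, the zone, the server address, the key file path and the credentials are invented for the example, and the UPDATE is handed to `nsupdate -k` with a TSIG key so the script never has to implement the wire protocol itself.

```python
"""Bridge the dyndns-style HTTP update protocol to RFC 2136 DNS UPDATE.

Added example, not code from the thread or from any of its posters. A router
that only speaks the dyndns protocol is pointed at this endpoint instead of
members.dyndns.org; the endpoint authenticates the request, validates the
hostname and address, and hands a TSIG-signed UPDATE to BIND's nsupdate(8).
Assumptions: an HTTPS front end passes the request target, Authorization
header and peer address to handle_update(); the names, zone, server, key
file and credentials below are invented for the example.
"""
import base64
import hmac
import ipaddress
import subprocess
from urllib.parse import parse_qs, urlsplit

# Assumed configuration: one credential per hostname a router may change.
ALLOWED_HOSTS = {"home.example.net": ("router", "s3cret-example")}
ZONE = "example.net."
SERVER = "127.0.0.1"                       # primary that accepts TSIG updates
KEYFILE = "/etc/bind/router-update.key"    # assumed: output of tsig-keygen
TTL = 60


def basic_auth_header(user, password):
    """Build the Authorization header a router sends (used by the demo)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header):
    """Return (user, password) from an HTTP Basic header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def handle_update(request_target, auth_header, peer_ip):
    """Validate one GET /nic/update request.

    Returns (code, hostname, ip); code is a dyndns reply code ('good',
    'badauth' or '911'). Each credential can change exactly one name, so a
    password pulled out of a router's config cannot rewrite the rest of the
    zone the way a shared zone-wide key could.
    """
    url = urlsplit(request_target)
    if url.path != "/nic/update":
        return ("911", None, None)
    params = parse_qs(url.query)
    hostname = params.get("hostname", [""])[0].strip().rstrip(".").lower()

    creds = parse_basic_auth(auth_header)
    expected = ALLOWED_HOSTS.get(hostname)
    if creds is None or expected is None:
        # Unknown names get 'badauth' too, so callers cannot enumerate them.
        return ("badauth", None, None)
    # Compare both fields in constant time and without short-circuiting.
    ok = (hmac.compare_digest(creds[0].encode(), expected[0].encode())
          & hmac.compare_digest(creds[1].encode(), expected[1].encode()))
    if not ok:
        return ("badauth", None, None)

    # myip is optional in the protocol; default to the connecting address,
    # which behind NAT is exactly the public address we want to publish.
    try:
        addr = ipaddress.ip_address(params.get("myip", [peer_ip])[0])
    except ValueError:
        return ("911", None, None)
    if addr.is_multicast or addr.is_loopback or addr.is_unspecified:
        return ("911", None, None)   # production code would also require is_global
    return ("good", hostname, str(addr))


def nsupdate_script(hostname, ip):
    """Render the nsupdate(8) commands that replace the name's address RRset."""
    rrtype = "AAAA" if ipaddress.ip_address(ip).version == 6 else "A"
    return "\n".join([
        f"server {SERVER}",
        f"zone {ZONE}",
        f"update delete {hostname}. {rrtype}",
        f"update add {hostname}. {TTL} {rrtype} {ip}",
        "send",
        "",
    ])


def reply_text(code, ip):
    """Body the router expects: 'good <ip>' on success, the bare code otherwise."""
    return f"{code} {ip}" if code == "good" else code


def apply_update(hostname, ip):
    """Sign and send the UPDATE with the TSIG key in KEYFILE (needs nsupdate)."""
    subprocess.run(["nsupdate", "-k", KEYFILE],
                   input=nsupdate_script(hostname, ip), text=True, check=True)


if __name__ == "__main__":
    # Constructed request, as a router would send it through the HTTPS front end.
    target = "/nic/update?hostname=home.example.net&myip=203.0.113.10"
    code, host, ip = handle_update(
        target, basic_auth_header("router", "s3cret-example"), "203.0.113.10")
    print(reply_text(code, ip))
    if code == "good":
        print(nsupdate_script(host, ip))   # apply_update(host, ip) would send it
```

Point the router's update URL at this endpoint (the IOS `add http://...` line above is where that URL goes), and give the TSIG key in KEYFILE an update-policy in named.conf that grants it only the name it is allowed to change. That per-name scoping is what the TSIG route gives you and what authorising updates by source IP address, the only option an IOS DNS UPDATE client has, cannot.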

Re: Re: DNAME usage?

2017-11-17 Thread Jeff Sadowski
On Fri, Nov 17, 2017 at 2:36 PM, Timothe Litt  wrote:
>
> On 17-Nov-17 14:48, Mark Andrews wrote:
>
> Alternatively use a http server that can update the records for the
> interfaces it is listening on.
>
> This sort of thing is possible. Named gets informed by the OS when addresses
> get added and removed. It currently just adds and removes listening sockets
> but you could trigger other actions like sending dynamic dns updates.
>
> Unless you ask for the functionality it won’t be added.
>
>
> --
> Mark Andrews
>
> On 18 Nov 2017, at 06:38, Mark Andrews  wrote:
>
> Just have the machine hosting the http server do a dynamic update of the A
> and AAAA records when they are assigned to the interface.
>
> It should be possible to get the os to run a program when this happens so it
> can perform a second dynamic update on the different name.
>
> --
> Mark Andrews
>
> We don't have the whole story from the OP, but in the typical configuration
> that prompts this question, neither will solve the problem.  The problem is
> that the dhcp client and http server are likely not the same machine.
>
You are correct sir. :-)

> If you have a dynamic IP(v4) address & want to update DNS for a server, it's
> probably NATed (by a router) before the HTTP server sees it.
>
All clients accessing the web server are also in the NAT, so this
shouldn't matter.

> The HTTP server always listens on the inside NAT address.  So it won't see
> an address change on its interface.
>
No, it sees a change when rebooted. The other issue is when it is
cloned and renamed: it is then two different machines, which currently
have it autogen a new zone and DNAME with the Windows 2008r2 method.

> The router implementing NAT is what will get the dynamic address, from an
> ISP.  If it's a sealed box, it probably has support for updating DNS -
> though it's typically the dyndns protocol, not DNS update.  (Assuming the
> ISP hasn't disabled the feature.)  This is what dyndns, NO-IP, & others use.
> If you can modify the URL that it uses, you can point it to your own script,
> which then does a DNS UPDATE transaction.  I use this approach with Cisco
> IOS routers - though many others allow this - and still others can be fooled
> (e.g. with a HOSTS entry for one of the update servers).  What's nice about
> this is that you don't have to jailbreak or modify anything.  Just pretend
> to be an update service.
>
> If you're using a jailbroken or other Linux router, and it happens to be the
> same physical machine as HTTP server, it could look for routing updates on
> the external interface.  I don't think this is a common case (except for
> jailbroken routers - like OpenWRT).
>
> Most often, the HTTP server is on a separate machine and LAN - it can't see
> the external interface that gets the dynamic address.
>
> When the router won't notify someone about address changes, the usual
> solution is for something behind the NAT to poll an external public server
> for your IP address, then use the result to initiate a DNS UPDATE.  (e.g. A
> local script asks the external server to return the IP address that
> contacted it. (REMOTE_ADDR))  There are a bunch of services and scripts for
> this.  Most of the scripts update a DNS provider with the dyndns protocol
> (others use it).  The nicer "what's my IP address" scripts return json.  But
> changing them to do DNS UPDATE is pretty simple - See Net::DNS if you're a
> Perl person.
>
> If you have more than one site - or a friend - and prefer to be independent,
> you can easily write your own CGI scripts to return the other's IP address.
> echo "Content-Type: text/plain\nConnection:close\n\n$REMOTE_ADDR\n"; exit
> (If your friend doesn't have a static IP address, beware of deadlocks.)
>
> If you have access to the DHCP client's status (e.g. a leases file or some
> GUI or CLI on the router), you can sometimes get the external address from
> there.
>
> A web search for "dynamic IP update script" will turn up lots of resources -
> scripts & services.
>
> A drawback with polling solutions is that they're not instantaneous - you
> get the polling delay on top of whatever minimum TTL the DNS service
> imposes.  (And there are limits on how fast you can - or would want to -
> poll.)  That's fine for home hobbyists - especially since dynamic IP
> addresses are often stable for a VERY long time.  But I would be careful
> about running a business or other critical server where DNS updates lag
> address changes.
>
> So get a router that talks some dynamic update protocol and go from there.
> That minimizes the delay, and avoids having to retrieve your public address
> from an external source.
>
> https://help.dyn.com/remote-access-api/perform-update/ defines the dyndns
> update protocol - writing a server is straightforward.
>
> Of course if you have IPv6 - and are getting a dynamic address - you don't
> have to deal with NAT.  In that case, you can certainly have dhclient or
> RTNETLINK (see ip 

Re: DNAME usage?

2017-11-17 Thread Jeff Sadowski
Can you give me an example of how to do that?

On Fri, Nov 17, 2017 at 12:48 PM, Mark Andrews  wrote:
> Alternatively use a http server that can update the records for the 
> interfaces it is listening on.
>
> This sort of thing is possible. Named gets informed by the OS when addresses 
> get added and removed. It currently just adds and removes listening sockets 
> but you could trigger other actions like sending dynamic dns updates.
>
> Unless you ask for the functionality it won’t be added.
>
>
> --
> Mark Andrews
>
>> On 18 Nov 2017, at 06:38, Mark Andrews  wrote:
>>
>> Just have the machine hosting the http server do a dynamic update of the A 
>> and AAAA records when they are assigned to the interface.
>>
>> It should be possible to get the os to run a program when this happens so it 
>> can perform a second dynamic update on the different name.
>>
>> --
>> Mark Andrews
>>
>>> On 18 Nov 2017, at 04:19, Jeff Sadowski  wrote:
>>>
>>> I am a bit confused by DNAMEs
>>> I had used them before but I may have used them wrong.
>>>
>>> On windows 2008r2 I have some zones where I create a DNAME for the
>>> root and point it to an A record.
>>>
>>> IE:
>>>
>>> zone bla.bla
>>> SOA 
>>> NS 
>>> DNAME www.bla.com
>>>
>>> where www.bla.com is an A record.
>>>
>>> the reason I was doing this is because www.bla.com has a dhcp assigned 
>>> address
>>>
>>> and I want bla.bla to always point to it.
>>> windows dns does not allow a cname at the root of a zone.
>>>
>>> as of 2012r2 with updates this no longer works.
>>>
>>> So I decided to see what bind would do with DNAME If I tried a similar
>>> experiment
>>> I have a db.self file I used when I want certain outside addresses to
>>> point back to my inside addresses.
>>>
>>> my db.self file looks like so
>>>
>>>
>>> $TTL 3D
>>> @  1D  IN  SOA ns jeffsadowski.gmail.com. (
>>> 2017081201 ;
>>> 3H ;
>>> 15 ;
>>> 1w ;
>>> 3h ;
>>>)
>>> @ IN NS ns
>>> ns IN A 192.168.1.252
>>> @ IN A 192.168.1.252
>>>
>>> And I want similar for my DNAME so I created db.dname that looks like so
>>>
>>> $TTL 3D
>>> @  1D  IN  SOA ns jeffsadowski.gmail.com. (
>>> 2017081201 ;
>>> 3H ;
>>> 15 ;
>>> 1w ;
>>> 3h ;
>>>)
>>> @ IN NS ns
>>> ns IN A 192.168.1.252
>>> @ IN DNAME methanemaker.mooo.com
>>>
>>> then when I try and start bind I get error messages like so
>>>
>>> Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: NS
>>> 'ns.bla.bla' is below a DNAME 'bla.bla' (illegal)
>>> Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: not loaded
>>> due to errors.
>>>
>>> I tried without the NS lines and I get this message
>>>
>>> Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: has no NS records
>>> Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: not loaded
>>> due to errors.
>>>
>>> If anyone has a better idea how to map to a dhcp addressed machine
>>> from a zone I'd like to know.
>>>
>>> I don't want to recreate the entire superdomain for just one record
>>> that needs changed
>>> IE:
>>> the super domain is managed by an outside service. I don't want to
>>> keep a second copy inside that has a few with different records.

Re: DNAME usage?

2017-11-17 Thread Mark Andrews
DYN used to just require a TSIG signed update request set to a server specified 
in
a SRV record.

We have a perfectly fine protocol for updating the DNS but DNS hosting companies
want to reinvent the wheel.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: Re: DNAME usage?

2017-11-17 Thread Timothe Litt

On 17-Nov-17 14:48, Mark Andrews wrote:
> Alternatively use a http server that can update the records for the 
> interfaces it is listening on. 
>
> This sort of thing is possible. Named gets informed by the OS when addresses 
> get added and removed. It currently just adds and removes listening sockets 
> but you could trigger other actions like sending dynamic dns updates.
>
> Unless you ask for the functionality it won’t be added.
>
>
> --
> Mark Andrews
>
>> On 18 Nov 2017, at 06:38, Mark Andrews  wrote:
>>
>> Just have the machine hosting the http server do a dynamic update of the A 
>> and AAAA records when they are assigned to the interface.
>>
>> It should be possible to get the os to run a program when this happens so it 
>> can perform a second dynamic update on the different name.
>>
>> -- 
>> Mark Andrews
We don't have the whole story from the OP, but in the typical
configuration that prompts this question, neither will solve the
problem.  The problem is that the dhcp client and http server are likely
not the same machine.

If you have a dynamic IP(v4) address & want to update DNS for a server,
it's probably NATed (by a router) before the HTTP server sees it.

The HTTP server always listens on the inside NAT address.  So it won't
see an address change on its interface.

The router implementing NAT is what will get the dynamic address, from
an ISP.  If it's a sealed box, it probably has support for updating DNS
- though it's typically the dyndns protocol, not DNS update.  (Assuming
the ISP hasn't disabled the feature.)  This is what dyndns, NO-IP, &
others use.  If you can modify the URL that it uses, you can point it to
your own script, which then does a DNS UPDATE transaction.  I use this
approach with Cisco IOS routers - though many others allow this - and
still others can be fooled (e.g. with a HOSTS entry for one of the
update servers).  What's nice about this is that you don't have to
jailbreak or modify anything.  Just pretend to be an update service. 

If you're using a jailbroken or other Linux router, and it happens to be
the same physical machine as HTTP server, it could look for routing
updates on the external interface.  I don't think this is a common case
(except for jailbroken routers - like OpenWRT).

Most often, the HTTP server is on a separate machine and LAN - it can't
see the external interface that gets the dynamic address.

When the router won't notify someone about address changes, the usual
solution is for something behind the NAT to poll an external public
server for your IP address, then use the result to initiate a DNS
UPDATE.  (e.g. A local script asks the external server to return the IP
address that contacted it. (REMOTE_ADDR))  There are a bunch of services
and scripts for this.  Most of the scripts update a DNS provider with
the dyndns protocol (others use it).  The nicer "what's my IP address"
scripts return json.  But changing them to do DNS UPDATE is pretty
simple - See Net::DNS if you're a Perl person.

If you have more than one site - or a friend - and prefer to be
independent, you can easily write your own CGI scripts to return the
other's IP address.  echo "Content-Type:
text/plain\nConnection:close\n\n$REMOTE_ADDR\n"; exit  (If your friend
doesn't have a static IP address, beware of deadlocks.)

If you have access to the DHCP client's status (e.g. a leases file or
some GUI or CLI on the router), you can sometimes get the external
address from there. 

A web search for "dynamic IP update script" will turn up lots of
resources - scripts & services.

A drawback with polling solutions is that they're not instantaneous -
you get the polling delay on top of whatever minimum TTL the DNS service
imposes.  (And there are limits on how fast you can - or would want to -
poll.)  That's fine for home hobbyists - especially since dynamic IP
addresses are often stable for a VERY long time.  But I would be careful
about running a business or other critical server where DNS updates lag
address changes.

So get a router that talks some dynamic update protocol and go from
there.  That minimizes the delay, and avoids having to retrieve your
public address from an external source.

https://help.dyn.com/remote-access-api/perform-update/ defines the
dyndns update protocol - writing a server is straightforward.

Of course if you have IPv6 - and are getting a dynamic address - you
don't have to deal with NAT.  In that case, you can certainly have
dhclient or RTNETLINK (see ip monitor) trigger a script.  

But note that in the problem statement is:
> the super domain is managed by an outside service. 
This probably makes the OP's life more difficult.  Those services tend
not to support DNS UPDATE (or even dyndns update).  In that case, you're
into using curl/wget to submit forms to their web GUI.   And tracking their
"improvements".

Grief like that is why I ended up running my own DNS master server...and
getting static IP addresses for my central site. 

I guess I 

Re: DNAME usage?

2017-11-17 Thread Mark Andrews
Alternatively use a http server that can update the records for the interfaces 
it is listening on. 

This sort of thing is possible. Named gets informed by the OS when addresses 
get added and removed. It currently just adds and removes listening sockets but 
you could trigger other actions like sending dynamic dns updates.

Unless you ask for the functionality it won’t be added.


--
Mark Andrews

> On 18 Nov 2017, at 06:38, Mark Andrews  wrote:
> 
> Just have the machine hosting the http server do a dynamic update of the A 
> and AAAA records when they are assigned to the interface.
> 
> It should be possible to get the os to run a program when this happens so it 
> can perform a second dynamic update on the different name.
> 
> -- 
> Mark Andrews
> 
>> On 18 Nov 2017, at 04:19, Jeff Sadowski  wrote:
>> 
>> I am a bit confused by DNAMEs
>> I had used them before but I may have used them wrong.
>> 
>> On windows 2008r2 I have some zones where I create a DNAME for the
>> root and point it to an A record.
>> 
>> IE:
>> 
>> zone bla.bla
>> SOA 
>> NS 
>> DNAME www.bla.com
>> 
>> where www.bla.com is an A record.
>> 
>> the reason I was doing this is because www.bla.com has a dhcp assigned 
>> address
>> 
>> and I want bla.bla to always point to it.
>> windows dns does not allow a cname at the root of a zone.
>> 
>> as of 2012r2 with updates this no longer works.
>> 
>> So I decided to see what bind would do with DNAME If I tried a similar
>> experiment
>> I have a db.self file I used when I want certain outside addresses to
>> point back to my inside addresses.
>> 
>> my db.self file looks like so
>> 
>> 
>> $TTL 3D
>> @  1D  IN  SOA ns jeffsadowski.gmail.com. (
>> 2017081201 ;
>> 3H ;
>> 15 ;
>> 1w ;
>> 3h ;
>>)
>> @ IN NS ns
>> ns IN A 192.168.1.252
>> @ IN A 192.168.1.252
>> 
>> And I want similar for my DNAME so I created db.dname that looks like so
>> 
>> $TTL 3D
>> @  1D  IN  SOA ns jeffsadowski.gmail.com. (
>> 2017081201 ;
>> 3H ;
>> 15 ;
>> 1w ;
>> 3h ;
>>)
>> @ IN NS ns
>> ns IN A 192.168.1.252
>> @ IN DNAME methanemaker.mooo.com
>> 
>> then when I try and start bind I get error messages like so
>> 
>> Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: NS
>> 'ns.bla.bla' is below a DNAME 'bla.bla' (illegal)
>> Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: not loaded
>> due to errors.
>> 
>> I tried without the NS lines and I get this message
>> 
>> Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: has no NS records
>> Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: not loaded
>> due to errors.
>> 
>> If anyone has a better idea how to map to a dhcp addressed machine
>> from a zone I'd like to know.
>> 
>> I don't want to recreate the entire superdomain for just one record
>> that needs changed
>> IE:
>> the super domain is managed by an outside service. I don't want to
>> keep a second copy inside that has a few with different records.

Re: DNAME usage?

2017-11-17 Thread Mark Andrews
Just have the machine hosting the http server do a dynamic update of the A and
AAAA records when they are assigned to the interface.

It should be possible to get the os to run a program when this happens so it 
can perform a second dynamic update on the different name.

-- 
Mark Andrews

> On 18 Nov 2017, at 04:19, Jeff Sadowski  wrote:
> 
> I am a bit confused by DNAMEs
> I had used them before but I may have used them wrong.
> 
> On windows 2008r2 I have some zones where I create a DNAME for the
> root and point it to an A record.
> 
> IE:
> 
> zone bla.bla
> SOA 
> NS 
> DNAME www.bla.com
> 
> where www.bla.com is an A record.
> 
> the reason I was doing this is because www.bla.com has a dhcp assigned address
> 
> and I want bla.bla to always point to it.
> windows dns does not allow a cname at the root of a zone.
> 
> as of 2012r2 with updates this no longer works.
> 
> So I decided to see what bind would do with DNAME If I tried a similar
> experiment
> I have a db.self file I used when I want certain outside addresses to
> point back to my inside addresses.
> 
> my db.self file looks like so
> 
> 
> $TTL 3D
> @  1D  IN  SOA ns jeffsadowski.gmail.com. (
>  2017081201 ;
>  3H ;
>  15 ;
>  1w ;
>  3h ;
> )
> @ IN NS ns
> ns IN A 192.168.1.252
> @ IN A 192.168.1.252
> 
> And I want similar for my DNAME so I created db.dname that looks like so
> 
> $TTL 3D
> @  1D  IN  SOA ns jeffsadowski.gmail.com. (
>  2017081201 ;
>  3H ;
>  15 ;
>  1w ;
>  3h ;
> )
> @ IN NS ns
> ns IN A 192.168.1.252
> @ IN DNAME methanemaker.mooo.com
> 
> then when I try and start bind I get error messages like so
> 
> Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: NS
> 'ns.bla.bla' is below a DNAME 'bla.bla' (illegal)
> Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: not loaded
> due to errors.
> 
> I tried without the NS lines and I get this message
> 
> Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: has no NS records
> Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: not loaded
> due to errors.
> 
> If anyone has a better idea how to map to a dhcp addressed machine
> from a zone I'd like to know.
> 
> I don't want to recreate the entire superdomain for just one record
> that needs changed
> IE:
> the super domain is managed by an outside service. I don't want to
> keep a second copy inside that has a few with different records.


Re: DNAME usage?

2017-11-17 Thread Chris Buxton
A DNAME is a CNAME generator for subdomains of the DNAME record itself. That is:

example.com.  DNAME  example.net.

will result in any query for "foo.example.com" to be
answered with a dynamically-generated CNAME record like this:

foo.example.com.  CNAME  foo.example.net.

It has no effect on the name of the DNAME record itself -- it is not a CNAME 
record for example.com, and doesn't do the same job. The 
use case you describe cannot be solved by RFC-compliant DNS -- the name of a 
zone cannot be an alias of some other name. Creating the parent zone and 
putting the CNAME in there will create more problems for you.

Regards,
Chris Buxton

> On Nov 17, 2017, at 9:19 AM, Jeff Sadowski  wrote:
> 
> I am a bit confused by DNAMEs
> I had used them before but I may have used them wrong.
> 
> On windows 2008r2 I have some zones where I create a DNAME for the
> root and point it to an A record.
> 
> IE:
> 
> zone bla.bla
> SOA 
> NS 
> DNAME www.bla.com
> 
> where www.bla.com is an A record.
> 
> the reason I was doing this is because www.bla.com has a dhcp assigned address
> 
> and I want bla.bla to always point to it.
> windows dns does not allow a cname at the root of a zone.
> 
> as of 2012r2 with updates this no longer works.
> 
> So I decided to see what bind would do with DNAME If I tried a similar
> experiment
> I have a db.self file I used when I want certain outside addresses to
> point back to my inside addresses.
> 
> my db.self file looks like so
> 
> 
> $TTL 3D
> @  1D  IN  SOA ns jeffsadowski.gmail.com. (
>  2017081201 ;
>  3H ;
>  15 ;
>  1w ;
>  3h ;
> )
> @ IN NS ns
> ns IN A 192.168.1.252
> @ IN A 192.168.1.252
> 
> And I want similar for my DNAME so I created db.dname that looks like so
> 
> $TTL 3D
> @  1D  IN  SOA ns jeffsadowski.gmail.com. (
>  2017081201 ;
>  3H ;
>  15 ;
>  1w ;
>  3h ;
> )
> @ IN NS ns
> ns IN A 192.168.1.252
> @ IN DNAME methanemaker.mooo.com
> 
> then when I try and start bind I get error messages like so
> 
> Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: NS
> 'ns.bla.bla' is below a DNAME 'bla.bla' (illegal)
> Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: not loaded
> due to errors.
> 
> I tried without the NS lines and I get this message
> 
> Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: has no NS records
> Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: not loaded
> due to errors.
> 
> If anyone has a better idea how to map to a dhcp addressed machine
> from a zone I'd like to know.
> 
> I don't want to recreate the entire superdomain for just one record
> that needs changed
> IE:
> the super domain is managed by an outside service. I don't want to
> keep a second copy inside that has a few with different records.

Re: DNAME + DNSSEC

2016-10-20 Thread Marco Davids (SIDN)


On 20/10/2016 14:41, Marco Davids (SIDN) wrote:

> For testing-purposes I tried to simulate the situation in sidnlabs.nl:
> 
> dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.sidnlabs.nl

ERROR!

That should be:

dig +dnssec -t ANY _sidn._dnssec-valcheck._1804289384.dname.sidnlabs.nl

--
Marco





RE: Re: dname reverse delegation

2015-10-17 Thread Woodworth, John R
> > On Tue, 13 Oct 2015 21:40:30 +0100,
> > Paul A wrote:
> > >
> > > I have a few /24 that I want to delegate using DNAME.
> >
> >
> >   Are you expecting to save yourself trouble by doing so?
> >   If not, you should probably reconsider.
> >
> >   If you decide DNAME is a useful trick, bear in mind that what DNAME
> >   does is not really delegation, but just a trick for the lazy.  I'm
> >   actually one of those lazy people, so please understand that I don't
> >   mean the word offensively. Besides, cleverer people than I have
> >   recognized laziness as a virtue.
> >
> >   I have persuaded the administrator of the
> >   1.0.0.7.7.0.1.0.0.2.ip6.arpa. zone to use a DNAME rather than a
> >   delegation for f.3.1.0.0.7.7.0.1.0.0.2.ip6.arpa.  Yes, this is for
> >   IPv6, but it's conveniently to hand, and the principles are the
> >   same. I have actually had second thoughts about this, and more than
> >   once, but never felt worried enough that making the change needed
> >   priority before the other things on my do-list.
> >
>
>
> Niall, apologies I am new to the mailing list and am still getting acclimated.
>
> I agree with the consensus a few /24s are handled much easier via standard
> delegation than via RFC2317.
>
> I am confused about your example.  It would seem a simple delegation would
> work in this scenario assuming you are running bind and are admin on the
> nameserver.  The way I see it appending '.arpa.' to the PTR's owner would
> negate the need for the DNAME style delegation but I confess my assumptions
> could be off.  Could you please explain your setup in more detail?


Niall, please disregard my previous email.  After giving this more thought it
would also require a second zone clause pointing to the same file and still
be treated (i.e. transfer) as separate zones which could get messy.


Thanks,
John


>
>
> Thanks,
> John
>
>
> >   The trouble I save by doing this is that of maintaining two zone
> >   files for my AAAA and corresponding PTR records.  Instead, I can
> >   keep both together in one file, like this:
> >
> > $ORIGIN no8.be.
> > bode 3600 IN AAAA 2001:770:13f:0:5054:ff:fe00:d978
> > 8.7.9.d.0.0.e.f.f.f.0.0.4.5.0.5.0.0.0.0.f.3.1.0.0.7.7.0.1.0.0.2.ip6 3600 IN PTR bode
> >
> >   Using 'dig', you can explore how it works, and what zones are
> >   involved, by using commands such as these:
> >
> > dig bode.no8.be AAAA
> > dig -x 2001:770:13f:0:5054:ff:fe00:d978
> > dig +trace -x 2001:770:13f:0:5054:ff:fe00:d978
> > dig f.3.1.0.0.7.7.0.1.0.0.2.ip6.arpa ns
> > dig no8.be ns
> >
> >   You can do the same for your /24's, if the administrator of the
> >   parent reverse zone is minded to co-operate.  Alternatively,
> >   you can use a normal delegation and set up your zone as follows,
> >   filling in the gaps appropriately.
> >
> > $TTL 3600 ;; or whatever
> > $ORIGIN 13.168.192.in-addr.arpa.
> > @ IN SOA ...
> >   IN NS ...
> >   IN DNAME whatever.example.net.
> >
> >   Then, you populate the whatever.example.net. zone with the PTR records:
> >
> > $TTL 3600 ;; or whatever
> > $ORIGIN whatever.example.net.
> > @ IN SOA ...
> >   IN NS ...
> > 0 IN PTR base-addr.whatever-else.example.net.
> > 1 IN PTR some-host.whatever-else.example.net.
> > 2 IN PTR anor-host.whatever-else.example.net.
> > ;; and so on ...
> > 255 IN PTR bcast-addr.whatever-else.example.net.
> >
> > > Lets says I have 192.168.13.0/24 how would I go about doing reserve on
> > > the forwarding server using DNAME.
> > >
> > > Currently on the forwarding server I have
> > >
> > > NS ns.isp.com
> > >
> > > ;;
> > >
> > > DNAME 0/24
> >
> >   Don't be distracted by RFC2317.  It describes the trickery you need
> >   when you're dealing with a longer prefix (fewer addresses) than a
> >   /24.  If you have "a few /24", you can deal with them without
> >   needing any of that.
> >
> > > ;;
> > >
> > > ;;; delegate to server
> > >
> > > 0/24 NS ns.someserver.com.
> > >
> > > On the server handling the PTRs (ns.someserver.com) I have:
> > >
> > > zone "0/24.13.168.192.IN-ADDR.ARPA" {
> > >
> > > type master;
> > >
> > > file "/slvdb/db.13.168.192";
> > >
> > > };
> > >
> > > In the PTR server the zone file looks like a normal PTR file and when
> > > I query on this server its working, I get the DNAME/CNAME and PTR.
> > >
> > > However when I query on the forwarding server it's not working, I just
> > > keep getting the CNAME over and over again but not actual PTR.
> >
> >   I'm not sure what in what sense you're using the term "forwarding
> >   server".
> >
> >   If you mean the authoritative server where the DNAME record is sitting,
> >   then I believe that this is normal.  An authoritative server should
> >   return just the DNAME and synthesized CNAME, as it's not responsible
> >   for chasing down the CNAME reference.  That's the job of a recursive
> >   resolver.
> >
> > > Shouldn't the forwarding server query the PTR server since it has a
> > > 0/24 NS RR? It seems like because of the 

Re: dname reverse delegation

2015-10-17 Thread Woodworth, John R
> On Tue, 13 Oct 2015 21:40:30 +0100,
> Paul A wrote:
> >
> > I have a few /24 that I want to delegate using DNAME.
>
>
>   Are you expecting to save yourself trouble by doing so?
>   If not, you should probably reconsider.
>
>   If you decide DNAME is a useful trick, bear in mind that what DNAME
>   does is not really delegation, but just a trick for the lazy.  I'm
>   actually one of those lazy people, so please understand that I don't
>   mean the word offensively. Besides, cleverer people than I have
>   recognized laziness as a virtue.
>
>   I have persuaded the administrator of the
>   1.0.0.7.7.0.1.0.0.2.ip6.arpa. zone to use a DNAME rather than a
>   delegation for f.3.1.0.0.7.7.0.1.0.0.2.ip6.arpa.  Yes, this is for
>   IPv6, but it's conveniently to hand, and the principles are the
>   same. I have actually had second thoughts about this, and more than
>   once, but never felt worried enough that making the change needed
>   priority before the other things on my do-list.
>


Niall, apologies, I am new to the mailing list and am still getting acclimated.

I agree with the consensus that a few /24s are handled much more easily via
standard delegation than via RFC2317.

I am confused about your example.  It would seem a simple delegation would
work in this scenario, assuming you are running bind and are admin on the
nameserver.  The way I see it, appending '.arpa.' to the PTR's owner would
negate the need for the DNAME style delegation, but I confess my assumptions
could be off.  Could you please explain your setup in more detail?


Thanks,
John


>   The trouble I save by doing this is that of maintaining two zone
>   files for my AAAA and corresponding PTR records.  Instead, I can
>   keep both together in one file, like this:
>
> $ORIGIN no8.be.
> bode    3600    IN  AAAA    2001:770:13f:0:5054:ff:fe00:d978
> 8.7.9.d.0.0.e.f.f.f.0.0.4.5.0.5.0.0.0.0.f.3.1.0.0.7.7.0.1.0.0.2.ip6 3600 IN PTR bode
>
>   Using 'dig', you can explore how it works, and what zones are
>   involved, by using commands such as these:
>
> dig bode.no8.be AAAA
> dig -x 2001:770:13f:0:5054:ff:fe00:d978
> dig +trace -x 2001:770:13f:0:5054:ff:fe00:d978
> dig f.3.1.0.0.7.7.0.1.0.0.2.ip6.arpa ns
> dig no8.be ns
>
>   You can do the same for your /24's, if the administrator of the
>   parent reverse zone is minded to co-operate.  Alternatively,
>   you can use a normal delegation and set up your zone as follows,
>   filling in the gaps appropriately.
>
> $TTL 3600 ;; or whatever
> $ORIGIN 13.168.192.in-addr.arpa.
> @ IN SOA ...
>   IN NS ...
>   IN DNAME whatever.example.net.
>
>   Then, you populate the whatever.example.net. zone with the PTR records:
>
> $TTL 3600 ;; or whatever
> $ORIGIN whatever.example.net.
> @ IN SOA ...
>   IN NS ...
> 0 IN PTR base-addr.whatever-else.example.net.
> 1 IN PTR some-host.whatever-else.example.net.
> 2 IN PTR anor-host.whatever-else.example.net.
> ;; and so on ...
> 255 IN PTR bcast-addr.whatever-else.example.net.
>
> > Let's say I have 192.168.13.0/24; how would I go about doing reverse on
> > the forwarding server using DNAME.
> >
> > Currently on the forwarding server I have
> >
> > NS ns.isp.com
> >
> > ;;
> >
> > DNAME 0/24
>
>   Don't be distracted by RFC2317.  It describes the trickery you need
>   when you're dealing with a longer prefix (fewer addresses) than a
>   /24.  If you have "a few /24", you can deal with them without
>   needing any of that.
>
> > ;;
> >
> > ;;; delegate to server
> >
> > 0/24 NS ns.someserver.com.
> >
> > On the server handling the PTRs (ns.someserver.com) I have:
> >
> > zone "0/24.13.168.192.IN-ADDR.ARPA" {
> >
> > type master;
> >
> > file "/slvdb/db.13.168.192";
> >
> > };
> >
> > In the PTR server the zone file looks like a normal PTR file and when
> > I query on this server it's working, I get the DNAME/CNAME and PTR.
> >
> > However when I query on the forwarding server it's not working, I just
> > keep getting the CNAME over and over again but not the actual PTR.
>
>   I'm not sure in what sense you're using the term "forwarding
>   server".
>
>   If you mean the authoritative server where the DNAME record is sitting,
>   then I believe that this is normal.  An authoritative server should
>   return just the DNAME and synthesized CNAME, as it's not responsible
>   for chasing down the CNAME reference.  That's the job of a recursive
>   resolver.
>
> > Shouldn't the forwarding server query the PTR server since it has a
> > 0/24 NS RR? It seems like because of the above DNAME RR it expects a
> > zone file for the 0/24. However I just want to forward this.
>
>   I'm sorry.  I don't understand what you think you're trying to achieve.
>
>   I hope this helps.
>
>   Best regards,
>   Niall O'Reilly

RE: dname reverse delegation

2015-10-14 Thread Paul A
Yeah, it looks like I might have to give up on this.

paul

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR -
fantomas
Sent: Wednesday, October 14, 2015 10:29 AM
To: bind-users@lists.isc.org
Subject: Re: dname reverse delegation

On 14.10.15 10:11, Paul A wrote:
>Niall my problem is the name server that delegated the reverse does look up
>the record correctly.
>
>I have this in the zone,
>
>DNAME 0/24
>;;
> delegate to server
>;;
>0/24    NS  ns.someserver.com
>;;
>
>
>At the ns.someserver.com the lookups work with no problems. However at
>the main name server the PTR lookup does not work.
>Not sure what I'm missing.

You have already been advised to avoid the ".0/24." NONSENSE.  You can
easily delegate x.x.x.IN-ADDR.ARPA without putting the useless (and, as you
report, problematic) subdomain ".0/24." there...

>;; ANSWER SECTION:
>x.x.x.in-addr.arpa.   172800  IN  DNAME   0/24.x.x.x.IN-ADDR.ARPA.
>2.x.x.x.in-addr.arpa. 172800  IN  CNAME   2.0/24.x.x.x.IN-ADDR.ARPA.
>2.0/24.x.x.x.IN-ADDR.ARPA. 172800 IN  CNAME   2.0/24.0/24.x.x.x.IN-ADDR.ARPA.
>2.0/24.0/24.x.x.x.IN-ADDR.ARPA. 172800 IN CNAME 2.0/24.0/24.0/24.x.x.x.IN-ADDR.ARPA.
>2.0/24.0/24.0/24.x.x.x.IN-ADDR.ARPA. 172800 IN CNAME 2.0/24.0/24.0/24.0/24.x.x.x.IN-ADDR...
>
>But looking up the record on ns1.someserver.com works fine.
>
>;; ANSWER SECTION:
>13.7.69.in-addr.arpa.   172229  IN  DNAME   0/24.x.x.69.IN-ADDR.ARPA.
>2.13.7.69.in-addr.arpa. 172229  IN  CNAME   2.0/24.x.x.69.IN-ADDR.ARPA.
>2.0/24.13.7.69.IN-ADDR.ARPA. 172800 IN  PTR x-x-x-x.rev.XXX.com.


>On Tue, 13 Oct 2015 21:40:30 +0100,
>Paul A wrote:
>>
>> I have a few /24 that I want to delegate using DNAME.
>
>  Are you expecting to save yourself trouble by doing so?
>  If not, you should probably reconsider.
[...]
>  Don't be distracted by RFC2317.  It describes the trickery you need
>  when you're dealing with a longer prefix (fewer addresses) than a
>  /24.  If you have "a few /24", you can deal with them without
>  needing any of that.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



Re: dname reverse delegation

2015-10-14 Thread Matus UHLAR - fantomas

On 14.10.15 10:11, Paul A wrote:

Niall my problem is the name server that delegated the reverse does look up the
record correctly.

I have this in the zone,

    DNAME 0/24
;;
;;; delegate to server
;;
0/24    NS  ns.someserver.com
;;


At the ns.someserver.com the lookups work with no problems. However at the
main name server the PTR lookup does not work.
Not sure what I'm missing.


You have already been advised to avoid the ".0/24." NONSENSE.  You can
easily delegate x.x.x.IN-ADDR.ARPA without putting the useless (and, as you
report, problematic) subdomain ".0/24." there...


;; ANSWER SECTION:
x.x.x.in-addr.arpa.   172800  IN  DNAME   0/24.x.x.x.IN-ADDR.ARPA.
2.x.x.x.in-addr.arpa. 172800  IN  CNAME   2.0/24.x.x.x.IN-ADDR.ARPA.
2.0/24.x.x.x.IN-ADDR.ARPA. 172800 IN  CNAME   2.0/24.0/24.x.x.x.IN-ADDR.ARPA.
2.0/24.0/24.x.x.x.IN-ADDR.ARPA. 172800 IN CNAME 2.0/24.0/24.0/24.x.x.x.IN-ADDR.ARPA.
2.0/24.0/24.0/24.x.x.x.IN-ADDR.ARPA. 172800 IN CNAME 2.0/24.0/24.0/24.0/24.x.x.x.IN-ADDR...

But looking up the record on ns1.someserver.com works fine.

;; ANSWER SECTION:
13.7.69.in-addr.arpa.   172229  IN  DNAME   0/24.x.x.69.IN-ADDR.ARPA.
2.13.7.69.in-addr.arpa. 172229  IN  CNAME   2.0/24.x.x.69.IN-ADDR.ARPA.
2.0/24.13.7.69.IN-ADDR.ARPA. 172800 IN  PTR x-x-x-x.rev.XXX.com.




On Tue, 13 Oct 2015 21:40:30 +0100,
Paul A wrote:


I have a few /24 that I want to delegate using DNAME.


 Are you expecting to save yourself trouble by doing so?
 If not, you should probably reconsider.

[...]

 Don't be distracted by RFC2317.  It describes the trickery you need
 when you're dealing with a longer prefix (fewer addresses) than a
 /24.  If you have "a few /24", you can deal with them without
 needing any of that.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


RE: dname reverse delegation

2015-10-14 Thread Paul A
Niall my problem is the name server that delegated the reverse does look up the
record correctly.

I have this in the zone,

DNAME 0/24
;;
;;; delegate to server
;;
0/24    NS  ns.someserver.com
;;


At the ns.someserver.com the lookups work with no problems. However at the
main name server the PTR lookup does not work.
Not sure what I'm missing.


;; ANSWER SECTION:
x.x.x.in-addr.arpa.   172800  IN  DNAME   0/24.x.x.x.IN-ADDR.ARPA.
2.x.x.x.in-addr.arpa. 172800  IN  CNAME   2.0/24.x.x.x.IN-ADDR.ARPA.
2.0/24.x.x.x.IN-ADDR.ARPA. 172800 IN  CNAME   2.0/24.0/24.x.x.x.IN-ADDR.ARPA.
2.0/24.0/24.x.x.x.IN-ADDR.ARPA. 172800 IN CNAME 2.0/24.0/24.0/24.x.x.x.IN-ADDR.ARPA.
2.0/24.0/24.0/24.x.x.x.IN-ADDR.ARPA. 172800 IN CNAME 2.0/24.0/24.0/24.0/24.x.x.x.IN-ADDR...

But looking up the record on ns1.someserver.com works fine.

;; ANSWER SECTION:
13.7.69.in-addr.arpa.   172229  IN  DNAME   0/24.x.x.69.IN-ADDR.ARPA.
2.13.7.69.in-addr.arpa. 172229  IN  CNAME   2.0/24.x.x.69.IN-ADDR.ARPA.
2.0/24.13.7.69.IN-ADDR.ARPA. 172800 IN  PTR x-x-x-x.rev.XXX.com.


Thanks, p
-Original Message-
From: Niall O'Reilly [mailto:niall.orei...@ucd.ie] 
Sent: Tuesday, October 13, 2015 6:29 PM
To: Paul A <ra...@meganet.net>
Cc: bind-users@lists.isc.org
Subject: Re: dname reverse delegation

On Tue, 13 Oct 2015 21:40:30 +0100,
Paul A wrote:
> 
> I have a few /24 that I want to delegate using DNAME.

  Are you expecting to save yourself trouble by doing so?
  If not, you should probably reconsider.

  If you decide DNAME is a useful trick, bear in mind that what DNAME
  does is not really delegation, but just a trick for the lazy.  I'm
  actually one of those lazy people, so please understand that I don't
  mean the word offensively. Besides, cleverer people than I have
  recognized laziness as a virtue.
  
  I have persuaded the administrator of the
  1.0.0.7.7.0.1.0.0.2.ip6.arpa. zone to use a DNAME rather than a
  delegation for f.3.1.0.0.7.7.0.1.0.0.2.ip6.arpa.  Yes, this is for
  IPv6, but it's conveniently to hand, and the principles are the
  same. I have actually had second thoughts about this, and more than
  once, but never felt worried enough that making the change needed
  priority before the other things on my do-list.

  The trouble I save by doing this is that of maintaining two zone
  files for my AAAA and corresponding PTR records.  Instead, I can
  keep both together in one file, like this:

$ORIGIN no8.be.
bode    3600    IN  AAAA    2001:770:13f:0:5054:ff:fe00:d978
8.7.9.d.0.0.e.f.f.f.0.0.4.5.0.5.0.0.0.0.f.3.1.0.0.7.7.0.1.0.0.2.ip6 3600 IN PTR bode

  Using 'dig', you can explore how it works, and what zones are
  involved, by using commands such as these:

dig bode.no8.be AAAA
dig -x 2001:770:13f:0:5054:ff:fe00:d978
dig +trace -x 2001:770:13f:0:5054:ff:fe00:d978
dig f.3.1.0.0.7.7.0.1.0.0.2.ip6.arpa ns
dig no8.be ns

  You can do the same for your /24's, if the administrator of the
  parent reverse zone is minded to co-operate.  Alternatively,
  you can use a normal delegation and set up your zone as follows,
  filling in the gaps appropriately.

$TTL 3600 ;; or whatever
$ORIGIN 13.168.192.in-addr.arpa.
@ IN SOA ...
  IN NS ...
  IN DNAME whatever.example.net.

  Then, you populate the whatever.example.net. zone with the PTR records:

$TTL 3600 ;; or whatever
$ORIGIN whatever.example.net.
@ IN SOA ...
  IN NS ...
0 IN PTR base-addr.whatever-else.example.net.
1 IN PTR some-host.whatever-else.example.net.
2 IN PTR anor-host.whatever-else.example.net.
;; and so on ...
255 IN PTR bcast-addr.whatever-else.example.net.

> Let's say I have 192.168.13.0/24; how would I go about doing reverse on
> the forwarding server using DNAME.
> 
> Currently on the forwarding server I have
> 
> NS ns.isp.com
> 
> ;;
> 
> DNAME 0/24

  Don't be distracted by RFC2317.  It describes the trickery you need
  when you're dealing with a longer prefix (fewer addresses) than a
  /24.  If you have "a few /24", you can deal with them without
  needing any of that.

> ;;
> 
> ;;; delegate to server
> 
> 0/24 NS ns.someserver.com.
> 
> On the server handling the PTRs (ns.someserver.com) I have:
> 
> zone "0/24.13.168.192.IN-ADDR.ARPA" {
> 
> type master;
> 
> file "/slvdb/db.13.168.192";
> 
> };
> 
> In the PTR server the zone file looks like a normal PTR file and when
> I query on this server it's working, I get the DNAME/CNAME and PTR.
> 
> However when I query on the forwarding server it's not working, I just
> keep getting the CNAME over and over again but not the actual PTR.

  I'm not sure in what sense you're using the term "forwarding
  server".

  If you mean the authoritative server where the DNAME record is sitting,
  then I believe that this is normal.  An authoritative server should
  return just the DNA

Re: dname reverse delegation

2015-10-13 Thread Mark Andrews

Why are you trying to complicate the lookup process unnecessarily?

Just delegate 13.168.192.IN-ADDR.ARPA.  People overuse stuff that
really isn't needed and by doing so turn a relatively simple
procedure into a complicated mess.

RFC 2317 delegation techniques really should only be used for /25
-> /32 sized address assignments.  Despite what RFC 2317 says,
you can delegate down to the individual reverse name.  RFC 2317's
main purpose is reducing the number of delegations that need to
be made.

Forwarders are overused when a simple delegation is all that is
needed.

People forget that not all nameservers are configured to recurse
when testing.

In message <005001d105f7$664cdf70$32e69e50$@meganet.net>, "Paul A" writes:
> 
> I have a few /24 that I want to delegate using DNAME.
> 
> Let's say I have 192.168.13.0/24; how would I go about doing reverse on the
> forwarding server using DNAME.
> 
> Currently on the forwarding server I have 
> 
> NS ns.isp.com
> ;;
> DNAME 0/24
> ;;
> 
> ;;; delegate to server
> 
> 0/24    NS  ns.someserver.com.

If the zone fragment above expands out to below then the NS record
is hidden by the DNAME record during normal resolution.

13.168.192.IN-ADDR.ARPA.        NS    ns.isp.com.
13.168.192.IN-ADDR.ARPA.        DNAME 0/24.13.168.192.IN-ADDR.ARPA.
0/24.13.168.192.IN-ADDR.ARPA.   NS    ns.someserver.com.

Looking up 1.13.168.192.IN-ADDR.ARPA will result in this set of
CNAMES.  I suspect you got away with this due to the local server
also serving 0/24.13.168.192.IN-ADDR.ARPA which resulted in you
hitting a different zone.

1.13.168.192.IN-ADDR.ARPA CNAME 1.0/24.13.168.192.IN-ADDR.ARPA
1.0/24.13.168.192.IN-ADDR.ARPA CNAME 1.0/24.0/24.13.168.192.IN-ADDR.ARPA
1.0/24.0/24.13.168.192.IN-ADDR.ARPA CNAME 1.0/24.0/24.0/24.13.168.192.IN-ADDR.ARPA


> On the server handling the PTRs (ns.someserver.com) I have:
> 
> zone "0/24.13.168.192.IN-ADDR.ARPA" {
> type master;
> file "/slvdb/db.13.168.192";
> };
> 
> In the PTR server the zone file looks like a normal PTR file and when I
> query on this server it's working, I get the DNAME/CNAME and PTR. 

See above about the local zone preventing the looping which would normally
happen.
 
> However when I query on the forwarding server it's not working, I just keep
> getting the CNAME over and over again but not the actual PTR.

Which is what happens when you don't have the second zone.
 
> Shouldn't the forwarding server query the PTR server since it has a 0/24 NS
> RR? It seems like because of the above DNAME RR it expects a zone file for
> the 0/24. However I just want to forward this. 

No.
 
> I know I can probably just slave off the PTR server but I'd rather try and do
> it this way unless someone suggests otherwise. 
> 
> Any ideas, thanks Paul

Stop trying to be overly smart.  If you really must use a DNAME do something
like this.

13.168.192.IN-ADDR.ARPA. DNAME in-addr.arpa.example.net.

zone "in-addr.arpa.example.net" {
type master;
file "/masterdb/db.in-addr.arpa.example.net";
};

And don't forget to slave the zone with the DNAME record so that local
resolution works when the external network is down.

zone "13.168.192.IN-ADDR.ARPA" {
type slave;
masters { . };
file "/slvdb/db.13.168.192";
};

or

zone "168.192.IN-ADDR.ARPA" {
type slave;
masters { . };
file "/slvdb/db.168.192";
};

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
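The CNAME loop Mark traces above, modelled in Python as an added example (not code from the list or from BIND): a small simulation of RFC 6672 DNAME synthesis over constructed zone data, showing the runaway chain produced by a `DNAME 0/24` that points into its own zone, the `0/24 NS` record it hides, the apex that is never redirected, and the recommended layout where the DNAME target is a separate zone holding the PTRs. The zone dictionaries, `MAX_CHAIN` and the status strings are assumptions of the example.

```python
"""Model of DNAME synthesis (RFC 6672) on an authoritative name server.

Added example for this thread, not code from the list or from BIND.  The zone
data is constructed to mirror the layouts discussed: a DNAME at the apex of
13.168.192.in-addr.arpa that points at its own 0/24 subdomain (loops), and a
DNAME whose target is a separate zone that carries the PTR records (works).
Names are lowercase and fully qualified without the trailing dot.
"""

MAX_CHAIN = 8  # constructed cap on synthesized CNAMEs; a real server has its own


def is_below(name, ancestor):
    """True when name is a proper subdomain of ancestor."""
    return name != ancestor and name.endswith("." + ancestor)


def zone_for(server, name):
    """Apex of the hosted zone that most closely encloses name, or None."""
    best = None
    for apex in server:
        if name == apex or is_below(name, apex):
            if best is None or len(apex) > len(best):
                best = apex
    return best


def find_dname(zone, apex, name):
    """(owner, target) of the DNAME that redirects name inside zone, or None.

    The lookup descends from the apex towards name; the first node carrying a
    DNAME wins and everything below that node is occluded.  This is why an NS
    record placed under the DNAME owner (the "0/24 NS" line) is never reached.
    The DNAME owner itself is not redirected: only the names below it are.
    """
    labels = name.split(".")
    depth = len(labels) - len(apex.split("."))
    for i in range(depth, 0, -1):  # i == depth is the apex, i == 1 the parent
        owner = ".".join(labels[i:])
        for rtype, rdata in zone.get(owner, []):
            if rtype == "DNAME":
                return owner, rdata
    return None


def lookup(server, qname, qtype):
    """Answer section an authoritative server would build for qname/qtype.

    Follows DNAME synthesis and the resulting CNAME chain through the zones
    this server hosts.  Returns (records, status): records is a list of
    (owner, rtype, rdata) tuples; status is "ok", "nodata", "referral" (the
    chain left the hosted data, so a recursive resolver must chase it) or
    "loop" (MAX_CHAIN synthesized CNAMEs without reaching an answer).
    """
    answer = []
    name = qname
    for _ in range(MAX_CHAIN):
        apex = zone_for(server, name)
        if apex is None:
            return answer, "referral"
        zone = server[apex]
        hit = find_dname(zone, apex, name)
        if hit is None:
            rrs = [(name, t, r) for t, r in zone.get(name, []) if t == qtype]
            return answer + rrs, "ok" if rrs else "nodata"
        owner, target = hit
        if (owner, "DNAME", target) not in answer:
            answer.append((owner, "DNAME", target))
        # RFC 6672 substitution: replace the DNAME owner suffix with its target.
        new_name = name[: -len(owner)] + target
        answer.append((name, "CNAME", new_name))
        name = new_name
    return answer, "loop"


REV = "13.168.192.in-addr.arpa"

# Constructed: the layout from the thread.  The DNAME target lies inside the
# same zone, so every synthesized name is redirected again.
LOOPING = {
    REV: {
        REV: [("NS", "ns.isp.com"), ("DNAME", "0/24." + REV)],
        "0/24." + REV: [("NS", "ns.someserver.com")],  # occluded by the DNAME
    },
}

# Constructed: the layout Niall and Mark recommend.  The reverse zone only
# holds the DNAME; the PTRs live in a separate zone this server also hosts.
WORKING = {
    REV: {REV: [("NS", "ns.isp.com"), ("DNAME", "whatever.example.net")]},
    "whatever.example.net": {
        "whatever.example.net": [("NS", "ns.isp.com")],
        "1.whatever.example.net": [("PTR", "some-host.whatever-else.example.net")],
    },
}


def demo():
    """Print the four cases the thread discusses."""
    cases = [
        ("looping layout, PTR query", LOOPING, "1." + REV, "PTR"),
        ("looping layout, the hidden NS", LOOPING, "0/24." + REV, "NS"),
        ("apex itself is not redirected", LOOPING, REV, "NS"),
        ("recommended layout, PTR query", WORKING, "1." + REV, "PTR"),
    ]
    for title, server, qname, qtype in cases:
        records, status = lookup(server, qname, qtype)
        print(f"== {title}: {status}")
        for owner, rtype, rdata in records:
            print(f"   {owner} {rtype} {rdata}")


if __name__ == "__main__":
    demo()
```

Hosting only the reverse zone (drop `whatever.example.net` from `WORKING`) turns the last case into a "referral": the authoritative server returns the DNAME and synthesized CNAME and leaves the rest to a recursive resolver, which is the behaviour Niall describes.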


Re: dname reverse delegation

2015-10-13 Thread Tony Finch
Paul A wrote:

> I have a few /24 that I want to delegate using DNAME.
> Lets says I have 192.168.13.0/24 how would I go about doing reserve on the
> forwarding server using DNAME.

Coincidentally I just published this draft less than three hours ago, and
it describes how to use DNAME to reduce the need for delegations in the
reverse DNS. https://tools.ietf.org/html/draft-fanf-dnsop-rfc2317bis

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
Rockall: Southerly 5 or 6, veering southwesterly 6 to gale 8 in northwest.
Rough or very rough. Rain in northwest. Good, occasionally poor in northwest.


Re: dname reverse delegation

2015-10-13 Thread Niall O'Reilly
On Tue, 13 Oct 2015 21:40:30 +0100,
Paul A wrote:
> 
> I have a few /24 that I want to delegate using DNAME.

  Are you expecting to save yourself trouble by doing so?
  If not, you should probably reconsider.

  If you decide DNAME is a useful trick, bear in mind that what DNAME
  does is not really delegation, but just a trick for the lazy.  I'm
  actually one of those lazy people, so please understand that I don't
  mean the word offensively. Besides, cleverer people than I have
  recognized laziness as a virtue.
  
  I have persuaded the administrator of the
  1.0.0.7.7.0.1.0.0.2.ip6.arpa. zone to use a DNAME rather than a
  delegation for f.3.1.0.0.7.7.0.1.0.0.2.ip6.arpa.  Yes, this is for
  IPv6, but it's conveniently to hand, and the principles are the
  same. I have actually had second thoughts about this, and more than
  once, but never felt worried enough that making the change needed
  priority before the other things on my do-list.

  The trouble I save by doing this is that of maintaining two zone
  files for my AAAA and corresponding PTR records.  Instead, I can
  keep both together in one file, like this:

$ORIGIN no8.be.
bode    3600    IN  AAAA    2001:770:13f:0:5054:ff:fe00:d978
8.7.9.d.0.0.e.f.f.f.0.0.4.5.0.5.0.0.0.0.f.3.1.0.0.7.7.0.1.0.0.2.ip6 3600 IN PTR bode

  Using 'dig', you can explore how it works, and what zones are
  involved, by using commands such as these:

dig bode.no8.be AAAA
dig -x 2001:770:13f:0:5054:ff:fe00:d978
dig +trace -x 2001:770:13f:0:5054:ff:fe00:d978
dig f.3.1.0.0.7.7.0.1.0.0.2.ip6.arpa ns
dig no8.be ns

  You can do the same for your /24's, if the administrator of the
  parent reverse zone is minded to co-operate.  Alternatively,
  you can use a normal delegation and set up your zone as follows,
  filling in the gaps appropriately.

$TTL 3600 ;; or whatever
$ORIGIN 13.168.192.in-addr.arpa.
@ IN SOA ...
  IN NS ...
  IN DNAME whatever.example.net.

  Then, you populate the whatever.example.net. zone with the PTR records:

$TTL 3600 ;; or whatever
$ORIGIN whatever.example.net.
@ IN SOA ...
  IN NS ...
0 IN PTR base-addr.whatever-else.example.net.
1 IN PTR some-host.whatever-else.example.net.
2 IN PTR anor-host.whatever-else.example.net.
;; and so on ...
255 IN PTR bcast-addr.whatever-else.example.net.

> Let's say I have 192.168.13.0/24; how would I go about doing reverse on
> the forwarding server using DNAME.
> 
> Currently on the forwarding server I have 
> 
> NS ns.isp.com
> 
> ;;
> 
> DNAME 0/24

  Don't be distracted by RFC2317.  It describes the trickery you need
  when you're dealing with a longer prefix (fewer addresses) than a
  /24.  If you have "a few /24", you can deal with them without
  needing any of that.

> ;;
> 
> ;;; delegate to server
> 
> 0/24 NS ns.someserver.com.
> 
> On the server handling the PTRs (ns.someserver.com) I have:
> 
> zone "0/24.13.168.192.IN-ADDR.ARPA" {
> 
> type master;
> 
> file "/slvdb/db.13.168.192";
> 
> };
> 
> In the PTR server the zone file looks like a normal PTR file and when
> I query on this server it's working, I get the DNAME/CNAME and PTR. 
> 
> However when I query on the forwarding server it's not working, I just
> keep getting the CNAME over and over again but not the actual PTR.

  I'm not sure in what sense you're using the term "forwarding
  server".

  If you mean the authoritative server where the DNAME record is sitting,
  then I believe that this is normal.  An authoritative server should
  return just the DNAME and synthesized CNAME, as it's not responsible
  for chasing down the CNAME reference.  That's the job of a recursive
  resolver.

> Shouldn't the forwarding server query the PTR server since it has a
> 0/24 NS RR? It seems like because of the above DNAME RR it expects a
> zone file for the 0/24. However I just want to forward this. 

  I'm sorry.  I don't understand what you think you're trying to achieve.

  I hope this helps.

  Best regards,
  Niall O'Reilly
  

RE: DNAME?

2011-07-02 Thread Timothe Litt
Agree that getting DNAME into the TLDs and served is a political issue
rather than a technical one.  However, that isn't much consolation;
political issues are less tractable than technical ones :-(  As a very small
player, dealing with retail registrars like godaddy, mydomain, and the like,
my leverage is zero.  (I was pretty happy with the days when an e-mail, or
just a phone call to Jon or Joyce would get a change made.  But those days
are gone.)

I found a draft of BNAME - while it seems workable, it's another solution
that would hit name servers and resolvers and take time to deploy -- and
require registrants to get their registrars to put a special record into the
TLD.

I think my suggestion to do the work for aliasing in the name server is more
practical than BNAME.  The TLD would delegate in the familiar way to a
server; the server just has to fetch/translate the data from another zone
rather than a file.  And no impact on resolvers.  No new record types, and
the politics are limited to the domain getting the benefit.

Everyone would see the domain normally (as today); only the authoritative
server for the aliased domain would know that there's anything special about
it, and that server would do the extra work.  Since it's responsible for the
domain getting the benefit, it seems fair for it to do the work.  And since
named as a forwarder/resolver would have to know how to track down BNAMEs
under that proposal, asking named to track down aliases on the authoritative
side seems like no more (and probably less) work.

So, if I wanted to solve the problem that BNAME is trying to address (and my
original problem), I'd pursue a server solution rather than BNAME.

However, in the meantime it looks like I'll need to come up with some
solution on the back end to keep the aliased zones in sync.  Maybe just
AXFR the real zones periodically, run sed over them and write / sign
traditional zone files.  Yuck; another kludge that will not-quite-properly
paper over a problem.

-
This communication may not represent my employer's views,
if any, on the matters discussed. 
 
-Original Message-
From: Mark Andrews [mailto:ma...@isc.org] 
Sent: Friday, July 01, 2011 21:58
To: Timothe Litt
Cc: 'Jon F.'; bind-us...@isc.org
Subject: Re: DNAME?


When DNAME was being developed the working group had to make a decision
about whether DNAME should redirect the node it was at or just the names
below it.  The decision was made to do the latter because it didn't require
TLD operators to know about DNAME at the cost of a little more work to keep
the apex records in sync.

In hindsight we should have done both as there are use cases for both.
Getting other types added to TLDs isn't a technical issue, it's a political
issue.  There are TLDs that accept MX, A, AAAA and I believe DNAME today
instead of NS records at what would be the delegation point.  It's just as
easy to serve these records as it is to serve a delegation.

Mark

In message 2fa4ed65dac044849aa3f57fbcfe2...@sb.litts.net, Timothe Litt
writes:
 Yes, the example.us zone loads.  As I mentioned, no errors in named.log,
 and the statistics webserver (in named) shows example.us as active, albeit
 with '-' for the serial number instead of the number in the zone file.
  
 How did you get a DNAME into .com? 
 
 I did make example.us a zone - it is one, isn't it?  If the DNAME has
 to go in .us, I don't see making this scheme work.  As a practical
 matter, registrars will put NS records into the TLDs, and some (with
 encouragement) are starting to accept DNSSEC records for the TLDs.
 But I've yet to see one that provides a means for a registrant to have a
 DNAME inserted...
 Unless I'm missing something.  Did you actually manage to do this, or
 is your setup working in third+-level domains?
  
 I was hoping/expecting that since my server is the authoritative
 server for example.us, the DNAME could go in the example.us zone.  I
 expected that when, as the authoritative server, it was asked for
 foo.example.us, it would respond with foo.example.net.  But the RFC
 wasn't clear, which is why I asked.
  
 thanks.
 
 -
 This communication may not represent my employer's views, if any, on
 the matters discussed.

 From: Jon F. [mailto:pikel@gmail.com]
 Sent: Thursday, June 30, 2011 16:11
 To: Timothe Litt
 Cc: bind-users@lists.isc.org
 Subject: Re: DNAME?
 
 
 I have a similar set up to that and it works. Have you checked the 
 logs to make sure the zone properly loaded? I'm

Re: DNAME?

2011-07-01 Thread Matus UHLAR - fantomas

In message banlktimxqxzfurpp9jggga9xvhsb72k...@mail.gmail.com, Jon F. 
writes:
You know I was thinking and I guess the original poster could 
actually do the zone mimicking by just adding the .us zone statement 
to named.conf but point it to the same zone name as the already 
built zone.  In the zone, just use the @ instead of pointing to an 
actual name.  Then it can be read for any domain pointing to that 
file.  I haven't tried that but it should work in theory I suppose. 
Certainly easier than playing with DNAME's.


On 01.07.11 11:42, Mark Andrews wrote:

That doesn't work for signed zones.


But I still find it more readable...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
On the other hand, you have different fingers. 


RE: DNAME?

2011-07-01 Thread Timothe Litt
Yes, all my zones are (or will be) signed.  And all are dynamic update;
tricks like pointing all zones to the same zone files don't work.

So the bottom line is that either way I would somehow need to get my
registrar(s) to put special records  (DNAME or BNAME if it escapes the
politics) into the TLDs (.US, .INFO)?

Considering how hard it is just to get DNSSEC records installed, that
doesn't sound like a fun time.  I haven't seen a DNAME option in the GUI for
any of the registrars that I use.  And if I got a record in, I wonder (a) if
it would stay in and (b) if I could get it changed (or removed) when
circumstances change.  Does anyone have a real experience with this?
Especially someone who isn't a megacorp :-)?

Does the BNAME proposal address the MX/CNAME issues with DNAME?

Either way, having to put a record in the parent zone is no big deal -
except when registrars / TLDs are involved.

It seems to me that there's a more manageable approach than that described
for BNAME - that is solely under the control of named.

Given that my BIND servers are authoritative for the real (.net) and aliased
(.us, .info) zones (and, for the external views, properly delegated from the
TLDs), wouldn't it be more practical to have a named solution?  E.g. a
mechanism to tell named to respond authoritatively to all queries to aliased
zones (in my current case, .US, .INFO) as though it was resolving DNAME in
the parent zone?  Put another way: the aliased server is authoritative for
the aliased zone.  Where it gets the zone data from is a private matter.
Normally, it's a zone file.  But for an alias, it could simply query some
other real zone (it might even also be authoritative for that), substitute
the alias name for the real zone names, and serve the data as
authoritative.  (Signing as necessary.)

That would avoid doing anything in the TLD (parent in the general case), and
it would also make it easy to do more subtle things.  For example, put some
records in the aliased zone, and only go to the real zone if no record
matches a query.  Pretty much required for DNSSEC keys, so might as well
look for any record here first. That would seem very flexible.  And, since
it wouldn't need a new record type, no IETF politics!

It might look like

zone example.us {
    type master;
    alias-of example.net;   # Zone to mirror, meaning reflect queries for
                            # example.us to example.net; verify any signatures,
                            # then edit reply's example.us strings = example.us,
                            # re-sign and respond as authoritative
    file example.us.exceptions.db;  # Required to contain (minimally) .us DNSSEC keys
                                    # Optionally, look here before the alias zone
                                    # when resolving.
};

Of course, the synthesized data can be cached per the usual rules; think of
the alias-of zone as serving misses from the zone file.

I know I'm not the only user with this problem - many corporations get
theirname.{everything possible} and then try to make them look like
theirname.com.  Usually with http redirects - but that doesn't address all
the other services.

But I conclude that as of today, this is wishful thinking - there is no
practical approach.  Sigh.

-
This communication may not represent my employer's views,
if any, on the matters discussed. 
 
-Original Message-
From: Mark Andrews [mailto:ma...@isc.org] 
Sent: Thursday, June 30, 2011 20:58
To: Jon F.
Cc: Timothe Litt; bind-us...@isc.org
Subject: Re: DNAME?


In message BANLkTim=maau1y+xh7yzibmrznvx30z...@mail.gmail.com, Jon F. writes:
 I have a similar set up to that and it works. Have you checked the 
 logs to make sure the zone properly loaded? I'm assuming the zone data 
 you posted below is from the example.us zone but your first question 
 makes it sound like you put it in a separate zone. That would explain 
 the SERVFAIL if the zone data never loaded but the server was 
 authoritative. It does need to be in the .us.
 
 
 ;; ANSWER SECTION:
 example.com.   60  IN  DNAME   example.net.
 test.example.com. 60  IN  CNAME   test.example.net.
 test.example.net.   60  IN  A   127.0.0.1
 
 
 
 And that's with zone data like this:
 example.com.  IN NS ns1.example.net.
 example.com.   IN NS ns2.example.net.
 example.com.  IN A 10.0.0.1
 example.com. IN DNAME example.net.
 
 
 Truthfully I haven't looked at DNAMEs in a long time so I'm unsure 
 how to do it fully for a domain without adding an A record as well. 
 But what you're doing works, it's just not very pretty. Someone may have a
 better way.

There is an outstanding proposal for BNAME.  This would be added to the
parent zone instead of NS records and would synthesize CNAME records for the
domain and its children.

This has got bogged down in IETF politics over how to fix IDN rather than be
allowed to stand on its own merits.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE

RE: DNAME?

2011-07-01 Thread Timothe Litt
Yes, the example.us zone loads.  As I mentioned, no errors in named.log, and
the statistics webserver (in named) shows example.us as active, albeit with
'-' for the serial number instead of the number in the zone file.
 
How did you get a DNAME into .com? 

I did make example.us a zone - it is one, isn't it?  If the DNAME has to go
in .us, I don't see making this scheme work.  As a practical matter,
registrars will put NS records into the TLDs, and some (with encouragement)
are starting to accept DNSSEC records for the TLDs.  But I've yet to see
one that provides a means for a registrant to have a DNAME inserted...
Unless I'm missing something.  Did you actually manage to do this, or is
your setup working in third+-level domains?
 
I was hoping/expecting that since my server is the authoritative server for
example.us, the DNAME could go in the example.us zone.  I expected that
when, as the authoritative server, it was asked for foo.example.us, it would
respond with foo.example.net.  But the RFC wasn't clear, which is why I
asked.
 
thanks.

-
This communication may not represent my employer's views,
if any, on the matters discussed.
  

 


From: Jon F. [mailto:pikel@gmail.com] 
Sent: Thursday, June 30, 2011 16:11
To: Timothe Litt
Cc: bind-users@lists.isc.org
Subject: Re: DNAME?


I have a similar set up to that and it works. Have you checked the logs to
make sure the zone properly loaded? I'm assuming the zone data you posted
below is from the example.us zone but your first question makes it sound
like you put it in a separate zone. That would explain the SERVFAIL if the
zone data never loaded but the server was authoritative. It does need to be
in the .us.


;; ANSWER SECTION:
example.com.   60  IN  DNAME   example.net.
test.example.com. 60  IN  CNAME   test.example.net.
test.example.net.   60  IN  A   127.0.0.1



And that's with zone data like this:
example.com.  IN NS ns1.example.net.
example.com.   IN NS ns2.example.net.
example.com.  IN A 10.0.0.1
example.com. IN DNAME example.net.


Truthfully I haven't looked at DNAMEs in a long time so I'm unsure how to
do it fully for a domain without adding an A record as well. But what you're
doing works, it's just not very pretty. Someone may have a better way.




On Thu, Jun 30, 2011 at 2:01 PM, Timothe Litt l...@acm.org wrote:


I have domain example.net in production, and have recently acquired
example.us and example.info.

For whatever reason, I want example.us to simply mirror example.net, which
is dynamically updated (and dnssec).  And I want example.us to be zero
maintenance. (Well, OK I know I need separate DNSSEC keys, but I don't want
to mirror every update made in .net to .us)

So, I add a zone to ns1.example.net that looks like:
(In view internal)
   zone "example.us" {
       auto-dnssec maintain;
       type master;
       allow-transfer { key TSIG_GLOBAL_KEY; };
       file "EXAMPLE_US.DB";
       update-policy {
           grant TSIG_GLOBAL_KEY subdomain example.us. ANY;
       };
   };

$ORIGIN .
$TTL 600        ; 10 minutes
example.us.     IN SOA   ns1.example.net. examplenetadmin.example.net. (
                         2011063001 ; serial
                         172800     ; refresh (2 days)
                         600        ; retry (10 minutes)
                         2419200    ; expire (4 weeks)
                         600        ; minimum (10 minutes)
                         )
example.us.     IN DNAME example.net.
example.us.     IN NS    ns1.example.net.
example.us.     IN NS    ns2.example.net.

I get SERVFAIL with dig if I ask about, say www.example.us @ns1.example.net
(www.example.net does exist).

I see nothing in the named.log, except the trace 99 /notrace commands
bracketing the dig, and if I turn on querylog:
client ns1 IP#33256: view internal: query: www.example.us IN A + (ns1
IP).

If I look at the named statistics channel, I see that example.us is being
served, but the zone serial is '-', not '2011063001'.

Questions:
   o Am I confused about DNAME placement - would it have to go in .US?
     If so, is this possible?  (I don't mean technically possible - I mean
     practically - e.g. thru a registrar such as godaddy, enom, etc).  If not,
     what explains the SERVFAIL?
   o Why is '-' reported for the zone serial?
   o I understand that DNAME and MX don't play well together (DNAME is
     essentially CNAME, and MX doesn't allow CNAMEs).  I suspect I'd have to
     live with that - unless there are wiser heads?
   o Is there a better approach?  (Assume that I'll also want to do the
     same thing to example.info...)

Thanks.

-
This communication may not represent my employer's views,
if any, on the matters discussed.


___
Please visit https://lists.isc.org/mailman/listinfo/bind

Re: DNAME?

2011-07-01 Thread Doug Barton

On 07/01/2011 10:03, Timothe Litt wrote:

Yes, all my zones are (or will be) signed.  And all are dynamic update;


Then the answer is simple, have a front end that allows you to make the 
edits in one place and have them updated in both zones.


--

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
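Doug's "edit in one place, update both zones" front end, as an added example that is not part of the thread and not BIND's own code. It turns one change list into an nsupdate(8) batch per zone, rewriting owner names from the primary zone (example.net, as in the original post) onto each mirror (example.us, example.info). The server name, the TSIG key file path and the sample changes are assumptions. Zone-specific apex RRsets (SOA, NS, DNSKEY and the other DNSSEC types) are refused rather than copied, since each signed zone has to own those itself.

```python
"""Build DNS UPDATE (RFC 2136) batches that apply one change to several zones.

Added example for the bind-users DNAME thread; not BIND's code.
"""
import subprocess
from typing import Dict, List, Sequence, Tuple

# RRsets that belong to exactly one zone.  Copying them between zones would
# corrupt the mirror (wrong SOA/NS) or its DNSSEC chain, so they are refused.
ZONE_OWNED_TYPES = frozenset({
    "SOA", "NS", "DNSKEY", "CDS", "CDNSKEY", "DS",
    "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM",
})

# (op, owner, rtype, ttl, rdata); op is "add" or "delete".
Change = Tuple[str, str, str, int, str]


def norm(name: str) -> str:
    """Lower-cased absolute form with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def rewrite_owner(owner: str, src_zone: str, dst_zone: str) -> str:
    """Map an owner inside src_zone onto the same relative name in dst_zone."""
    owner, src, dst = norm(owner), norm(src_zone), norm(dst_zone)
    if owner == src:
        return dst
    if not owner.endswith("." + src):
        raise ValueError(f"{owner} is not inside {src}")
    return owner[:-len(src)] + dst


def nsupdate_batches(changes: Sequence[Change], primary: str,
                     mirrors: Sequence[str],
                     server: str = "ns1.example.net") -> Dict[str, List[str]]:
    """Return {zone: nsupdate input lines} for the primary and every mirror.

    rdata is copied verbatim: an MX or CNAME target in the mirror keeps
    pointing at the example.net host, which is what a DNAME would do too.
    """
    batches: Dict[str, List[str]] = {
        norm(z): [f"server {server}", f"zone {norm(z)}"]
        for z in [primary, *mirrors]
    }
    for op, owner, rtype, ttl, rdata in changes:
        rtype = rtype.upper()
        if op not in ("add", "delete"):
            raise ValueError(f"unknown operation {op!r}")
        if rtype in ZONE_OWNED_TYPES:
            # Fail loudly instead of applying to the primary only.
            raise ValueError(
                f"{rtype} at {owner} is zone-specific; edit each zone separately")
        for zone, lines in batches.items():
            name = rewrite_owner(owner, primary, zone)
            if op == "add":
                lines.append(f"update add {name} {ttl} IN {rtype} {rdata}")
            else:
                lines.append(f"update delete {name} IN {rtype} {rdata}")
    for lines in batches.values():
        lines.append("send")
    return batches


def push(batches: Dict[str, List[str]], key_file: str) -> None:
    """Feed each batch to nsupdate, signing with the TSIG key in key_file.

    key_file path is an assumption; nsupdate -k takes a key file in the
    format written by dnssec-keygen / tsig-keygen.
    """
    for lines in batches.values():
        subprocess.run(["nsupdate", "-k", key_file],
                       input="\n".join(lines) + "\n", text=True, check=True)
```

With auto-dnssec maintain on both zones, named re-signs whatever the UPDATE touches, so the mirror stays validly signed under its own keys; only the apex records that the front end refuses still have to be managed per zone.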


Re: DNAME?

2011-07-01 Thread Mark Andrews

When DNAME was being developed the working group had to make a
decision about whether DNAME should redirect the node it was at or
just the names below it.  The decision was made to do the latter
because it didn't require TLD operators to know about DNAME at the
cost of a little more work to keep the apex records in sync.

In hindsight we should have done both as there are use cases for
both.  Getting other types added to TLDs isn't a technical issue,
it's a political issue.  There are TLDs that accept MX, A,  and
I believe DNAME today instead of NS records at what would be the
delegation point.  It's just as easy to serve these records as it
is to serve a delegation.

Mark

In message 2fa4ed65dac044849aa3f57fbcfe2...@sb.litts.net, Timothe Litt writes:
 Yes, the example.us zone loads.  As I mentioned, no errors in named.log, and
 the statistics webserver (in named) shows example.us as active, albeit with
 '-' for the serial number instead of the number in the zone file.
  
 How did you get a DNAME into .com? 
 
 I did make example.us a zone - it is one, isn't it?  If the DNAME has to go
 in .us, I don't see making this scheme work.  As a practical matter,
 registrars will put NS records into the TLDs, and some (with encouragement)
 are starting to accept DNSSEC records for the TLDs).  But I've yet to see
 one that provides a means for a registrant to have a DNAME inserted...
 Unless I'm missing something.  Did you actually manage to do this, or is
 your setup working in third+-level domains?
  
 I was hoping/expecting that since my server is the authoritative server for
 example.us, the DNAME could go in the example.us zone.  I expected that
 when, as the authoritative server, it was asked for foo.example.us, it would
 respond with foo.example.net.  But the RFC wasn't clear, which is why I
 asked.
  
 thanks.
 
 -
 This communication may not represent my employer's views,
 if any, on the matters discussed.
   
 
  
 
 
 From: Jon F. [mailto:pikel@gmail.com] 
 Sent: Thursday, June 30, 2011 16:11
 To: Timothe Litt
 Cc: bind-users@lists.isc.org
 Subject: Re: DNAME?
 
 
 I have a similar set up to that and it works. Have you checked the logs to
 make sure the zone properly loaded? I'm assuming the zone data you posted
 below is from the example.us zone but your first question makes it sound
 like you put it in a separate zone. That would explain the SERVFAIL if the
 zone data never loaded but the server was authoritative. It does need to be
 in the .us.
 
 
 ;; ANSWER SECTION:
 example.com.   60  IN  DNAME   example.net.
 test.example.com. 60  IN  CNAME   test.example.net.
 test.example.net.   60  IN  A   127.0.0.1
 
 
 
 And that's with zone data like this:
 example.com.  IN NS ns1.example.net.
 example.com.   IN NS ns2.example.net.
 example.com.  IN A 10.0.0.1
 example.com. IN DNAME example.net.
 
 
 Truthfully I haven't looked at DNAMEs in a long time so I'm unsure how to
 do it fully for a domain without adding an A record as well. But what you're
 doing works, it's just not very pretty. Someone may have a better way.
 
 
 
 
 On Thu, Jun 30, 2011 at 2:01 PM, Timothe Litt l...@acm.org wrote:
 
 
 I have domain example.net in production, and have recently acquired
 example.us and example.info.
 
 For whatever reason, I want example.us to simply mirror example.net, which
 is dynamically updated (and dnssec).  And I want example.us to be zero
 maintenance. (Well, OK I know I need separate DNSSEC keys, but I don't want
 to mirror every update made in .net to .us)
 
 So, I add a zone to ns1.example.net that looks like:
 (In view internal)
    zone "example.us" {
        auto-dnssec maintain;
        type master;
        allow-transfer { key TSIG_GLOBAL_KEY; };
        file "EXAMPLE_US.DB";
        update-policy {
            grant TSIG_GLOBAL_KEY subdomain example.us. ANY;
        };
    };
 
 $ORIGIN .
 $TTL 600        ; 10 minutes
 example.us.     IN SOA   ns1.example.net. examplenetadmin.example.net. (
                          2011063001 ; serial
                          172800     ; refresh (2 days)
                          600        ; retry (10 minutes)
                          2419200    ; expire (4 weeks)
                          600        ; minimum (10 minutes)
                          )
 example.us.     IN DNAME example.net.
 example.us.     IN NS    ns1.example.net.
 example.us.     IN NS    ns2.example.net.
 
 I get SERVFAIL with dig if I ask about, say www.example.us @ns1.example.net
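The rule Mark states above (an apex DNAME redirects only the names below its owner, never the owner itself), as an added example that is not part of the thread and not BIND's own code: a small Python model of the RFC 6672 substitution an authoritative server performs. It uses the zone layout from the original post (example.us carrying `example.us. IN DNAME example.net.`); the apex RRset dictionary and the over-long name in the test are constructed for the example. It shows that names below the apex are rewritten without any record in .us, that the apex is answered only from the aliased zone's own records, and that a synthesized name longer than 255 octets is an error (YXDOMAIN) rather than an answer.

```python
"""DNAME substitution as an authoritative server applies it (RFC 6672).

Added example for the bind-users DNAME thread; not BIND's code.  Names are
plain strings, so no DNS library is required.
"""
from typing import Dict, List, Optional, Tuple

MAX_NAME_OCTETS = 255  # wire-format limit on a domain name (RFC 1035)


def labels(name: str) -> List[str]:
    """Split a name into lower-cased labels, ignoring a trailing root dot."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def fqdn(name: str) -> str:
    """Canonical absolute form of a name."""
    return ".".join(labels(name)) + "."


def wire_length(name: str) -> int:
    """Octets the name occupies on the wire: a length byte per label plus root."""
    return sum(len(lab) + 1 for lab in labels(name)) + 1


def dname_substitute(qname: str, owner: str, target: str) -> Optional[str]:
    """Return the CNAME target synthesized for qname, or None if DNAME does not apply.

    None covers the two cases RFC 6672 excludes: qname is the owner itself
    (apex data is served from the zone, not redirected) and qname is not
    below the owner.  A result longer than 255 octets raises, which a server
    reports as YXDOMAIN instead of answering.
    """
    q, o = labels(qname), labels(owner)
    if not o or len(q) <= len(o) or q[-len(o):] != o:
        return None
    new_name = ".".join(q[:-len(o)] + labels(target)) + "."
    if wire_length(new_name) > MAX_NAME_OCTETS:
        raise ValueError("synthesized name exceeds 255 octets (YXDOMAIN)")
    return new_name


RR = Tuple[str, str, str]  # (owner, type, rdata)


def answer(qname: str, qtype: str, zone_apex: str, dname_target: str,
           apex_rrsets: Dict[str, str]) -> List[RR]:
    """Toy authoritative answer for a zone whose apex holds a DNAME.

    The apex is answered only from apex_rrsets (an empty list is NODATA);
    anything below it gets the DNAME plus the synthesized CNAME, which is
    why the zone's own apex records still have to be kept in sync by hand.
    """
    apex = fqdn(zone_apex)
    if labels(qname) == labels(zone_apex):
        rdata = apex_rrsets.get(qtype.upper())
        return [(apex, qtype.upper(), rdata)] if rdata else []
    cname = dname_substitute(qname, zone_apex, dname_target)
    if cname is None:
        return []  # not in this zone; a real server would refuse the query
    return [(apex, "DNAME", fqdn(dname_target)), (fqdn(qname), "CNAME", cname)]
```

Because the owner name is excluded, example.us still needs its own SOA, NS, DNSKEY and any apex MX or A records, which is exactly the sync cost Mark mentions; only the names below the apex come for free, and they come from the example.us zone itself, not from .us.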

Re: DNAME?

2011-06-30 Thread Jon F.
I have a similar set up to that and it works. Have you checked the logs to
make sure the zone properly loaded? I'm assuming the zone data you posted
below is from the example.us zone but your first question makes it sound
like you put it in a separate zone. That would explain the SERVFAIL if the
zone data never loaded but the server was authoritative. It does need to be
in the .us.


;; ANSWER SECTION:
example.com.   60  IN  DNAME   example.net.
test.example.com. 60  IN  CNAME   test.example.net.
test.example.net.   60  IN  A   127.0.0.1



And that's with zone data like this:
example.com.  IN NS ns1.example.net.
example.com.   IN NS ns2.example.net.
example.com.  IN A 10.0.0.1
example.com. IN DNAME example.net.


Truthfully I haven't looked at DNAMEs in a long time so I'm unsure how to
do it fully for a domain without adding an A record as well. But what you're
doing works, it's just not very pretty. Someone may have a better way.



On Thu, Jun 30, 2011 at 2:01 PM, Timothe Litt l...@acm.org wrote:

 I have domain example.net in production, and have recently acquired
 example.us and example.info.

 For whatever reason, I want example.us to simply mirror example.net, which
 is dynamically updated (and dnssec).  And I want example.us to be zero
 maintenance. (Well, OK I know I need separate DNSSEC keys, but I don't want
 to mirror every update made in .net to .us)

 So, I add a zone to ns1.example.net that looks like:
 (In view internal)
    zone "example.us" {
        auto-dnssec maintain;
        type master;
        allow-transfer { key TSIG_GLOBAL_KEY; };
        file "EXAMPLE_US.DB";
        update-policy {
            grant TSIG_GLOBAL_KEY subdomain example.us. ANY;
        };
    };

 $ORIGIN .
 $TTL 600        ; 10 minutes
 example.us.     IN SOA   ns1.example.net. examplenetadmin.example.net. (
                          2011063001 ; serial
                          172800     ; refresh (2 days)
                          600        ; retry (10 minutes)
                          2419200    ; expire (4 weeks)
                          600        ; minimum (10 minutes)
                          )
 example.us.     IN DNAME example.net.
 example.us.     IN NS    ns1.example.net.
 example.us.     IN NS    ns2.example.net.

 I get SERVFAIL with dig if I ask about, say www.example.us @
 ns1.example.net
 (www.example.net does exist).

 I see nothing in the named.log, except the trace 99 /notrace commands
 bracketing the dig, and if I turn on querylog:
 client ns1 IP#33256: view internal: query: www.example.us IN A + (ns1
 IP).

 If I look at the named statistics channel, I see that example.us is being
 served, but the zone serial is '-', not '2011063001'.

 Questions:
    o Am I confused about DNAME placement - would it have to go in .US?
      If so, is this possible?  (I don't mean technically possible - I mean
      practically - e.g. thru a registrar such as godaddy, enom, etc).  If not,
      what explains the SERVFAIL?
    o Why is '-' reported for the zone serial?
    o I understand that DNAME and MX don't play well together (DNAME is
      essentially CNAME, and MX doesn't allow CNAMEs).  I suspect I'd have to
      live with that - unless there are wiser heads?
    o Is there a better approach?  (Assume that I'll also want to do the
      same thing to example.info...)

 Thanks.

 -
 This communication may not represent my employer's views,
 if any, on the matters discussed.






-- 
Jonathan French
pikel@gmail.com

Re: DNAME?

2011-06-30 Thread Mark Andrews

In message BANLkTim=maau1y+xh7yzibmrznvx30z...@mail.gmail.com, Jon F. writes:
 I have a similar set up to that and it works. Have you checked the logs to
 make sure the zone properly loaded? I'm assuming the zone data you posted
 below is from the example.us zone but your first question makes it sound
 like you put it in a separate zone. That would explain the SERVFAIL if the
 zone data never loaded but the server was authoritative. It does need to be
 in the .us.
 
 
 ;; ANSWER SECTION:
 example.com.   60  IN  DNAME   example.net.
 test.example.com. 60  IN  CNAME   test.example.net.
 test.example.net.   60  IN  A   127.0.0.1
 
 
 
 And that's with zone data like this:
 example.com.  IN NS ns1.example.net.
 example.com.   IN NS ns2.example.net.
 example.com.  IN A 10.0.0.1
 example.com. IN DNAME example.net.
 
 
 Truthfully I haven't looked at DNAMEs in a long time so I'm unsure how to
 do it fully for a domain without adding an A record as well. But what you're
 doing works, it's just not very pretty. Someone may have a better way.

There is an outstanding proposal for BNAME.  This would be added
to the parent zone instead of NS records and would synthesize CNAME
records for the domain and its children.

This has got bogged down in IETF politics over how to fix IDN rather
than be allowed to stand on its own merits.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: DNAME?

2011-06-30 Thread Jon F.
You know I was thinking and I guess the original poster could actually do
the zone mimicking by just adding the .us zone statement to named.conf but
point it to the same zone name as the already built zone. In the zone, just
use the @ instead of pointing to an actual name. Then it can be read for any
domain pointing to that file. I haven't tried that but it should work in
theory I suppose. Certainly easier than playing with DNAMEs. I haven't
heard of a BNAME though, news to me.



On Thu, Jun 30, 2011 at 7:58 PM, Mark Andrews ma...@isc.org wrote:


 In message BANLkTim=maau1y+xh7yzibmrznvx30z...@mail.gmail.com, Jon F. writes:
  I have a similar set up to that and it works. Have you checked the logs
 to
  make sure the zone properly loaded? I'm assuming the zone data you posted
  below is from the example.us zone but your first question makes it sound
  like you put it in a separate zone. That would explain the SERVFAIL if
 the
  zone data never loaded but the server was authoritative. It does need to
 be
  in the .us.
 
 
  ;; ANSWER SECTION:
  example.com.   60  IN  DNAME   example.net.
  test.example.com. 60  IN  CNAME   test.example.net.
  test.example.net.   60  IN  A   127.0.0.1
 
 
 
  And that's with zone data like this:
  example.com.  IN NS ns1.example.net.
  example.com.   IN NS ns2.example.net.
  example.com.  IN A 10.0.0.1
  example.com. IN DNAME example.net.
 
 
  Truthfully I haven't looked at DNAMEs in a long time so I'm unsure how
  to do it fully for a domain without adding an A record as well. But what
  you're doing works, it's just not very pretty. Someone may have a better way.

 There is an outstanding proposal for BNAME.  This would be added
 to the parent zone instead of NS records and would synthesize CNAME
 records for the domain and its children.

 This has got bogged down in IETF politics over how to fix IDN rather
 than be allowed to stand on its own merits.

 Mark
 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org




-- 
Jonathan French
pikel@gmail.com

Re: DNAME?

2011-06-30 Thread Mark Andrews

In message banlktimxqxzfurpp9jggga9xvhsb72k...@mail.gmail.com, Jon F. writes:
 You know I was thinking and I guess the original poster could actually do
 the zone mimicking by just adding the .us zone statement to named.conf but
 point it to the same zone name as the already built zone. In the zone, just
 use the @ instead of pointing to an actual name. Then it can be read for any
 domain pointing to that file. I haven't tried that but it should work in
 theory I suppose. Certainly easier than playing with DNAMEs.

That doesn't work for signed zones.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: DNAME?

2011-06-30 Thread Jon F.
Ah. Good point. My bad.

On Thu, Jun 30, 2011 at 8:42 PM, Mark Andrews ma...@isc.org wrote:


 In message banlktimxqxzfurpp9jggga9xvhsb72k...@mail.gmail.com, Jon F. writes:
  You know I was thinking and I guess the original poster could actually do
  the zone mimicking by just adding the .us zone statement to named.conf
 but
  point it to the same zone name as the already built zone. In the zone,
 just
  use the @ instead of pointing to an actual name. Then it can be read for
 any
  domain pointing to that file. I haven't tried that but it should work in
  theory I suppose. Certainly easier than playing with DNAMEs.

 That doesn't work for signed zones.

 Mark
 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org




-- 
Jonathan French
pikel@gmail.com