So PDNS is reporting these CNAMEs as errors/being out of zone

root@nspower:~# pdnsutil check-zone icfd3.org
Dec 05 09:42:24 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
[Error] Record 'enterpriseenrollment.icdf3.org IN CNAME enterpriseenrollment.manage.microsoft.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'enterpriseregistration.icdf3.org IN CNAME enterpriseregistration.windows.net' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'lyncdiscover.icdf3.org IN CNAME webdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'selector1._domainkey.icdf3.org IN CNAME selector1-icfd3-org._domainkey.SouthWhidbeyFE.onmicrosoft.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'selector2._domainkey.icdf3.org IN CNAME selector2-icfd3-org._domainkey.SouthWhidbeyFE.onmicrosoft.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'sip.icdf3.org IN CNAME sipdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record '_sip._tls.icdf3.org IN SRV 100 1 443 sipdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record '_sipfederationtls._tcp.icdf3.org IN SRV 100 1 5061 sipfed.online.lync.com' in zone 'icfd3.org' is out-of-zone.
Checked 31 records of 'icfd3.org', 8 errors, 0 warnings.

So how do I tell PDNS to allow out-of-zone CNAME (and SRV) records?

From: Pdns-users <pdns-users-boun...@mailman.powerdns.com> on behalf of Markus Ehrlicher via Pdns-users <pdns-users@mailman.powerdns.com>
Date: Monday, December 5, 2022 at 3:36 AM
To: 'pdns-users@mailman.powerdns.com' <pdns-users@mailman.powerdns.com>
Subject: Re: [Pdns-users] CNAME Resoluion

Hello,

what does „pdnsutil check-zone icfd3.org“ on the Master say?

best regards,
Markus

From: Pdns-users <pdns-users-boun...@mailman.powerdns.com> on behalf of Tony Annese via Pdns-users
Sent: Monday, December 5, 2022 12:20
To: pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] CNAME Resoluion

Those were wildcard entries for the whole domain icfd3.org. I’ve removed those and get the same behavior. It also doesn’t explain why barracuda058130353572.icfd3.org does resolve.

PDNS is my master server and ns.whidbey.net/ns.whidbey.com are my slaves. I just added testing.icfd3.org and it was pushed out to the 2 slaves but the CNAME for sip.icfd3.org isn’t even being pushed out to the slaves.

From: Brian Candler <b.cand...@pobox.com>
Date: Sunday, December 4, 2022 at 11:20 PM
To: Tony Annese <tony.ann...@whidbeytel.com>, pdns-users@mailman.powerdns.com <pdns-users@mailman.powerdns.com>
Subject: Re: [Pdns-users] CNAME Resoluion

On 05/12/2022 05:03, Tony Annese via Pdns-users wrote:
> Here is the unobfuscated data.

Thank you, because that now makes it possible to help you:

$ dig +norec @ns.whidbey.net. sip.icfd3.org. any
...
;; ANSWER SECTION:
sip.icfd3.org. 3600 IN TXT "v=spf1 mx include:ess.barracudanetworks.com include:spf.protection.outlook.com ~all"
sip.icfd3.org. 3600 IN MX 0 d227914a.ess.barracudanetworks.com.
sip.icfd3.org. 3600 IN MX 10 d227914b.ess.barracudanetworks.com.

You cannot have other resource records alongside a CNAME. That's a requirement of the DNS, not of Powerdns specifically.

You should put A/AAAA records there. Or if you want to avoid the duplication of information, you can look into ALIAS records which do this for you.

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
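
An added example, not code from the thread or from PowerDNS: a Python linter for the two conditions that come up above, an owner name that is not at or below the zone apex, and a CNAME that shares its owner name with other record types. The function names are hypothetical, and the sample records are constructed from names that appear in the thread.

```python
from collections import defaultdict

# DNSSEC records that are permitted at the same owner name as a CNAME.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def in_zone(owner, zone):
    """True if owner is the zone apex or a name below it (label-aligned)."""
    owner, zone = normalize(owner), normalize(zone)
    return owner == zone or owner.endswith("." + zone)


def lint_zone(zone, records):
    """records: iterable of (owner, rtype, rdata). Returns [(owner, problem)]."""
    findings = []
    types_at = defaultdict(set)
    for owner, rtype, _rdata in records:
        if not in_zone(owner, zone):
            findings.append((normalize(owner), "out-of-zone"))
            continue
        types_at[normalize(owner)].add(rtype.upper())
    for owner, types in sorted(types_at.items()):
        extra = types - ALLOWED_WITH_CNAME
        if "CNAME" in types and extra:
            findings.append((owner, "CNAME alongside " + ",".join(sorted(extra))))
    return findings


# Constructed sample, modelled on names seen in the thread (assumption: this
# is not the poster's real zone file).
SAMPLE_ZONE = "icfd3.org"
SAMPLE_RECORDS = [
    ("icfd3.org", "MX", "0 d227914a.ess.barracudanetworks.com."),
    ("sip.icdf3.org", "CNAME", "sipdir.online.lync.com."),  # owner as printed by check-zone
    ("sip.icfd3.org", "CNAME", "sipdir.online.lync.com."),
    ("sip.icfd3.org", "TXT", "v=spf1 mx ~all"),
    ("sip.icfd3.org", "MX", "10 d227914b.ess.barracudanetworks.com."),
    ("testing.icfd3.org", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    for owner, problem in lint_zone(SAMPLE_ZONE, SAMPLE_RECORDS):
        print(f"{owner}: {problem}")
```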