Re: why one shouldn't use relative hostnames

2010-11-11 Thread lst_hoe02

Zitat von Maria Iano bind-li...@iano.org:

We are working with a software vendor whose software only works with  
relative hostnames - they say it can't cope with a fully-qualified  
domain name. They want us to make sure the necessary domain is in  
all clients' search lists. Does anyone have any good references for  
me to explanations of why this is a very bad thing. I would find  
quick access to thoughtful well-phrased arguments very useful right  
now.


Basically it's like sending a letter addressed only to a name, without an address, and  
hoping the postal service will do the right thing.


Regards

Andreas


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Could DNS help solve this?

2010-11-11 Thread Sten Carlsen
Hi

Yes, I do use whois, my problem is which of the many dozens of whois
servers to ask.

E.g. if you want to know who owns telephone.com(random example), do you
ask whois.moniker.com, whois.markmonitor.com, whois.enum.com or ???.

If you don't know who to ask, it can take maybe 20 attempts before you
find a whois server that gives some helpful info. In some cases looking
at the NS records helps.

Somebody put up the whois.uwhois.net, but that rarely gives an answer.

How do you determine where to ask?


On 11/11/10 4:07, Ian Manners wrote:
 Hi Sten,

 With the growing number of registrars of e.g. .com domains, it becomes
 difficult or even almost impossible to figure out which whois server you
 should ask for information about a domain name.
 Use Whois (first under the 'Other software:' heading) from
 the command prompt.

 http://www.linux.it/~md/software/

 Even compiles ok under OS/2.

 Cheers
 Ian Manners
 http://www.os2site.com/


-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   MALE BOVINE MANURE!!! 


Re: Could DNS help solve this?

2010-11-11 Thread Torsten
Ian was probably talking about jwhois, which is part of almost all Linux
distributions.
This whois client automagically selects the correct whois server for
you. It comes with a configuration file with lots of known tld = whois
server pairs. For .com/.net domains it selects the whois server by
first asking whois.internic.net. 

Maybe you should give it a try


Ciao
Torsten


Am Thu, 11 Nov 2010 09:59:25 +0100
schrieb Sten Carlsen st...@s-carlsen.dk:

 Hi
 
 Yes, I do use whois, my problem is which of the many dozens of whois
 servers to ask.
 
 E.g. if you want to know who owns telephone.com(random example), do
 you ask whois.moniker.com, whois.markmonitor.com, whois.enum.com
 or ???.
 
 If you don't know who to ask, it can take maybe 20 attempts before you
 find a whois server that gives some helpful info. In some cases looking
 at the NS records helps.
 
 Somebody put up the whois.uwhois.net, but that rarely gives an answer.
 
 How do you determine where to ask?
 
 
 On 11/11/10 4:07, Ian Manners wrote:
  Hi Sten,
 
  With the growing number of registrars of e.g. .com domains, it
  becomes difficult or even almost impossible to figure out which
  whois server you should ask for information about a domain name.
  Use Whois (first under the 'Other software:' heading) from
  the command prompt.
 
  http://www.linux.it/~md/software/
 
  Even compiles ok under OS/2.
 
  Cheers
  Ian Manners
  http://www.os2site.com/
 
 


Re: BIND View Option

2010-11-11 Thread J. Thomsen

If your main concern is resource consumption, maybe you should focus on 
developing some clever algorithm by which named could keep track of 
multiple references to the same data, without actually having to make 
separate copies of the data. Kind of a specialized compression 
algorithm. But, all of that could be done behind the scenes without 
introducing a new layer of configuration complexity.


Well, there is a simple well-known solution without thinking in duplicates. 
That solution is called searching for the data.
It is even already partly implemented as views are searched for, so that concept is known 
within bind, except that currently the search stops at the first matching view.

For finding a zone no extra configuration is needed, as currently several matching views 
must be considered a configuration error.

For finding a missing resource record a single parameter may be needed to allow searches 
to continue after the zone has been found. 

It is conceptually very simple and backwards compatible.

If used, this may have performance implications, but what doesn't have that.
 
- Jørgen Thomsen


Re: why one shouldn't use relative hostnames

2010-11-11 Thread Stacey Jonathan Marshall
Additionally, a wildcard record in one of the searched domains would 
cause a false positive to be returned, causing an outage to the 
service/services.  And if you're not in control of the zone or the search 
order, it could be difficult to rectify.


-Stacey

On 11/11/2010 00:30, Kevin Darcy wrote:

On 11/10/2010 1:19 PM, Maria Iano wrote:
We are working with a software vendor whose software only works with 
relative hostnames - they say it can't cope with a fully-qualified 
domain name. They want us to make sure the necessary domain is in all 
clients' search lists. Does anyone have any good references for me to 
explanations of why this is a very bad thing. I would find quick 
access to thoughtful well-phrased arguments very useful right now.



I've looked for such a thing from time to time, with no success.

Maybe I need to compose something like that.

Main reasons for not using shortnames:
a) Security. The problem cited way back in RFC 1535 still exists, in a 
slightly different form, with respect to shortnames, i.e. they're 
ambiguous and can cause names to resolve unexpectedly, thus causing 
connections to be made to unexpected hosts, which might not be 
trusted. E.g. we have multiple DNS names with the first label of 
mailroom, one could potentially connect to the wrong mailroom 
server, depending on the (somewhat arbitrary) ordering of one's 
searchlist. A less-trusted mailroom server could trojan the 
more-trusted one.
b) Capacity and performance (specifically, query latency). Each 
searchlist element magnifies query volume, and increases query latency 
for all queries which don't happen to resolve with the first element 
in the searchlist. Names which don't resolve at all (typos, obsolete 
references, etc.) exhaust the *entire* searchlist, which has maximum 
latency to the invoking application, and uses maximum 
nameservice-infrastructure, network, logging and/or server resources.
c) Undesired dependencies and co-ordination challenges. Shortname 
resolution depends on the precise configuration of searchlists, but in 
many organizations the DNS infrastructure experts are not in the same 
department as those who control the configuration of searchlists 
(which are often client OS experts rather than in the server or 
networking areas), so there can be co-ordination challenges between 
the departments. When using FQDNs, searchlists are unnecessary and 
therefore the dependencies and co-ordination challenges are minimized.
d) Inconsistency between internal and Internet environments; 
future-proofing. Shortnames are, by and large, not used on the 
Internet, because of the foregoing reasons, writ large because of the 
sheer scale and diversity of the Internet and its DNS namespace. If 
shortnames are used on an internal network, there is an inconsistency 
between the two environments, internal and Internet, which may 
cause confusion and interoperability challenges, should a particular 
function or subsystem be out-hosted and/or attached to an 
Internet-accessible cloud at some point in the future. Under this 
heading, it should be noted that some Internet-oriented technologies 
absolutely require FQDNs as part of their formal specification. To my 
knowledge, no formal specifications (other than WINS/NETBIOS perhaps) 
require shortnames. Therefore, to be most flexible and accommodating 
to changing technologies and environments, it is best to use the 
naming format -- FQDNs -- which is most likely to be compatible and 
interoperable going forward.



- Kevin





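The ambiguity Kevin and Stacey describe can be reproduced without a nameserver. What follows is an added example, not code from the thread or from BIND: a toy stub resolver over a constructed in-memory set of zones (corp.example and partner.example, with hosts and addresses that are all made up). It shows the same short name landing on a different "mailroom" depending on search-list order, a wildcard in a searched domain turning a typo into a false positive, a name that exists nowhere costing one query per search element, and a trailing-dot FQDN bypassing the search list entirely. The wildcard handling is a simplification assumed by the toy (any name under a zone without a record of its own matches that zone's "*"), not BIND's exact synthesis rules.

```python
"""Search-list ambiguity, simulated.

Added example (not from the bind-users thread).  A toy stub resolver over a
constructed in-memory set of zones; every zone name, host and address here is
made up.  Wildcard handling is deliberately simple: any name under a zone that
has no exact record matches the zone's "*" record.
"""
from __future__ import annotations

from typing import Optional

# Constructed data: absolute owner name (no trailing dot) -> IPv4 address.
ZONES: dict[str, dict[str, str]] = {
    "corp.example": {
        "mailroom.corp.example": "10.1.0.25",
        "intranet.corp.example": "10.1.0.80",
    },
    "partner.example": {
        "mailroom.partner.example": "198.51.100.25",  # a second, less-trusted "mailroom"
        "*.partner.example": "198.51.100.99",         # wildcard answers any absent name
    },
}

NDOTS = 1  # as in resolv.conf "options ndots:1"


def lookup(fqdn: str) -> Optional[str]:
    """Answer one absolute name from ZONES, synthesising from a wildcard if
    the zone has one and the name has no record of its own."""
    fqdn = fqdn.rstrip(".")
    for zone, rrs in ZONES.items():
        if fqdn == zone or fqdn.endswith("." + zone):
            if fqdn in rrs:
                return rrs[fqdn]
            return rrs.get("*." + zone) if fqdn != zone else None
    return None  # no zone we know about: NXDOMAIN


def resolve(name: str, search: list[str]) -> tuple[Optional[str], list[str]]:
    """Stub-resolver behaviour.  Returns (address or None, names queried).

    A name with a trailing dot is absolute and never goes through the search
    list.  Otherwise, with fewer than NDOTS dots, the search-list candidates
    are tried first and the literal name last; with NDOTS or more dots the
    literal name is tried first."""
    if name.endswith("."):
        return lookup(name), [name]
    candidates = [f"{name}.{domain}" for domain in search]
    if name.count(".") >= NDOTS:
        candidates.insert(0, name)
    else:
        candidates.append(name)
    queried: list[str] = []
    for cand in candidates:
        queried.append(cand)
        addr = lookup(cand)
        if addr is not None:
            return addr, queried
    return None, queried


def demo() -> dict[str, object]:
    """The failure modes from the thread, one per key."""
    return {
        # (a) the same short name reaches a different host depending on search order
        "mailroom_corp_first": resolve("mailroom", ["corp.example", "partner.example"])[0],
        "mailroom_partner_first": resolve("mailroom", ["partner.example", "corp.example"])[0],
        # a wildcard in a searched domain turns a typo into a "successful" answer
        "typo_intranett": resolve("intranett", ["corp.example", "partner.example"])[0],
        # (b) a name that exists nowhere costs one query per search element, plus the literal
        "nxdomain_query_count": len(resolve("nosuchhost", ["a.example", "b.example", "c.example"])[1]),
        # an FQDN with a trailing dot: one query, no ambiguity, search order irrelevant
        "fqdn": resolve("mailroom.corp.example.", ["partner.example", "corp.example"]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Swapping the two search-list entries is all it takes to send "mailroom" to the partner's host, and the partner's wildcard means a misspelt internal name gets an answer instead of an error; neither can happen to a name written with its trailing dot.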


RES: BIND View Option

2010-11-11 Thread Stéphanas Schaden
Hi all,

Could any one give me an example of this configuration using
$include ?

What would be the content of the include file ?

Thank you very much.

Stéphanas Schaden
stephan...@ctbc.com.br
Uberlândia - MG - Brazil

-Mensagem original-
De: bind-users-bounces+stephanass=ctbc.com...@lists.isc.org
[mailto:bind-users-bounces+stephanass=ctbc.com...@lists.isc.org] Em nome de
Barry Margolin
Enviada em: quarta-feira, 10 de novembro de 2010 23:14
Para: comp-protocols-dns-b...@isc.org
Assunto: Re: BIND View Option

In article mailman.695.1289418925.555.bind-us...@lists.isc.org,
 Stéphanas Schaden stephan...@ctbc.com.br wrote:

 Hi all,
 
  
 
 we are in a situation here in our company that is: we need to send an 
 internal IP address in an answer to a query when the source is a specific IP.
 So we created a new view and put the source address of this IP in it and 
 configured the internal zone file on this view, and this is working well.
 But this same source address must resolve all the other entries that 
 exist today on this same zone using the external IPs. We would not 
 like to replicate all the entries of the external zone file to the 
 internal zone file because in this model every time that we change 
 an entry on the external zone file we will have to configure this same 
 entry in the internal zone file.
 
 Is there a way or option to configure bind to do the following logic: 
 if bind didn't find an entry in view 1 (internal view) it will 
 search for this entry in view 2 (external view)?

This is a perfect use for $INCLUDE.  Put all the common entries in one file,
and put

$INCLUDE myzone.common.db

in the internal and external zone files.

Memory is cheap.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***



Re: Could DNS help solve this?

2010-11-11 Thread Robert Spangler
On Thursday 11 November 2010 03:59, Sten Carlsen wrote:

  Yes, I do use whois, my problem is which of the many dozens of whois
  servers to ask.

  E.g. if you want to know who owns telephone.com(random example), do you
  ask whois.moniker.com, whois.markmonitor.com, whois.enum.com or ???.

Why make things so difficult?  How about a simple 'whois domain'?  That 
should get you the information you are looking for.

  If you don't know who to ask, it can take maybe 20 attempts before you
  find a whois server that gives some helpful info. In some cases looking
  at the NS records helps.

If the domain is registered properly then the above will get you your answer 
on the first attempt.

  Somebody put up the whois.uwhois.net, but that rarely gives an answer.

Then logic would tell you not to use this server.

  How do you determine where to ask?

I don't, I allow whois to do that for me.

Using your example:

whois telephone.com
[Querying whois.verisign-grs.com]
[Redirected to whois.tucows.com]
[Querying whois.tucows.com]
[whois.tucows.com]

Please provide a real world example where you cannot get the whois 
information.


-- 

Regards
Robert

Linux
The adventure of a life time.

Linux User #296285
Get Counted
http://counter.li.org/


Re: Could DNS help solve this?

2010-11-11 Thread Ian Manners
Hi Sten,

Yes, I do use whois, my problem is which of the many dozens of whois
servers to ask.

Apologies, sometimes I can be a bit short in my answers.

 http://www.linux.it/~md/software/

The whois command line utility I pointed you to comes with
a lot of Linux distros, and it tries a variety of domain information
sources to return the whois information for a domain or IP address.
i.e., it does what you want. 

E.g. if you want to know who owns telephone.com(random example), do you
ask whois.moniker.com, whois.markmonitor.com, whois.enum.com or ???.

the 'whois' commandline utility tells me Registrar, Admin contact, Tech
contact, DNS servers, Domain Status etc.

Cheers
Ian Manners



Rules against links or certain links?

2010-11-11 Thread Lightner, Jeff
I've noticed a couple of times on this list that if I post links for
certain online sites with free tools like whois, they never seem to
make it to the list.

 

Is there some prohibition against posting those links that would cause
them to be filtered out?  I know at least one of them also has pay
services but it does provide free services including whois.  Today I
specifically didn't post that one but another one that (so far as I
know) is all free yet it hasn't appeared here either.

 


__

Jeff Lightner | UNIX/Linux Administrator | DS Waters of America, Inc |
5660 New Northside Drive, Ste 250 | Atlanta, GA 30328 
Direct Dial: 770-486-3516 | Cell: 678-772-0018 |
jlight...@water.com
 
Proud partner. Susan G. Komen for the Cure.
 
Please consider our environment before printing this e-mail or attachments.
--
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential 
information and is for the sole use of the intended recipient(s). If you are 
not the intended recipient, any disclosure, copying, distribution, or use of 
the contents of this information is prohibited and may be unlawful. If you have 
received this electronic transmission in error, please reply immediately to the 
sender that you have received the message in error, and delete it. Thank you.
--

Re: Rules against links or certain links?

2010-11-11 Thread Torsten
Do you refer to this posting?

Am Thu, 11 Nov 2010 07:35:51 -0500
schrieb Lightner, Jeff jlight...@water.com:

 +2 on this - I use the Linux based whois every time I need to search a
 domain.   Also there are some web sites that you can use for this
 general kind of search such as:
 http://www.iptools.com/



Ciao
Torsten



Am Thu, 11 Nov 2010 09:07:19 -0500
schrieb Lightner, Jeff jlight...@water.com:

 I've noticed a couple of times on this list that if I post links for
 certain on line sites with free tools like whois that they never seem
 to make it to the list.
 
  
 
 Is there some prohibition against posting those links that would cause
 them to be filtered out?  I know at least one of them also has pay
 services but it does provide free services including whois.  Today I
 specifically didn't post that one but another one that (so far as I
 know) is all free yet it hasn't appeared here either.
 
  
 
 


RE: Rules against links or certain links?

2010-11-11 Thread Lightner, Jeff
D'oh - I realize now that the reply ONLY went to you and not to the
list.  

Trying to send it to list with this reply.

-Original Message-
From: Lightner, Jeff 
Sent: Thursday, November 11, 2010 9:21 AM
To: 'Torsten'
Subject: RE: Rules against links or certain links?

Yes.  

I think you got it because I did a reply to your email so it included
your address not just the bind address.   So far as I can tell it never
appeared in the list.

However, the one where I asked the question about links appeared in the
list (i.e. sent email back to me from bind list) almost immediately.

-Original Message-
From: Torsten [mailto:t...@the-damian.de] 
Sent: Thursday, November 11, 2010 9:13 AM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: Re: Rules against links or certain links?

Do you refer to this posting?

Am Thu, 11 Nov 2010 07:35:51 -0500
schrieb Lightner, Jeff jlight...@water.com:

 +2 on this - I use the Linux based whois every time I need to search a
 domain.   Also there are some web sites that you can use for this
 general kind of search such as:
 http://www.iptools.com/



Ciao
Torsten





Re: BIND View Option

2010-11-11 Thread Kevin Darcy

On 11/11/2010 7:55 AM, J. Thomsen wrote:

If your main concern is resource consumption, maybe you should focus on
developing some clever algorithm by which named could keep track of
multiple references to the same data, without actually having to make
separate copies of the data. Kind of a specialized compression
algorithm. But, all of that could be done behind the scenes without
introducing a new layer of configuration complexity.


Well, there is a simple well-known solution without thinking in duplicates.
That solution is called searching for the data.
It is even already partly implemented as views are searched for, so that concept is known 
within bind, except that currently the search stops at the first matching view.

From a nameserver implementation and maintenance perspective, it's even 
simpler for the data to already be present in the first view that 
matches. Why complicate things more than that? Different people have 
different definitions of what not found means, so you're never going 
to get a solid consensus on when searches should stop, and when they 
should keep on going to the next view.


If by not found you mean anything and/or everything that a stub 
resolver would pass back to its invoker without an answer, then that 
includes not only NXDOMAIN, but also NODATA, referrals, CNAME-only 
responses, etc. Should *all* of those results cause this searching 
algorithm to continue to the next view? You're opening up a huge can of 
worms there. You're going to have to carefully consider each one of the 
cases to see if it does or does not qualify as a _bona_fide_ not found.


There might be DNSSEC-validation repercussions too, but I'll let others 
who are more versed in such things speak to those.



- Kevin





Re: BIND View Option

2010-11-11 Thread J. Thomsen
From a nameserver implementation and maintenance perspective, it's even 
simpler for the data to already be present in the first view that 
matches. Why complicate things more than that? 

Because there is a need for it, especially in large installations with a large 
number of zones.

Different people have 
different definitions of what not found means, so you're never going 
to get a solid consensus on when searches should stop, and when they 
should keep on going to the next view.

At the zone level, which is what we need, there cannot be any doubt.
Once a zonefile of the zone is found, the searching stops.

If by not found you mean anything and/or everything that a stub 
resolver would pass back to its invoker without an answer, then that 
includes not only NXDOMAIN, but also NODATA, referrals, CNAME-only 
responses, etc. Should *all* of those results cause this searching 
algorithm to continue to the next view?

At the record level there might be different opinions, but basically my opinion 
is that a response should be returned as soon as it can be, based on data/rules 
positively found. Absent data would then only be covered by a NXDOMAIN rule when 
the search is exhausted without anything found.

I do not see any big can of worms here.

- Jørgen Thomsen





Re: BIND View Option

2010-11-11 Thread Kevin Darcy

On 11/11/2010 1:22 PM, J. Thomsen wrote:

From a nameserver implementation and maintenance perspective, it's even
simpler for the data to already be present in the first view that
matches. Why complicate things more than that?

Because there is a need for it, especially in large installations with a large 
number of zones.


Different people have
different definitions of what not found means, so you're never going
to get a solid consensus on when searches should stop, and when they
should keep on going to the next view.

At the zone level, which is what we need, there cannot be any doubt.

Yes, but the fallacy there is that records and zones are somehow 
inseparable. You can't know what the closest-enclosing-zone for a given 
QNAME is, until you search for that particular RRset within the 
namespace hierarchy. And in the course of that search, one may encounter 
CNAMEs, DNAMEs, wildcards, referrals, etc. before you can even determine 
what zone is ultimately involved.



Just because you can't see the can of worms doesn't mean it isn't there.


- Kevin




Re: RES: BIND View Option

2010-11-11 Thread Barry Margolin
In article mailman.722.1289487596.555.bind-us...@lists.isc.org,
 Stacey Jonathan Marshall stacey.marsh...@oracle.com wrote:

 On 11/11/2010 13:57, Stéphanas Schaden wrote:
  Hi all,
 
  Could any one give me an example of this configuration using
  $include ?
 
  What would be the content of the include file ?
 
 Anything that is allowed in named.conf at the point the included 
 statement is used.

He doesn't need include in the named.conf file, he needs $INCLUDE in the 
zone file.

myzone.internal.db:
-
$INCLUDE myzone.common.db

specialhost IN A 1.1.1.1
-

myzone.external.db:
-
$INCLUDE myzone.common.db

specialhost IN A 2.2.2.2
-

myzone.common.db:
-
@ IN SOA ...
  IN NS ...

host1 IN A 10.1.2.3
host2 IN A 10.4.5.6
.
.
.
-

Then in your named.conf file you configure an internal view that uses 
myzone.internal.db, and an external view that uses myzone.external.db.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
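To see what each view actually ends up serving once the $INCLUDE is expanded, here is an added example that is not part of the thread and not BIND's own code: a minimal expander for zone files that use $INCLUDE (handling only the directives and single-line records used here), followed by a comparison of the internal and external views and a check for RFC 1918 addresses that the external view would publish. The file names follow Barry's example; the contents are constructed strings, with specialhost given the documentation addresses 10.1.1.1 and 203.0.113.1 in place of 1.1.1.1/2.2.2.2, and host1/host2 keeping the 10.x addresses from Barry's common file. The check flags exactly those two hosts, which is the caveat with this layout: whatever goes into the common file is published by every view that includes it, so private addresses belong in the internal file, not the shared one.

```python
"""$INCLUDE expansion and split-horizon view comparison.

Added example, not code from the thread or from BIND.  Expands zone files that
use $INCLUDE, then compares the records the internal and external views would
serve.  File contents are constructed strings; file names follow Barry
Margolin's example.  Only the syntax used below is handled: $TTL, $INCLUDE,
";" comments, and single-line records with an optional leading owner and an
optional IN class (no $ORIGIN, $GENERATE, TTL fields or parenthesised records).
"""
from __future__ import annotations

import ipaddress

FILES: dict[str, str] = {
    "myzone.common.db": """\
$TTL 3600
@       IN SOA  ns1.myzone.example. hostmaster.myzone.example. 2010111101 3600 900 1209600 300
        IN NS   ns1.myzone.example.
host1   IN A    10.1.2.3    ; as in the thread's example: private addresses in the common file
host2   IN A    10.4.5.6
""",
    "myzone.internal.db": """\
$INCLUDE myzone.common.db

specialhost IN A 10.1.1.1
""",
    "myzone.external.db": """\
$INCLUDE myzone.common.db

specialhost IN A 203.0.113.1
""",
}


def expand(filename: str, files: dict[str, str], depth: int = 0) -> list[str]:
    """Lines of `filename` with each $INCLUDE replaced by the included file's
    lines, recursively.  Comments and blank lines dropped.  Depth-limited so a
    file that includes itself raises instead of looping."""
    if depth > 8:
        raise RecursionError(f"$INCLUDE nesting too deep in {filename}")
    out: list[str] = []
    for raw in files[filename].splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        if line.startswith("$INCLUDE"):
            out.extend(expand(line.split()[1], files, depth + 1))
        else:
            out.append(line)
    return out


def records(filename: str, files: dict[str, str]) -> dict[tuple[str, str], set[str]]:
    """(owner, type) -> set of rdata strings for the expanded file.  A line
    that starts with whitespace inherits the previous owner, as in a zone file."""
    rrs: dict[tuple[str, str], set[str]] = {}
    owner = "@"
    for line in expand(filename, files):
        if line.startswith("$"):  # $TTL and similar directives carry no record
            continue
        fields = line.split()
        if not line[0].isspace():
            owner = fields.pop(0)
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        rrs.setdefault((owner, rtype), set()).add(rdata)
    return rrs


RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def view_diff(internal: dict[tuple[str, str], set[str]],
              external: dict[tuple[str, str], set[str]]) -> dict[str, list]:
    """Where the two views diverge, plus every A record the external view
    would publish with an RFC 1918 address (a split-horizon leak)."""
    return {
        "only_internal": sorted(k for k in internal if k not in external),
        "only_external": sorted(k for k in external if k not in internal),
        "differing": sorted(k for k in internal if k in external and internal[k] != external[k]),
        "external_rfc1918": sorted(
            (owner, addr)
            for (owner, rtype), rdatas in external.items() if rtype == "A"
            for addr in rdatas
            if any(ipaddress.ip_address(addr) in net for net in RFC1918)
        ),
    }


if __name__ == "__main__":
    internal = records("myzone.internal.db", FILES)
    external = records("myzone.external.db", FILES)
    for key, value in view_diff(internal, external).items():
        print(f"{key}: {value}")
```

Run against real files, the same diff doubles as a pre-reload check: the only keys expected under "differing" are the names you deliberately split, and "external_rfc1918" should be empty before the external view goes live.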