Re: why one shouldn't use relative hostnames
Quoting Maria Iano bind-li...@iano.org:

> We are working with a software vendor whose software only works with
> relative hostnames - they say it can't cope with a fully-qualified
> domain name. They want us to make sure the necessary domain is in all
> clients' search lists.
>
> Does anyone have any good references for me to explanations of why
> this is a very bad thing. I would find quick access to thoughtful
> well-phrased arguments very useful right now.

Basically it's like sending a letter only to a name without address and hoping the postal service will do the right thing.

Regards

Andreas

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Could DNS help solve this?
Hi

Yes, I do use whois, my problem is which of the many dozens of whois servers to ask.

E.g. if you want to know who owns telephone.com (random example), do you ask whois.moniker.com, whois.markmonitor.com, whois.enum.com or ???.

If you don't know who to ask, it can take maybe 20 attempts before you find a whois server that gives some helpful info. In some cases looking at the NS records helps.

Somebody put up the whois.uwhois.net, but that rarely gives an answer.

How do you determine where to ask?

On 11/11/10 4:07, Ian Manners wrote:
> Hi Sten,
>
>> With the growing number of registrars of e.g. .com domains, it
>> becomes difficult or even almost impossible to figure out which
>> whois server you should ask for information about a domain name.
>
> Use Whois (first under the 'Other software:' heading) from the
> command prompt.
> http://www.linux.it/~md/software/
>
> Even compiles ok under OS/2.
>
> Cheers
> Ian Manners
> http://www.os2site.com/

--
Best regards
Sten Carlsen

No improvements come from shouting:
MALE BOVINE MANURE!!!
Re: Could DNS help solve this?
Ian was probably talking about jwhois which is part of almost all Linux distributions. This whois client automagically selects the correct whois server for you. It comes with a configuration file with lots of known tld = whois server pairs. For .com/.net domains it selects the whois server by first asking whois.internic.net.

Maybe you should give it a try

Ciao
Torsten

On Thu, 11 Nov 2010 09:59:25 +0100, Sten Carlsen st...@s-carlsen.dk wrote:
> Hi
>
> Yes, I do use whois, my problem is which of the many dozens of whois
> servers to ask.
>
> E.g. if you want to know who owns telephone.com (random example), do
> you ask whois.moniker.com, whois.markmonitor.com, whois.enum.com or
> ???.
>
> If you don't know who to ask, it can take maybe 20 attempts before
> you find a whois server that gives some helpful info. In some cases
> looking at the NS records helps.
>
> Somebody put up the whois.uwhois.net, but that rarely gives an answer.
>
> How do you determine where to ask?
>
> On 11/11/10 4:07, Ian Manners wrote:
>> Hi Sten,
>>
>>> With the growing number of registrars of e.g. .com domains, it
>>> becomes difficult or even almost impossible to figure out which
>>> whois server you should ask for information about a domain name.
>>
>> Use Whois (first under the 'Other software:' heading) from the
>> command prompt.
>> http://www.linux.it/~md/software/
>>
>> Even compiles ok under OS/2.
>>
>> Cheers
>> Ian Manners
>> http://www.os2site.com/
Re: BIND View Option
> If your main concern is resource consumption, maybe you should focus
> on developing some clever algorithm by which named could keep track
> of multiple references to the same data, without actually having to
> make separate copies of the data. Kind of a specialized compression
> algorithm. But, all of that could be done behind the scenes without
> introducing a new layer of configuration complexity.

Well, there is a simple well-known solution without thinking in duplicates. That solution is called searching for the data. It is even already partly implemented as views are searched for, so that concept is known within bind except that currently the search stops at the first matching view.

For finding a zone no extra configuration is needed, as currently several matching views must be considered a configuration error.

For finding a missing resource record a single parameter may be needed to allow searches to continue after the zone has been found.

It is conceptually very simple and backwards compatible. If used, this may have performance implications, but what doesn't have that.

- Jørgen Thomsen
Re: why one shouldn't use relative hostnames
Additionally a wildcard record in one of the searched domains would cause a false positive to be returned causing an outage to the service/services. And if you're not in control of the zone or the search order it could be difficult to rectify.

-Stacey

On 11/11/2010 00:30, Kevin Darcy wrote:
> On 11/10/2010 1:19 PM, Maria Iano wrote:
>> We are working with a software vendor whose software only works with
>> relative hostnames - they say it can't cope with a fully-qualified
>> domain name. They want us to make sure the necessary domain is in
>> all clients' search lists.
>>
>> Does anyone have any good references for me to explanations of why
>> this is a very bad thing. I would find quick access to thoughtful
>> well-phrased arguments very useful right now.
>
> I've looked for such a thing from time to time, with no success. Maybe
> I need to compose something like that.
>
> Main reasons for not using shortnames:
>
> a) Security. The problem cited way back in RFC 1535 still exists, in a
> slightly different form, with respect to shortnames, i.e. they're
> ambiguous and can cause names to resolve unexpectedly, thus causing
> connections to be made to unexpected hosts, which might not be
> trusted. E.g. we have multiple DNS names with the first label of
> mailroom, one could potentially connect to the wrong mailroom server,
> depending on the (somewhat arbitrary) ordering of one's searchlist. A
> less-trusted mailroom server could trojan the more-trusted one.
>
> b) Capacity and performance (specifically, query latency). Each
> searchlist element magnifies query volume, and increases query
> latency for all queries which don't happen to resolve with the first
> element in the searchlist. Names which don't resolve at all (typos,
> obsolete references, etc.) exhaust the *entire* searchlist, which has
> maximum latency to the invoking application, and uses maximum
> nameservice-infrastructure, network, logging and/or server resources.
>
> c) Undesired dependencies and co-ordination challenges. Shortname
> resolution depends on the precise configuration of searchlists, but
> in many organizations the DNS infrastructure experts are not in the
> same department as those who control the configuration of searchlists
> (which are often client OS experts rather than in the server or
> networking areas), so there can be co-ordination challenges between
> the departments. When using FQDNs, searchlists are unnecessary and
> therefore the dependencies and co-ordination challenges are minimized.
>
> d) Inconsistency between internal and Internet environments;
> future-proofing. Shortnames are, by and large, not used on the
> Internet, because of the foregoing reasons, writ large because of the
> sheer scale and diversity of the Internet and its DNS namespace. If
> shortnames are used on an internal network, there is an inconsistency
> between the two environments, internal and Internet, which may cause
> confusion and interoperability challenges, should a particular
> function or subsystem be out-hosted and/or attached to an
> Internet-accessible cloud at some point in the future. Under this
> heading, it should be noted that some Internet-oriented technologies
> absolutely require FQDNs as part of their formal specification. To my
> knowledge, no formal specifications (other than WINS/NETBIOS perhaps)
> require shortnames. Therefore, to be most flexible and accommodating
> to changing technologies and environments, it is best to use the
> naming format -- FQDNs -- which is most likely to be compatible and
> interoperable going forward.
>
> - Kevin
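
Added example (not part of the original thread): a small Python model of the search-list behaviour that Kevin's points a) and b) and Stacey's wildcard remark describe. The records, the example.com names and the ndots=1 default are assumptions constructed for illustration; wildcard matching is simplified and no network queries are made.

```python
"""Model of stub-resolver search-list expansion (constructed data, no network)."""

# Constructed records for two internal domains; addresses are documentation ranges.
RECORDS = {
    "mailroom.hq.example.com": "192.0.2.10",      # the trusted mail host
    "mailroom.lab.example.com": "198.51.100.10",  # less-trusted host, same first label
    "appserver.hq.example.com": "192.0.2.20",
    "*.lab.example.com": "198.51.100.99",         # wildcard in a searched domain
}


def candidates(name, search, ndots=1):
    """Return the FQDNs a resolv.conf-style stub resolver tries, in order."""
    if name.endswith("."):            # absolute name: the search list is not used
        return [name.rstrip(".")]
    expanded = [f"{name}.{domain}" for domain in search]
    if name.count(".") >= ndots:      # enough dots: try the name as given first
        return [name] + expanded
    return expanded + [name]


def lookup(fqdn, records):
    """Exact match, else a wildcard at an enclosing domain (simplified matching)."""
    if fqdn in records:
        return records[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in records:
            return records[wildcard]
    return None


def resolve(name, search, records=RECORDS, ndots=1):
    """Return (matched FQDN, address, number of queries sent)."""
    tried = 0
    for fqdn in candidates(name, search, ndots):
        tried += 1
        address = lookup(fqdn, records)
        if address is not None:
            return fqdn, address, tried
    return None, None, tried


if __name__ == "__main__":
    hq, lab = "hq.example.com", "lab.example.com"
    cases = [
        ("mailroom", [hq, lab]),    # a) answer depends on search-list order
        ("mailroom", [lab, hq]),    #    same short name, different host
        ("appserver", [lab, hq]),   # wildcard in lab captures a name meant for hq
        ("mailrom", [hq, "corp.example.com", "example.com"]),  # b) typo: whole list
        ("mailroom.hq.example.com.", [lab, hq]),  # FQDN: one query, one meaning
    ]
    for name, search in cases:
        fqdn, address, queries = resolve(name, search)
        print(f"{name:26} search={search} -> {fqdn} {address} ({queries} queries)")
```

The fully-qualified name with a trailing dot is the only input whose result does not change when the search list is reordered or a wildcard appears in a searched domain.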
RES: BIND View Option
Hi all,

Could anyone give me an example of this configuration using $include ? What would be the content of the include file ?

Thank you very much.

Stéphanas Schaden
stephan...@ctbc.com.br
Uberlândia - MG - Brazil

-----Original Message-----
From: bind-users-bounces+stephanass=ctbc.com...@lists.isc.org [mailto:bind-users-bounces+stephanass=ctbc.com...@lists.isc.org] On behalf of Barry Margolin
Sent: Wednesday, 10 November 2010 23:14
To: comp-protocols-dns-b...@isc.org
Subject: Re: BIND View Option

In article mailman.695.1289418925.555.bind-us...@lists.isc.org, Stéphanas Schaden stephan...@ctbc.com.br wrote:

> Hi all,
>
> we are in a situation here in our company that is: we need to send an
> internal IP address in an answer of a query when the source is a
> specific IP.
>
> So we created a new view and put the source address of this IP and
> configured the internal zone file on this view and this is working
> well.
>
> But, this same source address must resolve all the other entries that
> exist today on this same zone using the external IPs.
>
> We would not like to replicate all the entries of the external zone
> file to the internal zone file because in this model every time that
> we did change an entry on the external zone file we will have to
> configure this same entry in the internal zone file.
>
> Is there a way or option to configure bind to do the following logic:
>
> If the bind didn't find an entry in a view 1 (internal view) it will
> search this entry on the view 2 (external view) ?

This is a perfect use for $INCLUDE. Put all the common entries in one file, and put

    $INCLUDE myzone.common.db

in the internal and external zone files.

Memory is cheap.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: Could DNS help solve this?
On Thursday 11 November 2010 03:59, Sten Carlsen wrote:

> Yes, I do use whois, my problem is which of the many dozens of whois
> servers to ask.
>
> E.g. if you want to know who owns telephone.com (random example), do
> you ask whois.moniker.com, whois.markmonitor.com, whois.enum.com or
> ???.

Why make things so difficult? How about a simple 'whois domain'? That should get you the information you are looking for.

> If you don't know who to ask, it can take maybe 20 attempts before
> you find a whois server that gives some helpful info. In some cases
> looking at the NS records helps.

If the domain is registered properly then the above will get you your answer on the first attempt.

> Somebody put up the whois.uwhois.net, but that rarely gives an answer.

Then logic would tell you not to use this server.

> How do you determine where to ask?

I don't, I allow whois to do that for me. Using your example:

    whois telephone.com
    [Querying whois.verisign-grs.com]
    [Redirected to whois.tucows.com]
    [Querying whois.tucows.com]
    [whois.tucows.com]

Please provide a real world example where you cannot get the whois information.

--
Regards
Robert

Linux
The adventure of a life time.

Linux User #296285
Get Counted http://counter.li.org/
Re: Could DNS help solve this?
Hi Sten,

> Yes, I do use whois, my problem is which of the many dozens of whois
> servers to ask.

Apologies, sometimes I can be a bit short in my answers.

http://www.linux.it/~md/software/

The whois command line utility I pointed you to comes with a lot of Linux distros, and it tries a variety of domain information sources to return the whois information in a domain or IP address. ie, it does what you want.

> E.g. if you want to know who owns telephone.com (random example), do
> you ask whois.moniker.com, whois.markmonitor.com, whois.enum.com or
> ???.

the 'whois' commandline utility tells me Registrar, Admin contact, Tech contact, DNS servers, Domain Status etc.

Cheers
Ian Manners
Rules against links or certain links?
I've noticed a couple of times on this list that if I post links for certain online sites with free tools like whois that they never seem to make it to the list.

Is there some prohibition against posting those links that would cause them to be filtered out? I know at least one of them also has pay services but it does provide free services including whois. Today I specifically didn't post that one but another one that (so far as I know) is all free yet it hasn't appeared here either.

Jeff Lightner | UNIX/Linux Administrator | DS Waters of America, Inc
Re: Rules against links or certain links?
Do you refer to this posting?

On Thu, 11 Nov 2010 07:35:51 -0500, "Lightner, Jeff" jlight...@water.com wrote:
> +2 on this - I use the Linux based whois every time I need to search
> a domain.
>
> Also there are some web sites that you can use for this general kind
> of search such as:
> http://www.iptools.com/

Ciao
Torsten

On Thu, 11 Nov 2010 09:07:19 -0500, "Lightner, Jeff" jlight...@water.com wrote:
> I've noticed a couple of times on this list that if I post links for
> certain online sites with free tools like whois that they never seem
> to make it to the list.
>
> Is there some prohibition against posting those links that would
> cause them to be filtered out? I know at least one of them also has
> pay services but it does provide free services including whois. Today
> I specifically didn't post that one but another one that (so far as I
> know) is all free yet it hasn't appeared here either.
>
> Jeff Lightner | UNIX/Linux Administrator | DS Waters of America, Inc
RE: Rules against links or certain links?
D'oh - I realize now that the reply ONLY went to you and not to the list. Trying to send it to list with this reply.

-----Original Message-----
From: Lightner, Jeff
Sent: Thursday, November 11, 2010 9:21 AM
To: 'Torsten'
Subject: RE: Rules against links or certain links?

Yes. I think you got it because I did a reply to your email so it included your address not just the bind address. So far as I can tell it never appeared in the list.

However, the one where I asked the question about links appeared in the list (i.e. sent email back to me from bind list) almost immediately.

-----Original Message-----
From: Torsten [mailto:t...@the-damian.de]
Sent: Thursday, November 11, 2010 9:13 AM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: Re: Rules against links or certain links?

Do you refer to this posting?

On Thu, 11 Nov 2010 07:35:51 -0500, "Lightner, Jeff" jlight...@water.com wrote:
> +2 on this - I use the Linux based whois every time I need to search
> a domain.
>
> Also there are some web sites that you can use for this general kind
> of search such as:
> http://www.iptools.com/

Ciao
Torsten

On Thu, 11 Nov 2010 09:07:19 -0500, "Lightner, Jeff" jlight...@water.com wrote:
> I've noticed a couple of times on this list that if I post links for
> certain online sites with free tools like whois that they never seem
> to make it to the list.
>
> Is there some prohibition against posting those links that would
> cause them to be filtered out? I know at least one of them also has
> pay services but it does provide free services including whois. Today
> I specifically didn't post that one but another one that (so far as I
> know) is all free yet it hasn't appeared here either.
>
> Jeff Lightner | UNIX/Linux Administrator | DS Waters of America, Inc
Re: BIND View Option
On 11/11/2010 7:55 AM, J. Thomsen wrote:
>> If your main concern is resource consumption, maybe you should focus
>> on developing some clever algorithm by which named could keep track
>> of multiple references to the same data, without actually having to
>> make separate copies of the data. Kind of a specialized compression
>> algorithm. But, all of that could be done behind the scenes without
>> introducing a new layer of configuration complexity.
>
> Well, there is a simple well-known solution without thinking in
> duplicates. That solution is called searching for the data. It is
> even already partly implemented as views are searched for, so that
> concept is known within bind except that currently the search stops
> at the first matching view.

From a nameserver implementation and maintenance perspective, it's even simpler for the data to already be present in the first view that matches. Why complicate things more than that?

Different people have different definitions of what "not found" means, so you're never going to get a solid consensus on when searches should stop, and when they should keep on going to the next view.

If by "not found" you mean anything and/or everything that a stub resolver would pass back to its invoker without an answer, then that includes not only NXDOMAIN, but also NODATA, referrals, CNAME-only responses, etc. Should *all* of those results cause this searching algorithm to continue to the next view?

You're opening up a huge can of worms there. You're going to have to carefully consider each one of the cases to see if it does or does not qualify as a _bona_fide_ "not found".

There might be DNSSEC-validation repercussions too, but I'll let others who are more versed in such things speak to those.

- Kevin
Re: BIND View Option
> From a nameserver implementation and maintenance perspective, it's
> even simpler for the data to already be present in the first view
> that matches. Why complicate things more than that?

Because there is a need for it especially in large installations with a large number of zones.

> Different people have different definitions of what "not found"
> means, so you're never going to get a solid consensus on when
> searches should stop, and when they should keep on going to the next
> view.

At the zone level, which is what we need, there cannot be any doubt. Once a zonefile of the zone is found, the searching stops.

> If by "not found" you mean anything and/or everything that a stub
> resolver would pass back to its invoker without an answer, then that
> includes not only NXDOMAIN, but also NODATA, referrals, CNAME-only
> responses, etc. Should *all* of those results cause this searching
> algorithm to continue to the next view?

At the record level there might be different opinions, but basically my opinion is that a response should be returned as soon as it can be based on data/rules positively found. Absent data would then only be covered by an NXDOMAIN rule when the search is exhausted without anything found.

I do not see any big can of worms here.

- Jørgen Thomsen
Re: BIND View Option
On 11/11/2010 1:22 PM, J. Thomsen wrote:
>> From a nameserver implementation and maintenance perspective, it's
>> even simpler for the data to already be present in the first view
>> that matches. Why complicate things more than that?
>
> Because there is a need for it especially in large installations with
> a large number of zones.
>
>> Different people have different definitions of what "not found"
>> means, so you're never going to get a solid consensus on when
>> searches should stop, and when they should keep on going to the next
>> view.
>
> At the zone level, which is what we need, there cannot be any doubt.

Yes, but the fallacy there is that records and zones are somehow inseparable. You can't know what the closest-enclosing-zone for a given QNAME is, until you search for that particular RRset within the namespace hierarchy. And in the course of that search, one may encounter CNAMEs, DNAMEs, wildcards, referrals, etc. before you can even determine what zone is ultimately involved.

Just because you can't see the can of worms doesn't mean it isn't there.

- Kevin
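
Added example (not part of the original thread, and not something BIND does): a Python model of the "keep searching the next view" proposal debated above, showing that the answer a client receives depends on which outcomes are treated as "not found". The view contents, the example.com names and the fall-through policy sets are assumptions constructed for illustration.

```python
"""Toy model of 'search the next view on not found' (constructed data)."""

# Each view maps (owner name, record type) -> data. Constructed sample zones.
VIEWS = [
    ("internal", {
        ("specialhost.example.com", "A"): "10.0.0.5",
        ("alias.example.com", "CNAME"): "target.example.net",
    }),
    ("external", {
        ("specialhost.example.com", "A"): "192.0.2.5",
        ("specialhost.example.com", "AAAA"): "2001:db8::5",
        ("alias.example.com", "A"): "192.0.2.7",
        ("www.example.com", "A"): "192.0.2.80",
    }),
]


def classify(zone, qname, qtype):
    """Classify what one view alone would say about (qname, qtype)."""
    if (qname, qtype) in zone:
        return "ANSWER", zone[(qname, qtype)]
    if (qname, "CNAME") in zone:
        # The alias exists, but its target is outside this view's data.
        return "CNAME_ONLY", zone[(qname, "CNAME")]
    if any(owner == qname for owner, _ in zone):
        return "NODATA", None      # name exists, but not with this type
    return "NXDOMAIN", None        # name does not exist in this view


def answer(qname, qtype, fall_through, views=VIEWS):
    """Walk the views in order, moving on only for outcomes in fall_through."""
    result = None
    for view_name, zone in views:
        outcome, data = classify(zone, qname, qtype)
        result = (view_name, outcome, data)
        if outcome not in fall_through:
            break
    return result


if __name__ == "__main__":
    policies = [
        set(),                                   # first matching view only
        {"NXDOMAIN"},
        {"NXDOMAIN", "NODATA"},
        {"NXDOMAIN", "NODATA", "CNAME_ONLY"},
    ]
    queries = [
        ("www.example.com", "A"),
        ("specialhost.example.com", "AAAA"),
        ("alias.example.com", "A"),
    ]
    for qname, qtype in queries:
        for policy in policies:
            print(qname, qtype, sorted(policy), "->", answer(qname, qtype, policy))
```

Each query in the demo flips from one view's response to the other's at a different policy, which is the per-case decision Kevin says would have to be made.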
Re: RES: BIND View Option
In article mailman.722.1289487596.555.bind-us...@lists.isc.org, Stacey Jonathan Marshall stacey.marsh...@oracle.com wrote:

> On 11/11/2010 13:57, Stéphanas Schaden wrote:
>> Hi all,
>>
>> Could anyone give me an example of this configuration using
>> $include ? What would be the content of the include file ?
>
> Anything that is allowed in named.conf at the point the included
> statement is used.

He doesn't need include in the named.conf file, he needs $INCLUDE in the zone file.

myzone.internal.db:
-----
$INCLUDE myzone.common.db
specialhost IN A 1.1.1.1
-----

myzone.external.db:
-----
$INCLUDE myzone.common.db
specialhost IN A 2.2.2.2
-----

myzone.common.db:
-----
@ IN SOA ...
  IN NS ...
host1 IN A 10.1.2.3
host2 IN A 10.4.5.6
. . .
-----

Then in your named.conf file you configure an internal view that uses myzone.internal.db, and an external view that uses myzone.external.db.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***