Re: Adding CNAME for the root domain issue
In article , Sam Wilson wrote:
> In article , "Baird, Josh" wrote:
> > Any thoughts on a service like Cloudflare's 'CNAME Flattening' [1]?
> >
> > [1] https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/
>
> Does anyone else find themselves mentally yelling "apex!" whenever they
> read the word "root" in that document?

I've long since stopped getting bothered by sloppy language like this, ever since people started using "IP" as short for "IP address", or using "class A, B, C" to refer to /8, /6, and /24 prefixes, rather than the original address ranges. The context always makes it clear when root == apex.

-- 
Barry Margolin
Arlington, MA

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Adding CNAME for the root domain issue
On Wed, Apr 27, 2016 at 11:39 AM, John R. Levine wrote:
> > At the same time, the browser developers, almost without exception, refuse
> > to implement SRV because they don't like the idea that they might have to
> > do another DNS lookup prior to displaying a web page. And they lobby the
> > W3C pretty hard to not standardize SRV for HTTP.
> >
> > That's a pretty serious impasse .. and one that I think is only going to be
> > overcome by an equally strong lobbying movement from the DNS hosting
> > industry, when we get tired of trying to educate end users on why CNAME at
> > apex won't work (end users who don't–and shouldn't need to–care), and get
> > tired of maintaining messy record synthesis processes.
>
> I don't think that's a fight you're going to win. The ANAME kludge is
> ugly, but it's straightforward and a whole lot of DNS operators (including
> me) do it.
>
> R's,
> john

I realize that ANAME seems like a kludge, but if we could make it a standard, and get the various DNS software (auth, resolvers, and clients) to understand it, it would solve a major limitation in DNS.

-- 
Bob Harold
RE: Adding CNAME for the root domain issue
Baird, Josh wrote:
> Any thoughts on a service like Cloudflare's 'CNAME Flattening' [1]?
>
> [1] https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/

Run a command like this from cron

    aname example.com www.example.com | nsupdate -l

Using the aname script below...

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Biscay: North or northeast 4 or 5. Slight or moderate. Showers. Good.

#!/usr/bin/perl
use warnings;
use strict;

# Query $domain for one RR type with dig and return ($ttl, @rdata).
# Dies if dig gives no reply, a non-NOERROR rcode, or no answer section.
sub dig {
    my $domain = shift;
    my $type = shift;
    my $ttl;
    my @answer;
    my $qd = quotemeta $domain;
    my $qt = quotemeta $type;
    my @dig = qx{dig +norec $qd IN $qt};
    die "dig $domain IN $type: no reply\n" unless @dig;
    # skip to the header line and check the rcode
    while (@dig) {
        if ($dig[0] =~ m{^;; ->>HEADER<<- opcode: QUERY, status: (\w+)}) {
            die "dig $domain IN $type: $1\n" unless $1 eq 'NOERROR';
            last;
        }
        shift @dig;
    }
    die "dig $domain IN $type: no header\n" unless @dig;
    # skip to the answer section
    while (@dig) {
        if ($dig[0] =~ m{^;; ANSWER SECTION:}) {
            last;
        }
        shift @dig;
    }
    die "dig $domain IN $type: no answer\n" unless @dig;
    # collect rdata of the requested type until the authority section
    while (@dig) {
        if ($dig[0] =~ m{^\S+\s+(\d+)\s+IN\s+$qt\s+(\S+)}) {
            $ttl = $1;
            push @answer, $2;
        }
        if ($dig[0] =~ m{^;; AUTHORITY SECTION:}) {
            last;
        }
        shift @dig;
    }
    die "dig $domain IN $type: no authority\n" unless @dig;
    return ($ttl, @answer);
}

# Print nsupdate commands that replace the whole RRset of $type at $domain.
sub nsupdate {
    my $domain = shift;
    my $type = shift;
    my $ttl = shift;
    print "update delete $domain IN $type\n";
    for (@_) {
        print "update add $domain $ttl IN $type $_\n";
    }
}

if (@ARGV != 2) {
    print STDERR "usage: aname <alias> <target>\n";
    exit 1;
}
my ($alias,$target) = @ARGV;
my @A = dig $target, 'A';
my @AAAA = dig $target, 'AAAA';
nsupdate $alias, 'A', @A;
nsupdate $alias, 'AAAA', @AAAA;
print "show\nsend\nanswer\n";
exit;
Re: Compiling BIND9 on CentOS 7
On Wed, Apr 27, 2016 at 11:52 AM, Sean Son wrote:
> Thank you for your responses guys. Here is a n00b question: Because this
> new server will be a slave DNS server, do I have to manually copy the zone
> files from the current slave DNS server (the CentOS 5.11 one), or does the
> new server automatically get the zones from the master DNS server?
>
> Thanks again!

It is automatic, and if it does not work, something is wrong. Copying the files will only make it harder to debug. (Unless you have a lot of files and just want to speed up the process. But not recommended.)

-- 
Bob Harold

> On Wed, Apr 27, 2016 at 11:50 AM, Reindl Harald wrote:
> > On 27.04.2016 at 17:45, Matthew Pounsett wrote:
> > > rndc is the command line interface to a running BIND server. (BIND ==
> > > berkeley internet name domain, rndc == remote name domain controller (or
> > > something to that effect)). The rndc.conf file must agree with the
> > > named.conf file on where BIND's controller interface is (the controls{};
> > > clause in named.conf) and what key to use for authentication, if any.
> > >
> > > For example, named.conf might have something like this:
> > >
> > >   controls {
> > >       inet 192.0.2.1 port 953 allow { 192.0.2.100; } keys { "rndc-key"; };
> > >   };
> > >
> > > While your rndc.conf might have:
> > >
> > >   options {
> > >       default-key "rndc-key";
> > >       default-server 192.0.2.1;
> > >       default-source-address 192.0.2.100;
> > >       default-port 953;
> > >   };
> > >
> > > It sounds to me like the named.service file you mention is probably
> > > generating a default rndc.conf file if one doesn't already exist.
> >
> > No, it doesn't, and you don't need to set up rndc at all just for
> > start/stop/reload of named; systemd knows the PID and so can send a SIGHUP.
> > Works like a charm for many years on nameservers hosting hundreds of zones
> > and running with controls { }; since nobody but the maintaining scripts
> > has any business mangling with named, and after that issue "systemctl reload".
> >
> >   ExecStart=/usr/sbin/named -4 -f -u named
> >
> >   ExecReload=/usr/bin/kill -HUP $MAINPID
> >   ExecStop=/usr/bin/kill -TERM $MAINPID
Re: Adding CNAME for the root domain issue
In article , "Baird, Josh" wrote:
> Any thoughts on a service like Cloudflare's 'CNAME Flattening' [1]?
>
> [1] https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/

Does anyone else find themselves mentally yelling "apex!" whenever they read the word "root" in that document?

Sam

-- 
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: Compiling BIND9 on CentOS 7
Thank you for your responses guys. Here is a n00b question: Because this new server will be a slave DNS server, do I have to manually copy the zone files from the current slave DNS server (the CentOS 5.11 one), or does the new server automatically get the zones from the master DNS server?

Thanks again!

On Wed, Apr 27, 2016 at 11:50 AM, Reindl Harald wrote:
> On 27.04.2016 at 17:45, Matthew Pounsett wrote:
> > rndc is the command line interface to a running BIND server. (BIND ==
> > berkeley internet name domain, rndc == remote name domain controller (or
> > something to that effect)). The rndc.conf file must agree with the
> > named.conf file on where BIND's controller interface is (the controls{};
> > clause in named.conf) and what key to use for authentication, if any.
> >
> > For example, named.conf might have something like this:
> >
> >   controls {
> >       inet 192.0.2.1 port 953 allow { 192.0.2.100; } keys { "rndc-key"; };
> >   };
> >
> > While your rndc.conf might have:
> >
> >   options {
> >       default-key "rndc-key";
> >       default-server 192.0.2.1;
> >       default-source-address 192.0.2.100;
> >       default-port 953;
> >   };
> >
> > It sounds to me like the named.service file you mention is probably
> > generating a default rndc.conf file if one doesn't already exist.
>
> No, it doesn't, and you don't need to set up rndc at all just for
> start/stop/reload of named; systemd knows the PID and so can send a SIGHUP.
> Works like a charm for many years on nameservers hosting hundreds of zones
> and running with controls { }; since nobody but the maintaining scripts
> has any business mangling with named, and after that issue "systemctl reload".
>
>   ExecStart=/usr/sbin/named -4 -f -u named
>
>   ExecReload=/usr/bin/kill -HUP $MAINPID
>   ExecStop=/usr/bin/kill -TERM $MAINPID
Re: Adding CNAME for the root domain issue
> > You would only be able to do this if you could put the CNAME record
> > in the parent domain, instead of delegating domain.com to your own
> > server. But do any domain registrars support that option?
>
> And would the registry (here, Verisign) accept it? As far as I know,
> no.

This smells a lot like the bundled variant problem, in which you register one name but get a bunch of lexically related names along with it, and in some cases the related names are active. For example, if you register exàmple.cat, you also get example.cat without the accent. Their implementation is terrible, a DNAME at the 2LD.

There's been a lot of discussion about how you might make this work better, such as BNAME which is supposed to combine CNAME and DNAME. There's better places to discuss this, of course, since I think we can assume that should such features be standardized, BIND will implement them.

R's,
John
Re: Compiling BIND9 on CentOS 7
On 27 April 2016 at 08:34, Sean Son wrote:
> Thank you for your response. Basically what I am trying to do is migrate
> the BIND server from a CentOS 5.11 machine to a CentOS 7.2 machine. The
> BIND on CentOS 5.11 was compiled manually from source and its named.conf file
> looks very different from what CentOS/Red Hat provides in the RPM package
> named.conf file. Any tips on how I should go about migrating successfully
> from the 5.11 machine to the 7.2 machine?

Your best approach is to have a careful look at the named.conf you're migrating from and understand what options are required by your DNS needs, and which are just related to how the CentOS 5 machine is organized. You can then merge the former set (your requirements) into the default config of the CentOS 7 machine.

> As for the named.service unit file that Reindl provided, will I need to
> call upon any RNDC services? I saw that the named.service file that
> comes with the RPM/YUM package contains a call to some RNDC service which
> calls up some generate-rndc-key.sh script. I am not too sure of what the
> names of the files are.

rndc is the command line interface to a running BIND server. (BIND == berkeley internet name domain, rndc == remote name domain controller (or something to that effect)). The rndc.conf file must agree with the named.conf file on where BIND's controller interface is (the controls{}; clause in named.conf) and what key to use for authentication, if any.

For example, named.conf might have something like this:

  controls {
      inet 192.0.2.1 port 953 allow { 192.0.2.100; } keys { "rndc-key"; };
  };

While your rndc.conf might have:

  options {
      default-key "rndc-key";
      default-server 192.0.2.1;
      default-source-address 192.0.2.100;
      default-port 953;
  };

It sounds to me like the named.service file you mention is probably generating a default rndc.conf file if one doesn't already exist.
Re: Adding CNAME for the root domain issue
> At the same time, the browser developers, almost without exception, refuse
> to implement SRV because they don't like the idea that they might have to
> do another DNS lookup prior to displaying a web page. And they lobby the
> W3C pretty hard to not standardize SRV for HTTP.
>
> That's a pretty serious impasse .. and one that I think is only going to be
> overcome by an equally strong lobbying movement from the DNS hosting
> industry, when we get tired of trying to educate end users on why CNAME at
> apex won't work (end users who don't–and shouldn't need to–care), and get
> tired of maintaining messy record synthesis processes.

I don't think that's a fight you're going to win. The ANAME kludge is ugly, but it's straightforward and a whole lot of DNS operators (including me) do it.

R's,
john
Re: Compiling BIND9 on CentOS 7
Thank you for your response. Basically what I am trying to do is migrate the BIND server from a CentOS 5.11 machine to a CentOS 7.2 machine. The BIND on CentOS 5.11 was compiled manually from source and its named.conf file looks very different from what CentOS/Red Hat provides in the RPM package named.conf file. Any tips on how I should go about migrating successfully from the 5.11 machine to the 7.2 machine?

As for the named.service unit file that Reindl provided, will I need to call upon any RNDC services? I saw that the named.service file that comes with the RPM/YUM package contains a call to some RNDC service which calls up some generate-rndc-key.sh script. I am not too sure of what the names of the files are.

Thanks for all of your help!

On Mon, Apr 25, 2016 at 3:52 PM, Carl Byington wrote:
> On Mon, 2016-04-25 at 13:54 -0400, Sean Son wrote:
> > Reindl
> >
> > Thank you for your response. Let me see if what you provided will work
> > with what I am trying to do.
>
> If you are compiling any source code for rpm based distributions like
> RedHat, you really want to look at the rpm packaging. RedHat has an rpm
> spec file for their older bind on RHEL7/Centos7. I modified that for the
> latest bind.
>
> http://www.five-ten-sg.com/mapper/bind
>
> That builds the latest version of Bind from ISC, in a manner compatible
> with stock bind installs from the Centos7 distribution. The files are
> installed into the same locations.
Re: Adding CNAME for the root domain issue
> But this is getting way off topic for BIND-users, and should probably be
> moved to dns-operati...@dns-oarc.net if we want to continue.

Much obliged!

John
Re: Adding CNAME for the root domain issue
In article , "Baird, Josh" wrote:
> Any thoughts on a service like Cloudflare's 'CNAME Flattening' [1]?
>
> [1] https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/

Akamai has had a similar feature in their EDNS service for years. One problem that features like this have is that they don't play nice with CDN's, because the query for the target name comes from the auth server for the domain rather than the original resolver. When I was at Akamai, we only allowed this to be used to point to a server that immediately sent an HTTP redirect to the subdomain, which could then be managed using the normal load balancing algorithms.

That was 5 years ago, they may have since integrated the two services, so that when resolving the CNAME it hooks into the CDN algorithms.

-- 
Barry Margolin
Arlington, MA
Re: Adding CNAME for the root domain issue
On 27 April 2016 at 07:40, Stephane Bortzmeyer wrote:
> On Wed, Apr 27, 2016 at 07:32:48AM -0700,
> Matthew Pounsett wrote
> a message of 49 lines which said:
>
> > One of these days I'd like to lead a serious lobbying effort against
> > the browser developers at the W3C to have SRV records for HTTP
> > standardized.
>
> I fully agree and, if you're brave enough to propose it to the DNSOP
> working group at IETF, I volunteer for reviewing/etc.
>
> There is a starting point:
>
> https://datatracker.ietf.org/doc/draft-andrews-http-srv/

Unfortunately, the problem is not one that can be easily fixed at the IETF. I'll go have a look at Mark's draft, but here's the core problem as I see it:

RFC 2782 (SRV) says:

   Applicability Statement

   In general, it is expected that SRV records will be used by clients
   for applications where the relevant protocol specification indicates
   that clients should use the SRV record. Such specification MUST
   define the symbolic name to be used in the Service field of the SRV
   record as described below. It also MUST include security
   considerations. Service SRV records SHOULD NOT be used in the absence
   of such specification.

This means that SRV records will not (can not) be used for the web until the HTTP spec says they can. This requires W3C action.

At the same time, the browser developers, almost without exception, refuse to implement SRV because they don't like the idea that they might have to do another DNS lookup prior to displaying a web page. And they lobby the W3C pretty hard to not standardize SRV for HTTP.

That's a pretty serious impasse .. and one that I think is only going to be overcome by an equally strong lobbying movement from the DNS hosting industry, when we get tired of trying to educate end users on why CNAME at apex won't work (end users who don't–and shouldn't need to–care), and get tired of maintaining messy record synthesis processes.

But this is getting way off topic for BIND-users, and should probably be moved to dns-operati...@dns-oarc.net if we want to continue.
Re: Adding CNAME for the root domain issue
On 27 April 2016 at 07:42, Baird, Josh wrote:
> Any thoughts on a service like Cloudflare's 'CNAME Flattening' [1]?
>
> [1] https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/

It's possible. We do a similar thing at eNom... we allow end-users to insert CNAME records at the apex of the zone in the UI, but then we replace those with synthesized records.

It's far from ideal, however. It means you've either got to act partly like a recursive server and do back-end lookups every time a CNAME query comes in, or you have to periodically re-query every authoritative CNAME at the apex of your zones in order to refresh the synthesized replacement records before the queries come in. The former introduces latency, and the latter risks serving out-of-date records and is a huge workload when you're our size.. or worse.. Cloudflare's size.
Re: Adding CNAME for the root domain issue
> > Assuming you mean this (notice the dots):
> >
> >   Domain.com. CNAME x.y.com.
> >   www CNAME x.y.com.
>
> No, this does not work. You're forgetting what goes around the example
> records:
>
>   domain.com. IN SOA ...
>   domain.com IN CNAME x.y.com.
>   domain.com IN NS ...
>   www.domain.com. IN CNAME x.y.com.

Oh, right, duh. Sorry about that.

R's,
John
RE: Adding CNAME for the root domain issue
Any thoughts on a service like Cloudflare's 'CNAME Flattening' [1]?

[1] https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Stephane Bortzmeyer
Sent: Wednesday, April 27, 2016 10:36 AM
To: Daniel Dawalibi
Cc: comp-protocols-dns-b...@isc.org; 'Barry Margolin'
Subject: Re: Adding CNAME for the root domain issue

On Wed, Apr 27, 2016 at 05:26:53PM +0300,
Daniel Dawalibi wrote
a message of 50 lines which said:

> DNS registrar that can offer this option by using apex/naked/root
> domain redirection

Sorry, but I cannot parse this sentence. Also, as I said, this is not about the root, it is about your ourweddingaccount.com and its parent (.com).
Re: Adding CNAME for the root domain issue
On Wed, Apr 27, 2016 at 07:32:48AM -0700,
Matthew Pounsett wrote
a message of 49 lines which said:

> One of these days I'd like to lead a serious lobbying effort against
> the browser developers at the W3C to have SRV records for HTTP
> standardized.

I fully agree and, if you're brave enough to propose it to the DNSOP working group at IETF, I volunteer for reviewing/etc.

There is a starting point:

https://datatracker.ietf.org/doc/draft-andrews-http-srv/
Re: Adding CNAME for the root domain issue
On Wed, Apr 27, 2016 at 10:23:19AM -0400,
Barry Margolin wrote
a message of 28 lines which said:

> You would only be able to do this if you could put the CNAME record
> in the parent domain, instead of delegating domain.com to your own
> server. But do any domain registrars support that option?

And would the registry (here, Verisign) accept it? As far as I know, no.
Re: Adding CNAME for the root domain issue
On Wed, Apr 27, 2016 at 05:26:53PM +0300,
Daniel Dawalibi wrote
a message of 50 lines which said:

> DNS registrar that can offer this option by using apex/naked/root
> domain redirection

Sorry, but I cannot parse this sentence. Also, as I said, this is not about the root, it is about your ourweddingaccount.com and its parent (.com).
Re: Adding CNAME for the root domain issue
On 27 April 2016 at 07:26, Stephane Bortzmeyer wrote:
> On Wed, Apr 27, 2016 at 05:05:50PM +0300,
> Daniel Dawalibi wrote
> a message of 52 lines which said:
>
> > our setup requires a CNAME record.
>
> Bad setup. (And has always been bad.)

This isn't really his fault. The OP's goal should be achievable (using the apex domain name to reach a host that is not an A/AAAA record at the apex), it just can't be done with CNAME.

One of these days I'd like to lead a serious lobbying effort against the browser developers at the W3C to have SRV records for HTTP standardized. That would completely fix this problem. The end user gets to do what they want to do, and the DNS standards aren't violated.
Re: Adding CNAME for the root domain issue
If your domain is ourweddingaccount.com, and you're looking to have the apex record

    ourweddingaccount.com. CNAME some.other.domain.

but still host other records in the ourweddingaccount.com zone, you can't. That's not how CNAME records work. A CNAME record is an alias for a particular _label_ within a zone. It's meant to do things like

    myserver.ourweddingaccount.com. CNAME some.other.domain.

What you're saying here is that the name "myserver" will always point to "some.other.domain" __regardless_of_record_type__. If you're trying to do this for the __apex_record__ of your zone (just your domain name, no hostname), you're saying that you don't need SOA or NS records for your zone--it's a contradiction in terms. You _must_ use an A or AAAA record. Period.

If you're running a web site on a host whose IP address changes frequently, may I suggest that you let someone else manage your DNS for you? Plenty of DNS companies do this:

https://support.cloudflare.com/hc/en-us/articles/200169056-CNAME-Flattening-RFC-compliant-support-for-CNAME-at-the-root
http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/setting-up-route53-zoneapex-elb.html
https://devcenter.heroku.com/articles/apex-domains
https://blog.dnsimple.com/2014/01/why-alias-record/

Otherwise, I suggest that you read

http://serverfault.com/questions/613829/why-cant-a-cname-record-be-used-at-the-apex-aka-root-of-a-domain

If you want to manage your own DNS, you need to understand how DNS works and what its limitations are.

John

On Wed, Apr 27, 2016 at 10:05 AM, Daniel Dawalibi wrote:
> Hello John
>
> The below is not working on our BIND version BIND 9.10.0-P2 unless it is
> working on another version
>
>   Domain.com. CNAME x.y.com.
>   www CNAME x.y.com.
>
> Errors returned when adding these records:
>
>   general: dns_master_load: ourweddingaccount.com.db.inter:13:
>   ourweddingaccount.com: CNAME and other data
>
> If we proceed with the below work around by replacing the CNAME with an A
> record, it will resolve but our setup requires a CNAME record.
>
>   Domain.com. A IPaddress
>   www CNAME x.y.com.
Re: Adding CNAME for the root domain issue
On Wed, Apr 27, 2016 at 05:05:50PM +0300,
Daniel Dawalibi wrote
a message of 52 lines which said:

> our setup requires a CNAME record.

Bad setup. (And has always been bad.)
Re: Adding CNAME for the root domain issue
On Wed, Apr 27, 2016 at 01:56:27PM -,
John Levine wrote
a message of 23 lines which said:

> Assuming you mean this (notice the dots):
>
>   Domain.com. CNAME x.y.com.
>   www CNAME x.y.com.
>
> it should work.

I disagree. I have the same experience as Daniel Dawalibi, it does not work (BIND 9.10.3-P4):

   27-Apr-2016 16:22:43.351 dns_master_load: foobar.example:15: foobar.example: CNAME and other data

And if I delete the "other data" (the NS and the SOA records), it also fails:

   27-Apr-2016 16:24:16.410 zone foobar.example/IN: has 0 SOA records
   27-Apr-2016 16:24:16.410 zone foobar.example/IN: has no NS records
   27-Apr-2016 16:24:16.410 zone foobar.example/IN: not loaded due to errors.

> Some people believe that you can't have other records at names below
> a name with a CNAME, but they are mistaken.

But that's not the problem, the problem is that you can alias a domain name with CNAME but not a zone name.
RE: Adding CNAME for the root domain issue
Hello Barry

DNS registrar that can offer this option by using apex/naked/root domain redirection

Regards
Daniel

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry Margolin
Sent: 27 April, 2016 5:23 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: Adding CNAME for the root domain issue

In article , "John Levine" wrote:
> Assuming you mean this (notice the dots):
>
>   Domain.com. CNAME x.y.com.
>   www CNAME x.y.com.
>
> it should work. Some people believe that you can't have other records
> at names below a name with a CNAME, but they are mistaken.

The problem isn't with names *below* the CNAME, it's with other records with the same name as the CNAME. In particular, the SOA record for domain.com.

You would only be able to do this if you could put the CNAME record in the parent domain, instead of delegating domain.com to your own server. But do any domain registrars support that option?

-- 
Barry Margolin
Arlington, MA
Re: Adding CNAME for the root domain issue
In article , "John Levine" wrote:
> Assuming you mean this (notice the dots):
>
>   Domain.com. CNAME x.y.com.
>   www CNAME x.y.com.
>
> it should work. Some people believe that you can't have other records
> at names below a name with a CNAME, but they are mistaken.

The problem isn't with names *below* the CNAME, it's with other records with the same name as the CNAME. In particular, the SOA record for domain.com.

You would only be able to do this if you could put the CNAME record in the parent domain, instead of delegating domain.com to your own server. But do any domain registrars support that option?

-- 
Barry Margolin
Arlington, MA
Re: Adding CNAME for the root domain issue
On 27 April 2016 at 06:56, John Levine wrote:
> Assuming you mean this (notice the dots):
>
>   Domain.com. CNAME x.y.com.
>   www CNAME x.y.com.

No, this does not work. You're forgetting what goes around the example records:

  domain.com. IN SOA ...
  domain.com IN CNAME x.y.com.
  domain.com IN NS ...
  www.domain.com. IN CNAME x.y.com.

This is not only against the standards, but is nonsensical when you consider the semantic meaning of CNAME: "for all data related to domain.com, please see x.y.com". That doesn't make sense when there are also other records present at that owner name.
RE: Adding CNAME for the root domain issue
Hello John

The below is not working on our BIND version BIND 9.10.0-P2, unless it is working on other versions:

Domain.com. CNAME x.y.com.
www CNAME x.y.com.

Errors returned when adding these records:

general: dns_master_load: ourweddingaccount.com.db.inter:13: ourweddingaccount.com: CNAME and other data

If we proceed with the below workaround by replacing the CNAME with an A record, it will resolve, but our setup requires a CNAME record.

Domain.com. A IPaddress
www CNAME x.y.com.

Regards
Daniel

-----Original Message-----
From: John Levine [mailto:jo...@iecc.com]
Sent: 27 April, 2016 4:56 PM
To: bind-users@lists.isc.org
Cc: daniel.dawal...@idm.net.lb
Subject: Re: Adding CNAME for the root domain issue

Assuming you mean this (notice the dots):

Domain.com. CNAME x.y.com.
www CNAME x.y.com.

it should work. Some people believe that you can't have other records at names below a name with a CNAME, but they are mistaken.

On the other hand, this will not work.

domain.com. CNAME x.y.com.
domain.com. MX 10 server.somewhere

To make this work, you need Stephane's hack of copying the A and records.

R's,
John
Re: Adding CNAME for the root domain issue
Assuming you mean this (notice the dots):

Domain.com. CNAME x.y.com.
www CNAME x.y.com.

it should work. Some people believe that you can't have other records at names below a name with a CNAME, but they are mistaken.

On the other hand, this will not work.

domain.com. CNAME x.y.com.
domain.com. MX 10 server.somewhere

To make this work, you need Stephane's hack of copying the A and records.

R's,
John
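The "CNAME and other data" load error Daniel reports, and the SOA/NS/CNAME clash at the apex spelled out in the other replies, can be caught before named ever loads the zone. The following is an added example for this thread; it is not BIND code and not code posted by anyone in the discussion. It parses a small zone-file subset (one record per line, $ORIGIN, "@", relative and absolute owner names, a blank owner meaning "same as the previous record", optional TTL and class) and reports every owner name that carries a CNAME together with any other type. It goes a little beyond the records in the thread: RRSIG and NSEC are exempted because a signed zone legitimately keeps them beside a CNAME (RFC 4035 section 2.5), and a CNAME at the apex is always reported because the SOA and NS records are mandatory there even when the snippet being checked omits them. The sample zone is constructed.

```python
"""Lint a zone for "CNAME and other data" (RFC 1034 section 3.6.2).

Added example; not BIND code and not code from any poster in the thread.
"""
from collections import defaultdict

DNSSEC_EXEMPT = {"RRSIG", "NSEC"}      # allowed beside a CNAME (RFC 4035 2.5)
CLASSES = {"IN", "CH", "HS"}


def qualify(name, origin):
    """Turn a zone-file owner name into a lowercase absolute name."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Yield (owner, rrtype, rdata) for each record in the zone-file subset."""
    origin = origin.lower().rstrip(".") + "."
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower().rstrip(".") + "."
            continue
        tokens = line.split()
        if line[0].isspace():
            owner = last_owner                        # blank owner: reuse previous one
        else:
            owner = qualify(tokens.pop(0), origin)
            last_owner = owner
        if tokens and tokens[0].isdigit():            # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in CLASSES:   # optional class
            tokens.pop(0)
        rrtype = tokens.pop(0).upper()
        yield owner, rrtype, " ".join(tokens)


def cname_conflicts(text, origin):
    """Map each owner holding a CNAME plus other data to the clashing types.

    `origin` is the zone apex; SOA and NS are implied there, so an apex
    CNAME is reported even if the snippet leaves those records out.
    """
    origin = origin.lower().rstrip(".") + "."
    types_by_owner = defaultdict(set)
    for owner, rrtype, _ in parse_zone(text, origin):
        types_by_owner[owner].add(rrtype)
    conflicts = {}
    for owner, types in types_by_owner.items():
        if "CNAME" not in types:
            continue
        others = set(types) - {"CNAME"} - DNSSEC_EXEMPT
        if owner == origin:
            others |= {"SOA", "NS"}                   # mandatory at the apex
        if others:
            conflicts[owner] = sorted(others)
    return conflicts


# Constructed sample zone reproducing the records discussed in the thread.
SAMPLE_ZONE = """\
$ORIGIN domain.com.
@      3600 IN SOA   ns1.domain.com. hostmaster.domain.com. 2016042701 7200 900 1209600 300
       3600 IN NS    ns1.domain.com.
@           IN CNAME x.y.com.        ; the apex CNAME the thread is about
            IN MX    10 mail.domain.com.
www         IN CNAME x.y.com.        ; fine: nothing else lives at www
ns1         IN A     192.0.2.53
"""

if __name__ == "__main__":
    for owner, types in cname_conflicts(SAMPLE_ZONE, "domain.com").items():
        print(f"{owner}: CNAME and other data ({', '.join(types)})")
```

Run against the sample, it flags domain.com. (MX, NS, SOA) and says nothing about www.domain.com., which is the distinction the thread keeps circling back to: the rule is about other data at the same owner name, not about names below the CNAME.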
Re: 'successful' nsupdate of remote server not persistent across nameserver restart?
On Wed, Apr 27, 2016, at 06:30 AM, Matthew Pounsett wrote:
>> Actually it is normal for privsep processes to chroot themselves, usually
>> to /var/empty - e.g.
>
> Right, so "no chroot necessary" (which is what I was responding to) isn't
> accurate.

Oh. That's not what I got out of your comment.

From this end-user's perspective, there's a pretty big difference from a user perspective of (1) "it" uses privsep, and takes care of the chroot for you -- i.e., you don't mess with it, and it's all in a documented, predictable package and (2) you have to monkey with all of it yourself.

It's either easy & insecure, or secure but 'good luck with it'.

Jason
Re: 'successful' nsupdate of remote server not persistent across nameserver restart?
On 27 April 2016 at 03:07, Tony Finch wrote:
> Matthew Pounsett wrote:
>>
>> Privsep doesn't actually fix the same problem chroot does. As I
>> understand it, privsep reduces the attack surface for remote execution
>> exploits by shuffling off privileged operations to a separate process, but
>> if that process isn't chrooted and it has a remote code execution flaw then
>> your entire system is opened up to attack.
>
> Actually it is normal for privsep processes to chroot themselves, usually
> to /var/empty - e.g.

Right, so "no chroot necessary" (which is what I was responding to) isn't accurate.
Re: Adding CNAME for the root domain issue
On Wed, Apr 27, 2016 at 02:55:18PM +0300, Daniel Dawalibi wrote a message of 99 lines which said:

> We are facing a resolving problem on BIND DNS when adding a CNAME RR
> for root domain and other records.

I don't think that you manage the root domain, so you probably mean that you want to add a CNAME to *your* domain?

> Domain.com CNAME x.y.com

Short answer: don't do it. Bad idea. And unnecessary, since all Internet protocols (with one big exception) allow you to separate the domain from the server hosting the domain.

Long answer: the unfortunate exception is HTTP :-( A possible solution is to add address records (A and ) to domain.com. (don't forget the dot at the end). True, it requires that you keep track of the changes in x.y.com., but this is the only clean solution.
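The workaround Stephane recommends here, and that John above calls "Stephane's hack", is to copy the target's address records to the apex and keep them in sync; the thread elsewhere calls the same thing ANAME or CNAME flattening and describes the synthesis as messy. The block below is an added example, not code from the thread, from BIND or from any DNS provider. It writes the synthesis as pure functions so the two things that go wrong in practice, copies that drift from the target and copies whose TTL outlives the target's answer, can be checked offline, and it renders the correction as an nsupdate(8) batch. The resolver answer and the current apex contents are constructed sample data; the zone name and the assumption that the zone accepts dynamic updates are mine.

```python
"""ANAME-style apex address synthesis with drift detection.

Added example; not code from the thread, from BIND or from any DNS vendor.
"""
from dataclasses import dataclass

ADDRESS_TYPES = ("A", "AAAA")


@dataclass(frozen=True)
class RR:
    owner: str
    rrtype: str
    ttl: int
    rdata: str


def desired_apex_rrset(apex, target_rrs, max_ttl=300):
    """Build the A/AAAA records the apex should publish to mirror the target.

    Only address records are copied, and the TTL is capped at the target's
    TTL so a copy never outlives the answer it was derived from.
    """
    rrs = [RR(apex, rr.rrtype, min(rr.ttl, max_ttl), rr.rdata)
           for rr in target_rrs if rr.rrtype in ADDRESS_TYPES]
    return sorted(rrs, key=lambda rr: (rr.rrtype, rr.rdata))


def drift(desired, current):
    """Compare by (type, rdata) and return (to_add, to_remove).

    Non-address records at the apex (SOA, NS, MX, ...) are left untouched.
    """
    have = {(rr.rrtype, rr.rdata): rr for rr in current if rr.rrtype in ADDRESS_TYPES}
    want = {(rr.rrtype, rr.rdata): rr for rr in desired}
    to_add = [want[k] for k in sorted(want.keys() - have.keys())]
    to_remove = [have[k] for k in sorted(have.keys() - want.keys())]
    return to_add, to_remove


def nsupdate_script(zone, to_add, to_remove):
    """Render the change as an nsupdate batch (zone assumed to accept dynamic updates)."""
    lines = [f"zone {zone}"]
    for rr in to_remove:
        lines.append(f"update delete {rr.owner} {rr.rrtype} {rr.rdata}")
    for rr in to_add:
        lines.append(f"update add {rr.owner} {rr.ttl} IN {rr.rrtype} {rr.rdata}")
    lines.append("send")
    return lines


# Constructed: what a resolver answered for x.y.com. just now.
TARGET_ANSWER = [
    RR("x.y.com.", "A", 60, "198.51.100.10"),
    RR("x.y.com.", "A", 60, "198.51.100.11"),
    RR("x.y.com.", "AAAA", 60, "2001:db8::10"),
    RR("x.y.com.", "TXT", 3600, '"not an address record"'),
]

# Constructed: what domain.com. currently publishes (one copy is stale).
CURRENT_APEX = [
    RR("domain.com.", "SOA", 3600, "ns1.domain.com. hostmaster.domain.com. 1 7200 900 1209600 300"),
    RR("domain.com.", "A", 300, "198.51.100.10"),
    RR("domain.com.", "A", 300, "198.51.100.99"),
]


def sync_plan(apex="domain.com.", target_rrs=TARGET_ANSWER, current=CURRENT_APEX):
    """Return the nsupdate batch that brings the apex back in line with the target."""
    to_add, to_remove = drift(desired_apex_rrset(apex, target_rrs), current)
    return nsupdate_script(apex.rstrip("."), to_add, to_remove)


if __name__ == "__main__":
    print("\n".join(sync_plan()))
```

On the sample data the plan deletes the stale 198.51.100.99 copy and adds the missing A and AAAA records with a 60-second TTL, the target's own. The TTL cap matters for the tracking problem Stephane mentions: with a long apex TTL, resolvers keep handing out the old address long after x.y.com. has moved, so the synthesized records should never be cached longer than the answer they mirror.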
Adding CNAME for the root domain issue
Hello

We are facing a resolving problem on BIND DNS when adding a CNAME RR for root domain and other records. Do you have any workaround, since it is not feasible as per the following article http://www.faqs.org/rfcs/rfc1034.html RFC1034 section 3.6.2?

Example:

Domain.com CNAME x.y.com
www CNAME x.y.com

Regards
Daniel
Re: 'successful' nsupdate of remote server not persistent across nameserver restart?
Matthew Pounsett wrote:
>
> Privsep doesn't actually fix the same problem chroot does. As I
> understand it, privsep reduces the attack surface for remote execution
> exploits by shuffling off privileged operations to a separate process, but
> if that process isn't chrooted and it has a remote code execution flaw then
> your entire system is opened up to attack.

Actually it is normal for privsep processes to chroot themselves, usually to /var/empty - e.g.

https://github.com/openssh/openssh-portable/blob/master/sshd.c#l642
https://github.com/openntpd-portable/openntpd-openbsd/blob/master/src/usr.sbin/ntpd/ntp.c#l130

Tony.
--
f.anthony.n.finch  http://dotat.at/ - I xn--zr8h punycode
Biscay: North 4 or 5. Slight or moderate. Showers. Good.