Re: Adding CNAME for the root domain issue

2016-04-27 Thread Barry Margolin 
In article ,
 Sam Wilson  wrote:

> In article ,
>  "Baird, Josh"  wrote:
> 
> > Any thoughts on a service like Cloudfare's 'CNAME Flattening' [1]?
> > 
> > [1] 
> > https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cname
> > s-at-a-domains-root/
> 
> 
> Does anyone else find themselves mentally yelling "apex!" whenever they 
> read the word "root" in that document?
> 

I've long since stopped getting bothered by sloppy language like this, 
ever since people started using "IP" as short for "IP address", or using 
"class A, B, C" to refer to /8, /6, and /24 prefixes, rather than the 
original address ranges.

The context always makes it clear when root == apex.

-- 
Barry Margolin
Arlington, MA
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Bob Harold 
On Wed, Apr 27, 2016 at 11:39 AM, John R. Levine  wrote:

> At the same time, the browser developers, almost without exception, refuse
>> to implement SRV because they don't like the idea that they might have to
>> do another DNS lookup prior to displaying a web page.  And they lobby the
>> W3C pretty hard to not standardize SRV for HTTP.
>>
>> That's a pretty serious impasse .. and one that I think is only going to
>> be
>> overcome by an equally strong lobbying movement from the DNS hosting
>> industry, when we get tired of trying to educate end users on why CNAME at
>> apex won't work (end users who don't–and shouldn't need to–care), and get
>> tired of maintaining messy record synthesis processes.
>>
>
> I don't think that's a fight you're going to win.  The ANAME kludge is
> ugly, but it's straightforward and a whole lot of DNS operators (including
> me) do it.
>
> R's,
> john
>
>
I realize that ANAME seems like a kludge, but if we could make it a
standard, and get the various DNS software (auth, resolvers, and clients)
to understand it, it would solve a major limitation in DNS.

-- 
Bob Harold
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Adding CNAME for the root domain issue

2016-04-27 Thread Tony Finch 
Baird, Josh  wrote:

> Any thoughts on a service like Cloudfare's 'CNAME Flattening' [1]?
>
> [1] 
> https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/

Run a command like this from cron

aname example.com www.example.com | nsupdate -l

Using the aname script below...

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Biscay: North or northeast 4 or 5. Slight or moderate. Showers. Good.


#!/usr/bin/perl

use warnings;
use strict;

sub dig {
my $domain = shift;
my $type = shift;
my $ttl;
my @answer;
my $qd = quotemeta $domain;
my $qt = quotemeta $type;
my @dig = qx{dig +norec $qd IN $qt};
die "dig $domain IN $type: no reply\n"
unless @dig;
while (@dig) {
if ($dig[0] =~
m{^;; ->>HEADER<<- opcode: QUERY, status: (\w+)}) {
die "dig $domain IN $type: $1\n"
unless $1 eq 'NOERROR';
last;
}
shift @dig;
}
die "dig $domain IN $type: no header\n"
unless @dig;
while (@dig) {
if ($dig[0] =~ m{^;; ANSWER SECTION:}) {
last;
}
shift @dig;
}
die "dig $domain IN $type: no answer\n"
unless @dig;
while (@dig) {
if ($dig[0] =~ m{^\S+\s+(\d+)\s+IN\s+$qt\s+(\S+)}) {
$ttl = $1;
push @answer, $2;
}
if ($dig[0] =~ m{^;; AUTHORITY SECTION:}) {
last;
}
shift @dig;
}
die "dig $domain IN $type: no authority\n"
unless @dig;
return ($ttl, @answer);
}

sub nsupdate {
my $domain = shift;
my $type = shift;
my $ttl = shift;
print "update delete $domain IN $type\n";
for (@_) {
print "update add $domain $ttl IN $type $_\n";
}
}

if (@ARGV != 2) {
print STDERR "usage: aname  \n"
}

my ($alias,$target) = @ARGV;

my @A = dig $target, 'A';
my @ = dig $target, '';

nsupdate $alias, 'A', @A;
nsupdate $alias, '', @;
print "show\nsend\nanswer\n";

exit;

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Compiling BIND9 on CentOS 7

2016-04-27 Thread Bob Harold 
On Wed, Apr 27, 2016 at 11:52 AM, Sean Son  wrote:

> Thank you for your responses guys.  Here is a n00b question: Because this
> new server will be a slave DNS server, do I have to manually copy the zone
> files from the current slave DNS server (The CentOS 5.11) one, or does the
> new server automatically get the zones from the master DNS server?
>
>
> Thanks again!
>
>
It is automatic, and if it does not work, something is wrong.  Copying the
files will only make it harder to debug.  (Unless you have a lot of files
and just want to speed up the process.  But not recommended.)

-- 
Bob Harold



> On Wed, Apr 27, 2016 at 11:50 AM, Reindl Harald 
> wrote:
>
>>
>>
>> Am 27.04.2016 um 17:45 schrieb Matthew Pounsett:
>>
>>> rndc is the command line interface to a running BIND server.  (BIND ==
>>> berkeley internet name domain, rndc == remote name domain controller (or
>>> something to that effect)).  The rndc.conf file must agree with the
>>> named.conf file on where BIND's controller interface is (the controls{};
>>> clause in named.conf) and what key to use for authentication, if any.
>>>
>>> For example, named.conf might have something like this:
>>> controls {
>>> inet 192.0.2.1 port 953 allow { 192.0.2.100; } keys {"rndc-key"; };
>>> };
>>> While your rndc.conf might have:
>>> options {
>>> default-key "rndc-key";
>>> default-server 192.0.2.1;
>>> default-source-address 192.0.2.100;
>>> default-port 953;
>>> };
>>>
>>> It sounds to me like the named.service file you mention is probably
>>> generating a default rndc.conf file if one doesn't already exist
>>>
>>
>> no it don't and you don't need to setup rndc at all just for
>> start/stop/reload named, systemd knows the PID and so can send a SIGHUP,
>> works like a charme for many year on nameservers hosting hundrets of zones
>> and running with controls { }; since nobody but the maintaining scripts
>> have a business mangle with named and after that issue "systemctl reload"
>>
>> ExecStart=/usr/sbin/named -4 -f -u named
>>
>> ExecReload=/usr/bin/kill -HUP $MAINPID
>> ExecStop=/usr/bin/kill -TERM $MAINPID
>>
>>
>>
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Sam Wilson 
In article ,
 "Baird, Josh"  wrote:

> Any thoughts on a service like Cloudfare's 'CNAME Flattening' [1]?
> 
> [1] 
> https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/


Does anyone else find themselves mentally yelling "apex!" whenever they 
read the word "root" in that document?


Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Compiling BIND9 on CentOS 7

2016-04-27 Thread Sean Son 
Thank you for your responses guys.  Here is a n00b question: Because this
new server will be a slave DNS server, do I have to manually copy the zone
files from the current slave DNS server (The CentOS 5.11) one, or does the
new server automatically get the zones from the master DNS server?


Thanks again!

On Wed, Apr 27, 2016 at 11:50 AM, Reindl Harald 
wrote:

>
>
> Am 27.04.2016 um 17:45 schrieb Matthew Pounsett:
>
>> rndc is the command line interface to a running BIND server.  (BIND ==
>> berkeley internet name domain, rndc == remote name domain controller (or
>> something to that effect)).  The rndc.conf file must agree with the
>> named.conf file on where BIND's controller interface is (the controls{};
>> clause in named.conf) and what key to use for authentication, if any.
>>
>> For example, named.conf might have something like this:
>> controls {
>> inet 192.0.2.1 port 953 allow { 192.0.2.100; } keys {"rndc-key"; };
>> };
>> While your rndc.conf might have:
>> options {
>> default-key "rndc-key";
>> default-server 192.0.2.1;
>> default-source-address 192.0.2.100;
>> default-port 953;
>> };
>>
>> It sounds to me like the named.service file you mention is probably
>> generating a default rndc.conf file if one doesn't already exist
>>
>
> no it don't and you don't need to setup rndc at all just for
> start/stop/reload named, systemd knows the PID and so can send a SIGHUP,
> works like a charme for many year on nameservers hosting hundrets of zones
> and running with controls { }; since nobody but the maintaining scripts
> have a business mangle with named and after that issue "systemctl reload"
>
> ExecStart=/usr/sbin/named -4 -f -u named
>
> ExecReload=/usr/bin/kill -HUP $MAINPID
> ExecStop=/usr/bin/kill -TERM $MAINPID
>
>
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread John Levine 
>> You would only be able to do this if you could put the CNAME record
>> in the parent domain, instead of delegating domain.com to your own
>> server.  But do any domain registrars support that option?
>
>And would the registry (here, Verisign) accept it? As far as I know,
>no.

This smells a lot like the bundled variant problem, in which you
register one name but get a bunch of lexically related names along
with it, and in some cases the related names are active.  For example,
if you register ex�mple.cat, you also get example.cat without the
accent.  Their implementation is terrible, a DNAME at the 2LD.

There's been a lot of discussion about how you might make this work
better, such as BNAME which is supposed to combine CNAME and DNAME.
There's better places to discuss this, of course, since I think we
can assume that should such features be standardized, BIND will
implement them.

R's,
John


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Compiling BIND9 on CentOS 7

2016-04-27 Thread Matthew Pounsett 
On 27 April 2016 at 08:34, Sean Son 
wrote:

> Thank you for your response. Basically what I am trying to do is migrate
> the BIND server from a Centos 5.11 machine to a CentOS 7.2 machine.  The
> BIND on CentOS 5.11 was compiled manually by source and its named.conf file
> looks very different than what CentOS/Red Hat provides in the RPM package
> named.conf file. Any tips on how I should go about migrating successfully
> from the 5.11 machine to the 7.2 machine?
>

Your best approach is to have a careful look at the named.conf you're
migrating from and understand what options are required by your DNS needs,
and which are just related to how the Centos 5 machine is organized.  You
can then merge the former set (your requirements) into the default config
of the Centos 7 machine.


>
>
> As for the named.service unit file that Reindl provided, will I need to
> call upon any RNDC services? I saw that in the named.service file that
> comes with the RPM/YUM package contains a call to some RNDC service which
> calls up some generate-rndc-key.sh script.. I am not too sure of what the
> names of the files are.
>

rndc is the command line interface to a running BIND server.  (BIND ==
berkeley internet name domain, rndc == remote name domain controller (or
something to that effect)).  The rndc.conf file must agree with the
named.conf file on where BIND's controller interface is (the controls{};
clause in named.conf) and what key to use for authentication, if any.

For example, named.conf might have something like this:
controls {
inet 192.0.2.1 port 953 allow { 192.0.2.100; } keys {"rndc-key"; };
};
While your rndc.conf might have:
options {
default-key "rndc-key";
default-server 192.0.2.1;
default-source-address 192.0.2.100;
default-port 953;
};


It sounds to me like the named.service file you mention is probably
generating a default rndc.conf file if one doesn't already exist.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread John R. Levine 

At the same time, the browser developers, almost without exception, refuse
to implement SRV because they don't like the idea that they might have to
do another DNS lookup prior to displaying a web page.  And they lobby the
W3C pretty hard to not standardize SRV for HTTP.

That's a pretty serious impasse .. and one that I think is only going to be
overcome by an equally strong lobbying movement from the DNS hosting
industry, when we get tired of trying to educate end users on why CNAME at
apex won't work (end users who don't–and shouldn't need to–care), and get
tired of maintaining messy record synthesis processes.


I don't think that's a fight you're going to win.  The ANAME kludge is 
ugly, but it's straightforward and a whole lot of DNS operators (including 
me) do it.


R's,
john___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Compiling BIND9 on CentOS 7

2016-04-27 Thread Sean Son 
Thank you for your response. Basically what I am trying to do is migrate
the BIND server from a Centos 5.11 machine to a CentOS 7.2 machine.  The
BIND on CentOS 5.11 was compiled manually by source and its named.conf file
looks very different than what CentOS/Red Hat provides in the RPM package
named.conf file. Any tips on how I should go about migrating successfully
from the 5.11 machine to the 7.2 machine?


As for the named.service unit file that Reindl provided, will I need to
call upon any RNDC services? I saw that in the named.service file that
comes with the RPM/YUM package contains a call to some RNDC service which
calls up some generate-rndc-key.sh script.. I am not too sure of what the
names of the files are.


Thanks for all of your help!

On Mon, Apr 25, 2016 at 3:52 PM, Carl Byington  wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> On Mon, 2016-04-25 at 13:54 -0400, Sean Son wrote:
> > Reindl
>
> > Thank you for your response.  Let me see if what you provided will
> > work
> > with what I am trying to do.
>
> If you are compiling any source code for rpm based distributions like
> RedHat, you really want to look at the rpm packaging. RedHat has an rpm
> spec file for their older bind on RHEL7/Centos7. I modified that for the
> latest bind.
>
> http://www.five-ten-sg.com/mapper/bind
>
> That builds the latest version of Bind from ISC, in a manner compatible
> with stock bind installs from the Centos7 distribution. The files are
> installed into the same locations.
>
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2.0.14 (GNU/Linux)
>
> iEYEAREKAAYFAlcedWkACgkQL6j7milTFsEoRgCfY41g6L65iylYWrZvDA5cYRf1
> TmcAmwbSQ1VhpmWSyj7mRGQViIFKpaaC
> =M7y/
> -END PGP SIGNATURE-
>
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread John Miller 
> But this is getting way off topic for BIND-users, and should probably be
> moved to dns-operati...@dns-oarc.net if we want to continue.

Much obliged!

John
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Barry Margolin 
In article ,
 "Baird, Josh"  wrote:

> Any thoughts on a service like Cloudfare's 'CNAME Flattening' [1]?
> 
> [1] 
> https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-
> at-a-domains-root/

Akamai has had a similar feature in their EDNS service for years.

One problem that features like this have is that they don't play nice 
with CDN's, because the query for the target name comes from the auth 
server for the domain rather than the original resolver. When I was at 
Akamai, we only allowed this to be used to point to a server that 
immediately sent an HTTP redirect to the subdomain, which could then be 
managed using the normal load balancing algorithms.

That was 5 years ago, they may have since integrated the two services, 
so that when resolving the CNAME it hooks into the CDN algorithms.

-- 
Barry Margolin
Arlington, MA
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Matthew Pounsett 
On 27 April 2016 at 07:40, Stephane Bortzmeyer  wrote:

> On Wed, Apr 27, 2016 at 07:32:48AM -0700,
>  Matthew Pounsett  wrote
>  a message of 49 lines which said:
>
> > One of these days I'd like to lead a serious lobbying effort against
> > the browser developers at the W3C to have SRV records for HTTP
> > standardized.
>
> I fully agree and, if you're brave enough to propose it to the DNSOP
> working group at IETF, I volunteer for reviewing/etc.
>
> There is a starting point:
>
> https://datatracker.ietf.org/doc/draft-andrews-http-srv/


Unfortunately, the problem is not one that can be easily fixed at the IETF.
   I'll go have a look at Mark's draft, but here's the core problem as I
see it:

RFC 2782 (SRV) says:

Applicability Statement

   In general, it is expected that SRV records will be used by clients
   for applications where the relevant protocol specification indicates
   that clients should use the SRV record. Such specification MUST
   define the symbolic name to be used in the Service field of the SRV
   record as described below. It also MUST include security
   considerations. Service SRV records SHOULD NOT be used in the absence
   of such specification.


This means that SRV records will not (can not) be used for the web until
the HTTP spec says they can.  This requires W3C action.

At the same time, the browser developers, almost without exception, refuse
to implement SRV because they don't like the idea that they might have to
do another DNS lookup prior to displaying a web page.  And they lobby the
W3C pretty hard to not standardize SRV for HTTP.

That's a pretty serious impasse .. and one that I think is only going to be
overcome by an equally strong lobbying movement from the DNS hosting
industry, when we get tired of trying to educate end users on why CNAME at
apex won't work (end users who don't–and shouldn't need to–care), and get
tired of maintaining messy record synthesis processes.

But this is getting way off topic for BIND-users, and should probably be
moved to dns-operati...@dns-oarc.net if we want to continue.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Matthew Pounsett 
On 27 April 2016 at 07:42, Baird, Josh  wrote:

> Any thoughts on a service like Cloudfare's 'CNAME Flattening' [1]?
>
> [1]
> https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/


It's possible.  We do a similar thing at eNom... we allow end-users to
insert CNAME records at the apex of the zone in the UI, but then we replace
those with synthesized records.  It's far from ideal, however.  It means
you've either got to act partly like a recursive server and do back-end
lookups every time a CNAME query comes in, or you have to periodically
re-query every authoritative CNAME at the apex of your zones in order to
refresh the synthesized replacement records before the queries come in.
The former introduces latency, and the latter risks serving out-of-date
records and is a huge workload when you're our size.. or worse..
Cloudflare's size.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread John R. Levine 

Assuming you mean this (notice the dots):

 Domain.com.  CNAME  x.y.com.
 www CNAME x.y.com.



No, this does not work.  You're forgetting what goes around the example
records:

domain.com. IN SOA ...
domain.com IN CNAME x.y.com.
domain.com IN NS ...
www.domain.com. IN CNAME x.y.com.


Oh, right, duh.  Sorry about that.

R's,
John

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Adding CNAME for the root domain issue

2016-04-27 Thread Baird, Josh 
Any thoughts on a service like Cloudfare's 'CNAME Flattening' [1]?

[1] 
https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/


-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Stephane Bortzmeyer
Sent: Wednesday, April 27, 2016 10:36 AM
To: Daniel Dawalibi 
Cc: comp-protocols-dns-b...@isc.org; 'Barry Margolin' 
Subject: Re: Adding CNAME for the root domain issue

On Wed, Apr 27, 2016 at 05:26:53PM +0300,  Daniel Dawalibi 
 wrote  a message of 50 lines which said:

> DNS registrar that can offer this option by using apex/naked/root 
> domain redirection

Sorry, but I cannot parse this sentence.

Also, as I said, this is not about the root, it is about your 
ourweddingaccount.com and its parent (.com).
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer 
On Wed, Apr 27, 2016 at 07:32:48AM -0700,
 Matthew Pounsett  wrote 
 a message of 49 lines which said:

> One of these days I'd like to lead a serious lobbying effort against
> the browser developers at the W3C to have SRV records for HTTP
> standardized.

I fully agree and, if you're brave enough to propose it to the DNSOP
working group at IETF, I volunteer for reviewing/etc.

There is a starting point:

https://datatracker.ietf.org/doc/draft-andrews-http-srv/
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer 
On Wed, Apr 27, 2016 at 10:23:19AM -0400,
 Barry Margolin  wrote 
 a message of 28 lines which said:

> You would only be able to do this if you could put the CNAME record
> in the parent domain, instead of delegating domain.com to your own
> server.  But do any domain registrars support that option?

And would the registry (here, Verisign) accept it? As far as I know,
no.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer 
On Wed, Apr 27, 2016 at 05:26:53PM +0300,
 Daniel Dawalibi  wrote 
 a message of 50 lines which said:

> DNS registrar that can offer this option by using apex/naked/root
> domain redirection

Sorry, but I cannot parse this sentence.

Also, as I said, this is not about the root, it is about your
ourweddingaccount.com and its parent (.com).
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Matthew Pounsett 
On 27 April 2016 at 07:26, Stephane Bortzmeyer  wrote:

> On Wed, Apr 27, 2016 at 05:05:50PM +0300,
>  Daniel Dawalibi  wrote
>  a message of 52 lines which said:
>
> > our setup requires a CNAME record.
>
> Bad setup. (And has always been bad.)
>
>
This isn't really his fault.  The OP's goal should be achievable (using the
apex domain name to reach a host that is not an A/ record at the apex),
it just can't be done with CNAME.   One of these days I'd like to lead a
serious lobbying effort against the browser developers at the W3C to have
SRV records for HTTP standardized.   That would completely fix this
problem.   The end user gets to do what they want to do, and the DNS
standards aren't violated.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread John Miller 
If your domain is ourweddingaccount.com, and you're looking to have
the apex record

ourweddingaccount.com.CNAME some.other.domain.

but still host other records in the ourweddingaccount.com zone, you
can't.  That's not how CNAME records work.  A CNAME record is an alias
for a particular _label_ within a zone.  It's meant to do things like

myserver.ourweddingaccount.com.   CNAME   some.other.domain.

What you're saying here is that the name "myserver" will always point
to "some.other.domain" __regardless_of_record_type__.  If you're
trying to do this for the __apex_record__ of your zone (just your
domain name, no hostname), you're saying that you don't need SOA or NS
records for your zone--it's a contradiction in terms.  You _must_ use
an A or  record.  Period.

If you're running a web site on a host whose IP address changes
frequently, may I suggest that you let someone else manage your DNS
for you?  Plenty of DNS companies do this:

https://support.cloudflare.com/hc/en-us/articles/200169056-CNAME-Flattening-RFC-compliant-support-for-CNAME-at-the-root
http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/setting-up-route53-zoneapex-elb.html
https://devcenter.heroku.com/articles/apex-domains
https://blog.dnsimple.com/2014/01/why-alias-record/

Otherwise, I suggest that you read

http://serverfault.com/questions/613829/why-cant-a-cname-record-be-used-at-the-apex-aka-root-of-a-domain

If you want to manage your own DNS, you need to understand how DNS
works and what its limitations are.

John

On Wed, Apr 27, 2016 at 10:05 AM, Daniel Dawalibi
 wrote:
> Hello John
>
> The below is not working on our BIND version BIND 9.10.0-P2 unless it is 
> working on other version
>
> Domain.com.  CNAME  x.y.com.
> www CNAME x.y.com.
>
> Errors returned when adding these records:
>
> general: dns_master_load: ourweddingaccount.com.db.inter:13: 
> ourweddingaccount.com: CNAME and other data
>
>
> If we proceed with the below work around by replacing the CNAME with A 
> record, It will resolve but our setup requires a CNAME record.
>
> Domain.com.  A  IPaddress
> www CNAME x.y.com.
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer 
On Wed, Apr 27, 2016 at 05:05:50PM +0300,
 Daniel Dawalibi  wrote 
 a message of 52 lines which said:

> our setup requires a CNAME record.

Bad setup. (And has always been bad.)
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer 
On Wed, Apr 27, 2016 at 01:56:27PM -,
 John Levine  wrote 
 a message of 23 lines which said:

> Assuming you mean this (notice the dots):
> 
>  Domain.com.  CNAME  x.y.com.
>  www CNAME x.y.com.
> 
> it should work.

I disagree. I have the same experience as Daniel Dawalibi, it does not
work (BIND 9.10.3-P4):

27-Apr-2016 16:22:43.351 dns_master_load: foobar.example:15: foobar.example: 
CNAME and other data

And if I delete the "other data" (the NS and the SOA records), it also
fails:

27-Apr-2016 16:24:16.410 zone foobar.example/IN: has 0 SOA records
27-Apr-2016 16:24:16.410 zone foobar.example/IN: has no NS records
27-Apr-2016 16:24:16.410 zone foobar.example/IN: not loaded due to errors.

> Some people believe that you can't have other records at names below
> a name with a CNAME, but they are mistaken.

But that's not the problem, the problem is that you can alias a domain
name with CNAME but not a zone name.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Adding CNAME for the root domain issue

2016-04-27 Thread Daniel Dawalibi 
Hello Barry 

DNS registrar that can offer this option by using  apex/naked/root domain
redirection

Regards
Daniel

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry Margolin
Sent: 27 April, 2016 5:23 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: Adding CNAME for the root domain issue

In article ,
 "John Levine"  wrote:

> Assuming you mean this (notice the dots):
> 
>  Domain.com.  CNAME  x.y.com.
>  www CNAME x.y.com.
> 
> it should work.  Some people believe that you can't have other records 
> at names below a name with a CNAME, but they are mistaken.

The problem isn't with names *below* the CNAME, it's with other records with
the same name as the CNAME. In particular, the SOA record for domain.com.

You would only be able to do this if you could put the CNAME record in the
parent domain, instead of delegating domain.com to your own server. 
But do any domain registrars support that option?

--
Barry Margolin
Arlington, MA
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Adding CNAME for the root domain issue

2016-04-27 Thread Daniel Dawalibi 
Hello John

The below is not working on our BIND version BIND 9.10.0-P2 unless it is 
working on other version

Domain.com.  CNAME  x.y.com.
www CNAME x.y.com.

Errors returned when adding these records:

general: dns_master_load: ourweddingaccount.com.db.inter:13: 
ourweddingaccount.com: CNAME and other data


If we proceed with the below work around by replacing the CNAME with A record, 
It will resolve but our setup requires a CNAME record.

Domain.com.  A  IPaddress
www CNAME x.y.com.




Regards
Daniel
-Original Message-
From: John Levine [mailto:jo...@iecc.com] 
Sent: 27 April, 2016 4:56 PM
To: bind-users@lists.isc.org
Cc: daniel.dawal...@idm.net.lb
Subject: Re: Adding CNAME for the root domain issue

Assuming you mean this (notice the dots):

 Domain.com.  CNAME  x.y.com.
 www CNAME x.y.com.

it should work.  Some people believe that you can't have other records at names 
below a name with a CNAME, but they are mistaken.

On the other hand, this will not work.

  domain.com. CNAME x.y.com.
  domain.com. MX 10 server.somewhere

To make this work, you need Stephane's hack of copying the A and  records.

R's,
John

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread John Levine 
Assuming you mean this (notice the dots):

 Domain.com.  CNAME  x.y.com.
 www CNAME x.y.com.

it should work.  Some people believe that you can't have other records
at names below a name with a CNAME, but they are mistaken.

On the other hand, this will not work.

  domain.com. CNAME x.y.com.
  domain.com. MX 10 server.somewhere

To make this work, you need Stephane's hack of copying the A and  records.

R's,
John
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-27 Thread jasonsu 


On Wed, Apr 27, 2016, at 06:30 AM, Matthew Pounsett wrote:
> > Actually it is normal for privsep processes to chroot themselves, usually
> > to /var/empty - e.g.
> 
> Right, so "no chroot necessary" (which is what I was responding to) isn't
> accurate.

Oh.  That's not what I got out of your comment.

>From this end-user's perspective, there's a pretty big difference from a user 
>perspective of 

(1) "it" uses privsep, and takes care of the chroot for you -- i.e., you don't 
mess with it, and it's all in a documented, predictable package

and 

(2) you have to monkey with all of it yourself.  It's either easy & insecure, 
or secure but 'good luck with it'.

Jason
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-27 Thread Matthew Pounsett 
On 27 April 2016 at 03:07, Tony Finch  wrote:

> Matthew Pounsett  wrote:
> >
> > Privsep doesn't actually fix the same problem chroot does.   As I
> > understand it, privsep reduces the attack surface for remote execution
> > exploits by shuffling off privileged operations to a separate process,
> but
> > if that process isn't chrooted and it has a remote code execution flaw
> then
> > your entire system is opened up to attack.
>
> Actually it is normal for privsep processes to chroot themselves, usually
> to /var/empty - e.g.
>

Right, so "no chroot necessary" (which is what I was responding to) isn't
accurate.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Adding CNAME for the root domain issue

2016-04-27 Thread Stephane Bortzmeyer 
On Wed, Apr 27, 2016 at 02:55:18PM +0300,
 Daniel Dawalibi  wrote 
 a message of 99 lines which said:

> We are facing a resolving problem on BIND DNS when adding a CNAME RR
> for root domain and other records.

I don't think that you manage the root domain so you probably mean
that you want to add a CNAME to *your* domain?

> Domain.com  CNAME  x.y.com

Short answer: don't do it. Bad idea. And unecessary since all Internet
protocols (with one big exception) allow you to separate the domain
from the server gosting the domain.

Long answer: the unfortunate exception is HTTP :-( A possible solution
is to add address records (A and ) to domain.com. (don't forget the
dot at the end). True, it requires that you keep track of the changes
in x.y.com., but this is the only clean solution.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Adding CNAME for the root domain issue

2016-04-27 Thread Daniel Dawalibi 
Hello

 

We are facing a resolving problem on BIND DNS when adding a CNAME RR for
root domain and other records.

Do you have any work around since it is not feasible as per the following
article http://www.faqs.org/rfcs/rfc1034.html RFC1034 section 3.6.2?

 

Example:

 

Domain.com  CNAME  x.y.com

www CNAME x.y.com

 

Regards

Daniel

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: 'succesful' nsupdate of remote server not persistent across nameserver restart?

2016-04-27 Thread Tony Finch 
Matthew Pounsett  wrote:
>
> Privsep doesn't actually fix the same problem chroot does.   As I
> understand it, privsep reduces the attack surface for remote execution
> exploits by shuffling off privileged operations to a separate process, but
> if that process isn't chrooted and it has a remote code execution flaw then
> your entire system is opened up to attack.

Actually it is normal for privsep processes to chroot themselves, usually
to /var/empty - e.g.

https://github.com/openssh/openssh-portable/blob/master/sshd.c#l642
https://github.com/openntpd-portable/openntpd-openbsd/blob/master/src/usr.sbin/ntpd/ntp.c#l130

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Biscay: North 4 or 5. Slight or moderate. Showers. Good.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: named DNS resolution latency

2016-04-27 Thread Stephane Bortzmeyer 
On Wed, Apr 27, 2016 at 02:33:26AM -0400,
 digen  wrote 
 a message of 169 lines which said:

> Any inputs on debugging this problem will be much appreciated.

The usual stuff:

1) Is the machine hosting the resolver overloaded? top, for instance

2) is the link to the Internet overloaded? Check your Cacti (or other
software) graphs.

3) Routing problem? traceroute to the name servers. (Don't try ping,
microsoft.com's servers appear to refuse it)

4) An easy way to test DNS performance issues is with a dedicated DNS
test program like check-soa
:

% check-soa -i microsoft.com 
ns1.msft.net.
2620:0:30::53: OK: 2016042614 (22 ms)
208.84.0.53: OK: 2016042614 (40 ms)
ns2.msft.net.
208.84.2.53: OK: 2016042614 (24 ms)
2620:0:32::53: OK: 2016042614 (25 ms)
ns3.msft.net.
2620:0:34::53: OK: 2016042614 (22 ms)
193.221.113.53: OK: 2016042614 (40 ms)
ns4.msft.net.
2620:0:37::53: OK: 2016042614 (25 ms)
208.76.45.53: OK: 2016042614 (40 ms)

% check-soa -i sony.com 
pdns1.cscdns.net.
2620:74:19::33: OK: 2011041474 (19 ms)
209.112.114.33: OK: 2011041474 (34 ms)
pdns2.cscdns.net.
69.36.145.33: OK: 2011041474 (23 ms)
2001:502:cbe4::33: OK: 2011041474 (27 ms)
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: named DNS resolution latency

2016-04-27 Thread Mark Andrews 

In message

named DNS resolution latency

2016-04-27 Thread digen 
Hi,

Below is a sample output for reference where you can see that the amount of 
time taken by named in resolving DNS records,

http://pastebin.com/TaNfqPwL

http://pastebin.com/3gEtutmx

named.conf - http://pastebin.com/UBPwFKBa

This is occurring recently and the Linux box is 3 years old.
Version - bind-9.8.2-0.37.rc1.el6_7.7.i686
CentOS release 6.3 (Final)

Any inputs on debugging this problem will be much appreciated.___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users