Re: Cloud DNS providers for secondary DNS

2015-12-30 Thread John Levine
>My more specific question is this: If I'm a site on the internet looking for a 
>server in my domain for the first time, I query the TLD
>servers for a list of name servers for my domain and pick one to query. 
>Suppose I pick one that has the correct zone information and can
>answer the query, but that specific NS is not listed in the zone record. I 
>believe that's called a LAME nameserver, correct?

Not sure I understand your question.  If you're looking for, say,
www.blah.example, you (actually your DNS cache that does the recursive
lookups) ask the example TLD servers for www.blah.example, and it
answers with some NS records that say that the blah.example domain is
handled by some set of servers.  Then the cache looks up the address
of one of the servers if it doesn't have it already, and asks it for
www.blah.example.  If the server doesn't know the answer, i.e., it
doesn't handle the blah.example zone, that's a lame delegation.  At
that point most caches will try other servers to try and find a
non-lame one so it's not fatal, but it's not a great idea either.

Extra complication ensues when the server's name is within the zone,
e.g., the server for blah.example is ns.blah.example.  In that case,
the A or AAAA record(s) for ns.blah.example are copied into the upper
level zone (the TLD in this case) as "glue" that are returned in the
additional section of the answer, so caches can use it to handle the
request.

R's,
John
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: Cloud DNS providers for secondary DNS

2015-12-30 Thread Diggins Mike
Thanks for the help. My question is hypothetical at this point and likely 
pointless since I intend to implement it the "right" way, but I'd still like to 
understand this better. I'm not looking to circumvent the rules.

My more specific question is this: If I'm a site on the internet looking for a 
server in my domain for the first time, I query the TLD servers for a list of 
name servers for my domain and pick one to query. Suppose I pick one that has 
the correct zone information and can answer the query, but that specific NS is 
not listed in the zone record. I believe that's called a LAME nameserver, 
correct? What happens? Does it answer the query regardless? Does specifying the 
NS record in the zone simply confirm to the remote site that this is a valid 
nameserver for this zone?

-Mike



RE: Cloud DNS providers for secondary DNS

2015-12-30 Thread Jay Ford

On Wed, 30 Dec 2015, Diggins Mike wrote:
> Thanks for the help. My question is hypothetical at this point and likely
> pointless since I intend to implement it the "right" way, but I'd still
> like to understand this better. I'm not looking to circumvent the rules.

Good plan.

> My more specific question is this: If I'm a site on the internet looking
> for a server in my domain for the first time, I query the TLD servers for a
> list of name servers for my domain and pick one to query. Suppose I pick
> one that has the correct zone information and can answer the query, but
> that specific NS is not listed in the zone record. I believe that's called
> a LAME nameserver, correct? What happens? Does it answer the query
> regardless? Does specifying the NS record in the zone simply confirm to the
> remote site that this is a valid nameserver for this zone?


A lame delegation is when you have an NS record to a server which doesn't 
know about the domain in question.


You're glossing over some details which matter, & which often contribute to
broken DNS configurations.

The servers for the parent domain (edu, com, org...) will provide whatever
information you specify via your registrar (NS records & A/AAAA records for
glue if pertinent).  However, that information isn't authoritative, because
those servers aren't authoritative for your domain.  The information is
offered as hints to find authoritative information.  If you specify NS
records for your servers & cloud servers, queriers will use both sets as
hints.

A querier with no knowledge of your domain will use those hints to find 
authoritative information.  In your case, that querier will talk to your 
servers and/or the cloud servers.  If the cloud servers respond with NS 
records for only your servers, the querier will subsequently talk to only 
your servers & not the cloud servers, because that's what the authoritative 
information says to do.  This probably isn't what you want to happen, so you 
probably want to include NS records for the cloud servers, so that queriers 
will use the cloud servers for subsequent queries.


The flip side of this is what your on-campus (or on-whatever) queriers do.
If you have devices on your campus/whatever which use NS records (as opposed
to just being pointed at a recursive resolver), they will (in general) use
all of the NS records.  As a result some amount of such queries will go to the
cloud servers when it might be better to have them go to your (presumably
local) servers.  As long as all the servers have the same information, the
answers will be consistent, but performance might suffer.  This might or
might not be a problem.

If you do split-view games, things get even more interesting.


Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-
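A small checker, added here and not code from the thread or from BIND, that applies John Levine's point about lame delegation and Jay Ford's point about parent hints versus the child's authoritative NS set to a constructed delegation. The zone fragment, the parent NS set and the set of servers that load the zone are assumed sample data; one NS target deliberately lacks a trailing dot to show what the check catches.

```python
# Added example (not from the thread or BIND): checks a delegation against
# the points made above. The parent (TLD) NS set the registrar uploads is
# only a hint, the child zone's apex NS RRset is authoritative, and an NS
# record pointing at a server that does not load the zone is lame.
ORIGIN = "mydomain.com."   # hypothetical apex, as in the thread's example

# Constructed zone fragment. The third NS target lacks a trailing dot,
# a common zone-file slip: BIND then treats it as relative to $ORIGIN.
ZONE_FRAGMENT = [
    ";Name Servers",
    "@   IN  NS  ns1.mydomain.com.",
    "    IN  NS  ns2.mydomain.com.",
    "    IN  NS  ns1.d-zone.ca",
    "    IN  NS  ns2.d-zone.ca.",
]
# Constructed: the NS names the registrar put in the TLD zone (hints), and
# the servers that actually load the zone (normally both found via dig).
PARENT_NS = {"ns1.mydomain.com.", "ns2.mydomain.com.",
             "ns1.d-zone.ca.", "ns2.d-zone.ca."}
SERVING = set(PARENT_NS)


def qualify(name, origin=ORIGIN):
    """Zone-file semantics: a name without a trailing dot is relative."""
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_ns_lines(lines):
    """Collect the apex NS targets from a BIND zone fragment."""
    targets = set()
    for line in lines:
        fields = line.split(";", 1)[0].split()       # strip comments
        if fields and fields[0] == "@":
            fields = fields[1:]                       # explicit apex owner
        if len(fields) >= 3 and fields[0] == "IN" and fields[1] == "NS":
            targets.add(qualify(fields[2]))
    return targets


def check_delegation(parent_ns, child_ns, serving):
    """Return sorted (finding, server) pairs; empty means consistent."""
    findings = []
    for ns in sorted(parent_ns | child_ns):
        if ns not in serving:
            findings.append(("lame", ns))          # NS -> non-serving host
        elif ns in parent_ns and ns not in child_ns:
            findings.append(("parent-only", ns))   # dropped after 1st lookup
        elif ns in child_ns and ns not in parent_ns:
            findings.append(("child-only", ns))    # not reachable via hints
    return findings


def run_example():
    """Run the check on the constructed data."""
    return check_delegation(PARENT_NS, parse_ns_lines(ZONE_FRAGMENT), SERVING)
```

On the constructed data the check reports ns1.d-zone.ca. as parent-only (queriers stop using it once they hold the child's authoritative NS set) and ns1.d-zone.ca.mydomain.com. as lame, which is the relative name the missing dot produced.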


Re: Cloud DNS providers for secondary DNS

2015-12-30 Thread Chris Buxton
> On Dec 29, 2015, at 5:36 PM, Michelangelo De Simone wrote:
> 
> also, in order to avoid
> unnecessary polling, you may think of enabling the "notify" options from
> your master toward your slaves.

No, that's not what that does.

The notify mechanism is enabled by default, although it probably needs some 
tweaking using also-notify in an anycast scenario.

The notify mechanism allows the master server to notify slave servers (or other 
hosts) when a zone changes. This speeds up the synchronization process between 
master and slaves, but does not preclude the regular scheduled SOA queries.

If for some reason you were concerned about zone refresh traffic (typically 1 
query per zone every several hours), you can tune it in a few ways, including 
adjusting your refresh timer upward to, say, a day or even two. This is safer 
to do when you know that the notify mechanism is working properly. Is that 
perhaps what you meant?

Regards,
Chris


RE: Cloud DNS providers for secondary DNS

2015-12-30 Thread Lightner, Jeff
The OP mentioned notifying Registrars.   He'll also need to notify whoever his 
ISP is if he has arpa zones for reverse lookups and they are delegating to his 
name servers.




Re: Cloud DNS providers for secondary DNS

2015-12-29 Thread Luis Daniel Lucio Quiroz
You could use dyndns for that, but it is not free.

With a little knowledge, you can save that and put your own slaves. As
cheap as 6 USD per year.

RE: Cloud DNS providers for secondary DNS

2015-12-29 Thread John W. Blue
Hello Mike!

So you are tracking correctly what needs to be done: update your registrar and 
your master zone files.  Not knowing the UI to the cloud, and at the risk of 
stating the obvious, the only other agenda item that you would need to address 
is making sure that the cloud knows it is a slave.

If your secondary servers were normal BIND, you would need to tag your zones in 
the named.conf file as slaves.

Hope that is helpful.

John 

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Diggins Mike
Sent: Tuesday, December 29, 2015 6:40 PM
To: bind-users@lists.isc.org
Subject: Cloud DNS providers for secondary DNS

Hello,

I'm looking into providing secondary name service for my organization using a 
cloud DNS provider (D-Zone). We would transfer our zones to them using a 
standard zone transfer and they would publish them to their AnyCast DNS 
servers. I was going to simply add their DNS servers to my Domain Registrars 
list of authoritative name servers. Is it enough to do that or do I also need 
to add these (2) name server addresses to each of my zone files as well (I have 
about 50 zones)?

;--
;Name Servers
;--
IN  NS  ns1.mydomain.com.
IN  NS  ns2.mydomain.com.
IN  NS  ns1.d-zone.ca.   ; <== Addition (trailing dot keeps the name absolute)
IN  NS  ns2.d-zone.ca.   ; <== Addition

What happens if I do one without the other? I guess I don't fully understand 
the relationship between the name servers listed in the zone versus the ones 
found in my domain record. I'm running BIND locally, if that matters.

-Mike


Re: Cloud DNS providers for secondary DNS

2015-12-29 Thread Reindl Harald



On 30.12.2015 at 01:40, Diggins Mike wrote:

> Is it enough to do that or do I also need to add these (2) name server 
> addresses to each of my zone files as well (I have about 50 zones)


each zone has to have its nameservers as NS records
just use http://www.intodns.com/ after any DNS infrastructure changes

http://www.noip.com/blog/2011/04/08/anatomy-of-a-zone-file-part-two-what-are-ns-records-and-why-are-they-important-to-dns/




Re: Cloud DNS providers for secondary DNS

2015-12-29 Thread John Levine
>On 30.12.2015 at 03:12, Luis Daniel Lucio Quiroz wrote:
>> You could use dyndns for that, but it is not free.
>
>do they provide anycast?

Yes, of course.  Dyn is one of the largest DNS providers in the world.

Their basic secondary service is $40/yr.

R's,
John


Re: Cloud DNS providers for secondary DNS

2015-12-29 Thread Michelangelo De Simone
On Tue, Dec 29, 2015, at 04:40 PM, Diggins Mike wrote:

> What happens if I do one without the other? I guess I don't fully
> understand the relationship between the name servers listed in the zone
> versus the ones found in my domain record. I'm running BIND locally, if
> that matters.

Hi Mike,

I'm not sure I understand your question entirely; for a correct
master/slave configuration you usually need:

1. the NS records have to point toward all the nameservers that are
authoritative for your zone (primary and secondary/ies)
2. your slave nameserver(s) should be aware that they're slave for the
specified zone and they need to know who the master is
3. your master nameserver should allow AXFR (zone transfer) toward the
slave server(s)

Generally speaking your master should never allow zone transfers, save
the explicitly defined slave server(s); also, in order to avoid
unnecessary polling, you may think of enabling the "notify" options from
your master toward your slaves.

An excellent tutorial might be found on [1]. I don't know whether this
answers your questions. :)

[1]
http://www.microhowto.info/howto/configure_bind_as_a_slave_dns_server.html
-- 
Bye,
Michelangelo


Re: Cloud DNS providers for secondary DNS

2015-12-29 Thread John Levine
>IN  NS  ns1.mydomain.com.
>IN  NS  ns2.mydomain.com.
>IN  NS  ns1.d-zone.ca.  <== Addition
>IN  NS  ns2.d-zone.ca.  <== Addition

These questions would, as always, be easier to answer if you gave us
the actual names rather than inventing other names that may or may not
be similar to the real ones.

If your servers are not authoritative for d-zone.ca, which in this
case they very likely aren't, there is no benefit from putting their A
or AAAA records into your zones, since nobody will ask for them.  Just
add the NS records to your own zones, and add them to the list that
the registrar uploads to the TLD zone and it will work.

If you're using nameservers with names within your own zone you have
to set up glue records, but in this case you don't.

R's,
John


Re: Cloud DNS providers for secondary DNS

2015-12-29 Thread Reindl Harald



On 30.12.2015 at 03:12, Luis Daniel Lucio Quiroz wrote:

> You could use dyndns for that, but it is not free.


do they provide anycast?


> With a little knowledge, you can save that and put your own slaves. As
> cheap as 6 USD per year.


the OP asked for https://en.wikipedia.org/wiki/Anycast#Domain_Name_System

when you run the master servers you already have the little knowledge, 
but you hardly get your own slaves with your own anycast infrastructure 
for 6 USD per year - driving your own master and slave is dead simple but 
not the question of the OP


[harry@srv-rhsoft:~]$ dig NS thelounge.net @8.8.8.8
; <<>> DiG 9.10.3-P2-RedHat-9.10.3-7.P2.fc23 <<>> NS thelounge.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62766
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;thelounge.net. IN  NS

;; ANSWER SECTION:
thelounge.net.  11284   IN  NS  ns1.thelounge.net.
thelounge.net.  11284   IN  NS  ns2.thelounge.net.


