Re: Simple question about zone and CNAME
In article mailman.78.1365430543.20661.bind-us...@lists.isc.org, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 08/04/13 14:46, Sam Wilson wrote:
>> In article mailman.59.1365230565.20661.bind-us...@lists.isc.org, Phil Mayers p.may...@imperial.ac.uk wrote:
>>> Sam Wilson sam.wil...@ed.ac.uk wrote:
>>>> [adding an A record for ed.ac.uk.]
>>> If your AD realm is also called ed.ac.uk then adding an A record will definitely affect things.
>> Which is exactly the opposite of what our AD guys said, but not with such great conviction. :-)
>
> Off the top of my head the two most recent issues we've had.
>
> 1. If you don't have a domain controller A record at your AD realm name, you'll experience sporadic timeouts and slowness if you ever want to roll out DFS, particularly if your domain members include non-Microsoft clients such as Macs.
>
> 2. If you put something else at that place, you'll see SMB connection attempts and if they fail but port 80 is open, you'll see Windows trying to do WebDAV requests (!) to it.
>
> Both these and other issues make me wish we'd chosen a sub-domain for our AD realm when we migrated from NT4. But we had no way of knowing at the time :o(

Thank you (belatedly) for that information. As I think I remarked elsewhere, we wished to retain the existing structure of our DNS, with some domains delegated to others (as well as a lot that we delegate to ourselves) which needed to be in the same AD thingy[*]. Forcing another layer of DNS naming between the institution and the department seemed inappropriate.

Sam
-- 
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Simple question about zone and CNAME
In article mailman.79.1365435117.20661.bind-us...@lists.isc.org, Barry S. Finkel bsfin...@att.net wrote:

> On 4/8/2013 9:10 AM, bind-users-requ...@lists.isc.org wrote:
>> In article mailman.59.1365230565.20661.bind-us...@lists.isc.org, Phil Mayers p.may...@imperial.ac.uk wrote:
>>> Sam Wilson sam.wil...@ed.ac.uk wrote:
>>>> [adding an A record for ed.ac.uk.]
>>> If your AD realm is also called ed.ac.uk then adding an A record will definitely affect things.
>> Which is exactly the opposite of what our AD guys said, but not with such great conviction. :-)
>>
>> Sam
>
> AD clients, if they do not know about SRV records for finding the LDAP servers, will use the A records for the AD domain to locate the Domain Controllers.

...

Can you identify any such clients? Phil Mayers has already mentioned non-MS DFS clients and other things (MS?) which might try SMB and WebDAV to an A record at the AD domain name. Are there others?

...

> Where I used to work we did not segregate AD, so internally, example.com pointed to the Domain Controllers. Externally, example.com had no IP address because the DCs were not accessible from the external Internet. When we had the DC addresses externally, then AD clients would see the addresses, try to authenticate to the AD, experience timeouts, and get frustrated. Without an external address, AD clients do not try to access the DCs. The drawback is that we can not have example.com externally have the same address as www.example.com to aid browser users.

Which is exactly where I came in - the people who manage our corporate image feel that this is unacceptable and reflects badly on the University.

Sam
Re: Simple question about zone and CNAME
In article mailman.86.1365490964.20661.bind-us...@lists.isc.org, Phil Mayers p.may...@imperial.ac.uk wrote:

> On 04/08/2013 06:59 PM, Novosielski, Ryan wrote:
>> Someone can correct me if I'm wrong, but I think they'd be right if and only if the webserver they're adding the A record for happens to also be the AD server.
>
> In principle that's correct. In practice, running a publicly accessible webserver on your AD controllers is a bad move IMO. The security implications are gruesome.
>
> I think I almost dislike the idea so much that I'd suggest split DNS before this. And given how much I dislike split DNS, that's saying something. But hey, to each their own.

In our case it would be impossible for the University's public web presence and the AD domain controllers to be the same machines. It is conceivable that we could do some magic in load balancers to divide traffic appropriately, but I'd rather not do that if I don't have to.

Sam
Re: Simple question about zone and CNAME
In article mailman.84.1365479484.20661.bind-us...@lists.isc.org, Doug Barton do...@dougbarton.us wrote:

> On 04/08/2013 06:54 AM, Sam Wilson wrote:
>> In article mailman.61.1365232319.20661.bind-us...@lists.isc.org, Doug Barton do...@dougbarton.us wrote:
>>> On 04/05/2013 11:53 PM, Novosielski, Ryan wrote:
>>> | It is funny you should mention that... my questions about using views
>>> | to create a situation where one single record is different happens to
>>> | be exactly for this reason. The Active Directory administrators were
>>> | saying that not having umdnj.edu point to an Active Directory server
>>> | was bothering the AD servers in some fashion. The solution we're going
>>> | to test is telling the AD servers that umdnj.edu are them, but telling
>>> | everyone else on the planet that it's www. We think this will do it,
>>> | but haven't tested yet.
>>>
>>> Much better to put the AD stuff in its own subdomain, like ad.umdnj.edu. AD DNS is only really happy when it runs the whole show for its home domain. It's possible to do otherwise, but really painful and fragile.
>>
>> We've been running our main domain with the underscore domains delegated to AD for well over a decade and it's been neither painful nor fragile,
>
> You apparently missed the context of the response. :) I didn't say impossible, and I've set it up the way you describe in the past. But it assumes both an initial and ongoing level of clue that is not always available. Whereas, put all the AD stuff in its own subdomain is both pain-less, and has other advantages.

It would not have been painless for us.

Sam
Re: Simple question about zone and CNAME
In article mailman.108.1365771792.20661.bind-us...@lists.isc.org, Dave Sparro dspa...@gmail.com wrote:

> On 4/6/2013 12:46 AM, Lawrence K. Chen, P.Eng. wrote:
>> So, up until a couple years ago...our webmail address had always been, and only, webmail.ksu.edu. But, under the new direction...it has to work as webmail.ksu.edu, www.webmail.ksu.edu, webmail.k-state.edu, www.webmail.k-state.edu. And SSL certs to work for all those.
>
> Sounds like it is time to have some fun with recursion... You should mention that since www.webmail.ksu.edu exists, www.www.webmail.ksu.edu should work too. :D

We once wondered about obtaining an EDU domain, and pondered on what domain our Faculty of Education might want to use. The University of Edmonton may have had similar thoughts.

Sam
Re: Simple question about zone and CNAME
- Original Message -
> In our case it would be impossible for the University's public web presence and the AD domain controllers to be the same machines. It is conceivable that we could do some magic in load balancers to divide traffic appropriately, but I'd rather not do that if I don't have to.
>
> Sam

But, assuming that your web presence is on the load balancer...there wouldn't be any trick to putting AD controller(s) on the same IP...since AD controllers listen to ports other than 80/443.

At our university (www.)ksu.edu is 129.130.8.49 and (www.)k-state.edu is 129.130.8.50. On this IP, the load balancer has port 80 mapped to a pool of webservers handling http, and port 443 is mapped to a different pool of webservers handling https (they should be the same servers now, but there was a time when the webteam was switching webserver apps, that SSL continued to be handled by the old servers since the private keys were internal to that application.)

The instability of our web presence was attributed to the high-activity content that was largely http. Until about 2.5 years ago, we were still using Netscape Enterprise Server v4.1! And, there were things specific to that version that precluded moving to newer NES/iPlanet/SunOneWS. Finally went with Apache when a mod was written to recreate those features...and bugs.

Though our AD controllers are not behind our load balancer, someday the windows group might...now that they want to be considered an enterprise server tech group...and cause all sorts of confusion with the already existing enterprise server tech group (unix/linux)...and shed their old name of lantech, from when they were the netware group.

What we do have on this IP, is ports 5222 and 5223 being sent to another pool.

OTOH, I am doing some magic on the load balancers...because different URI paths are going to different pools, because some important section was mocked up using technology that is not our standard webserver but then is announced to the world as a path under our main web site. The web team has been talking about replacing our main web presence with varnish caches, which would give them the ability to do this themselves...rather than needing me to maintain the TCL file that makes the magic. But, it's been taking them a long time for some reason (years).

I have a personal setup, which is a pair of nginx servers reverse proxying to various other servers, that's working pretty slick.

The use of separate IPs for ksu.edu and k-state.edu is a left over from how things used to be done...but the site now uses a multiname cert with those 4 names and others... since it was cheaper to cram as many different names into a single cert (and we're doing SSL proxy on our load balancer -- so the load balancer can work its magic...)
Re: Simple question about zone and CNAME
On 4/6/2013 12:46 AM, Lawrence K. Chen, P.Eng. wrote:
> So, up until a couple years ago...our webmail address had always been, and only, webmail.ksu.edu. But, under the new direction...it has to work as webmail.ksu.edu, www.webmail.ksu.edu, webmail.k-state.edu, www.webmail.k-state.edu. And SSL certs to work for all those.

Sounds like it is time to have some fun with recursion... You should mention that since www.webmail.ksu.edu exists, www.www.webmail.ksu.edu should work too. :D

-- 
Dave
Re: Simple question about zone and CNAME
On 04/08/2013 06:59 PM, Novosielski, Ryan wrote:
> Someone can correct me if I'm wrong, but I think they'd be right if and only if the webserver they're adding the A record for happens to also be the AD server.

In principle that's correct. In practice, running a publicly accessible webserver on your AD controllers is a bad move IMO. The security implications are gruesome.

I think I almost dislike the idea so much that I'd suggest split DNS before this. And given how much I dislike split DNS, that's saying something. But hey, to each their own.
Re: Simple question about zone and CNAME
>>> In article mailman.49.1365191296.20661.bind-us...@lists.isc.org, wbr...@e1b.org wrote:
>>>> And then there's these folks: http://no-www.org/

> On 04/08/2013 06:42 AM, Sam Wilson wrote:
>> Is co-opting high-level name space for a single protocol a modern-day landgrab?

On 08.04.13 20:58, Doug Barton wrote:
> Is holding on to the antiquated notion that every protocol needs a unique hostname charmingly anachronistic, or just plain obstructionist? (See what I did there?)

It's kind of best practice for cases where a domain contains more hosts with different usage. But you know this, don't you?

> For bonus points, list the number of services running on your typical server configuration, and then tell us how many of them have their own hostnames. Start with dns, ssh, and ntp.

Continue with smtp/pop/imap. The www belongs to these, not to the dns/ssh/ntp.

> The point being that the world moved on, and putting websites on hostnames that don't start with www. is the common case now. Can we save our energy for something more productive?

Why did you post this then?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.
Re: Simple question about zone and CNAME
Warren Kumari war...@kumari.net wrote on 04/05/2013 06:48:08 PM:
> And then there's these folks: http://no-www.org/

Oh wow! Gee, thanks for that?

And it's always fun when you tell someone to go to a URL that doesn't include the W's and they want to type them in anyway, i.e. chat.example.com.
Re: Simple question about zone and CNAME
In article mailman.49.1365191296.20661.bind-us...@lists.isc.org, wbr...@e1b.org wrote:

>> Incidentally, we have just been asked for an A record for cam.ac.uk to duplicate www.cam.ac.uk because, and I quote, "all the publicity material sent out by the nominator [for an award for the web site] gave the URL as http://cam.ac.uk/ and this has been retweeted around".
>
> Yes, sadly I've lost that technical battle with marketing several places now.
>
> And then there's these folks: http://no-www.org/

Is co-opting high-level name space for a single protocol a modern-day landgrab? Discuss. Points will be deducted for uncritical mentions of SRV records.

Sam
Re: Simple question about zone and CNAME
In article mailman.51.1365192701.20661.bind-us...@lists.isc.org, Dave Warren li...@hireahit.com wrote:

> On 2013-04-05 12:18, Sam Wilson wrote:
>> We're currently prevaricating over putting in an A record for ed.ac.uk. Whilst my colleagues who manage active directory assure me that having an A record there - pointing at the content-managed web server that has difficulty handling arbitrary URLs - won't break anything I'm not going to try it except under very controlled conditions and after I've spoken to a lot of other people who do it already.
>
> Is ed.ac.uk your Active Directory root as well? If so, my experience is that pointing it at anything but domain controllers will eventually lead you to issues.

It is. That's the sort of response I was hoping for - thank you.

> It's not to say that this is totally forbidden, but there are (were?) Microsoft best practices documents suggesting avoiding this configuration entirely when possible, although there were ways to mitigate most of the negative side effects.

If you know of a reference that would be helpful.

> Obviously if you can run a split DNS environment this is less of a factor.

We don't and we're trying not to have to.

Sam
Re: Simple question about zone and CNAME
In article mailman.59.1365230565.20661.bind-us...@lists.isc.org, Phil Mayers p.may...@imperial.ac.uk wrote:

> Sam Wilson sam.wil...@ed.ac.uk wrote:
>> [adding an A record for ed.ac.uk.]
>
> If your AD realm is also called ed.ac.uk then adding an A record will definitely affect things.

Which is exactly the opposite of what our AD guys said, but not with such great conviction. :-)

Sam
Re: Simple question about zone and CNAME
In article mailman.61.1365232319.20661.bind-us...@lists.isc.org, Doug Barton do...@dougbarton.us wrote:

> On 04/05/2013 11:53 PM, Novosielski, Ryan wrote:
> | It is funny you should mention that... my questions about using views
> | to create a situation where one single record is different happens to
> | be exactly for this reason. The Active Directory administrators were
> | saying that not having umdnj.edu point to an Active Directory server
> | was bothering the AD servers in some fashion. The solution we're going
> | to test is telling the AD servers that umdnj.edu are them, but telling
> | everyone else on the planet that it's www. We think this will do it,
> | but haven't tested yet.
>
> Much better to put the AD stuff in its own subdomain, like ad.umdnj.edu. AD DNS is only really happy when it runs the whole show for its home domain. It's possible to do otherwise, but really painful and fragile.

We've been running our main domain with the underscore domains delegated to AD for well over a decade and it's been neither painful nor fragile, at least no more painful than running AD any other way as far as I can tell. We already had a well partitioned and, in some cases, delegated DNS structure before Windows 2000/Active Directory came on the scene, but we needed to have a single AD thingy (forest? domain? I can't remember the correct terminology). Replicating all of that under a new functional domain didn't seem like a sensible option.

Sam
Re: Simple question about zone and CNAME
In article mailman.70.1365423010.20661.bind-us...@lists.isc.org, wbr...@e1b.org wrote:

> Warren Kumari war...@kumari.net wrote on 04/05/2013 06:48:08 PM:
>> And then there's these folks: http://no-www.org/
>
> Oh wow! Gee, thanks for that?
>
> And it's always fun when you tell someone to go to a URL that doesn't include the W's and they want to type them in anyway, i.e. chat.example.com.

Oh yes. Sigh...

Sam
Re: Simple question about zone and CNAME
On 08/04/13 14:46, Sam Wilson wrote:
> In article mailman.59.1365230565.20661.bind-us...@lists.isc.org, Phil Mayers p.may...@imperial.ac.uk wrote:
>> Sam Wilson sam.wil...@ed.ac.uk wrote:
>>> [adding an A record for ed.ac.uk.]
>> If your AD realm is also called ed.ac.uk then adding an A record will definitely affect things.
>
> Which is exactly the opposite of what our AD guys said, but not with such great conviction. :-)

Off the top of my head the two most recent issues we've had.

1. If you don't have a domain controller A record at your AD realm name, you'll experience sporadic timeouts and slowness if you ever want to roll out DFS, particularly if your domain members include non-Microsoft clients such as Macs.

2. If you put something else at that place, you'll see SMB connection attempts and if they fail but port 80 is open, you'll see Windows trying to do WebDAV requests (!) to it.

Both these and other issues make me wish we'd chosen a sub-domain for our AD realm when we migrated from NT4. But we had no way of knowing at the time :o(
Re: Simple question about zone and CNAME
On 4/8/2013 9:10 AM, bind-users-requ...@lists.isc.org wrote:
> In article mailman.59.1365230565.20661.bind-us...@lists.isc.org, Phil Mayers p.may...@imperial.ac.uk wrote:
>> Sam Wilson sam.wil...@ed.ac.uk wrote:
>>> [adding an A record for ed.ac.uk.]
>> If your AD realm is also called ed.ac.uk then adding an A record will definitely affect things.
>
> Which is exactly the opposite of what our AD guys said, but not with such great conviction. :-)
>
> Sam

AD clients, if they do not know about SRV records for finding the LDAP servers, will use the A records for the AD domain to locate the Domain Controllers.

Where I used to work we did not segregate AD, so internally, example.com pointed to the Domain Controllers. Externally, example.com had no IP address because the DCs were not accessible from the external Internet. When we had the DC addresses externally, then AD clients would see the addresses, try to authenticate to the AD, experience timeouts, and get frustrated. Without an external address, AD clients do not try to access the DCs. The drawback is that we can not have example.com externally have the same address as www.example.com to aid browser users.

--Barry Finkel
Re: Simple question about zone and CNAME
On 04/08/2013 09:47 AM, Sam Wilson wrote:
> In article mailman.59.1365230565.20661.bind-us...@lists.isc.org, Phil Mayers p.may...@imperial.ac.uk wrote:
>> Sam Wilson sam.wil...@ed.ac.uk wrote:
>>> [adding an A record for ed.ac.uk.]
>> If your AD realm is also called ed.ac.uk then adding an A record will definitely affect things.
>
> Which is exactly the opposite of what our AD guys said, but not with such great conviction. :-)

Someone can correct me if I'm wrong, but I think they'd be right if and only if the webserver they're adding the A record for happens to also be the AD server.

-- 
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: Simple question about zone and CNAME
On 04/08/2013 10:16 AM, Phil Mayers wrote:
> On 08/04/13 14:46, Sam Wilson wrote:
>> In article mailman.59.1365230565.20661.bind-us...@lists.isc.org, Phil Mayers p.may...@imperial.ac.uk wrote:
>>> Sam Wilson sam.wil...@ed.ac.uk wrote:
>>>> [adding an A record for ed.ac.uk.]
>>> If your AD realm is also called ed.ac.uk then adding an A record will definitely affect things.
>> Which is exactly the opposite of what our AD guys said, but not with such great conviction. :-)
>
> Off the top of my head the two most recent issues we've had.
>
> 1. If you don't have a domain controller A record at your AD realm name, you'll experience sporadic timeouts and slowness if you ever want to roll out DFS, particularly if your domain members include non-Microsoft clients such as Macs.
>
> 2. If you put something else at that place, you'll see SMB connection attempts and if they fail but port 80 is open, you'll see Windows trying to do WebDAV requests (!) to it.
>
> Both these and other issues make me wish we'd chosen a sub-domain for our AD realm when we migrated from NT4. But we had no way of knowing at the time :o(

It would seem to me there is some other way around this, either by redirecting traffic to the AD servers or some careful combination of local host names or something else. In our case, the domain itself has barely any activity (and no client activity) and we can just lie to the AD servers and use them as the bare domain name.

-- 
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: Simple question about zone and CNAME
In message 5162e2a1.7000...@att.net, Barry S. Finkel writes:

> On 4/8/2013 9:10 AM, bind-users-requ...@lists.isc.org wrote:
>> In article mailman.59.1365230565.20661.bind-us...@lists.isc.org, Phil Mayers p.may...@imperial.ac.uk wrote:
>>> Sam Wilson sam.wil...@ed.ac.uk wrote:
>>>> [adding an A record for ed.ac.uk.]
>>> If your AD realm is also called ed.ac.uk then adding an A record will definitely affect things.
>> Which is exactly the opposite of what our AD guys said, but not with such great conviction. :-)
>>
>> Sam
>
> AD clients, if they do not know about SRV records for finding the LDAP servers, will use the A records for the AD domain to locate the Domain Controllers.
>
> Where I used to work we did not segregate AD, so internally, example.com pointed to the Domain Controllers. Externally, example.com had no IP address because the DCs were not accessible from the external Internet. When we had the DC addresses externally, then AD clients would see the addresses, try to authenticate to the AD, experience timeouts, and get frustrated.

Do the AD clients do the correct thing with the "no service offered" SRV record (e.g. SRV 0 0 0 .)? It is designed to stop fallback to A/AAAA records when the service is explicitly not there.

RFC 2782: "A Target of '.' means that the service is decidedly not available at this domain."

If they do there should be no confusion with the use of address records between AD and HTTP/HTTPS.

> Without an external address, AD clients do not try to access the DCs. The drawback is that we can not have example.com externally have the same address as www.example.com to aid browser users.
>
> --Barry Finkel

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
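The two pieces discussed above, Barry's internal/external split (apex pointing at the DCs inside, at nothing or at the web site outside) and Mark's RFC 2782 "service decidedly not available" sentinel, fit together in BIND views. The fragment below is an added example written for this page; it is not configuration posted by anyone in the thread. The zone name example.edu, the campus prefixes, the DC hostnames dc1/dc2 and every address are assumptions; the AD-created underscore labels (_msdcs, _sites, _tcp, _udp) and the _ldap._tcp / _kerberos._tcp SRV names are the standard ones a domain controller registers. Whether the Windows DC locator actually honours a "." target rather than falling back to the apex A record is exactly the open question in Mark's message, so treat the external SRV lines as something to test, not as a proven fix.

```conf
// named.conf fragment (added example, not from the thread).
// Assumed: campus networks are 192.0.2.0/24 and 198.51.100.0/24,
// the public web front end is 203.0.113.10, the DCs are dc1/dc2.

acl campus { 192.0.2.0/24; 198.51.100.0/24; };

view "internal" {
    match-clients { campus; };
    recursion yes;
    zone "example.edu" {
        type master;
        file "db.example.edu.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.edu" {
        type master;
        file "db.example.edu.external";
    };
};

; ---- db.example.edu.internal: apex is the AD realm, as Barry describes ----
$ORIGIN example.edu.
$TTL 3600
@       IN SOA  ns1 hostmaster ( 2013040801 3600 900 1209600 300 )
        IN NS   ns1
        IN A    192.0.2.11      ; dc1 - apex resolves to the DCs only
        IN A    192.0.2.12      ; dc2
ns1     IN A    192.0.2.53
www     IN A    203.0.113.10    ; web site stays on its own name
dc1     IN A    192.0.2.11
dc2     IN A    192.0.2.12
; DC locator records; AD keeps the underscore subdomains itself via
; dynamic update, so delegate them to the DCs rather than hand-maintain them
_msdcs  IN NS   dc1
        IN NS   dc2
_sites  IN NS   dc1
        IN NS   dc2
_tcp    IN NS   dc1
        IN NS   dc2
_udp    IN NS   dc1
        IN NS   dc2

; ---- db.example.edu.external: apex is the web site, AD is absent ----
$ORIGIN example.edu.
$TTL 3600
@       IN SOA  ns1 hostmaster ( 2013040801 3600 900 1209600 300 )
        IN NS   ns1
        IN A    203.0.113.10    ; same address as www, for the marketing people
ns1     IN A    203.0.113.53
www     IN A    203.0.113.10
; RFC 2782 sentinel, as Mark proposes: a target of "." says the service is
; decidedly not available here, so a conforming client must not fall back
; to the apex A record. No _msdcs delegation exists in this view, so the
; dc._msdcs lookups the DC locator makes get NXDOMAIN.
_ldap._tcp      IN SRV 0 0 0 .
_kerberos._tcp  IN SRV 0 0 0 .
```

Check it from both sides before trusting it: `dig +short example.edu A` against the campus resolver should return only the DC addresses, while the same query from outside should return 203.0.113.10, and `dig _ldap._tcp.example.edu SRV` from outside should return the "." sentinel rather than nothing. The caveat Barry gives still applies to domain-joined laptops off campus: they see the external view, so if the locator ignores the sentinel they will try SMB (and then WebDAV, per Phil's second point) against the web server, which is the behaviour the thread is trying to avoid.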
Re: Simple question about zone and CNAME
On 2013-04-08 11:10, Novosielski, Ryan wrote:
> It would seem to me there is some other way around this, either by redirecting traffic to the AD servers or some careful combination of local host names or something else. In our case, the domain itself has barely any activity (and no client activity) and we can just lie to the AD servers and use them as the bare domain name.

It's not just the servers though, it's any client that needs to access Active Directory resources that might potentially hit the web server when it's looking for your AD environment.

-- 
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: Simple question about zone and CNAME
On 04/08/2013 06:54 AM, Sam Wilson wrote:
> In article mailman.61.1365232319.20661.bind-us...@lists.isc.org, Doug Barton do...@dougbarton.us wrote:
>> On 04/05/2013 11:53 PM, Novosielski, Ryan wrote:
>> | It is funny you should mention that... my questions about using views
>> | to create a situation where one single record is different happens to
>> | be exactly for this reason. The Active Directory administrators were
>> | saying that not having umdnj.edu point to an Active Directory server
>> | was bothering the AD servers in some fashion. The solution we're going
>> | to test is telling the AD servers that umdnj.edu are them, but telling
>> | everyone else on the planet that it's www. We think this will do it,
>> | but haven't tested yet.
>>
>> Much better to put the AD stuff in its own subdomain, like ad.umdnj.edu. AD DNS is only really happy when it runs the whole show for its home domain. It's possible to do otherwise, but really painful and fragile.
>
> We've been running our main domain with the underscore domains delegated to AD for well over a decade and it's been neither painful nor fragile,

You apparently missed the context of the response. :) I didn't say impossible, and I've set it up the way you describe in the past. But it assumes both an initial and ongoing level of clue that is not always available. Whereas, put all the AD stuff in its own subdomain is both pain-less, and has other advantages.

Doug
Re: Simple question about zone and CNAME
On 04/08/2013 06:42 AM, Sam Wilson wrote:
> In article mailman.49.1365191296.20661.bind-us...@lists.isc.org, wbr...@e1b.org wrote:
>>> Incidentally, we have just been asked for an A record for cam.ac.uk to duplicate www.cam.ac.uk because, and I quote, all the publicity material sent out by the nominator [for an award for the web site] gave the URL as http://cam.ac.uk/ and this has been retweeted around.
>>
>> Yes, sadly I've lost that technical battle with marketing several places now.
>>
>> And then there's these folks: http://no-www.org/
>
> Is co-opting high-level name space for a single protocol a modern-day landgrab? Is holding on to the antiquated notion that every protocol needs a unique hostname charmingly anachronistic, or just plain obstructionist? (See what I did there?)

For bonus points, list the number of services running on your typical server configuration, and then tell us how many of them have their own hostnames. Start with dns, ssh, and ntp. Then describe how you differentiate your SSL web service from your plain text version. Bonus points if you're running ipp, nfs, or kerberos with their own unique hostnames on the same system.

The point being that the world moved on, and putting websites on hostnames that don't start with www. is the common case now. Can we save our energy for something more productive?

Doug
Re: Simple question about zone and CNAME
Sam Wilson sam.wil...@ed.ac.uk wrote:
> In article mailman.46.1365189018.20661.bind-us...@lists.isc.org, Chris Thompson c...@cam.ac.uk wrote:
>> On Apr 5 2013, John Wobus wrote:
>>>> DNAME? runs away, giggling…
>>>
>>> Or SRV records. Surely browsers are adding support in the next day or two?
>>
>> Come on, April 1 has been over for too long for this.
>>
>> Incidentally, we have just been asked for an A record for cam.ac.uk to duplicate www.cam.ac.uk because, and I quote, all the publicity material sent out by the nominator [for an award for the web site] gave the URL as http://cam.ac.uk/ and this has been retweeted around.
>
> We're currently prevaricating over putting in an A record for ed.ac.uk. Whilst my colleagues who manage Active Directory assure me that having an A record there - pointing at the content-managed web server that has difficulty handling arbitrary URLs - won't break anything, I'm not going to try it except under very controlled conditions and after I've spoken to a lot of other people who do it already.
>
> Sam

If your AD realm is also called ed.ac.uk then adding an A record will definitely affect things.

--
Sent from my phone. Please excuse brevity and typos.
Re: Simple question about zone and CNAME
On 04/05/2013 04:12 PM, Dave Warren wrote:
> On 2013-04-05 12:18, Sam Wilson wrote:
>> We're currently prevaricating over putting in an A record for ed.ac.uk. Whilst my colleagues who manage Active Directory assure me that having an A record there - pointing at the content-managed web server that has difficulty handling arbitrary URLs - won't break anything, I'm not going to try it except under very controlled conditions and after I've spoken to a lot of other people who do it already.
>
> Is ed.ac.uk your Active Directory root as well? If so, my experience is that pointing it at anything but domain controllers will eventually lead you to issues. It's not to say that this is totally forbidden, but there are (were?) Microsoft best practices documents suggesting avoiding this configuration entirely when possible, although there were ways to mitigate most of the negative side effects.
>
> Obviously if you can run a split DNS environment this is less of a factor.

It is funny you should mention that... my questions about using views to create a situation where one single record is different happen to be exactly for this reason. The Active Directory administrators were saying that not having umdnj.edu point to an Active Directory server was bothering the AD servers in some fashion. The solution we're going to test is telling the AD servers that umdnj.edu are them, but telling everyone else on the planet that it's www. We think this will do it, but haven't tested yet.

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: Simple question about zone and CNAME
On 04/06/2013 03:11 AM, Doug Barton wrote:
> On 04/05/2013 11:53 PM, Novosielski, Ryan wrote:
> | It is funny you should mention that... my questions about using views
> | to create a situation where one single record is different happens to
> | be exactly for this reason. The Active Directory administrators were
> | saying that not having umdnj.edu point to an Active Directory server
> | was bothering the AD servers in some fashion. The solution we're going
> | to test is telling the AD servers that umdnj.edu are them, but telling
> | everyone else on the planet that it's www. We think this will do it,
> | but haven't tested yet.
>
> Much better to put the AD stuff in its own subdomain, like ad.umdnj.edu. AD DNS is only really happy when it runs the whole show for its home domain. It's possible to do otherwise, but really painful and fragile.

Yeah, it pretty much is in our case. There's just a small amount of stuff in the root domain for whatever reason and the A record thing is causing some minor issues that they'd prefer would not occur. I don't really know the specifics -- something with group policies.

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Simple question about zone and CNAME
Hi,

I'd like to use a CNAME record on my zone. I'm able to have this config for http://www.mysite.com:

    www IN CNAME somehost.com

but I can't do this for http://mysite.com:

    @ IN CNAME somehost.com

How can I achieve this configuration? Is there another way to specify the address of http://mysite.com?

I would like to avoid pointing at an IP address directly as I'm managing a few hundred domains, and among them I don't manage some domains of some clients, which makes it very painful and time consuming to get them to make any change.

Regards,
Thomas.
Re: Simple question about zone and CNAME
On 04/05/2013 10:13 AM, Thomas Manson wrote:
> @ IN CNAME somehost.com

Correct. CNAMEs are mutually exclusive with other records (DNSSEC signatures excepted) and the zone apex requires SOA and NS.

> http://somehost.com How can I achieve this configuration?

You will have to use an A record. Our DNS system allows CNAME at zone apex, but it resolves it to A/ records when building the DNS zone.

> Is there another way to specify the address of http://mysite.com? I would like to avoid pointing at an IP address directly as I'm managing

Can't be avoided.

> a few hundred domains, and among them I don't manage some domains of some clients, which makes it very painful and time consuming to get them to make any change.

Automate the zone editing, as above.
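An added example, not code from the thread and not how BIND or Phil's zone-building system is implemented, showing both halves of this reply: the check that rejects the apex CNAME from the question, and a build-time step that turns the apex CNAME into address records the way Phil describes. The zone text, the names mysite.com and somehost.com, and the address table are constructed for the example.

```python
"""Check a zone for illegal CNAMEs and flatten an apex CNAME at build time.

Added example; not code from the thread or from BIND. It handles a small
subset of master-file syntax (one record per line, '@' for the apex,
relative owner names, no $ directives or multi-line rdata) and shows:

  * why '@ IN CNAME somehost.com' is rejected: a CNAME may not share its
    owner name with any other record (RFC 1034 section 3.6.2), and the
    apex always carries SOA and NS;
  * the "resolve it to addresses when building the zone" workaround the
    reply above describes, implemented with a lookup callback.

The zone text and the address table are constructed for the example; in
a real build the callback would query a resolver instead.
"""
from collections import defaultdict

ZONE = """\
@    3600 IN SOA   ns1.mysite.com. hostmaster.mysite.com. 2013040501 3600 900 1209600 300
@    3600 IN NS    ns1.mysite.com.
@    3600 IN CNAME somehost.com.   ; what the question asked for: illegal at the apex
www  3600 IN CNAME somehost.com.   ; this one is fine
ns1  3600 IN A     192.0.2.53
"""

# Constructed stand-in for a resolver: target name -> addresses.
ADDRESSES = {"somehost.com.": ["203.0.113.10", "2001:db8::10"]}


def qualify(name, origin):
    """Turn '@' or a relative name into a fully qualified name under origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse 'owner [ttl] [IN] type rdata' lines into (owner, ttl, type, rdata)."""
    origin = origin.rstrip(".") + "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        owner = qualify(fields.pop(0), origin)
        ttl = int(fields.pop(0)) if fields[0].isdigit() else None
        if fields[0].upper() == "IN":
            fields.pop(0)
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        records.append((owner, ttl, rtype, rdata))
    return records


def cname_conflicts(records):
    """Owner names where a CNAME coexists with other data (not allowed)."""
    types_at = defaultdict(set)
    for owner, _, rtype, _ in records:
        types_at[owner].add(rtype)
    return sorted(o for o, t in types_at.items() if "CNAME" in t and len(t) > 1)


def flatten_apex_cname(records, origin, lookup):
    """Replace an apex CNAME with the A/AAAA records its target resolves to."""
    origin = origin.rstrip(".") + "."
    out = []
    for owner, ttl, rtype, rdata in records:
        if owner == origin and rtype == "CNAME":
            for addr in lookup(qualify(rdata, origin)):
                out.append((owner, ttl, "AAAA" if ":" in addr else "A", addr))
        else:
            out.append((owner, ttl, rtype, rdata))
    return out


if __name__ == "__main__":
    recs = parse_zone(ZONE, "mysite.com")
    print("conflicts before:", cname_conflicts(recs))   # ['mysite.com.']
    flat = flatten_apex_cname(recs, "mysite.com", lambda n: ADDRESSES.get(n, []))
    print("conflicts after: ", cname_conflicts(flat))   # []
    for rec in flat:
        print(*rec)
```

The flattening has the drawback Thomas was trying to avoid: the addresses are copied into the zone, so whenever somehost.com changes address the zone has to be rebuilt, which is why the reply says to automate the zone editing rather than do it by hand.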
Re: Simple question about zone and CNAME
On Apr 5, 2013, at 5:23 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
> On 04/05/2013 10:13 AM, Thomas Manson wrote:
>> @ IN CNAME somehost.com
>
> Correct. CNAMEs are mutually exclusive with other records (DNSSEC signatures excepted) and the zone apex requires SOA and NS.
>
>> http://somehost.com How can I achieve this configuration?
>
> You will have to use an A record. Our DNS system allows CNAME at zone apex, but it resolves it to A/ records when building the DNS zone.
>
>> Is there another way to specify the address of http://mysite.com? I would like to avoid pointing at an IP address directly as I'm managing
>
> Can't be avoided.

DNAME? runs away, giggling…

W

>> a few hundred domains, and among them I don't manage some domains of some clients, which makes it very painful and time consuming to get them to make any change.
>
> Automate the zone editing, as above.

--
Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.
-- Terry Pratchett
Re: Simple question about zone and CNAME
On 05/04/13 14:16, Warren Kumari wrote:
> DNAME? runs away, giggling…

DNAME doesn't do it, because it directs a sub-tree, not the name itself. You'd need the DNAME in the parent zone, and if you can do that, you can just put two CNAMEs (zone and *.zone).
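An added example (not from the thread) that makes Phil's point concrete by implementing the DNAME substitution rule from RFC 6672 section 2.2: a DNAME at an owner rewrites every name below that owner, but never the owner name itself, so even a DNAME for mysite.com placed in the parent zone would redirect www.mysite.com and leave mysite.com untouched. The names are constructed.

```python
"""Why DNAME does not help with the apex: it rewrites names *below* its owner.

Added example; not code from the thread. It implements the name
substitution rule of RFC 6672 section 2.2: for a DNAME at owner O with
target T, a query name Q that is a proper subdomain of O becomes Q with
the O suffix replaced by T. Q equal to O is not rewritten, so the apex
still needs real A/AAAA data of its own. The names used are constructed.
"""


def labels(name):
    """Split a domain name into lower-cased labels, ignoring a trailing dot."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def apply_dname(qname, owner, target):
    """Return the substituted name (absolute), or None if the DNAME does not cover qname."""
    q, o = labels(qname), labels(owner)
    # A DNAME covers only proper subdomains of its owner, never the owner itself.
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    prefix = q[: len(q) - len(o)]
    return ".".join(prefix + labels(target)) + "."


def rewrite(qname, dnames):
    """Apply the first matching DNAME from {owner: target}; otherwise return qname."""
    for owner, target in dnames.items():
        substituted = apply_dname(qname, owner, target)
        if substituted is not None:
            return substituted
    return qname


if __name__ == "__main__":
    # Constructed: a DNAME for mysite.com as it would have to sit in the parent zone.
    dnames = {"mysite.com.": "somehost.com."}
    for name in ("www.mysite.com.", "a.b.mysite.com.", "mysite.com.", "mysite.com.example."):
        print(f"{name:22} -> {rewrite(name, dnames)}")
```

The last two lines of the demo are the point: the owner name itself and an unrelated name that merely ends in the same labels both come back unchanged.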
Re: Simple question about zone and CNAME
> DNAME? runs away, giggling…

Or SRV records. Surely browsers are adding support in the next day or two?

John
Re: Simple question about zone and CNAME
On Apr 5 2013, John Wobus wrote:
>> DNAME? runs away, giggling…
>
> Or SRV records. Surely browsers are adding support in the next day or two?

Come on, April 1 has been over for too long for this.

Incidentally, we have just been asked for an A record for cam.ac.uk to duplicate www.cam.ac.uk because, and I quote, all the publicity material sent out by the nominator [for an award for the web site] gave the URL as http://cam.ac.uk/ and this has been retweeted around.

--
Chris Thompson
Email: c...@cam.ac.uk
Re: Simple question about zone and CNAME
In article mailman.46.1365189018.20661.bind-us...@lists.isc.org, Chris Thompson c...@cam.ac.uk wrote:
> On Apr 5 2013, John Wobus wrote:
>>> DNAME? runs away, giggling…
>>
>> Or SRV records. Surely browsers are adding support in the next day or two?
>
> Come on, April 1 has been over for too long for this.
>
> Incidentally, we have just been asked for an A record for cam.ac.uk to duplicate www.cam.ac.uk because, and I quote, all the publicity material sent out by the nominator [for an award for the web site] gave the URL as http://cam.ac.uk/ and this has been retweeted around.

We're currently prevaricating over putting in an A record for ed.ac.uk. Whilst my colleagues who manage Active Directory assure me that having an A record there - pointing at the content-managed web server that has difficulty handling arbitrary URLs - won't break anything, I'm not going to try it except under very controlled conditions and after I've spoken to a lot of other people who do it already.

Sam

--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: Simple question about zone and CNAME
-----Original Message-----
From: Chris Thompson c...@cam.ac.uk
Date: Friday, April 5, 2013 3:10 PM
To: Bind Users Mailing List bind-users@lists.isc.org
Subject: Re: Simple question about zone and CNAME

> On Apr 5 2013, John Wobus wrote:
>>> DNAME? runs away, giggling…
>>
>> Or SRV records. Surely browsers are adding support in the next day or two?
>
> Come on, April 1 has been over for too long for this.
>
> Incidentally, we have just been asked for an A record for cam.ac.uk to duplicate www.cam.ac.uk because, and I quote, all the publicity material sent out by the nominator [for an award for the web site] gave the URL as http://cam.ac.uk/ and this has been retweeted around.

Yes, sadly I've lost that technical battle with marketing several places now.
Re: Simple question about zone and CNAME
>> Incidentally, we have just been asked for an A record for cam.ac.uk to duplicate www.cam.ac.uk because, and I quote, all the publicity material sent out by the nominator [for an award for the web site] gave the URL as http://cam.ac.uk/ and this has been retweeted around.
>
> Yes, sadly I've lost that technical battle with marketing several places now.

And then there's these folks: http://no-www.org/
Re: Simple question about zone and CNAME
On 2013-04-05 12:18, Sam Wilson wrote:
> We're currently prevaricating over putting in an A record for ed.ac.uk. Whilst my colleagues who manage Active Directory assure me that having an A record there - pointing at the content-managed web server that has difficulty handling arbitrary URLs - won't break anything, I'm not going to try it except under very controlled conditions and after I've spoken to a lot of other people who do it already.

Is ed.ac.uk your Active Directory root as well? If so, my experience is that pointing it at anything but domain controllers will eventually lead you to issues. It's not to say that this is totally forbidden, but there are (were?) Microsoft best practices documents suggesting avoiding this configuration entirely when possible, although there were ways to mitigate most of the negative side effects.

Obviously if you can run a split DNS environment this is less of a factor.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
Re: Simple question about zone and CNAME
On Apr 5, 2013, at 3:48 PM, wbr...@e1b.org wrote:
>>> Incidentally, we have just been asked for an A record for cam.ac.uk to duplicate www.cam.ac.uk because, and I quote, all the publicity material sent out by the nominator [for an award for the web site] gave the URL as http://cam.ac.uk/ and this has been retweeted around.
>>
>> Yes, sadly I've lost that technical battle with marketing several places now.
>
> And then there's these folks: http://no-www.org/

Oh wow! Gee, thanks for that…

Sad panda,
W

--
Have you got any previous convictions? Well, I dunno... I suppose I used to believe very firmly that a penny saved is a penny earned--
-- Terry Pratchett
Re: Simple question about zone and CNAME
----- Original Message -----
> On Apr 5, 2013, at 3:48 PM, wbr...@e1b.org wrote:
>>>> Incidentally, we have just been asked for an A record for cam.ac.uk to duplicate www.cam.ac.uk because, and I quote, all the publicity material sent out by the nominator [for an award for the web site] gave the URL as http://cam.ac.uk/ and this has been retweeted around.
>>>
>>> Yes, sadly I've lost that technical battle with marketing several places now.
>>>
>>> And then there's these folks: http://no-www.org/
>
> Oh wow! Gee, thanks for that…
>
> Sad panda,
> W

Wow... didn't know that site existed. I've thought for a long time that all websites having to start with 'www.' was pretty antiquated. And, as such, most of the sites I have set up aren't that way. Especially the domain I got for my URL shortener.

OTOH, our old webmaster is now working in marketing... when it was mandated that all DNS requests would automatically have the www. version created or vice versa, depending on what was requested... also they automatically get both ksu.edu and k-state.edu forms, even if they only asked for one. And, it just happens automatically with their request and isn't indicated that it happened.

So, up until a couple years ago... our webmail address had always been, and only, webmail.ksu.edu. But, under the new direction... it has to work as webmail.ksu.edu, www.webmail.ksu.edu, webmail.k-state.edu, www.webmail.k-state.edu, and SSL certs have to work for all those. And, then somebody mentioned that m. was the prefix for mobile websites. So, now we support m.webmail x2, www.m.webmail x2, and m.www.webmail x2... and SSL for all.

In fact the whole "everything has to have multiple names" is causing problems, because now we need SSL certs to work for multiple names because people aren't typing just the name and getting redirected to the one https:// form that exists. They'll https to one of the variants and complain they got a cert error and demand it be fixed. Rather than use the one form that has always been used to get to the site, and the one form that is published.

Of course, sometimes getting both the ksu.edu and k-state.edu forms is automatic, because their subdomain is an include file that is included in both files. Though there are others where the information had been entered by hand into both zones. And, occasionally typos have gone undetected for years, because they never asked for the k-state.edu form... and it never worked because of a typo... until suddenly it does. Of course, there are also places in the files where the ksu.edu form has a different IP address than the k-state.edu form (by one).

The use of multi-name certs to address this problem has only been a recent thing here, and it doesn't seem to be widely known. Though apparently my hosting provider doesn't support these... requiring me to buy unique IPs for each cert... unless I happen to buy my cert from them... in which case theirs will work both with and without the 'www.' Though I have 3 domains pointed to the same site.

Also it seems that if I sign up for cloudflare and move my NS to them, I can use just my domain name. Except that my hosting provider has partnered with them, so that NS can stay with them... but then I can no longer use just my domain name (because they'll then use the CNAME method that cloudflare offers... which can't be done for the apex of my domain)... so I can't use cloudflare.

Though DoS'ing my site was getting dropped off sharply a few days ago. My site was seeing about 30x more traffic than usual. I meant to see if there was anything piling on things at work... but guess I was busy enough to look, and nobody has asked me about the systems I take care of.

In November our authoritative-only nameservers were getting DoS'd... they saw 1 gigabit of traffic coming in for each of the IPs of our nameservers. Only thing I could see in the logs was the nameserver couldn't reply to queries during the times. I knew our pipe was big, but didn't realize it was big enough to have a sustained and solid 1 gigabit of junk at my nameservers.

Hopefully they'll continue to exempt my DNS VLAN (which has both authoritative-only nameservers and the recursive caching servers) from the packet inspection device that they say might've helped. Because it was hard enough trying to explain the DNS interference it was causing (and does cause to DNS servers elsewhere on campus). P2P isn't the only thing on the Internet that sends large UDP packets that look encrypted (which is the main purpose of the device -- like, they only update the signature file on the device when they see an uptick in DMCA notices 8-)

The main thing was there would be messages for managed-keys-zone and then after a day or so, bind would stop resolving queries completely. Restarting it would make it work again until it stops again... and so on. So, I decided the workaround was to