Re: SPF/TXT records
This is a bit OT, but...

You specify in an SPF (TXT) record your outbound MTAs, the ones that everybody outside of your organization will see your mail sourced from. If it goes through a third-party outsourced provider, you put the provider's MTAs in your record (best via an include:). If your marketing people use a third-party spammer^H^H^H^H^H^H^H provider for sending e-mail blasts, you also put those MTAs in your record (again, best via an include:).

Leave your internal relays out of the record; nobody outside sees them or cares about them. (This is a specific shortcoming of SPF: it doesn't really work with forwarding and relaying.)

If you can't work around your forwarding / relaying issues, think about using DKIM to sign your messages. DKIM doesn't care how mail gets delivered, as it's not tied to MTA IP addresses like SPF is, and is thus forwarding and relaying insensitive.

See openspf.org and dkim.org for more details.

Regards,
Mike

--
Michael Milligan - mi...@acmeps.com

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
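To make the advice above concrete, here is an added example (not code from the thread or from any of its posters): a minimal SPF evaluator run over a constructed in-memory DNS table, showing that mail from the company's own MTA or from the outsourced provider reached via include: passes, while the same message relayed through a host that is not in the record fails, which is the forwarding shortcoming Mike describes. All domains, addresses and TXT records are constructed, and only the ip4:, include: and all mechanisms are implemented.

```python
"""Minimal SPF evaluator over a constructed, in-memory DNS table.

Added example, not code from the bind-users thread. It implements only
the ip4:, include: and all mechanisms of SPF (RFC 7208) and ignores
a/mx/exists/redirect; every domain, address and TXT record below is
constructed for illustration.
"""
import ipaddress

# Constructed TXT data standing in for real DNS. The company record
# lists its own outbound MTA and include:s the outsourced provider,
# and deliberately omits internal relays, as the post recommends.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.10 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Stand-in for a DNS TXT query (hypothetical, offline)."""
    return DNS_TXT.get(domain)


def check_spf(domain, sender_ip, depth=0):
    """Evaluate domain's SPF policy for a connecting sender IP.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:  # RFC 7208 limits the include: chain to 10 lookups
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qualifier]
        # include: matches only when the included policy itself yields pass.
        if mech == "include" and check_spf(arg, sender_ip, depth + 1) == "pass":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no trailing all


def classify_paths():
    """Three delivery paths from the post, evaluated against example.com."""
    return {
        "own outbound MTA": check_spf("example.com", "192.0.2.10"),
        "outsourced provider (via include:)": check_spf("example.com", "198.51.100.77"),
        "message forwarded by an unlisted host": check_spf("example.com", "203.0.113.5"),
    }


if __name__ == "__main__":
    for path, result in classify_paths().items():
        print(f"{path:40s} -> {result}")
```

The forwarded case fails even though the message originally left a listed MTA, because the receiver only sees the forwarder's IP; that is the gap DKIM signing closes.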
bind 9.6.1 stats dump
Hi folks, while looking at a stats dump from bind 9.6.1 I see:

++ Per Zone Query Statistics ++

but there are no stats showing for this. How is this enabled (if at all)?

Thanks

--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
Re: bind 9.6.1 stats dump
On Jun 18 2009, R Dicaire wrote:

> Hi folks, while looking at a stats dump from bind 9.6.1 I see:
>
> ++ Per Zone Query Statistics ++
>
> but there are no stats showing for this, how is this enabled (if at all)?

Set

    zone-statistics yes;

in options, or per-zone. This really isn't difficult to find in the ARM.

--
Chris Thompson    Email: c...@cam.ac.uk
Re: Questions about DNAME records
On Thu, Jun 18, 2009 at 07:44:38AM -0700, Chris Buxton wrote:
...
> Setting aside the DNAME record, what you're trying to accomplish is something frequently requested - a private overlay on an otherwise public zone that doesn't obscure the public zone. But it doesn't work the way you want - a server that is authoritative for a zone is fully authoritative for that zone - positively and negatively.
>
> The only way to accomplish what you want would be to create one or more private zones for subdomains of example.com, to cover the names that need to resolve privately without obscuring the public data for example.com. For example, you could create _tcp.example.com - I'd be willing to bet that this subdomain does not exist in the public namespace. You could then DNAME this to _tcp.example2.com, or you could explicitly create the CNAME records you want to have.
...

I don't remember all of the original question, but ... ISTM this is not the only way. One may also have public and private views of the same zone, including only the public info in the public view, but including public and private info in the private view.

I would agree if you were to argue that separate subdomains are a cleaner way to do this, though.

--
Joe Yao    j...@tux.org - Joseph S. D. Yao
Re: Dynamic DNS and Slave Servers
On Thu, Jun 18, 2009 at 07:50:49AM -0700, Chris Buxton wrote:
...
> Yes. Once a zone is dynamic, you're no longer allowed to edit the zone file directly (unless you make it static again, for example by use of
...

For which reason, of course, dynamic data should always be in a separate subdomain from static data, which may someday need to be updated.

Apologies if this was obvious. There exist people for whom it was not.

--
Joe Yao    j...@tux.org - Joseph S. D. Yao
Re: SPF/TXT records
It is all too easy for mail marked as from one of your domains to be forwarded out the other mail server, if your internal mail server lets every server inside forward mail (e.g., error messages) to it. Unless you personally set up mail on all servers, in which case you are a bottleneck.

I have a similar thing happening when folks from one domain send e-mail to an old-fashioned alias that just re-sends to all other members of that alias - and the mail gets rejected by SPF. This is not good, and if I don't have control of the originators' SPF records, unsolvable.

--
Joe Yao    j...@tux.org - Joseph S. D. Yao
RE: SPF/TXT records
We don't allow all servers to send email at all. They have to specifically be configured to send and relay to the Exchange server, which itself must be configured to allow them.

The domain waterinvoice.com is not in general use but is used by one server (and a test server on occasion) to send automated emails to customers that request them. There are no users sending with that domain except in test scenarios.

My question actually arose in response to a third party marketing company that is asking us to set up an SPF record for a third domain we purchased. The SPF record for them is fairly straightforward, but it made me wonder, if I wanted to implement SPF for internally generated emails, which hosts should be listed.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Joseph S D Yao
Sent: Thursday, June 18, 2009 12:16 PM
To: bind-users@lists.isc.org
Subject: Re: SPF/TXT records

> It is all too easy for mail marked as from one of your domains to be forwarded out the other mail server, if your internal mail server lets every server inside forward mail (e.g., error messages) to it. Unless you personally set up mail on all servers, in which case you are a bottleneck.
>
> I have a similar thing happening when folks from one domain send e-mail to an old-fashioned alias that just re-sends to all other members of that alias - and the mail gets rejected by SPF. This is not good, and if I don't have control of the originators' SPF records, unsolvable.
>
> --
> Joe Yao    j...@tux.org - Joseph S. D. Yao
Re: SPF/TXT records
On Thu, Jun 18, 2009 at 12:22:26PM -0400, Jeff Lightner wrote:
> We don't allow all servers to send email at all. They have to specifically be configured to send and relay to the Exchange server which itself must be configured to allow them.
>
> The domain, waterinvoice.com is not in general use but is used by one server (and a test server on occasion) to send automated emails to customers that request them. There are no users sending with that domain except in test scenarios.
>
> My question actually arose in response to a third party marketing company that is asking us to set up an SPF record for a third domain we purchased. The SPF record for them is fairly straight forward but it made me wonder if I wanted to implement SPF for internally generated emails which hosts should be listed.

If it has not already been mentioned, please see the furious debate over whether SPF should ever be installed. I'm sure Google can provide plenty of references. The choice is, of course, yours [and your customer's].

Receiving mail servers configured with SPF will reject all mail listed in the [easily edited] mail header from X domain that is not listed in the SPF record for X domain.

E.g., if you want all your e-mail to go to your home-consultancy e-mail account, so you set up your laptop to use From: j...@home-consultancy.example but hook it up to the company mail server, and there is an SPF record for home-consultancy.example [which you don't control] that says mail ONLY comes from pegasus.home-consultancy.example - then any e-mail you send via the company's mail server [which has a policy allowing this OBTW], but sent as if from your home office, will be rejected by said mail servers.

--
Joe Yao    j...@tux.org - Joseph S. D. Yao
RE: Dynamic DNS and Slave Servers
Although, I should be able to add static data to a dynamic data zone either with nsupdate or with freezing and thawing the zone, correct?

Joseph A. Borgia, Jr.
Sr. UNIX/SAN Engineer
Team Rome IT - Rome Research Corporation
U.S. Air Force Research Laboratory/Rome Research Site/RIOS
COMM: 315-330-3952  DSN: 587-3952  FAX: 315-330-8258

-----Original Message-----
From: Joseph S D Yao [mailto:j...@tux.org]
Sent: Thursday, June 18, 2009 12:10 PM
To: Chris Buxton
Cc: Borgia, Joe A CTR USAF AFMC AFRL/RIOS; bind-users@lists.isc.org
Subject: Re: Dynamic DNS and Slave Servers

> On Thu, Jun 18, 2009 at 07:50:49AM -0700, Chris Buxton wrote:
> ...
> > Yes. Once a zone is dynamic, you're no longer allowed to edit the zone file directly (unless you make it static again, for example by use of
> ...
>
> For which reason, of course, dynamic data should always be in a separate subdomain from static data, which may someday need to be updated.
>
> Apologies if this was obvious. There exist people for whom it was not.
>
> --
> Joe Yao    j...@tux.org - Joseph S. D. Yao
Re: Dynamic DNS and Slave Servers
Joseph S D Yao wrote:
> On Thu, Jun 18, 2009 at 07:50:49AM -0700, Chris Buxton wrote:
> ...
> > Yes. Once a zone is dynamic, you're no longer allowed to edit the zone file directly (unless you make it static again, for example by use of
> ...
>
> For which reason, of course, dynamic data should always be in a separate subdomain from static data, which may someday need to be updated.

Surely you mean sub*zone* (?)

It's not always possible to arrange one's namespace between static and dynamic; oftentimes there are other conventions and taxonomies which dictate that static data and dynamic data must co-exist in the same (sub)domain. This is when tools like nsupdate and the Dynamic Update capabilities of the Net::DNS Perl module come in handy -- to allow maintenance of static data in zones which also contain truly dynamic data, maintained by a DHCP server and/or self-registering Wintel clients and/or some other infrastructure component(s).

- Kevin
Re: Dynamic DNS and Slave Servers
> Date: Thu, 18 Jun 2009 12:41:04 -0400
> From: Kevin Darcy k...@chrysler.com
>
> Joseph S D Yao wrote:
> > On Thu, Jun 18, 2009 at 07:50:49AM -0700, Chris Buxton wrote:
> > [...]
> > For which reason, of course, dynamic data should always be in a separate subdomain from static data, which may someday need to be updated.
>
> Surely you mean sub*zone* (?)

Kevin:

I'll bite! What is the difference between a sub*domain* and a sub*zone*? I don't see how you could have the one w/o the other. But that could be because I'm feeling especially slow today.

Regards,
Gregory Hicks

-
Gregory Hicks | Principal Systems Engineer | Direct: 408.569.7928

People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance. -- Thomas Jefferson

The best we can hope for concerning the people at large is that they be properly armed. --Alexander Hamilton
Re: Dynamic DNS and Slave Servers
On 18-Jun-2009, at 14:25, Gregory Hicks wrote:
> Kevin:
>
> I'll bite! What is the difference between a sub*domain* and a sub*zone*? I don't see how you could have the one w/o the other. But that could be because I'm feeling especially slow today.

foo.example.com is a subdomain of example.com. It is only a subzone if there's a delegation from example.com to foo.example.com (if there's a zone cut).
Re: Dynamic DNS and Slave Servers
All subzones are subdomains. But a subdomain isn't a subzone unless it's delegated from the parent zone.

Also, subzones have zone definitions in named.conf. Undelegated subdomains do not.

- Kevin

Gregory Hicks wrote:
> > Date: Thu, 18 Jun 2009 12:41:04 -0400
> > From: Kevin Darcy k...@chrysler.com
> >
> > Joseph S D Yao wrote:
> > > On Thu, Jun 18, 2009 at 07:50:49AM -0700, Chris Buxton wrote:
> > > [...]
> > > For which reason, of course, dynamic data should always be in a separate subdomain from static data, which may someday need to be updated.
> >
> > Surely you mean sub*zone* (?)
>
> Kevin:
>
> I'll bite! What is the difference between a sub*domain* and a sub*zone*? I don't see how you could have the one w/o the other. But that could be because I'm feeling especially slow today.
>
> Regards,
> Gregory Hicks
>
> -
> Gregory Hicks | Principal Systems Engineer | Direct: 408.569.7928
>
> People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf -- George Orwell
>
> The price of freedom is eternal vigilance. -- Thomas Jefferson
>
> The best we can hope for concerning the people at large is that they be properly armed. --Alexander Hamilton
Re: Dynamic DNS and Slave Servers
Kevin Darcy wrote:
> All subzones are subdomains. But a subdomain isn't a subzone unless it's delegated from the parent zone.

Actually, it is possible to have an undelegated (sub)zone, but it is not considered a good practice, because then you have to explicitly define that zone on all nameservers that need to resolve it.

- Kevin
RE: SPF/TXT records
I'm assuming you mean it would be rejected if you didn't have an SPF record for the company mail server in addition to the record for the home consultancy?

I'll look into the SPF debate - I hadn't heard suggestions NOT to use it before - simply had never implemented it because it wasn't high priority.

-----Original Message-----
From: Joseph S D Yao [mailto:j...@tux.org]
Sent: Thursday, June 18, 2009 12:43 PM
To: Jeff Lightner
Cc: bind-users@lists.isc.org
Subject: Re: SPF/TXT records

> On Thu, Jun 18, 2009 at 12:22:26PM -0400, Jeff Lightner wrote:
> > We don't allow all servers to send email at all. They have to specifically be configured to send and relay to the Exchange server which itself must be configured to allow them.
> >
> > The domain, waterinvoice.com is not in general use but is used by one server (and a test server on occasion) to send automated emails to customers that request them. There are no users sending with that domain except in test scenarios.
> >
> > My question actually arose in response to a third party marketing company that is asking us to set up an SPF record for a third domain we purchased. The SPF record for them is fairly straight forward but it made me wonder if I wanted to implement SPF for internally generated emails which hosts should be listed.
>
> If it has not already been mentioned, please see the furious debate over whether SPF should ever be installed. I'm sure Google can provide plenty of references. The choice is, of course, yours [and your customer's].
>
> Receiving mail servers configured with SPF will reject all mail listed in the [easily edited] mail header from X domain that is not listed in the SPF record for X domain.
>
> E.g., if you want all your e-mail to go to your home-consultancy e-mail account, so you set up your laptop to use From: j...@home-consultancy.example but hook it up to the company mail server, and there is an SPF record for home-consultancy.example [which you don't control] that says mail ONLY comes from pegasus.home-consultancy.example - then any e-mail you send via the company's mail server [which has a policy allowing this OBTW], but sent as if from your home office, will be rejected by said mail servers.
>
> --
> Joe Yao    j...@tux.org - Joseph S. D. Yao
Re: Dynamic DNS and Slave Servers
On Thu, Jun 18, 2009 at 12:44:18PM -0400, Borgia, Joe A CTR USAF AFMC AFRL/RIOS wrote:
> Although, I should be able to add static data to a dynamic data zone either with nsupdate or with freezing and thawing the zone, correct?

If you're using nsupdate, is it static data? ;-)

But, yes. Static data such as the SOA and NS records are mandatory.

--
Joe Yao    j...@tux.org - Joseph S. D. Yao
Re: SPF/TXT records
On Thu, Jun 18, 2009 at 03:06:14PM -0400, Jeff Lightner wrote:
> I'm assuming you mean it would be rejected if you didn't have an SPF record for the company mail server in addition to the record for the home consultancy?

In my example, you for some reason don't have control over that DNS record. ;-) And, yes, that is what I meant, replacing "if" by "because".

> I'll look into the SPF debate - I hadn't heard suggestions NOT to use it before - simply had never implemented it because it wasn't high priority.

Yes.

--
Joe Yao    j...@tux.org - Joseph S. D. Yao
Re: Questions about DNAME records
On Jun 18, 2009, at 9:08 AM, Joseph S D Yao wrote:
> On Thu, Jun 18, 2009 at 07:44:38AM -0700, Chris Buxton wrote:
> ...
> > Setting aside the DNAME record, what you're trying to accomplish is something frequently requested - a private overlay on an otherwise public zone that doesn't obscure the public zone. But it doesn't work the way you want - a server that is authoritative for a zone is fully authoritative for that zone - positively and negatively.
> >
> > The only way to accomplish what you want would be to create one or more private zones for subdomains of example.com, to cover the names that need to resolve privately without obscuring the public data for example.com. For example, you could create _tcp.example.com - I'd be willing to bet that this subdomain does not exist in the public namespace. You could then DNAME this to _tcp.example2.com, or you could explicitly create the CNAME records you want to have.
> ...
>
> I don't remember all of the original question, but ... ISTM this is not the only way. One may also have public and private views of the same zone, including only the public info in the public view, but including public and private info in the private view.
>
> I would agree if you were to argue that separate subdomains are a cleaner way to do this, though.

Yes, that will absolutely work. But the OP requested a method that did not involve managing the public data in two places.

Chris Buxton
Professional Services
Men & Mice
Re: Dynamic DNS and Slave Servers
On Jun 18, 2009, at 9:10 AM, Joseph S D Yao wrote:
> On Thu, Jun 18, 2009 at 07:50:49AM -0700, Chris Buxton wrote:
> ...
> > Yes. Once a zone is dynamic, you're no longer allowed to edit the zone file directly (unless you make it static again, for example by use of
> ...
>
> For which reason, of course, dynamic data should always be in a separate subdomain from static data, which may someday need to be updated.
>
> Apologies if this was obvious. There exist people for whom it was not.

As a DNS trainer, I can tell you that nothing is obvious to everyone. With dynamic DNS, until you've done it a few times, it's just magic incantations.

That said, while there is something to be said for sandboxing as you describe, it's also quite valuable to learn to use nsupdate. Or get/write yourself a tool to make it all transparent.

Chris Buxton
Professional Services
Men & Mice
Re: Dynamic DNS and Slave Servers
There really isn't such a thing as a static zone. All zones are subject to change. You just have a choice in how you change them: via UPDATE or via some other mechanism.

If a zone was truly static you wouldn't need a serial number in the SOA. You wouldn't need notify or refresh queries.

What people call static are just slowly changing zones.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: ma...@isc.org
Re: Questions about DNAME records
On Thu, Jun 18, 2009 at 02:12:07PM -0700, Chris Buxton wrote:
...
> Yes, that will absolutely work. But the OP requested a method that did not involve managing the public data in two places.
...

Which is exactly what views are for. External data is kept in ONE file, as below.

named.conf:

    ...
    acl localfolk { localhost; LOC.AL.NET.WORK/MASK; ... };

    view internal {
        // This should match our internal networks.
        match-clients { localfolk; };
        // Provide recursive service to internal clients only.
        recursion yes;
        // Provide a complete view of the example.com zone
        // including addresses of internal hosts.
        zone "example.com" {
            type master;
            file "zone.example.int";
        };
    };

    view external {
        // Match all clients not matched by the previous view.
        match-clients { any; };
        // Refuse recursive service to external clients.
        recursion no;
        // Provide a restricted view of the example.com zone
        // containing only publicly accessible hosts.
        zone "example.com" {
            type master;
            file "zone.example.ext";
        };
    };

zone.example.ext (zone files use ";" for comments, not "//"):

    $TTL 1d
    @       IN  SOA ...
            IN  NS  ...
    ; Remember to increment the SOA serial number when this is
    ; updated!
    $INCLUDE data/example.ext.data

zone.example.int:

    $TTL 1d
    @       IN  SOA ...
            IN  NS  ...
    ; Remember to increment the SOA serial number when either of
    ; these is updated!
    $INCLUDE data/example.ext.data
    $INCLUDE data/example.int.data

--
Joe Yao    j...@tux.org - Joseph S. D. Yao