Doubt with towiresorted
I have created a static zone file for www.abcd.com with the Answer section entries containing 2 IP addresses like 1.1.1.1 and 2.2.2.2. I tried to print these addresses in the towiresorted function for the random order like:

    for (i = 0; i < count; i++) {
        char adstr[40];
        /* copy the 4-byte A rdata (network byte order) out of the sorted entry */
        isc_uint32_t ip_host = *(isc_uint32_t *)sorted[i].rdata->data;
        inet_ntop(AF_INET, &ip_host, adstr, 40);
        printf("%s\n", adstr);
    }

thinking that rdata->data contains the IP addresses of the answer section. But I am getting different IP addresses when I'm running named and using dig www.abcd.com. Some help as to what exactly stores the IPs contained in the Answer section would be really great.

Regards,
Vignesh.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNAME?
> In message banlktimxqxzfurpp9jggga9xvhsb72k...@mail.gmail.com, Jon F. writes:
> > You know I was thinking and I guess the original poster could actually do the zone mimicking by just adding the .us zone statement to named.conf but point it to the same zone name as the already built zone. In the zone, just use the @ instead of pointing to an actual name. Then it can be read for any domain pointing to that file. I haven't tried that but it should work in theory I suppose. Certainly easier than playing with DNAMEs.

On 01.07.11 11:42, Mark Andrews wrote:
> That doesn't work for signed zones.

But I still find it more readable...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
On the other hand, you have different fingers.
about the reference
Hello,

Please see this reference:

    $ dig mydots.net @j.gtld-servers.net

    ; <<>> DiG 9.4.2-P2.1 <<>> mydots.net @j.gtld-servers.net
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41902
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;mydots.net.                    IN      A

    ;; AUTHORITY SECTION:
    mydots.net.             172800  IN      NS      ns1.dnsbed.com.
    mydots.net.             172800  IN      NS      ns2.dnsbed.com.

    ;; ADDITIONAL SECTION:
    ns1.dnsbed.com.         172800  IN      A       74.117.233.4
    ns2.dnsbed.com.         172800  IN      A       204.152.196.108

    ;; Query time: 196 msec
    ;; SERVER: 192.48.79.30#53(192.48.79.30)
    ;; WHEN: Fri Jul  1 16:23:05 2011
    ;; MSG SIZE  rcvd: 106

j.gtld-servers.net gives the reference info about the domain mydots.net. It says the DNS servers for mydots.net are ns[1-2].dnsbed.com, followed by the two NSs' IP addresses.

My question is, when another BIND cache gets this reference, will it use the IP addresses directly? Or will it use the IP addresses obtained from the authoritative server? I ask this because, when the IP addresses obtained from the reference differ from the ones obtained from the authoritative server, what will happen?

Thanks for your kind help.
Problem with name resolving
Hi All,

I have a private network with a Debian Lenny server/router and the services BIND 9.7.3 (DDNS) / DHCP 4.1.1 / PPPoE 3.8 / CUPS 1.4.4 / Apache 2.2.16 and kernel 2.6.37.2.

My problem is that it cannot resolve itself, and regardless from which PC I do a ping I cannot resolve my two name-based virtual hosts. Furthermore, I do not know how to set up my network best dynamically? When my pppd program dials in it gets two nameservers, which it shall save in /etc/resolv.conf or not? When I save these two nameservers in /etc/resolv.conf I have problems resolving my local network, but when pppoe does not save these two nameservers, I have problems resolving internet names from my server's view.

Furthermore, I cannot reach my two virtual Apache hosts www.feldland.dyndns.org, test.feldland.dyndns.org, but I can reach feldland.dyndns.org which leads me to test.dyndns.org.

Here are my name-based virtual hosts defined with port 80:

/etc/apache2/sites-enabled/umleiten -- http://paste.pocoo.org/show/425695/

All requests will be redirected to port 443:

cat /etc/apache2/sites-enabled/standard-ssl -- http://pastebin.com/BPZDTMGF

DDNS/DHCP service seems to work. So I do not post all configs but only the involved configs, I think.

/etc/resolv.conf:

    domain feldland.lan
    search feldland.lan
    nameserver 0.0.0.0
    nameserver 192.168.2.1

/etc/host.conf:

    order hosts,bind
    multi on

/hostname:

    feld-server

/etc/hosts:

    127.0.0.1       localhost
    192.168.0.186   feld-server.feldland.lan feld-server

/etc/networks:

    default         0.0.0.0
    loopback        127.0.0.0
    link-local      169.254.0.0

My DNS server shall only be representative for my local network regardless from which client or server in my network, and all other internet requests shall be redirected to my Arcor DNS server.

Furthermore I post some commands which evidence my problem:

Some nslookup -- http://pastebin.com/aLKay6F9
Some dig -- http://pastebin.com/WfCrssMD

Any hints or ideas?

Regards
Markus
Re: Problem with name resolving
Correction, my server can see itself locally, for example:

    feld-server:/var/www# ping -R -c 1 feld-server
    PING feld-server.feldland.lan (192.168.0.186) 56(124) bytes of data.
    64 bytes from feld-server.feldland.lan (192.168.0.186): icmp_req=1 ttl=64 time=0.090 ms
    RR:     feld-server.feldland.lan (192.168.0.186)
            feld-server.feldland.lan (192.168.0.186)
            feld-server.feldland.lan (192.168.0.186)
            feld-server.feldland.lan (192.168.0.186)

    --- feld-server.feldland.lan ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.090/0.090/0.090/0.000 ms

    feld-server:/var/www# ping -R -c 1 feldland.dyndns.org
    PING feldland.dyndns.org (92.76.235.61) 56(124) bytes of data.
    64 bytes from dslb-092-076-235-061.pools.arcor-ip.net (92.76.235.61): icmp_req=1 ttl=64 time=0.077 ms
    RR:     dslb-092-076-235-061.pools.arcor-ip.net (92.76.235.61)
            dslb-092-076-235-061.pools.arcor-ip.net (92.76.235.61)
            dslb-092-076-235-061.pools.arcor-ip.net (92.76.235.61)
            dslb-092-076-235-061.pools.arcor-ip.net (92.76.235.61)

    --- feldland.dyndns.org ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.077/0.077/0.077/0.000 ms

But this does not work:

    feld-server:/var/www# ping -R -c 1 test.feldland.dyndns.org
    ping: unknown host test.feldland.dyndns.org
    feld-server:/var/www# ping -R -c 1 www.feldland.dyndns.org
    ping: unknown host www.feldland.dyndns.org

My server can still see the other local clients.

Regards
Markus
Re: Problem with name resolving
On 07/01/11 05:02, Markus Feldmann wrote:
> Hi All,
>
> I have a private network with a Debian Lenny server/router and the services BIND 9.7.3 (DDNS) / DHCP 4.1.1 / PPPoE 3.8 / CUPS 1.4.4 / Apache 2.2.16 and kernel 2.6.37.2.
>
> My problem is that it cannot resolve itself, and regardless from which PC I do a ping I cannot resolve my two name-based virtual hosts. Furthermore, I do not know how to set up my network best dynamically? When my pppd program dials in it gets two nameservers, which it shall save in /etc/resolv.conf or not? When I save these two nameservers in /etc/resolv.conf I have problems resolving my local network, but when pppoe does not save these two nameservers, I have problems resolving internet names from my server's view.
>
> Furthermore, I cannot reach my two virtual Apache hosts www.feldland.dyndns.org, test.feldland.dyndns.org, but I can reach feldland.dyndns.org which leads me to test.dyndns.org.
>
> Here are my name-based virtual hosts defined with port 80:
>
> /etc/apache2/sites-enabled/umleiten -- http://paste.pocoo.org/show/425695/
>
> All requests will be redirected to port 443:
>
> cat /etc/apache2/sites-enabled/standard-ssl -- http://pastebin.com/BPZDTMGF
>
> DDNS/DHCP service seems to work. So I do not post all configs but only the involved configs, I think.
>
> /etc/resolv.conf:
>
>     domain feldland.lan
>     search feldland.lan
>     nameserver 0.0.0.0
>     nameserver 192.168.2.1
>
> /etc/host.conf:
>
>     order hosts,bind
>     multi on
>
> /hostname:
>
>     feld-server
>
> /etc/hosts:
>
>     127.0.0.1       localhost
>     192.168.0.186   feld-server.feldland.lan feld-server
>
> /etc/networks:
>
>     default         0.0.0.0
>     loopback        127.0.0.0
>     link-local      169.254.0.0
>
> My DNS server shall only be representative for my local network regardless from which client or server in my network, and all other internet requests shall be redirected to my Arcor DNS server.
>
> Furthermore I post some commands which evidence my problem:
>
> Some nslookup -- http://pastebin.com/aLKay6F9
> Some dig -- http://pastebin.com/WfCrssMD
>
> Any hints or ideas?
>
> Regards
> Markus

Markus,

To be sure, you know that nslookup and dig do NOT use the search parameter in /etc/resolv.conf. So when you do an nslookup or dig query, you have to use the fully qualified domain name (FQDN). PING uses the search parameter in /etc/resolv.conf, so that can be a source of confusion for you.

You have not posted your named.conf or the contents of any local zone files you may be using. Those are important for troubleshooting this issue.

It would appear that you set up the dyndns client on your Debian box to update feldland.dyndns.org. But how and where do you update the other two, www.feldland.dyndns.org and test.feldland.dyndns.org? Or did you forget to create those at dyndns.org?

Lyle Giese
LCR Computer Services, Inc.
Re: about the reference
On 07/01/11 03:47, Jeff Peng wrote:
> Hello,
>
> Please see this reference:
>
>     $ dig mydots.net @j.gtld-servers.net
>
>     ; <<>> DiG 9.4.2-P2.1 <<>> mydots.net @j.gtld-servers.net
>     ;; global options:  printcmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41902
>     ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>     ;; WARNING: recursion requested but not available
>
>     ;; QUESTION SECTION:
>     ;mydots.net.                    IN      A
>
>     ;; AUTHORITY SECTION:
>     mydots.net.             172800  IN      NS      ns1.dnsbed.com.
>     mydots.net.             172800  IN      NS      ns2.dnsbed.com.
>
>     ;; ADDITIONAL SECTION:
>     ns1.dnsbed.com.         172800  IN      A       74.117.233.4
>     ns2.dnsbed.com.         172800  IN      A       204.152.196.108
>
>     ;; Query time: 196 msec
>     ;; SERVER: 192.48.79.30#53(192.48.79.30)
>     ;; WHEN: Fri Jul  1 16:23:05 2011
>     ;; MSG SIZE  rcvd: 106
>
> j.gtld-servers.net gives the reference info about the domain mydots.net. It says the DNS servers for mydots.net are ns[1-2].dnsbed.com, followed by the two NSs' IP addresses.
>
> My question is, when another BIND cache gets this reference, will it use the IP addresses directly? Or will it use the IP addresses obtained from the authoritative server? I ask this because, when the IP addresses obtained from the reference differ from the ones obtained from the authoritative server, what will happen?
>
> Thanks for your kind help.

Jeff,

Think about this scenario: example.com uses ns1.example.com and ns2.example.com for its name servers (legal and proper). If the resolver did not use the glue records presented from the root servers, how would the resolver find www.example.com?

When you register name servers, these are called glue records. The info in the additional section comes from those glue records.

In your scenario, the results will be unpredictable and random. Sometimes it will work and sometimes it won't work. It's important that the glue records be correct.

Lyle Giese
LCR Computer Services, Inc.
Re: Problem with name resolving
On 01.07.2011 14:51, Lyle Giese wrote:
> Markus,
>
> To be sure, you know that nslookup and dig do NOT use the search parameter in /etc/resolv.conf. So when you do an nslookup or dig query, you have to use the fully qualified domain name (FQDN). PING uses the search parameter in /etc/resolv.conf, so that can be a source of confusion for you.

Here are some ping outputs from my server's view:

    feld-server:~# ping -R -c 1 feld-server
    PING feld-server.feldland.lan (192.168.0.186) 56(124) bytes of data.
    64 bytes from feld-server.feldland.lan (192.168.0.186): icmp_req=1 ttl=64 time=0.124 ms
    RR:     feld-server.feldland.lan (192.168.0.186)
            feld-server.feldland.lan (192.168.0.186)
            feld-server.feldland.lan (192.168.0.186)
            feld-server.feldland.lan (192.168.0.186)

    --- feld-server.feldland.lan ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.124/0.124/0.124/0.000 ms

But the next doesn't work correctly; it needs some time, but nevertheless knows the IP of my client.

    feld-server:~# ping -R -c 1 feld-bertlap
    PING feld-bertlap.feldland.lan (192.168.0.212) 56(124) bytes of data.

    --- feld-bertlap.feldland.lan ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 0ms

    feld-server:~# ping -R -c 1 feldland.dyndns.org
    PING feldland.dyndns.org (92.76.247.153) 56(124) bytes of data.
    64 bytes from dslb-092-076-247-153.pools.arcor-ip.net (92.76.247.153): icmp_req=1 ttl=64 time=0.133 ms
    RR:     dslb-092-076-247-153.pools.arcor-ip.net (92.76.247.153)
            dslb-092-076-247-153.pools.arcor-ip.net (92.76.247.153)
            dslb-092-076-247-153.pools.arcor-ip.net (92.76.247.153)
            dslb-092-076-247-153.pools.arcor-ip.net (92.76.247.153)

    --- feldland.dyndns.org ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.133/0.133/0.133/0.000 ms

But these next ones don't work either:

    feld-server:~# ping -R -c 1 test.feldland.dyndns.org
    ping: unknown host test.feldland.dyndns.org
    feld-server:~# ping -R -c 1 www.feldland.dyndns.org
    ping: unknown host www.feldland.dyndns.org

> You have not posted your named.conf or the contents of any local zone files you may be using. Those are important for troubleshooting this issue.

Yes, here are some:

named.conf -- http://pastebin.com/eAQtvg3U
named.conf.local -- http://pastebin.com/ivWtzDLr
named.conf.options -- http://pastebin.com/zxHVEugz
db.feldland.lan -- http://pastebin.com/JZxkMKzd
db.192.168.0 -- http://pastebin.com/QJgCnJ1m

> It would appear that you set up the dyndns client on your Debian box to update feldland.dyndns.org. But how and where do you update the other two, www.feldland.dyndns.org and test.feldland.dyndns.org? Or did you forget to create those at dyndns.org?

Because I am using one IP for two sites I do not have to register more than one host.

Yes, it's confusing me :-) I am not sure which of my services resolve the names correctly, but because of the fact that I registered only feldland.dyndns.org at dyndns.org, I think I have to solve the problem in my network locally and not at dyndns.org.

My /etc/ddclient.conf:

    # Configuration file for ddclient generated by debconf
    #
    # /etc/ddclient.conf

    pid=/var/run/ddclient.pid
    protocol=dyndns2
    use=if, if=ppp0
    server=members.dyndns.org
    login=yyy
    password=xxx
    feldland.dyndns.org

Regards
Markus
Dig +topdown
I set up a zone with DNSSEC, and wanted to verify that it was working properly. But I appear to have trouble with the root KSK.

    $ dig +dnssec danmcdonald.us +topdown
    ;; No trusted key, +sigchase option is disabled
    ; <<>> DiG 9.7.3-P1 <<>> +dnssec danmcdonald.us +topdown

I appear to have the managed-keys-zone loading properly: In named.conf, I have the managed-keys stanza with the initial key. Named loaded the managed-keys-zone file and loads the zone at startup:

    01-Jul-2011 08:40:54.738 general: info: managed-keys-zone ./IN: loaded serial 2

    [named]$ cat managed-keys.bind
    $ORIGIN .
    $TTL 0  ; 0 seconds
    @       IN SOA  . . (
                    2          ; serial
    [...]

I have the DNSSEC flags enabled in the options{} stanza:

    dnssec-enable yes;
    dnssec-validation yes;

It appears that sigchase is enabled in named:

    [named]$ /usr/sbin/named -V
    BIND 9.7.3-P1 built with 'x86_64-mandriva-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/lib64' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--x-includes=/usr/include' '--x-libraries=/usr/lib64' '--localstatedir=/var' '--disable-openssl-version-check' '--enable-threads' '--enable-largefile' '--enable-ipv6' '--enable-filter-' '--enable-epoll' '--with-openssl=/usr' '--with-gssapi=/usr' '--disable-isc-spnego' '--with-randomdev=/dev/urandom' '--with-libxml2=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-bdb=no' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-odbc=no' '--with-dlz-stub=yes' 'build_alias=x86_64-mandriva-linux-gnu' 'host_alias=x86_64-mandriva-linux-gnu' 'target_alias=x86_64-mandriva-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fstack-protector-all -DLDAP_DEPRECATED' 'LDFLAGS= -Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro -Wl,-O1 -Wl,--build-id -Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro -Wl,-O1 -Wl,--build-id -Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro -Wl,-O1 -Wl,--build-id -Wl,--as-needed -Wl,--no-undefined -Wl,-z,relro -Wl,-O1 -Wl,--build-id' 'CPPFLAGS= -DDIG_SIGCHASE'

Any advice as to what I might be doing wrong?

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: Problem with name resolving
On 07/01/11 08:50, Markus Feldmann wrote:
> On 01.07.2011 14:51, Lyle Giese wrote:
> > Markus,
> >
> > To be sure, you know that nslookup and dig do NOT use the search parameter in /etc/resolv.conf. So when you do an nslookup or dig query, you have to use the fully qualified domain name (FQDN). PING uses the search parameter in /etc/resolv.conf, so that can be a source of confusion for you.

Don't really care about ping outputs. You are asking about name resolution with your BIND server. I don't care about ping because it uses some methods that are outside of DNS, like checking your hosts file and adding the search domains. I will only comment on DIG outputs. NSLOOKUP is better than PING, but does not post as much diagnostic output as DIG. So when troubleshooting, DIG is the best option.

> > It would appear that you set up the dyndns client on your Debian box to update feldland.dyndns.org. But how and where do you update the other two, www.feldland.dyndns.org and test.feldland.dyndns.org? Or did you forget to create those at dyndns.org?
>
> Because I am using one IP for two sites I do not have to register more than one host.
>
> Yes, it's confusing me :-) I am not sure which of my services resolve the names correctly, but because of the fact that I registered only feldland.dyndns.org at dyndns.org, I think I have to solve the problem in my network locally and not at dyndns.org.

You are right in that you only need one host at dyndns.org to update your IP address, but you want to have two different websites. The proper way to do that is with CNAME entries pointing to the host you are updating at connect time.

Lyle Giese
LCR Computer Services, Inc.
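The search-list behaviour Lyle describes in both of his replies (ping goes through the libc stub resolver, which appends the search domains from /etc/resolv.conf; dig sends the name exactly as typed unless +search is given) is easy to see by replaying it against the resolv.conf Markus posted. The following is an added example, not code from the thread or from BIND; the expansion rules follow resolv.conf(5), and the function names (parse_resolv_conf, stub_candidates, dig_candidates, lint_nameservers) are this example's own.

```python
"""Stub-resolver search-list expansion (added example, not from the thread)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed copy of the /etc/resolv.conf posted in the thread.
RESOLV_CONF = """\
domain feldland.lan
search feldland.lan
nameserver 0.0.0.0
nameserver 192.168.2.1
"""


@dataclass
class ResolvConf:
    search: list[str] = field(default_factory=list)
    nameservers: list[str] = field(default_factory=list)
    ndots: int = 1  # resolv.conf(5) default


def parse_resolv_conf(text: str) -> ResolvConf:
    """Minimal resolv.conf(5) parser for domain, search, nameserver and options ndots."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key in ("domain", "search"):
            # "domain" and "search" are mutually exclusive; the last one present wins.
            conf.search = args[:1] if key == "domain" else args
        elif key == "nameserver" and args:
            conf.nameservers.append(args[0])
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    conf.ndots = int(opt.split(":", 1)[1])
    return conf


def stub_candidates(name: str, conf: ResolvConf) -> list[str]:
    """FQDNs the libc stub resolver tries, in order, for a name typed by the user.

    A name ending in '.' is absolute and tried as-is. A name with at least
    `ndots` dots is tried as absolute first, then with each search suffix.
    Anything else gets the search suffixes first and the bare name last.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    suffixed = [f"{name}.{domain.rstrip('.')}." for domain in conf.search]
    if name.count(".") >= conf.ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


def dig_candidates(name: str, conf: ResolvConf, use_search: bool = False) -> list[str]:
    """dig sends the name verbatim; the search list applies only with +search."""
    if use_search:
        return stub_candidates(name, conf)
    return [name if name.endswith(".") else name + "."]


def lint_nameservers(conf: ResolvConf) -> list[str]:
    """Flag nameserver entries that rely on the OS routing the unspecified
    address to the local host; write 127.0.0.1 (or the LAN address) explicitly."""
    return [ns for ns in conf.nameservers if ns in ("0.0.0.0", "::")]


if __name__ == "__main__":
    conf = parse_resolv_conf(RESOLV_CONF)
    for host in ("feld-server", "www.feldland.dyndns.org"):
        print(f"ping {host:<26} tries {stub_candidates(host, conf)}")
        print(f"dig  {host:<26} tries {dig_candidates(host, conf)}")
    print("nameserver entries to make explicit:", lint_nameservers(conf))
```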
Re: Dig +topdown
Daniel McDonald dan.mcdon...@austinenergy.com wrote:
> I set up a zone with DNSSEC, and wanted to verify that it was working properly. But I appear to have trouble with the root KSK.
>
>     $ dig +dnssec danmcdonald.us +topdown
>     ;; No trusted key, +sigchase option is disabled
>
> Any advice as to what I might be doing wrong?

The manual says:

    +trusted-key=
        Specifies a file containing trusted keys to be used with +sigchase. Each DNSKEY record must be on its own line. If not specified, dig will look for /etc/trusted-key.key then trusted-key.key in the current directory.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Cromarty, Forth, Tyne: Variable 3 or 4. Smooth or slight, occasionally moderate in east Cromarty later. Occasional showers. Good.
RE: DNAME?
Yes, all my zones are (or will be) signed. And all are dynamic update; tricks like pointing all zones to the same zone files don't work.

So the bottom line is that either way I would somehow need to get my registrar(s) to put special records (DNAME or BNAME if it escapes the politics) into the TLDs (.US, .INFO)? Considering how hard it is just to get DNSSEC records installed, that doesn't sound like a fun time. I haven't seen a DNAME option in the GUI for any of the registrars that I use. And if I got a record in, I wonder (a) if it would stay in and (b) if I could get it changed (or removed) when circumstances change. Does anyone have real experience with this? Especially someone who isn't a megacorp :-)?

Does the BNAME proposal address the MX/CNAME issues with DNAME?

Either way, having to put a record in the parent zone is no big deal - except when registrars / TLDs are involved. It seems to me that there's a more manageable approach than that described for BNAME - that is solely under the control of named. Given that my BIND servers are authoritative for the real (.net) and aliased (.us, .info) zones (and, for the external views, properly delegated from the TLDs), wouldn't it be more practical to have a named solution? E.g. a mechanism to tell named to respond authoritatively to all queries to aliased zones (in my current case, .US, .INFO) as though it was resolving DNAME in the parent zone?

Put another way: the aliased server is authoritative for the aliased zone. Where it gets the zone data from is a private matter. Normally, it's a zone file. But for an alias, it could simply query some other real zone (it might even also be authoritative for that), substitute the alias name for the real zone names, and serve the data as authoritative. (Signing as necessary.) That would avoid doing anything in the TLD (parent in the general case), and it would also make it easy to do more subtle things. For example, put some records in the aliased zone, and only go to the real zone if no record matches a query. Pretty much required for DNSSEC keys, so might as well look for any record here first.

That would seem very flexible. And, since it wouldn't need a new record type, no IETF politics! It might look like:

    zone "example.us" {
        type master;
        alias-of example.net;       # Zone to mirror, meaning reflect queries for example.us to example.net;
                                    # verify any signatures, then edit reply's example.us strings = example.us,
                                    # re-sign and respond as authoritative
        file "example.us.exceptions.db";  # Required to contain (minimally) .us DNSSEC keys
                                          # Optionally, look here before the alias zone when resolving.
    };

Of course, the synthesized data can be cached per the usual rules; think of the alias-of zone as serving misses from the zone file.

I know I'm not the only user with this problem - many corporations get theirname.{everything possible} and then try to make them look like theirname.com. Usually with http redirects - but that doesn't address all the other services.

But I conclude that as of today, this is wishful thinking - there is no practical approach. Sigh.

- This communication may not represent my employer's views, if any, on the matters discussed.

-----Original Message-----
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Thursday, June 30, 2011 20:58
To: Jon F.
Cc: Timothe Litt; bind-us...@isc.org
Subject: Re: DNAME?

In message BANLkTim=maau1y+xh7yzibmrznvx30z...@mail.gmail.com, Jon F. writes:
> I have a similar set up to that and it works. Have you checked the logs to make sure the zone properly loaded? I'm assuming the zone data you posted below is from the example.us zone but your first question makes it sound like you put it in a separate zone. That would explain the SERVFAIL if the zone data never loaded but the server was authoritative.

It does need to be in the .us.

>     ;; ANSWER SECTION:
>     example.com.            60      IN      DNAME   example.net.
>     test.example.com.       60      IN      CNAME   test.example.net.
>     test.example.net.       60      IN      A       127.0.0.1
>
> And that's with zone data like this:
>
>     example.com.    IN NS    ns1.example.net.
>     example.com.    IN NS    ns2.example.net.
>     example.com.    IN A     10.0.0.1
>     example.com.    IN DNAME example.net.
>
> Truthfully I haven't looked at DNAMEs in a long time so I'm unsure how to do it fully for a domain without adding an A record as well. But what you're doing works, it's just not very pretty. Someone may have a better way.

There is an outstanding proposal for BNAME. This would be added to the parent zone instead of NS records and would synthesize CNAME records for the domain and its children. This has got bogged down in IETF politics over how to fix IDN rather than be allowed to stand on its own merits.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:
RE: DNAME?
Yes, the example.us zone loads. As I mentioned, no errors in named.log, and the statistics webserver (in named) shows example.us as active, albeit with '-' for the serial number instead of the number in the zone file.

How did you get a DNAME into .com? I did make example.us a zone - it is one, isn't it? If the DNAME has to go in .us, I don't see making this scheme work. As a practical matter, registrars will put NS records into the TLDs, and some (with encouragement) are starting to accept DNSSEC records for the TLDs). But I've yet to see one that provides a means for a registrant to have a DNAME inserted... Unless I'm missing something. Did you actually manage to do this, or is your setup working in third+-level domains?

I was hoping/expecting that since my server is the authoritative server for example.us, the DNAME could go in the example.us zone. I expected that when, as the authoritative server, it was asked for foo.example.us, it would respond with foo.example.net. But the RFC wasn't clear, which is why I asked.

Thanks.

- This communication may not represent my employer's views, if any, on the matters discussed.

_____
From: Jon F. [mailto:pikel@gmail.com]
Sent: Thursday, June 30, 2011 16:11
To: Timothe Litt
Cc: bind-users@lists.isc.org
Subject: Re: DNAME?

I have a similar set up to that and it works. Have you checked the logs to make sure the zone properly loaded? I'm assuming the zone data you posted below is from the example.us zone but your first question makes it sound like you put it in a separate zone. That would explain the SERVFAIL if the zone data never loaded but the server was authoritative.

    ;; ANSWER SECTION:
    example.com.            60      IN      DNAME   example.net.
    test.example.com.       60      IN      CNAME   test.example.net.
    test.example.net.       60      IN      A       127.0.0.1

And that's with zone data like this:

    example.com.    IN NS    ns1.example.net.
    example.com.    IN NS    ns2.example.net.
    example.com.    IN A     10.0.0.1
    example.com.    IN DNAME example.net.

Truthfully I haven't looked at DNAMEs in a long time so I'm unsure how to do it fully for a domain without adding an A record as well. But what you're doing works, it's just not very pretty. Someone may have a better way.

On Thu, Jun 30, 2011 at 2:01 PM, Timothe Litt l...@acm.org wrote:
> I have domain example.net in production, and have recently acquired example.us and example.info. For whatever reason, I want example.us to simply mirror example.net, which is dynamically updated (and DNSSEC). And I want example.us to be zero maintenance. (Well, OK I know I need separate DNSSEC keys, but I don't want to mirror every update made in .net to .us)
>
> So, I add a zone to ns1.example.net that looks like: (In view internal)
>
>     zone "example.us" {
>         auto-dnssec maintain;
>         type master;
>         allow-transfer { key TSIG_GLOBAL_KEY; };
>         file "EXAMPLE_US.DB";
>         update-policy { grant TSIG_GLOBAL_KEY subdomain example.us. ANY; };
>     };
>
>     $ORIGIN .
>     $TTL 600        ; 10 minutes
>     example.us.     IN SOA  ns1.example.net. examplenetadmin.example.net. (
>                             2011063001 ; serial
>                             172800     ; refresh (2 days)
>                             600        ; retry (10 minutes)
>                             2419200    ; expire (4 weeks)
>                             600        ; minimum (10 minutes)
>                             )
>     example.us.     IN DNAME example.net.
>     example.us.     IN NS   ns1.example.net.
>     example.us.     IN NS   ns2.example.net.
>
> I get SERVFAIL with dig if I ask about, say www.example.us @ns1.example.net (www.example.net does exist). I see nothing in the named.log, except the trace 99 /notrace commands bracketing the dig, and if I turn on querylog:
>
>     client <ns1 IP>#33256: view internal: query: www.example.us IN A + (<ns1 IP>)
>
> If I look at the named statistics channel, I see that example.us is being served, but the zone serial is '-', not '2011063001'.
>
> Questions:
> o Am I confused about DNAME placement - would it have to go in .US? If so, is this possible? (I don't mean technically possible - I mean practically - e.g. thru a registrar such as godaddy, enom, etc). If not, what explains the SERVFAIL?
> o Why is '-' reported for the zone serial?
> o I understand that DNAME and MX don't play well together (DNAME is essentially CNAME, and MX doesn't allow CNAMEs). I suspect I'd have to live with that - unless there are wiser heads?
> o Is there a better approach? (Assume that I'll also want to do the same thing to example.info...)
>
> Thanks.
>
> - This communication may not represent my employer's views, if any, on the matters discussed.
Re: DNAME?
On 07/01/2011 10:03, Timothe Litt wrote:
> Yes, all my zones are (or will be) signed. And all are dynamic update;

Then the answer is simple: have a front end that allows you to make the edits in one place and have them updated in both zones.

--
Nothin' ever doesn't change, but nothin' changes much. -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS. Yours for the right price. :) http://SupersetSolutions.com/
Re: Problem with name resolving
On 01.07.2011 18:35, Lyle Giese wrote:
> You are right in that you only need one host at dyndns.org to update your IP address, but you want to have two different websites. The proper way to do that is with CNAME entries pointing to the host you are updating at connect time.

Do I need to open my firewall for port 53? :-( Is there another way? Maybe to add two virtual hosts at dyndns.org with the same IP?

Regards
Markus
another question about the glue
h.gtld-servers.net is one of the net domain's NS servers. As the info below:

    $ dig mydots.net @h.gtld-servers.net

    ; <<>> DiG 9.4.2-P2.1 <<>> mydots.net @h.gtld-servers.net
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57902
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;mydots.net.                    IN      A

    ;; AUTHORITY SECTION:
    mydots.net.             172800  IN      NS      ns1.dnsbed.com.
    mydots.net.             172800  IN      NS      ns2.dnsbed.com.

    ;; ADDITIONAL SECTION:
    ns1.dnsbed.com.         172800  IN      A       74.117.233.4
    ns2.dnsbed.com.         172800  IN      A       204.152.196.108

    ;; Query time: 279 msec
    ;; SERVER: 192.54.112.30#53(192.54.112.30)
    ;; WHEN: Sat Jul  2 03:25:41 2011
    ;; MSG SIZE  rcvd: 106

Why does the net zone have the glue for the servers which are in the com zone?

Thank you.
Re: another question about the glue
On 7/1/11 9:31 PM, PANG J. wrote:
> Why does the net zone have the glue for the servers which are in the com zone?

skull@mithrandir:~$ dig ns com +short | sort
a.gtld-servers.net.
b.gtld-servers.net.
c.gtld-servers.net.
d.gtld-servers.net.
e.gtld-servers.net.
f.gtld-servers.net.
g.gtld-servers.net.
h.gtld-servers.net.
i.gtld-servers.net.
j.gtld-servers.net.
k.gtld-servers.net.
l.gtld-servers.net.
m.gtld-servers.net.

skull@mithrandir:~$ dig ns net +short | sort
a.gtld-servers.net.
b.gtld-servers.net.
c.gtld-servers.net.
d.gtld-servers.net.
e.gtld-servers.net.
f.gtld-servers.net.
g.gtld-servers.net.
h.gtld-servers.net.
i.gtld-servers.net.
j.gtld-servers.net.
k.gtld-servers.net.
l.gtld-servers.net.
m.gtld-servers.net.

--
Paranoia is a disease unto itself. And may I add: the person standing next to you may not be who they appear to be, so take precaution.
- http://bofhskull.wordpress.com/
Re: another question about the glue
Those aren't glue records for a .com zone. Those glue records are for mydots.net; the NSes just so happen to be residing in the .com zone. The name servers don't have to be in the same zones as the actual domain name.

On a side note, the gTLDs cover .com as well.

On Fri, Jul 1, 2011 at 2:31 PM, PANG J. <pa...@xuite.net> wrote:
> h.gtld-servers.net is one of the net domain's NS servers. As the info below:
>
> $ dig mydots.net @h.gtld-servers.net
>
> ; <<>> DiG 9.4.2-P2.1 <<>> mydots.net @h.gtld-servers.net
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57902
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;mydots.net.                    IN      A
>
> ;; AUTHORITY SECTION:
> mydots.net.             172800  IN      NS      ns1.dnsbed.com.
> mydots.net.             172800  IN      NS      ns2.dnsbed.com.
>
> ;; ADDITIONAL SECTION:
> ns1.dnsbed.com.         172800  IN      A       74.117.233.4
> ns2.dnsbed.com.         172800  IN      A       204.152.196.108
>
> ;; Query time: 279 msec
> ;; SERVER: 192.54.112.30#53(192.54.112.30)
> ;; WHEN: Sat Jul  2 03:25:41 2011
> ;; MSG SIZE  rcvd: 106
>
> Why does the net zone have the glue for the servers which are in the com zone?
>
> Thank you.

--
Jonathan French
pikel@gmail.com
Re: Problem with name resolving
On 07/01/11 14:13, Markus Feldmann wrote:
> On 01.07.2011 18:35, Lyle Giese wrote:
>> You are right in that you only need one host at dyndns.org to update your ip address, but you want to have two different websites. The proper way to do that is with CNAME entries pointing to the host you are updating at connect time.
>
> Do I need to open my firewall for port 53? :-( Is there another way? Maybe add two virtual hosts at dyndns.org with the same IP?
>
> regards
> Markus

I don't know dyndns.com services that well. I don't know what they support or do not support directly.

Using an example, I have lcrcomputer.com. If I set up a dynamic dns host with dyndns.org and wanted two host names pointing there, I would do this:

1) set up a dynamic host at dyndns: host.dyndns.org

2) in the LCRCOMPUTER.COM zone I would add two entries:

host1.lcrcomputer.com.  IN  CNAME  host.dyndns.org.
host2.lcrcomputer.com.  IN  CNAME  host.dyndns.org.

I don't know if dyndns.com will allow you to create cname entries in their zones. They will if you have a hosted domain name there.

You need to open udp and tcp port 53 only if you need to make your dns server available to the public Internet. If it's only for internal use, no. And besides, if you want to run a public name server, it needs to be on a static IP address and not on a dynamic ip address.

Lyle Giese
LCR Computer Services, Inc.
Re: another question about the glue
That's meaningless. net and com are different zones, though they are located on the same servers.

On 2011-7-2 3:48, Emanuele Balla (aka Skull) wrote:
> On 7/1/11 9:31 PM, PANG J. wrote:
>> Why does the net zone have the glue for the servers which are in the com zone?
>
> skull@mithrandir:~$ dig ns com +short | sort
> a.gtld-servers.net.
> b.gtld-servers.net.
> c.gtld-servers.net.
> d.gtld-servers.net.
> e.gtld-servers.net.
> f.gtld-servers.net.
> g.gtld-servers.net.
> h.gtld-servers.net.
> i.gtld-servers.net.
> j.gtld-servers.net.
> k.gtld-servers.net.
> l.gtld-servers.net.
> m.gtld-servers.net.
>
> skull@mithrandir:~$ dig ns net +short | sort
Re: another question about the glue
On Fri, Jul 1, 2011 at 12:31 PM, PANG J. <pa...@xuite.net> wrote:
> Why does the net zone have the glue for the servers which are in the com zone?

Glue refers to address records for name servers of delegated child zones, when the names of those servers are subdomains of the delegated zone itself, e.g.,

example.net.       IN  NS  ns1.example.net.
ns1.example.net.   IN  A   192.0.2.1

However, records in the additional section don't always correspond to glue records contained in the delegating zone. Servers may also return records from other sources in their additional section, such as from other zones for which they are authoritative. Such is the case with the gTLD servers, which are authoritative for net and com. The address records returned for ns{1,2}.dnsbed.com are not in the net zone, but they are sibling glue for another zone delegated from the com zone. That is, they are the names of servers authoritative for a zone delegated from the com zone other than dnsbed.com (ns{1,2}.dnsbed.com aren't among the authoritative server names for dnsbed.com).

Casey
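Casey's distinction, between glue that the referral itself vouches for and address records the server merely happens to have from another zone it serves, is exactly the check a resolver (or anyone auditing one) has to make before caching what arrives in the additional section, and it has to be made label by label rather than by string suffix. The Python below is an added example, not code from this thread or from BIND: the referral text is constructed from the dig output quoted above, and the "sibling" and "out-of-bailiwick" labels are the example's own terms for the two kinds of non-glue data.

```python
# Added example (not from the thread): classify the A/AAAA records in a
# referral's additional section by bailiwick, comparing whole labels.
# REFERRAL is constructed from the dig output quoted earlier in the thread.

REFERRAL = """\
mydots.net.        172800  IN  NS  ns1.dnsbed.com.
mydots.net.        172800  IN  NS  ns2.dnsbed.com.
ns1.dnsbed.com.    172800  IN  A   74.117.233.4
ns2.dnsbed.com.    172800  IN  A   204.152.196.108
"""


def labels(name):
    """Lower-cased labels of a DNS name, root-most first ("a.b.net." -> ["net", "b", "a"])."""
    name = name.rstrip(".").lower()
    return list(reversed(name.split("."))) if name else []


def is_subdomain(name, zone):
    """True if name equals zone or lies below it.  Whole-label comparison, so
    'evilmydots.net' is NOT below 'mydots.net' although it ends with that string."""
    n, z = labels(name), labels(zone)
    return n[: len(z)] == z


def classify_additional(referral, delegating_zone, child_zone):
    """Map each A/AAAA owner name in the referral to one of:
       glue              - below the delegated child; the referral has to carry it
       sibling           - inside the delegating zone, but not this delegation's glue
       out-of-bailiwick  - from some other zone the same server happens to serve
                           (com answered by the gTLD servers, in the thread's case)
    """
    kinds = {}
    for line in referral.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3] not in ("A", "AAAA"):
            continue  # NS records and malformed lines are not address data
        owner = fields[0]
        if is_subdomain(owner, child_zone):
            kind = "glue"
        elif is_subdomain(owner, delegating_zone):
            kind = "sibling"
        else:
            kind = "out-of-bailiwick"
        kinds[owner.rstrip(".").lower()] = kind
    return kinds


def vouched_for(referral, delegating_zone, child_zone):
    """Owner names whose addresses a resolver may take from this referral.
    Everything else ranks as untrusted additional data (RFC 2181 section 5.4.1)
    and should be looked up on its own before it is relied on."""
    classes = classify_additional(referral, delegating_zone, child_zone)
    return sorted(name for name, kind in classes.items() if kind == "glue")


if __name__ == "__main__":
    for owner, kind in classify_additional(REFERRAL, "net", "mydots.net").items():
        print(f"{owner:20s} {kind}")
```

Run against the thread's referral both dnsbed.com addresses come out as out-of-bailiwick for a query in net, which is why a cautious resolver re-resolves them rather than caching what h.gtld-servers.net volunteered; the same code run with the servers' names under mydots.net would classify them as glue.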
Re: another question about the glue
On 2011-7-2 5:47, Casey Deccio wrote:
> However, records in the additional section don't always correspond to glue records contained in the delegating zone. Servers may also return records from other sources in their additional section, such as from other zones for which they are authoritative. Such is the case with the gTLD servers, which are authoritative for net and com. The address records returned for ns{1,2}.dnsbed.com are not in the net zone, but they are sibling glue for another zone delegated from the com zone. That is, they are the names of servers authoritative for a zone delegated from the com zone other than dnsbed.com (ns{1,2}.dnsbed.com aren't among the authoritative server names for dnsbed.com).

Thanks a lot, I got it now, thank you.

Regards.
Re: DNAME?
When DNAME was being developed the working group had to make a decision about whether DNAME should redirect the node it was at or just the names below it. The decision was made to do the latter because it didn't require TLD operators to know about DNAME, at the cost of a little more work to keep the apex records in sync. In hindsight we should have done both as there are use cases for both.

Getting other types added to TLDs isn't a technical issue, it's a political issue. There are TLDs that accept MX, A, and I believe DNAME today instead of NS records at what would be the delegation point. It's just as easy to serve these records as it is to serve a delegation.

Mark

In message <2fa4ed65dac044849aa3f57fbcfe2...@sb.litts.net>, Timothe Litt writes:
> Yes, the example.us zone loads. As I mentioned, no errors in named.log, and the statistics webserver (in named) shows example.us as active, albeit with '-' for the serial number instead of the number in the zone file.
>
> How did you get a DNAME into .com? I did make example.us a zone - it is one, isn't it? If the DNAME has to go in .us, I don't see making this scheme work. As a practical matter, registrars will put NS records into the TLDs, and some (with encouragement) are starting to accept DNSSEC records for the TLDs. But I've yet to see one that provides a means for a registrant to have a DNAME inserted... Unless I'm missing something.
>
> Did you actually manage to do this, or is your setup working in third+-level domains?
>
> I was hoping/expecting that since my server is the authoritative server for example.us, the DNAME could go in the example.us zone. I expected that when, as the authoritative server, it was asked for foo.example.us, it would respond with foo.example.net. But the RFC wasn't clear, which is why I asked.
>
> thanks.
>
> This communication may not represent my employer's views, if any, on the matters discussed.
>
> From: Jon F. [mailto:pikel@gmail.com]
> Sent: Thursday, June 30, 2011 16:11
> To: Timothe Litt
> Cc: bind-users@lists.isc.org
> Subject: Re: DNAME?
>
> I have a similar set up to that and it works. Have you checked the logs to make sure the zone properly loaded? I'm assuming the zone data you posted below is from the example.us zone, but your first question makes it sound like you put it in a separate zone. That would explain the SERVFAIL if the zone data never loaded but the server was authoritative. It does need to be in the .us.
>
> ;; ANSWER SECTION:
> example.com.            60      IN      DNAME   example.net.
> test.example.com.       60      IN      CNAME   test.example.net.
> test.example.net.       60      IN      A       127.0.0.1
>
> And that's with zone data like this:
>
> example.com.    IN  NS     ns1.example.net.
> example.com.    IN  NS     ns2.example.net.
> example.com.    IN  A      10.0.0.1
> example.com.    IN  DNAME  example.net.
>
> Truthfully I haven't looked at DNAMEs in a long time so I'm unsure how to do it fully for a domain without adding an A record as well. But what you're doing works, it's just not very pretty. Someone may have a better way.
>
> On Thu, Jun 30, 2011 at 2:01 PM, Timothe Litt <l...@acm.org> wrote:
>> I have domain example.net in production, and have recently acquired example.us and example.info. For whatever reason, I want example.us to simply mirror example.net, which is dynamically updated (and dnssec). And I want example.us to be zero maintenance. (Well, OK, I know I need separate DNSSEC keys, but I don't want to mirror every update made in .net to .us.)
>>
>> So, I add a zone to ns1.example.net that looks like: (In view internal)
>>
>> zone "example.us" {
>>     auto-dnssec maintain;
>>     type master;
>>     allow-transfer { key TSIG_GLOBAL_KEY; };
>>     file "EXAMPLE_US.DB";
>>     update-policy { grant TSIG_GLOBAL_KEY subdomain example.us. ANY; };
>> };
>>
>> $ORIGIN .
>> $TTL 600        ; 10 minutes
>> example.us.     IN SOA  ns1.example.net. examplenetadmin.example.net. (
>>                         2011063001 ; serial
>>                         172800     ; refresh (2 days)
>>                         600        ; retry (10 minutes)
>>                         2419200    ; expire (4 weeks)
>>                         600        ; minimum (10 minutes)
>>                         )
>> example.us.     IN DNAME  example.net.
>> example.us.     IN NS     ns1.example.net.
>> example.us.     IN NS     ns2.example.net.
>>
>> I get SERVFAIL with dig if I ask about, say, www.example.us @ns1.example.net
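Mark's point, that DNAME redirects the names below its owner and not the owner node itself, is what decides which of Timothe's queries get rewritten and which must be served from example.us's own apex records. The Python below is an added example, not code from this thread or from BIND; it implements the substitution rule of RFC 6672 section 2.2 (including the length check that turns an over-long result into YXDOMAIN) over the example.us/example.net names used in the thread, and the apex record set it is given is constructed for the illustration.

```python
# Added example (not from the thread): DNAME substitution as RFC 6672
# section 2.2 describes it.  The owner node is left alone; only names
# strictly below it are rewritten.  All names here are illustrative.

MAX_WIRE_NAME = 255  # octets, including the terminating root label


def labels(name):
    """Lower-cased labels of a DNS name, root-most first."""
    name = name.rstrip(".").lower()
    return list(reversed(name.split("."))) if name else []


def wire_length(name):
    """Wire-format length: one length octet per label plus the root label."""
    return sum(len(lab) + 1 for lab in labels(name)) + 1


def dname_substitute(qname, owner, target):
    """Return the substituted name for qname, or None when qname is not
    strictly below owner (the owner itself, and unrelated names, are not
    redirected).  Raises ValueError when the result would not fit in 255
    octets; a server answers that case with YXDOMAIN rather than inventing
    an invalid name."""
    q, o, t = labels(qname), labels(owner), labels(target)
    if len(q) <= len(o) or q[: len(o)] != o:
        return None
    new = t + q[len(o):]  # keep the labels below owner, hang them under target
    result = ".".join(reversed(new)) + "."
    if wire_length(result) > MAX_WIRE_NAME:
        raise ValueError("YXDOMAIN: substituted name exceeds 255 octets")
    return result


def answer(qname, qtype, apex_rrs, dname):
    """Toy authoritative answer for a zone whose apex carries a DNAME.
    apex_rrs: {type: rdata} held at the owner; dname: (owner, target).
    Returns the (owner, type, rdata) tuples a server would put in the
    answer section."""
    owner, target = dname
    if labels(qname) == labels(owner):
        # Queries at the owner itself are answered from its own records.
        # This is the "keep the apex records in sync" cost Mark mentions:
        # nothing at the apex is mirrored by the DNAME.
        return [(owner, qtype, apex_rrs[qtype])] if qtype in apex_rrs else []
    new = dname_substitute(qname, owner, target)
    if new is None:
        return []  # not in this DNAME's subtree
    # RFC 6672 section 3.2: the DNAME record precedes the synthesized CNAME.
    return [(owner, "DNAME", target), (qname, "CNAME", new)]


if __name__ == "__main__":
    apex = {"SOA": "ns1.example.net. examplenetadmin.example.net. 2011063001 ...",
            "NS": "ns1.example.net."}
    redirect = ("example.us.", "example.net.")
    for q, t in (("www.example.us.", "A"), ("example.us.", "NS"), ("example.us.", "A")):
        print(q, t, "->", answer(q, t, apex, redirect))
```

A query for www.example.us yields the DNAME plus a synthesized CNAME to www.example.net, a query for example.us NS is answered from the apex records and never touches the DNAME, and a query for example.us A returns nothing because no A record exists at the apex: the apex is exactly what the DNAME does not mirror.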