RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-25 Thread Tony Finch
Spain, Dr. Jeffry A. <spa...@countryday.net> wrote:

> My experience with changing the timing metadata or removing the key
> files is that named issues a warning like the following: zone <zone>/IN:
> Key <zone>/<algorithm>/<key tag> missing or inactive and has no
> replacement: retaining signatures. In this circumstance none of the
> RRSIGs or NSECs are removed. They sit there indefinitely even after the
> RRSIGs expire.

If I remember correctly, that was because you removed the keyfile rather
than just updating the timing metadata. Try updating the timing data and
leaving the keyfiles in place until after BIND has acted on the deletion
date.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Forties: Northwesterly 4 or 5, occasionally 6 in east. Slight or moderate,
occasionally rough later. Mainly fair. Moderate or good.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: Seeking Advice on DNSSEC Algorithm Rollover

2012-06-25 Thread Spain, Dr. Jeffry A.
>> My experience with changing the timing metadata or removing the key
>> files is that named issues a warning like the following: zone <zone>/IN:
>> Key <zone>/<algorithm>/<key tag> missing or inactive and has no
>> replacement: retaining signatures. In this circumstance none of the
>> RRSIGs or NSECs are removed. They sit there indefinitely even after
>> the RRSIGs expire.

> If I remember correctly, that was because you removed the keyfile rather than
> just updating the timing metadata. Try updating the timing data and leaving
> the keyfiles in place until after BIND has acted on the deletion date.

I did some additional testing over the weekend. Removing the key files without 
updating the timing metadata definitely causes this problem. Updating the 
timing metadata such that the inactive date is in the past and the deletion 
date is in the future also causes this problem. The key to success appears to 
be updating the timing metadata such that the inactive and deletion dates are 
both in the past. I still want to test this where there are no keys present for 
a second algorithm, i.e. a secure to insecure transition. Thanks. Jeff.

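Added example (not part of the thread, and not ISC code): a Python check of the timing metadata in a key's .private file, following what Jeff reports above. named acts on the Inactive and Delete dates that dnssec-keygen and dnssec-settime write into that file; his tests show the stale RRSIGs are only dropped once both dates are in the past, while Inactive in the past with Delete still in the future leaves named retaining the signatures. The sample key file is constructed, the key material is fake, and treating a missing Delete line like a future one is this example's assumption.

```python
"""State of a BIND DNSSEC key from the timing metadata in its .private file
(added example). Reports, for a given moment:

  pending             Activate still in the future
  active              Inactive unset or in the future
  inactive-retaining  Inactive past, Delete not: the state in which Jeff saw
                      "missing or inactive and has no replacement: retaining
                      signatures" and stale RRSIGs left in place
  deleted             Inactive and Delete both past: the state that made named
                      drop the old signatures in his tests
"""
from datetime import datetime, timedelta, timezone

TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")
STAMP = "%Y%m%d%H%M%S"

# Constructed sample of the file dnssec-keygen writes beside the .key file;
# the key material is fake.
SAMPLE_PRIVATE = """\
Private-key-format: v1.3
Algorithm: 5 (RSASHA1)
Modulus: AAAA
PublicExponent: AQAB
Created: 20120501000000
Publish: 20120501000000
Activate: 20120501000000
Inactive: 20120620000000
Delete: 20120701000000
"""


def parse_stamp(value):
    """'20120625120000' -> aware UTC datetime (the format these files use)."""
    return datetime.strptime(value, STAMP).replace(tzinfo=timezone.utc)


def parse_private_key(text):
    """Return {field: datetime} for the timing lines present in the file."""
    times = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in TIMING_FIELDS:
            times[key.strip()] = parse_stamp(value.strip())
    return times


def key_state(times, now):
    activate, inactive, delete = (times.get(f) for f in ("Activate", "Inactive", "Delete"))
    if activate is not None and activate > now:
        return "pending"
    if inactive is None or inactive > now:
        return "active"
    # Assumption of this example: no Delete line behaves like a Delete date
    # that has not yet arrived.
    if delete is None or delete > now:
        return "inactive-retaining"
    return "deleted"


def key_state_at(private_text, now_stamp):
    """State of the key described by private_text at YYYYMMDDHHMMSS now_stamp."""
    return key_state(parse_private_key(private_text), parse_stamp(now_stamp))


def retirement_dates(now_stamp, margin_seconds=3600):
    """Inactive/Delete values for dnssec-settime -I/-D, both already in the
    past by margin_seconds so named sees the key as retired on the next
    key reload rather than as inactive-but-present."""
    stamp = (parse_stamp(now_stamp) - timedelta(seconds=margin_seconds)).strftime(STAMP)
    return {"Inactive": stamp, "Delete": stamp}


if __name__ == "__main__":
    for now in ("20120401000000", "20120601000000", "20120625120000", "20120702000000"):
        print(now, key_state_at(SAMPLE_PRIVATE, now))
    print(retirement_dates("20120625120000"))
```

Run as a script it prints the state at four moments; retirement_dates() gives the values to pass to dnssec-settime -I and -D so that both dates are already past when named next reloads its keys, which is the condition Jeff found necessary before the old signatures go away.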

Re: Understanding cause of DNS format error (FORMERR)

2012-06-25 Thread Tony Finch
It looks to me like this is an EDNS bug. I am querying the authoritative
server directly, with no firewalls in the way. The FORMERR is coming from
the authoritative server not from BIND. I get the same result over IPv4
and IPv6.

They also have a bug in their NXDOMAIN logic: extranet.microsoft.com
does not exist therefore partners.extranet.microsoft.com cannot exist.


; <<>> DiG 9.9.1-P1 <<>> +noedns @ns1.msft.net. partners.extranet.microsoft.com ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9931
;; flags: qr rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS

;; ANSWER SECTION:
partners.extranet.microsoft.com. 3600 IN NS dns12.one.microsoft.com.
partners.extranet.microsoft.com. 3600 IN NS dns10.one.microsoft.com.
partners.extranet.microsoft.com. 3600 IN NS dns13.one.microsoft.com.
partners.extranet.microsoft.com. 3600 IN NS dns11.one.microsoft.com.

;; ADDITIONAL SECTION:
dns12.one.microsoft.com. 3600   IN  A   207.46.55.10
dns10.one.microsoft.com. 3600   IN  A   131.107.125.65
dns13.one.microsoft.com. 3600   IN  A   65.55.31.17
dns11.one.microsoft.com. 3600   IN  A   94.245.124.49

;; Query time: 159 msec
;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1)
;; WHEN: Mon Jun 25 12:38:51 2012
;; MSG SIZE  rcvd: 197


; <<>> DiG 9.9.1-P1 <<>> +edns=0 @ns1.msft.net. partners.extranet.microsoft.com ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20875
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS

;; Query time: 142 msec
;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1)
;; WHEN: Mon Jun 25 12:38:57 2012
;; MSG SIZE  rcvd: 60


; <<>> DiG 9.9.1-P1 <<>> +noedns @ns1.msft.net extranet.microsoft.com ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 141
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;extranet.microsoft.com. IN NS

;; AUTHORITY SECTION:
microsoft.com.  3600 IN SOA ns1.msft.net. msnhst.microsoft.com. 2012062205 300 600 2419200 3600

;; Query time: 142 msec
;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1)
;; WHEN: Mon Jun 25 12:44:44 2012
;; MSG SIZE  rcvd: 95


Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Sole, Lundy, Fastnet: Southeast at first in Lundy and Fastnet, otherwise
southwest, 4 or 5. Slight or moderate, occasionally rough in west Sole.
Occasional rain or drizzle, fog patches. Moderate, occasionally very poor.


Re: Understanding cause of DNS format error (FORMERR)

2012-06-25 Thread Tony Finch
Carsten Strotmann (private) <c...@strotmann.de> wrote:

> The FORMERR I'm seeing is also quite odd, as it has the AD flag set,
> which should normally not appear in an error type of response, but
> might be caused by a mangled DNS packet:

I think it is echoing the AD bit in the query.


; <<>> DiG 9.9.1-P1 <<>> +noad +qr @ns1.msft.net. partners.extranet.microsoft.com ns
; (2 servers found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3331
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 3331
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS

;; Query time: 142 msec
;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1)
;; WHEN: Mon Jun 25 12:57:06 2012
;; MSG SIZE  rcvd: 60


; <<>> DiG 9.9.1-P1 <<>> +qr @ns1.msft.net. partners.extranet.microsoft.com ns
; (2 servers found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21060
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 21060
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;partners.extranet.microsoft.com. IN NS

;; Query time: 142 msec
;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1)
;; WHEN: Mon Jun 25 12:56:22 2012
;; MSG SIZE  rcvd: 60


Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Dogger: Northwest 5 or 6 becoming variable 3 or 4. Moderate, becoming slight
in west. Showers. Moderate or good.

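Added example, not part of Tony's posts: Python that builds the wire-format query dig sent (NS for partners.extranet.microsoft.com with an EDNS0 OPT record, RD and optionally AD set), parses a reply, and decides whether a resolver should fall back to a plain query. The server side is modelled, not captured: formerr_echo() is a constructed stand-in for the behaviour seen above (FORMERR, the question and OPT record echoed back, the query's RD and AD bits copied into the reply), which reproduces the 60-byte message size and the echoed AD flag. Nothing is sent on the network.

```python
"""Wire-level look at the EDNS/FORMERR exchange above (added example).

build_query()  - the query dig sent: NS partners.extranet.microsoft.com,
                 EDNS0 OPT (udp 4096), RD and optionally AD set
formerr_echo() - constructed model of the server seen above: FORMERR, the
                 question and OPT echoed, RD/AD copied from the query
parse_reply()  - header flags, RCODE, counts, and whether an OPT came back
needs_edns_fallback() - the resolver's decision: FORMERR to an EDNS query
                 means retry the same question with no OPT record
"""
import struct

QNAME = "partners.extranet.microsoft.com"
TYPE_NS, TYPE_OPT, CLASS_IN = 2, 41, 1
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """'a.b.c.' -> uncompressed wire form, ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, name, qtype, edns=True, ad=False, udp_size=4096):
    flags = RD | (AD if ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root owner, TYPE 41, CLASS field = UDP payload size,
    # TTL field = extended RCODE/version/flags (all zero here), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0) if edns else b""
    return header + question + opt


def formerr_echo(query):
    """Constructed server model: QR on, RCODE=FORMERR, RD/AD and body echoed."""
    qid, qflags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags = QR | (qflags & (RD | AD)) | 1
    return struct.pack("!HHHHHH", qid, flags, qd, an, ns, ar) + query[12:]


def read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:           # compression pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_reply(data):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    names = (("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA), ("ad", AD), ("cd", CD))
    info = {"id": qid,
            "flags": [n for n, bit in names if flags & bit],
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "counts": (qd, an, ns, ar),
            "has_opt": False, "edns_udp_size": None}
    off = 12
    for _ in range(qd):
        _, off = read_name(data, off)
        off += 4                            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off = read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            info["has_opt"], info["edns_udp_size"] = True, rclass
    return info


def needs_edns_fallback(reply, query_had_edns):
    """True when the resolver should resend the question without an OPT record."""
    return bool(query_had_edns and reply["rcode"] == "FORMERR")


if __name__ == "__main__":
    q = build_query(20875, QNAME, TYPE_NS, edns=True, ad=True)
    r = parse_reply(formerr_echo(q))
    print(len(q), r, needs_edns_fallback(r, True))
```

The 60-byte query is the same 60 bytes dig reported receiving, because the modelled server sends the whole question and OPT straight back; the only things it changes are QR and the RCODE, which is why the AD bit in the reply tracks the AD bit in the query.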

Re: Understanding cause of DNS format error (FORMERR)

2012-06-25 Thread Sam Wilson
In article <mailman.1121.1340625284.63724.bind-us...@lists.isc.org>,
 Tony Finch <d...@dotat.at> wrote:

> It looks to me like this is an EDNS bug. ...

There's some kind of delegation bug as well.  If I query 
dns1[0-3].one.microsoft.com for SOA and NS for 
partners.extranet.microsoft.com I get sensible answers, though the 
origin host is different for each server queried and those origins are 
privately addressed.

If I query dns1[0-3].one.microsoft.com for 
vlasext.partners.extranet.microsoft.com/IN/A I get answers with no AA 
bit set and a decreasing TTL as if the data were cached.  It does not 
appear that vlasext.partners.extranet.microsoft.com is delegated itself 
so it's not cached answers from a child zone.  The authority for 
zero-answer responses such as 
vlasext.partners.extranet.microsoft.com/IN/ is the SOA for 
partners.extranet.microsoft.com

It's all rather horrible.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


Reverse zones best practices

2012-06-25 Thread nex6


Hi all,

Looking for some info on best practices for reverse zones. I have a pretty big IP 
space and a lot of reverse zones are not created.
I want to clean it up; a few people that don't really know DNS are thinking of 
supernetting, e.g. a top-level 10.0.0.0/16 sort of thing. 

But we have 100s of mission-critical reverse zones defined at the VLAN 
level of 10.x.x.0/24...  My thinking would be to do a
discovery and create all the /24s, even if there are like 100s, instead of the 
bigger supernet...


What would be the best practice and the way to go?



-Nex6



CNAME Rules

2012-06-25 Thread Srinivas Krishnan
The RFC rules on CNAMEs are fairly tight, but I am seeing an increasing
amount of traffic with misconfigured CNAMEs, some of which are accepted
by BIND as valid responses. The examples capture three trends; note
these are actual responses:

1) Example-1: CNAME in the additional section necessary to finish
processing of response. BIND accepts this as valid:

proto: DNS: id=febd qr=1 QUERY AA NOERROR qdcount=1 ancount=7
nscount=6 arcount=7
query: after12.failblog.org. A IN
answer: after12.failblog.org. CNAME IN TTL=3600 chzallnighter.wordpress.com.
answer: vip-lb.wordpress.com. A IN TTL=300 72.233.104.123
nameserver: wordpress.com. NS IN TTL=14400 ns1.wordpress.com.
nameserver: wordpress.com. NS IN TTL=14400 ns2.wordpress.com.
additional: chzallnighter.wordpress.com. CNAME IN TTL=300
vip-lb.wordpress.com.
additional: ns1.wordpress.com. A IN TTL=14400 72.233.69.14
additional: ns2.wordpress.com. A IN TTL=14400 76.74.159.137

2) Example-2: Multiple CNAMEs with same label but different data, BIND
finds this to be incorrect and retries if another nameserver is
available:


proto: DNS: id=8faa qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=13
query: image.dhgate.com. A IN
answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.chinacache.net.
answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.com.cdn20.com.
nameserver: . NS IN TTL=518400 a.root-servers.net.
nameserver: . NS IN TTL=518400 b.root-servers.net.
nameserver: . NS IN TTL=518400 c.root-servers.net.

3) Example-3: Multiple CNAMEs with the same label and data; BIND finds this to
be incorrect as well and retries.

proto: DNS: id=a0f6 qr=1 QUERY AA NOERROR qdcount=1 ancount=2
nscount=3 arcount=3
query: www.smilebox.com. A IN
answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
nameserver: smilebox.com. NS IN TTL=86400 ns1.smilebox.com.
nameserver: smilebox.com. NS IN TTL=86400 ns2.smilebox.com.
nameserver: smilebox.com. NS IN TTL=86400 ns3.smilebox.com.
additional: ns1.smilebox.com. A IN TTL=86400 207.66.132.8
additional: ns2.smilebox.com. A IN TTL=86400 216.218.214.52
additional: ns3.smilebox.com. A IN TTL=86400 71.164.20.101


My question really is: what are the rules governing CNAME processing in
BIND, and why is Example-1 allowed as valid?


-srinivas


Re: Reverse zones best practices

2012-06-25 Thread David Dowdle
I strongly recommend splitting on /8, /16 and /24 boundaries. With the 
number of zones you are talking about, doing anything else will get very 
confusing very quickly.


If a netblock is larger than a /24, put at the top and bottom of each /24 
a comment line explaining what size it is


For example my 10.in-addr.arpa. zone has
; this is top of the 10/8 delegates to 10.*/16


zone file for 230.16.10.in-addr.arpa has comment 
; 10.16.230.0/23  vlan : Purpose-of-vlan-here 10.16.230.0-10.16.231.255   (512)



In this way, whoever looks at the zone, no matter how dns savvy they are, 
knows the size of the netblock



Re: CNAME Rules

2012-06-25 Thread Chuck Swiger
On Jun 25, 2012, at 2:13 PM, Srinivas Krishnan wrote:
> The RFC rules on CNAMEs is fairly tight but I am seeing an increasing
> amount of traffic with misconfigured CNAMEs some of which are accepted
> by BIND as valid responses. The examples capture three trends, note
> these are actual responses:
>
> 1) Example-1: CNAME in the additional section necessary to finish
> processing of response. BIND accepts this as valid:
>
> proto: DNS: id=febd qr=1 QUERY AA NOERROR qdcount=1 ancount=7
> nscount=6 arcount=7
> query: after12.failblog.org. A IN
> answer: after12.failblog.org. CNAME IN TTL=3600 chzallnighter.wordpress.com.
> answer: vip-lb.wordpress.com. A IN TTL=300 72.233.104.123
> nameserver: wordpress.com. NS IN TTL=14400 ns1.wordpress.com.
> nameserver: wordpress.com. NS IN TTL=14400 ns2.wordpress.com.
> additional: chzallnighter.wordpress.com. CNAME IN TTL=300 vip-lb.wordpress.com.
> additional: ns1.wordpress.com. A IN TTL=14400 72.233.69.14
> additional: ns2.wordpress.com. A IN TTL=14400 76.74.159.137

This is standard CNAME chaining, per RFC-1034:

% dig after12.failblog.org @8.8.8.8
[ ... ]
;; QUESTION SECTION:
;after12.failblog.org.  IN  A

;; ANSWER SECTION:
after12.failblog.org.   3416IN  CNAME   chzallnighter.wordpress.com.
chzallnighter.wordpress.com. 116 IN CNAME   vip-lb.wordpress.com.
vip-lb.wordpress.com.   116 IN  A   74.200.247.187
vip-lb.wordpress.com.   116 IN  A   76.74.255.117
vip-lb.wordpress.com.   116 IN  A   76.74.255.123
vip-lb.wordpress.com.   116 IN  A   72.233.104.123
vip-lb.wordpress.com.   116 IN  A   72.233.127.217
vip-lb.wordpress.com.   116 IN  A   74.200.247.59

> 2) Example-2: Multiple CNAMEs with same label but different data, BIND
> finds this to be incorrect and retries if another nameserver is
> available:
>
> proto: DNS: id=8faa qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=13
> query: image.dhgate.com. A IN
> answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.chinacache.net.
> answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.com.cdn20.com.
> nameserver: . NS IN TTL=518400 a.root-servers.net.
> nameserver: . NS IN TTL=518400 b.root-servers.net.
> nameserver: . NS IN TTL=518400 c.root-servers.net.

% dig image.dhgate.com @8.8.8.8
[ ... ]
;; QUESTION SECTION:
;image.dhgate.com.  IN  A

;; ANSWER SECTION:
image.dhgate.com.   26  IN  CNAME   image.dhgate.com.cdn20.com.
image.dhgate.com.cdn20.com. 29  IN  CNAME   image.dhgate.com.wscdns.com.
image.dhgate.com.wscdns.com. 29 IN  CNAME   dhgate.com.edgesuite.net.
dhgate.com.edgesuite.net. 1381  IN  CNAME   a1015.b.akamai.net.
a1015.b.akamai.net. 20  IN  A   65.121.208.137
a1015.b.akamai.net. 20  IN  A   65.121.208.120

I wonder where chinacache.net came from in your case, unless they are using
different CDNs in different parts of the world.  Around here, they're using
Akamai EdgeSuite.

Again, this looks to be standard CNAME chaining, only your query didn't chase
image.dhgate.com.cdn20.com any further.

> 3) Example-3: Multiple CNAMEs with same and data, BIND finds this to
> be incorrect as well and retries.
>
> proto: DNS: id=a0f6 qr=1 QUERY AA NOERROR qdcount=1 ancount=2
> nscount=3 arcount=3
> query: www.smilebox.com. A IN
> answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
> answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
> nameserver: smilebox.com. NS IN TTL=86400 ns1.smilebox.com.
> nameserver: smilebox.com. NS IN TTL=86400 ns2.smilebox.com.
> nameserver: smilebox.com. NS IN TTL=86400 ns3.smilebox.com.
> additional: ns1.smilebox.com. A IN TTL=86400 207.66.132.8
> additional: ns2.smilebox.com. A IN TTL=86400 216.218.214.52
> additional: ns3.smilebox.com. A IN TTL=86400 71.164.20.101
>
> My question really what are the rules governing CNAME processing in
> BIND and why does Example-1 allowed as valid.

From here, this gets:

% dig www.smilebox.com @8.8.8.8
[ ... ]
;; QUESTION SECTION:
;www.smilebox.com.  IN  A

;; ANSWER SECTION:
www.smilebox.com.   3421IN  CNAME   www.g.smilebox.com.
www.g.smilebox.com. 121 IN  A   216.218.214.53

...which is a single CNAME pointing to an A record.  Are you sure your ancount=2
was really two copies of the same CNAME, rather than a CNAME and A record?

Regards,
-- 
-Chuck



Re: Moving DNS out of non-cooperative provider

2012-06-25 Thread John Miller
We've just resolved this amicably--I'd missed the
commercial.service@rcn.com address, but was contacted off-list by one
of RCN's engineers, who read this thread and has removed our domain
from their nameservers.  He was quite helpful.  No cease-and-desist
letter needed--not by a long shot!

John



On Mon, Jun 18, 2012 at 11:22 PM, Mark Andrews <ma...@isc.org> wrote:


> In message <4fdf631a.4060...@brandeis.edu>, John Miller writes:
>> Hi Alexander,
>>
>> We've actually run into this before.  Once upon a time, RCN cable used
>> to run some slave servers for us, but we've long since moved away from
>> them, including zone transfers.  We yanked them from our registrar a
>> long time ago, and life was good.  For whatever reason, RCN's still
>> answering queries for brandeis.edu.
>>
>> As others have mentioned, change your DNS servers with your domain
>> registrar, and you'll be fine.
>>
>> John
>
> And if there is another zone with a CNAME to a brandeis.edu domain
> on those servers the clients will be getting old data.  As you have
> no control over creation of CNAMEs in other zones I would suggest
> that you send them a Cease and Desist notice if they are still doing
> it.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org




-- 
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu
(781) 736-4619

Re: CNAME Rules

2012-06-25 Thread Srinivas Krishnan
Chuck,

You are using a caching resolver to check the responses, and you only see the 
response after it has been resolved by Google's DNS server. Try "dig 
@ns1.wordpress.com after12.failblog.org." to see the actual records that you 
would receive if you were a DNS server performing an authoritative query to 
wordpress.

Is having a CNAME in the additional section regular CNAME chaining? My 
understanding was that additional sections do not contain CNAMEs. 
-srinivas 


RE: Reverse zones best practices

2012-06-25 Thread Brad Bendily
I don't know about best practice in this case, but I decided to put our reverse 
entries into one "supernetting" file, as you call it.

We had the same problem that a lot of reverse entries were missing, so I wrote
a script to parse the forward file and create the reverse. Then I incorporated
that into my adding-a-new-entry process, so I never add a reverse entry now; 
the script creates it. For that matter, all of our forward entries are in one 
file as well.

I don't need to look at DNS to find my network structure. I just want DNS to do 
DNS.

bb

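Added example, not from the thread: Python that does what Brad describes, generating PTR records from the forward data, and lays the result out the way David recommends: one zone per /24 and, where a VLAN is wider than a /24, a header comment in each of its /24 zones giving the real prefix, purpose, range and size. It also lists forward addresses that fall in no defined VLAN, the gap nex6 wants to discover. The VLAN plan and host names are constructed; SOA and NS records are left to the caller, and prefixes longer than /24 are refused rather than handled with RFC 2317 classless delegation.

```python
"""Per-/24 reverse zones generated from forward A records (added example)."""
import ipaddress

# Constructed VLAN plan: (prefix, purpose). A /23 here shows the wide-VLAN case.
VLANS = [("10.16.230.0/23", "server-farm"), ("10.16.5.0/24", "mgmt")]

# Constructed forward A records: (owner name, address).
FORWARD = [
    ("db1.example.net.", "10.16.230.10"),
    ("db2.example.net.", "10.16.231.10"),
    ("sw1.example.net.", "10.16.5.1"),
    ("stray.example.net.", "10.99.1.1"),   # in no VLAN above: a discovery gap
]


def reverse_zone_name(net24):
    """ip_network('10.16.230.0/24') -> '230.16.10.in-addr.arpa.'"""
    octets = str(net24.network_address).split(".")
    return ".".join(reversed(octets[:3])) + ".in-addr.arpa."


def vlan_header(net, purpose):
    """The size comment David puts at the top of each /24 of a wider VLAN."""
    return "; %s vlan : %s %s-%s (%d)" % (
        net, purpose, net.network_address, net.broadcast_address, net.num_addresses)


def build_reverse_zones(vlans, forward):
    """Return ({zone name: [zone body lines]}, [addresses in no VLAN])."""
    nets = [(ipaddress.ip_network(prefix), purpose) for prefix, purpose in vlans]
    zones = {}
    for net, purpose in nets:
        if net.prefixlen > 24:
            raise ValueError("%s: smaller than a /24, needs RFC 2317 delegation" % net)
        subs = [net] if net.prefixlen == 24 else list(net.subnets(new_prefix=24))
        for sub in subs:
            zones[reverse_zone_name(sub)] = [vlan_header(net, purpose)] if len(subs) > 1 else []
    orphans = []
    for name, addr in sorted(forward, key=lambda rec: ipaddress.ip_address(rec[1])):
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net, _ in nets):
            orphans.append(addr)
            continue
        zone = reverse_zone_name(ipaddress.ip_network(addr + "/24", strict=False))
        # Owner is the last octet, relative to the zone's $ORIGIN.
        zones[zone].append("%d\tIN\tPTR\t%s" % (ip.packed[3], name))
    return zones, orphans


def render_zone(zone_name, lines):
    """Body of one zone file; SOA/NS are added by the caller's template."""
    return "\n".join(["$ORIGIN " + zone_name] + lines) + "\n"


if __name__ == "__main__":
    zones, orphans = build_reverse_zones(VLANS, FORWARD)
    for zone_name in sorted(zones):
        print(render_zone(zone_name, zones[zone_name]))
    print("; addresses outside every defined VLAN:", orphans)
```

Feeding it the real forward zone data (after a dump or AXFR) gives the discovery pass nex6 describes: every /24 that should exist appears as a zone, and the orphan list shows addresses in use that the VLAN plan does not cover.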

Re: CNAME Rules

2012-06-25 Thread Mark Andrews

In message <CA+zrinE1sHkojS1fCNdcgZtF-+QQrTkqmRcfXZ1kUiBr=sq...@mail.gmail.com>,
Srinivas Krishnan writes:
> The RFC rules on CNAMEs is fairly tight but I am seeing an increasing
> amount of traffic with misconfigured CNAMEs some of which are accepted
> by BIND as valid responses. The examples capture three trends, note
> these are actual responses:

Named first parses the response to extract the records into
RRsets.  Responses with multiple CNAMES are detected at
this point and get rejected.  Named then tries to interpet
the parsed message and once it has seen the CNAME and
associated RRSIGs it stops processing the result and issues
a new query for the target of the CNAME.  This is done to
stop the cache being poisoned.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

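Added example, not named's code: a Python model of the processing Mark describes, run over the three responses Srinivas posted (transcribed here with only section, owner, type and rdata). Records are grouped into RRsets first; an answer with more than one CNAME record at the query name is rejected, whether the targets differ (Example-2) or the same record appears twice (Example-3); otherwise processing stops at the CNAME and the resolver re-queries its target instead of using the A records or the additional-section CNAME that arrived with it (Example-1). NS and glue handling is out of scope.

```python
"""Model of the CNAME handling Mark describes, applied to the three captured
responses (added example; not named's code). Records are grouped into RRsets,
multiple CNAME records at the query name cause rejection, and a single CNAME
ends processing with a re-query of its target; nothing else in the answer
section and no CNAME in the additional section is used.
"""
from collections import defaultdict

# Transcribed from the captures in the thread: (section, owner, type, rdata).
EXAMPLE_1 = [
    ("answer", "after12.failblog.org.", "CNAME", "chzallnighter.wordpress.com."),
    ("answer", "vip-lb.wordpress.com.", "A", "72.233.104.123"),
    ("authority", "wordpress.com.", "NS", "ns1.wordpress.com."),
    ("authority", "wordpress.com.", "NS", "ns2.wordpress.com."),
    ("additional", "chzallnighter.wordpress.com.", "CNAME", "vip-lb.wordpress.com."),
    ("additional", "ns1.wordpress.com.", "A", "72.233.69.14"),
    ("additional", "ns2.wordpress.com.", "A", "76.74.159.137"),
]
EXAMPLE_2 = [  # two CNAMEs at one name, different targets
    ("answer", "image.dhgate.com.", "CNAME", "image.dhgate.chinacache.net."),
    ("answer", "image.dhgate.com.", "CNAME", "image.dhgate.com.cdn20.com."),
    ("authority", ".", "NS", "a.root-servers.net."),
]
EXAMPLE_3 = [  # the same CNAME record twice
    ("answer", "www.smilebox.com.", "CNAME", "www.g.smilebox.com."),
    ("answer", "www.smilebox.com.", "CNAME", "www.g.smilebox.com."),
    ("authority", "smilebox.com.", "NS", "ns1.smilebox.com."),
]


def group_rrsets(records):
    """First pass: (section, owner, type) -> list of rdata, duplicates kept."""
    rrsets = defaultdict(list)
    for section, owner, rtype, rdata in records:
        rrsets[(section, owner.lower(), rtype)].append(rdata)
    return rrsets


def evaluate(qname, qtype, records):
    """Decide what a cautious resolver does with this response."""
    qname = qname.lower()
    rrsets = group_rrsets(records)
    cname = rrsets.get(("answer", qname, "CNAME"))
    if cname is None:
        return {"action": "accept",
                "answers": rrsets.get(("answer", qname, qtype), []),
                "ignored": []}
    if len(cname) != 1:
        # Example-2 and Example-3: more than one CNAME record at one owner name.
        return {"action": "reject",
                "reason": "%d CNAME records at %s" % (len(cname), qname),
                "ignored": []}
    # Example-1: stop at the CNAME and ask the target ourselves. The rest of
    # the answer section and any CNAME in the additional section is not used,
    # so a server cannot push unrelated names into the cache this way.
    ignored = [key for key in rrsets
               if (key[0] == "answer" and key != ("answer", qname, "CNAME"))
               or (key[0] == "additional" and key[2] == "CNAME")]
    return {"action": "requery", "target": cname[0], "ignored": sorted(ignored)}


if __name__ == "__main__":
    print(evaluate("after12.failblog.org.", "A", EXAMPLE_1))
    print(evaluate("image.dhgate.com.", "A", EXAMPLE_2))
    print(evaluate("www.smilebox.com.", "A", EXAMPLE_3))
```

This is the narrowest reading of Mark's description: the vip-lb A records in Example-1 are real, but the resolver only learns that by asking for them itself, which is the cost Chuck's "paranoid nameserver" remark refers to.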

Re: CNAME Rules

2012-06-25 Thread Chuck Swiger
On Jun 25, 2012, at 2:34 PM, Srinivas Krishnan wrote:
> You are using a caching resolver to check the responses and you only see
> response after its been resolved by Google's DNS server.

The overwhelming majority of Internet users are using caching resolvers running 
at their ISP, employer, etc.  :-)

> Try dig @ns1.wordpress.com after12.failblog.org. to see the actual records
> that you would receive if you were a DNS server performing an authoritative
> query to wordpress.
>
> Is having a CNAME in the additional section regular CNAME chaining? My
> understanding was that additional sections do not contain CNAMEs.

The wordpress nameserver is hoping to short-circuit a series of requests 
following the CNAME chain by including the data in the additional section:

% dig after12.failblog.org. @ns1.wordpress.com
[ ... ]
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27255
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 6, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;after12.failblog.org.  IN  A

;; ANSWER SECTION:
after12.failblog.org.   3600IN  CNAME   chzallnighter.wordpress.com.
vip-lb.wordpress.com.   300 IN  A   74.200.247.187
vip-lb.wordpress.com.   300 IN  A   74.200.247.59
vip-lb.wordpress.com.   300 IN  A   76.74.255.117
vip-lb.wordpress.com.   300 IN  A   72.233.104.123
vip-lb.wordpress.com.   300 IN  A   72.233.127.217
vip-lb.wordpress.com.   300 IN  A   76.74.255.123

;; AUTHORITY SECTION:
wordpress.com.  14400   IN  NS  ns1.wordpress.com.
wordpress.com.  14400   IN  NS  ns2.wordpress.com.
wordpress.com.  14400   IN  NS  ns3.wordpress.com.
wordpress.com.  14400   IN  NS  ns4.wordpress.com.
wordpress.com.  14400   IN  NS  ns5.wordpress.com.
wordpress.com.  14400   IN  NS  ns6.wordpress.com.

;; ADDITIONAL SECTION:
chzallnighter.wordpress.com. 300 IN CNAME   vip-lb.wordpress.com.
ns1.wordpress.com.  14400   IN  A   72.233.69.14
ns2.wordpress.com.  14400   IN  A   76.74.159.137
ns3.wordpress.com.  14400   IN  A   64.34.177.159
ns4.wordpress.com.  14400   IN  A   72.233.104.98
ns5.wordpress.com.  14400   IN  A   69.174.248.140
ns6.wordpress.com.  14400   IN  A   64.34.174.135

A paranoid nameserver would discard the A records in the ANSWER section and the 
CNAME for ADDITIONAL SECTION as not matching the query, but then it would have 
to follow the CNAME and look those records up anyway...

Regards,
-- 
-Chuck



Re: CNAME Rules

2012-06-25 Thread Srinivas Krishnan
Mark,

Is the first parsing step over both the Answer and Additional sections? I was 
under the impression that named parses the response into RRsets from the Answer 
section and, if there is a CNAME chain within the same zone, it follows the 
chain as well. But no additional sections are checked for CNAMEs. Is that 
correct?

-srinivas

On Monday, June 25, 2012 5:53:04 PM UTC-4, Mark Andrews wrote:
 In message 
 CA+zrinE1sHkojS1fCNdcgZtF-+QQrTkqmRcfXZ1kUiBr=sq...@mail.gmail.com
 , Srinivas Krishnan writes:
  The RFC rules on CNAMEs is fairly tight but I am seeing an increasing
  amount of traffic with misconfigured CNAMEs some of which are accepted
  by BIND as valid responses. The examples capture three trends, note
  these are actual responses:
 
   Named first parses the response to extract the records into
   RRsets.  Responses with multiple CNAMES are detected at
   this point and get rejected.  Named then tries to interpet
   the parsed message and once it has seen the CNAME and
   associated RRSIGs it stops processing the result and issues
   a new query for the target of the CNAME.  This is done to
   stop the cache being poisoned.
 
  1) Example-1: CNAME in the additional section necessary to finish
  processing of response. BIND accepts this as valid:
  
  proto: DNS: id=febd qr=1 QUERY AA NOERROR qdcount=1 ancount=7
  nscount=6 arcount=7
  query: after12.failblog.org. A IN
  answer: after12.failblog.org. CNAME IN TTL=3600 chzallnighter.wordpress.com.
  answer: vip-lb.wordpress.com. A IN TTL=300 72.233.104.123
  nameserver: wordpress.com. NS IN TTL=14400 ns1.wordpress.com.
  nameserver: wordpress.com. NS IN TTL=14400 ns2.wordpress.com.
  additional: chzallnighter.wordpress.com. CNAME IN TTL=300
  vip-lb.wordpress.com.
  additional: ns1.wordpress.com. A IN TTL=14400 72.233.69.14
  additional: ns2.wordpress.com. A IN TTL=14400 76.74.159.137
  
  2) Example-2: Multiple CNAMEs with same label but different data, BIND
  finds this to be incorrect and retries if another nameserver is
  available:
  
  
  proto: DNS: id=8faa qr=1 QUERY AA NOERROR qdcount=1 ancount=2 nscount=13
  query: image.dhgate.com. A IN
  answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.chinacache.net.
  answer: image.dhgate.com. CNAME IN TTL=7200 image.dhgate.com.cdn20.com.
  nameserver: . NS IN TTL=518400 a.root-servers.net.
  nameserver: . NS IN TTL=518400 b.root-servers.net.
  nameserver: . NS IN TTL=518400 c.root-servers.net.
  
  3) Example-3: Multiple CNAMEs with the same label and data, BIND finds this to
  be incorrect as well and retries.
  
  proto: DNS: id=a0f6 qr=1 QUERY AA NOERROR qdcount=1 ancount=2
  nscount=3 arcount=3
  query: www.smilebox.com. A IN
  answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
  answer: www.smilebox.com. CNAME IN TTL=3600 www.g.smilebox.com.
  nameserver: smilebox.com. NS IN TTL=86400 ns1.smilebox.com.
  nameserver: smilebox.com. NS IN TTL=86400 ns2.smilebox.com.
  nameserver: smilebox.com. NS IN TTL=86400 ns3.smilebox.com.
  additional: ns1.smilebox.com. A IN TTL=86400 207.66.132.8
  additional: ns2.smilebox.com. A IN TTL=86400 216.218.214.52
  additional: ns3.smilebox.com. A IN TTL=86400 71.164.20.101
  
  
  My question really is: what are the rules governing CNAME processing in
  BIND, and why is Example-1 allowed as valid?
  
  
  -srinivas

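The rules stated in this thread can be written down as a small checker: Mark's point that a response carrying more than one CNAME record at one owner name is rejected at parse time and that named stops at the first CNAME and re-queries, and Chuck's "paranoid nameserver" that drops ANSWER records not on the chain from the question name and ignores a CNAME placed in the ADDITIONAL section. The code below is an added example written for this page; it is not BIND code and not posted by anyone in the thread. It parses dig-style presentation text, and the two embedded responses are constructed samples transcribed from the outputs quoted above and trimmed to a few records per section. The function names parse_dig, check_cname_rules and audit are my own.

```python
"""CNAME-chain sanity check for a DNS response in dig presentation format.

Added example (not BIND code). Rules applied, as discussed in the thread:
  1. More than one CNAME record at the same owner name (Example-2/3)
     makes the whole response unusable.
  2. From the question name, follow only CNAMEs found in the ANSWER
     section. Records whose owner is not on that chain are discarded and a
     CNAME in the ADDITIONAL section does not extend the chain. If the chain
     ends on a name with no ANSWER data, the resolver must query it afresh.
"""
from collections import defaultdict

# Constructed sample, transcribed from the dig output quoted in this thread
# and trimmed to a few records per section.
WORDPRESS_RESPONSE = """\
;; QUESTION SECTION:
;after12.failblog.org.  IN  A

;; ANSWER SECTION:
after12.failblog.org.        3600  IN  CNAME  chzallnighter.wordpress.com.
vip-lb.wordpress.com.        300   IN  A      74.200.247.187
vip-lb.wordpress.com.        300   IN  A      76.74.255.123

;; AUTHORITY SECTION:
wordpress.com.               14400 IN  NS     ns1.wordpress.com.

;; ADDITIONAL SECTION:
chzallnighter.wordpress.com. 300   IN  CNAME  vip-lb.wordpress.com.
ns1.wordpress.com.           14400 IN  A      72.233.69.14
"""

# Constructed sample in the same format, reproducing Example-2 (two CNAME
# records at one owner with different targets).
DHGATE_RESPONSE = """\
;; QUESTION SECTION:
;image.dhgate.com.  IN  A

;; ANSWER SECTION:
image.dhgate.com.  7200  IN  CNAME  image.dhgate.chinacache.net.
image.dhgate.com.  7200  IN  CNAME  image.dhgate.com.cdn20.com.
"""


class BadResponse(Exception):
    """Raised when the response breaks a CNAME rule and must be discarded."""


def parse_dig(text):
    """Return (qname, sections): sections maps ANSWER/AUTHORITY/ADDITIONAL to
    lists of (owner, ttl, rtype, rdata) with names lower-cased."""
    qname, section, sections = None, None, defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-len(" SECTION:")]
            continue
        if line.startswith(";"):
            if section == "QUESTION":
                qname = line[1:].split()[0].lower()
            continue                      # any other dig commentary
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        sections[section].append((owner.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return qname, sections


def check_cname_rules(qname, sections):
    """Return (kept, restart): the ANSWER records a cautious resolver may use,
    and the CNAME target it still has to query itself (None if the chain is
    complete within ANSWER)."""
    # Rule 1: count CNAME records per owner across every section; duplicates
    # with identical rdata (Example-3) count as well.
    per_owner = defaultdict(int)
    for rrs in sections.values():
        for owner, _ttl, rtype, _rdata in rrs:
            if rtype == "CNAME":
                per_owner[owner] += 1
    bad = sorted(o for o, n in per_owner.items() if n > 1)
    if bad:
        raise BadResponse("multiple CNAME records at " + ", ".join(bad))

    # Rule 2: walk the chain using ANSWER-section CNAMEs only.
    answer = sections.get("ANSWER", [])
    kept, current, seen = [], qname, set()
    while current not in seen:            # 'seen' also stops CNAME loops
        seen.add(current)
        at_owner = [rr for rr in answer if rr[0] == current]
        kept.extend(at_owner)
        cnames = [rr for rr in at_owner if rr[2] == "CNAME"]
        if not cnames:
            break
        current = cnames[0][3]
    unresolved = current != qname and not any(rr[0] == current for rr in answer)
    return kept, (current if unresolved else None)


def audit(text):
    """Parse and check one response; never raises, so it is easy to log."""
    qname, sections = parse_dig(text)
    try:
        kept, restart = check_cname_rules(qname, sections)
    except BadResponse as exc:
        return {"verdict": "reject", "reason": str(exc)}
    return {"verdict": "accept", "kept": kept, "restart": restart}


if __name__ == "__main__":
    for name, text in (("wordpress", WORDPRESS_RESPONSE), ("dhgate", DHGATE_RESPONSE)):
        print(name, audit(text))
```

Run against the wordpress response, only the after12.failblog.org. CNAME survives: the vip-lb.wordpress.com. A records are off the chain and the CNAME in ADDITIONAL is never consulted, so the checker reports chzallnighter.wordpress.com. as the name that still has to be queried. The dhgate response is rejected outright on the duplicate CNAME owner. Paste any other dig output into the same functions to see how a strict resolver would treat it.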


Re: CNAME Rules

2012-06-25 Thread Srinivas Krishnan
Chuck,

I am talking from the point of view of a DNS server, not a client resolver. 
Anyway, note that the entire CNAME chain is from the same wordpress zone, so 
the chain should be followed without requiring an additional query and there is 
no need to try to short-circuit the process by adding it to the Additional 
section. Am I wrong?

-srinivas

On Monday, June 25, 2012 5:55:50 PM UTC-4, Chuck Swiger wrote:
 The wordpress nameserver is hoping to short-circuit a series of requests 
 following the CNAME chain by including the data in the additional section:
 
 [ ... ]
 
 A paranoid nameserver would discard the A records in the ANSWER section and 
 the CNAME for ADDITIONAL SECTION as not matching the query, but then it would 
 have to follow the CNAME and look those records up anyway...
 
 Regards,
 -- 
 -Chuck



Duplicates in newsgroup gateway

2012-06-25 Thread Barry Margolin
I read bind-users through the comp.protocols.dns.bind newsgroup. I'm 
seeing lots of duplicate posts. Most of the replies in the CNAME Rules 
thread showed up twice.

Is there a problem with the gateway?

-- 
Barry Margolin
Arlington, MA


Re: Duplicates in newsgroup gateway

2012-06-25 Thread David Ford

it's posted 2x, slightly different.

To: comp.protocols.dns.b...@googlegroups.com
To: comp-protocols-dns-b...@isc.org

both cc the newsgroup

-david

On 06/25/2012 06:11 PM, Barry Margolin wrote:

I read bind-users through the comp.protocols.dns.bind newsgroup. I'm
seeing lots of duplicate posts. Most of the replies in the CNAME Rules
thread showed up twice.

Is there a problem with the gateway?






Re: Duplicates in newsgroup gateway

2012-06-25 Thread Dan Mahoney


On Mon, 25 Jun 2012, David Ford wrote:

 it's posted 2x, slightly different.
 
 To: comp.protocols.dns.b...@googlegroups.com
 To: comp-protocols-dns-b...@isc.org

I suspect this is an artifact of people starting a thread one place and 
cc'ing one reflector or the other.  I'll see if I can reach out to the 
googlegroups folks and figure a way to sort this.

-Dan
