Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
On Wed, 2017-07-12 at 16:21 -0500, b...@zq3q.org wrote:
> OK, I'm ready to consider other registrars, any suggestions
> would be appreciated.

I like gkg.net - they have an API so you can automatically upload new DS
records when you do DNSSEC key rollovers.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
On 07/12/2017 03:21 PM, b...@zq3q.org wrote:
> OK, I'm ready to consider other registrars, any suggestions would be
> appreciated.

$Dynadot++ has been good to me. I can pay them via PayPal and they
support DS records for DNSSEC if you eventually want to mess with that.
 - I think they were reasonably priced too.

I dislike the following and voted by spending my money elsewhere.

$GoDaddy-- They try to up sell you every chance they get and IMHO their
web UI tries to make every possible chance to up sell possible.

$Hover-- Formerly "It's Your Domain" (who was decent) changed to Hover
and seemed to be a registrar as a side need of a different service they
were selling. They really put me off.

-- 
Grant. . . .
unix || die
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
Hi Reindl:

On Tue 7/11/17 18:05 +0200 Reindl Harald wrote:
>
> On 11.07.2017 at 15:57, b...@zq3q.org wrote:
> > Assume I register domain 'mynew.org' with registrar namecheap; and as an
> > exercise, I plan to set up my own two authoritative DNS nameservers for
> > 'mynew.org'.
> >
> > I have several linux VMs, that are underused, so I want to use them
> > for the nameservers for 'mynew.org'. **Neither are in 'mynew.org';
> > is that going to work?**
> >
> > namecheap support seems to suggest that the personal DNS authoritative
> > nameservers for 'mynew.org', must be in 'mynew.org', as in
> >
> > ns1.mynew.org
> > ns2.mynew.org
>
> for sure not
> and i am responsible for both zones and some hundred others
> on that nameservers over 15 years

Thanks for confirming.

> https://intodns.com/rhsoft.net confirms that all is fine

Thanks for this tool!

> and when your
> registrar really has such crazy requirements switch to a sane one -
> frankly it's even not helpful in case you need to switch nameservers
> because in the case above they become GLUE records with a TTL of 172800
> independent from the zone TTL

OK, I'm ready to consider other registrars, any suggestions
would be appreciated.

https://www.gandi.net/ has been suggested by Matthew Seaman.
Looks good to me.

related rant: http://zq3q.org/pz/#zycbu_Choosing_a_DNS_registrar

> i had to switch a server which hosted websites and one of the
> nameservers (i know don't mix it) to a different machine some years ago
> and it was not funny that it took ages until webclients used the new IP
> address while DNS would not have been a problem by just keep the old one
> as additional slave until shut it down
>
> ns1.thelounge.net. ['85.124.176.242'] [TTL=172800]
> ns2.thelounge.net. ['91.118.73.16'] [TTL=172800]
>
> [harry@rh:~]$ whois rhsoft.net
> ...
> Name Server: ns1.thelounge.net
> Name Server: ns2.thelounge.net
> DNSSEC: Unsigned
>
> [harry@rh:~]$ dig NS rhsoft.net @ns1.thelounge.net
> ; <<>> DiG 9.10.5-P2-RedHat-9.10.5-2.P2.fc25 <<>> NS rhsoft.net
> @ns1.thelounge.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27172
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1024
> ;; QUESTION SECTION:
> ;rhsoft.net.                    IN      NS
>
> ;; ANSWER SECTION:
> rhsoft.net.             86400   IN      NS      ns2.thelounge.net.
> rhsoft.net.             86400   IN      NS      ns1.thelounge.net.

--snip

On Tue 7/11/17 21:33 +0200 Reindl Harald wrote:

--snip

> > What is a domain registrar with good support, that can guide me through
> > getting this to work under linux (fedora 24 and bind 9.x)? I can buy a new
> > domain if need be.
>
> no need - you can transfer your domains at any point in time

Thanks. I may as well learn that process.

--snip

>
> in case of .at we are directly registrar and our infrastructure talks
> directly via
> https://en.wikipedia.org/wiki/Extensible_Provisioning_Protocol to

Thx for the above link.

> nic.at, for other TLD's we use https://www.epag.de/ which belongs in the
> meantime to GoDaddy

Thx, I looked at https://www.epag.de/en/

> it should not be that hard to find a service which let you define the
> nameservers of your domain - if it's a registrar on its own or a
> reseller doesn't matter that much because the only point is whatever
> interface that let you define "these hosts are the nameservers for
> example.com"

-- 
regards, Tom
Re: Automatic RRSIG Refresh in BIND 9.8.2
Latitude wrote:
>
> Should DNSSEC key signing keys and zone signing keys also be located in a
> directory inside the /dynamic directory? Would it be acceptable to have them
> in a directory such as /var/named/chroot/etc/keys/dnssec?

On my master server I have zone files and journals in a .../zone/
directory writable by named, and DNSSEC keys in a different .../key/
directory read-only for named, but writable by a semi-privileged user that
is responsible for key maintenance.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Shannon: Variable 3, becoming west 4 or 5. Moderate. Occasional drizzle.
Moderate or good.
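Added example, not part of Tony's message and not BIND code: a Python check that the zone directory is writable by the account named runs as, while the key directory is readable but not writable by it. It looks only at ownership and mode bits; the uid/gid values and directory paths are assumptions supplied by the caller, and ACLs, root and SELinux are not considered.

```python
"""Audit the zone/key directory split for named (added example; stat-based only)."""
import os
import stat


def access_for(path, uid, gids):
    """Return (can_list, can_modify) on a directory for a non-root uid/gid set,
    using the classic owner -> group -> other mode-bit evaluation."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        r, w, x = stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        r, w, x = stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP
    else:
        r, w, x = stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH
    search = bool(mode & x)  # without search permission nothing inside is usable
    return search and bool(mode & r), search and bool(mode & w)


def audit_layout(zone_dir, key_dir, named_uid, named_gids):
    """List deviations from: zone dir writable by named, key dir read-only."""
    findings = []
    _, zone_w = access_for(zone_dir, named_uid, named_gids)
    key_r, key_w = access_for(key_dir, named_uid, named_gids)
    if not zone_w:
        findings.append("named cannot write zone dir (journals, signed zones)")
    if not key_r:
        findings.append("named cannot read key dir")
    if key_w:
        findings.append("named can write key dir")
    if stat.S_IMODE(os.stat(key_dir).st_mode) & stat.S_IRWXO:
        findings.append("key dir is accessible to other users")
    return findings
```

An empty list from `audit_layout` means the split matches the layout described above; the key-maintenance user would normally own the key directory, with named reaching it through group permissions.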
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
b...@zq3q.org wrote:
> One of my real hosts is below xen.prgmr.com, like the fake 'zap' above,
> so I would have to email prgmr.com support to get them to add
>
> mynew.org. IN NS zap.xen.prgmr.com.
> ^^^ << Is this valid?
>
> to the xen.prgmr.com zone.

There's a bit of confusion here, but this is a legitimately confusing part
of the DNS because there are multiple layers of indirection and two kinds
of indirection...

The first kind there are the delegation records in the parent zone, and
the authoritative records at the apex of the child zone.

The other kind, zones have name servers, and name servers have addresses.

For example, my zone is dotat.at. It has the name servers

dotat.at.               3600    IN      NS      ns1.gratisdns.dk.
dotat.at.               3600    IN      NS      ns3.gratisdns.dk.
dotat.at.               3600    IN      NS      grey.dotat.at.
dotat.at.               3600    IN      NS      puck.nether.net.

For a correct delegation, these NS records have to appear in the parent
zone (which I configure through my registrar) and at the apex of my zone
(on my master server, alongside the SOA etc.).

The second level of indirection is from name server names to addresses.
These are just normal hostname address records, so they appear in the
authoritative zones indicated by their names.

(You seemed to be confused about where NS records live. I hope this
clarified it for you!)

(To make GratisDNS and Puck authoritative for my zone, I used their user
interfaces to ask them to act as secondaries, telling them what my master
server IP addresses are. No changes to their DNS records, just their
server configuration which isn't visible from the outside.)

But, there's also glue. Glue is a special case for name server hostnames
which are in the child zone - in my example this applies to grey.dotat.at.
These hostnames need address records in the delegation to avoid a circular
dependency.

$ dig +noall +additional grey.dotat.at @d.ns.at
grey.dotat.at.          10800   IN      A       131.111.57.57
grey.dotat.at.          10800   IN      AAAA    2001:630:212:110::d:7a7

You configure your glue records through your registrar alongside your
delegation NS records. Usually you get to specify a list of nameserver
names, each with optional addresses - you only need to specify the
addresses when the hostname is in the child zone.

Basically what you are doing with this registrar user interface is
providing a COPY of data from the delegated zone: the apex NS records, and
any addresses of nameservers whose hostnames are inside the delegated
zone.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Fisher: Northwesterly 5 to 7, occasionally gale 8 in east. Moderate or rough.
Showers. Good.
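Added example, not part of Tony's message: a Python sketch of the consistency check his explanation implies, comparing the NS set held by the parent with the NS set at the child apex and working out which nameserver names sit inside the delegated zone and therefore need glue. The function names are illustrative and the record sets are constructed from the dotat.at and mynew.org names used in the thread.

```python
"""Delegation consistency and glue check (added example; names are illustrative)."""


def norm(name):
    """Lower-case a DNS name and drop the trailing dot for comparison."""
    return name.rstrip(".").lower()


def in_zone(host, zone):
    """True if host is at or below zone, matching on whole labels only."""
    h, z = norm(host).split("."), norm(zone).split(".")
    return len(h) >= len(z) and h[-len(z):] == z


def check_delegation(zone, parent_ns, apex_ns, glue):
    """Compare parent-side and apex NS sets and report glue problems.

    parent_ns / apex_ns: iterables of nameserver host names.
    glue: dict mapping nameserver name -> list of addresses held by the parent.
    """
    parent = {norm(n) for n in parent_ns}
    apex = {norm(n) for n in apex_ns}
    glue = {norm(k): v for k, v in glue.items()}
    needs_glue = {n for n in parent if in_zone(n, zone)}
    return {
        "only_in_parent": sorted(parent - apex),
        "only_in_apex": sorted(apex - parent),
        "needs_glue": sorted(needs_glue),
        "missing_glue": sorted(n for n in needs_glue if not glue.get(n)),
    }


# Constructed sample data based on the names used in the thread.
DOTAT_NS = ["ns1.gratisdns.dk.", "ns3.gratisdns.dk.",
            "grey.dotat.at.", "puck.nether.net."]
DOTAT_GLUE = {"grey.dotat.at.": ["131.111.57.57", "2001:630:212:110::d:7a7"]}

if __name__ == "__main__":
    # Consistent delegation: only the in-zone server needs glue, and it has it.
    print(check_delegation("dotat.at.", DOTAT_NS, DOTAT_NS, DOTAT_GLUE))
    # Nameserver outside mynew.org: no glue is required for it.
    print(check_delegation("mynew.org.", ["zap.xen.prgmr.com."],
                           ["zap.xen.prgmr.com."], {}))
    # In-zone nameservers registered without addresses, and the apex set
    # lagging behind the registrar: both problems are reported.
    print(check_delegation("mynew.org.", ["ns1.mynew.org.", "ns2.mynew.org."],
                           ["ns1.mynew.org."], {}))
```

In practice the two NS sets would come from querying a parent-zone server and one of the zone's own servers; here they are passed in so the comparison runs offline.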