Sometimes you have to do things like hiding your version just because it
came up on the security audit. It's a lot easier to make them shut up
by doing what they want than by explaining to them that what they want
is meaningless.
-Original Message-
From:
] On Behalf
Of Matus UHLAR - fantomas
Sent: Wednesday, January 20, 2010 3:53 AM
To: bind-users@lists.isc.org
Subject: Re: Server overwhelmed by rejections?
On 19.01.10 08:29, Lightner, Jeff wrote:
Luckily my machines have enough horsepower not to shut down from this
but I have on occasion seen the CPU
it is at least I can look at upgrading
or
downgrading to solve the issue.
-Original Message-
From: Lightner, Jeff [mailto:jlight...@water.com]
Sent: 03 February 2010 15:37
To: Duncan Berriman; bind-users@lists.isc.org
Subject: RE: Host/nslookup/dig queries wrong server
Interesting
I'm assuming you downloaded the ISC source rather than RedHat or CentOS.
RedHat back ports bug and security fixes from later BIND versions into
their BIND 9.3.6 implementation (which is why there is extra versioning
in their package names). Since CentOS is built from RedHat source and
both
It changed between 9.3 and 9.4.
See this link:
http://support.menandmice.com/jforum/posts/list/25.page
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Riccardo Castellani
Sent:
I'm running 9.3 on RHEL 5.4.
My options are:
options {
directory "/var/named";
query-source address 10.0.0.3;
allow-query { internaldns; externaldns; dswadnsalias; };
allow-recursion { internaldns; externaldns; };
blackhole { blackhats; };
version
You need an A record for the domain itself:
superease.net. IN A 202.68.195.36
www IN A 202.68.195.36
The first one (terminated by the dot) tells it lookup for the domain
name superease.net itself. The dot is important - without it this
would try to lookup
to the same IP for the
domain.
-Original Message-
From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr]
Sent: Tuesday, February 23, 2010 10:01 AM
To: Lightner, Jeff
Cc: Cefull Lo; bind-users@lists.isc.org
Subject: Re: no hostname become unresolvable.
On Tue, Feb 23, 2010 at 09:50:29AM
it as if it is a non-issue but I suspect they'd balk at such
a request.
-Original Message-
From: Jonathan de Boyne Pollard
[mailto:j.deboynepollard-newsgro...@ntlworld.com]
Sent: Wednesday, February 24, 2010 4:36 AM
To: Lightner, Jeff; BIND users mailing list
Subject: Re: Query denied
From the BCP79 referenced at top of the draft:
d. Internet-Draft: temporary documents used in the IETF and RFC
Editor processes. Internet-Drafts are posted on the IETF web site
by the IETF Secretariat and have a nominal maximum lifetime in the
Secretariat's public directory of
Modern being?
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Alan Clegg
Sent: Wednesday, March 10, 2010 2:25 PM
To: bind-users@lists.isc.org
Subject: Re: recursion
ic.nssip wrote:
I too found it best to have them be separate even if they contain the
same data. For me I had an internal and external view - the external
was my original zone so I made that my external view then simply
prepended internal- to the zone file name in the internal view. That
way all my internal
Maybe it's a difference between udp and tcp in your firewall?
For most queries udp 53 is used but for long packets it might switch to
tcp 53 - since you're doing an any you're going to get a lot more data.
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
Anyway his issue wasn't with Qmail (if it had been internal lookups
would have failed as well). It was before that while trying to do a DNS
resolution. As OP indicated it turned out it was a rule in his PIX
blocking it from external so it wasn't really a BIND issue either.
-Original
The CentOS stuff is built from RHEL sources so the basic repositories
wouldn't have a newer BIND base package than RHEL. However, as noted
previously the RHEL provided package includes backports of later BIND
base versions for bug and security fixes.
Of course you can always install a later BIND
That answer seems to imply that when load is high enough on existing
caching servers the traffic will go to the others. Is that the case?
At what point does this occur?
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
Did I misread your original problem? I thought you said it worked if
you had only one of the nameservers in resolv.conf. You didn't state
but I assume (that word again) that you meant if either of your
nameservers was there by itself it worked?
Why would a recursion issue not come into play
?
That link only shows the IP you came from and does a reverse lookup on
it. It doesn't seem to say anything about the nameserver.
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of
I'm sure that's all it displayed when I went to it from my Windows
desktop's browser.
-Original Message-
From: Warren Kumari [mailto:war...@kumari.net]
Sent: Monday, April 26, 2010 2:20 PM
To: Lightner, Jeff
Cc: Josh Kuo; bind-us...@isc.org
Subject: Re: dig +trace to find all
On most *nixes ps only shows the process and not the thread though they
may have tools to see thread information.
Linux will show you the threads as if they were processes.
From CentOS5 (linux) man page:
To get info about threads:
ps -eLf
ps axms
I fear I've missed something important.
My Network admin is saying his understanding is we MUST make changes for
this 5/5 change on the root servers. I was under the impression that
until we decide to implement DNSSEC ourselves we don't need to do
anything on our end to continue resolving.
:36 PM, Lightner, Jeff wrote:
It sounds as if he read an article saying we have to implement DNSSEC
on
our DNS servers or we'll quit working on 5/5? Is that the case?
Also what is the drop dead date/time if so? 5/5 Midnight UTC? Some
other time?
You don't need to do anything more than
To follow up on Peter's question what does it mean if one sees the
reply size limit is at least with a value lower than the advertised
EDNS buffer size?
This link talks about various scenarios but not that one so I'm not sure
if this means Peter and I need to be concerned.
I saw similar results
Feher
Sent: Monday, May 03, 2010 4:10 PM
To: bind-us...@isc.org
Subject: Re: Preparing for upcoming DNSSEC changes on 5/5
On 3/05/10 9:54 PM, Lightner, Jeff jlight...@water.com wrote:
On doing that however, I now see the advertised value is 3839 but the
at least value is 3828 on one and 3827
for upcoming DNSSEC changes on 5/5
On 3/05/10 7:34 PM, Lightner, Jeff jlight...@water.com wrote:
There is no EDNS entry in my named.conf. Do I need one, given that
above worked?
You probably should. Your resolver is saying it's capable of handling
4096,
but apparently your network path may
I was using the Java tester on a Windows system and saw the same
4096/3843 as I'd seen with DIG and just now noticed this comment in its
results:
Note: There will always be a difference between the announced and
measured buffer size because of the algorithm used. However this
difference should
The point in my anecdote and the quote from the test was to say that
you do NOT need to set the value if you're getting something within 300
bytes of the advertised value. You are as I was so do not need to set
it.
It may be the person that suggested setting it was under the
misapprehension
8:30 EDT 05/05/2010 and the world hasn't ended here yet.
We can celebrate Cinco de Mayo in peace. If only I didn't detest
tequila.
Side note: I've actually been to Puebla Mexico which is where the
battle that Cinco de Mayo commemorates took place.
-Original Message-
From:
They can't fool us - we know it was caused by the J server DNSSEC issue.
:-)
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Jack Tavares
Sent: Thursday, May 06, 2010 2:17 PM
To:
I don't understand that.
Are you saying that dnssec-validation no; is in your named.conf or are you
saying you don't believe it is necessary to set it there because by default
validation is off? If the latter what does it hurt to try it? Obviously
something isn't working the way you expect or
Hah! Convincing PHBs that a mature OS like Windows is broken as
compared to that weird UNIX/Linux stuff is like convincing the Amish
that horse drawn plows aren't the best way to improve crop yields.
You're fighting a religious battle in both cases.
-Original Message-
From:
Do they all actually use separate IPs?
Here we have multiple domains that all go to the same web server many of
which are going to the same NATed IP. For those we just create a zone
(e.g. okstate-aliases) with standard setup and then the A record we have
is for @ like:
@ IN SOA
No but you set notify-source and transfer-source to the IP of the NIC that you
want to handle the view. That effectively restricts the traffic for that view
to the specific NIC. (Note this is the NIC's internal IP not any NAT ip you
might have redirected to that internal IP.)
-Original
This is to say the limitation is the 32 bit not the Solaris. You have
the same limit in HP-UX 32 bit, Linux 32 bit etc...
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Stacey
Blackhole isn't better IMHO because I found in the past that they still try
your server ad nauseam even though they're blocked - blocking at iptables is
doing it at kernel level before BIND. However it does work and is certainly
one way to do it especially on systems that don't have their own
Yes - I had already written him off list in reply to an email he sent me and
pointed it out. It also only blocks port 53 so if he had other ports open the
script kiddie would still be able to see those other ports.
-Original Message-
From:
2 rules aren't needed if you don't specify protocol and port in the first one.
It simply drops ALL traffic from that IP.
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Lyle
Giese
It comes right up in Firefox but prompts for a username and password.
Dig shows:
dig www.ncbi.nlm.nih.gov
; DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 www.ncbi.nlm.nih.gov
;; global options: printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 22983
;; flags: qr rd ra; QUERY:
What is so obvious about it not being down? If folks like ATT and
other major corporations could have outages I don't see any reason why
this one couldn't.
Note that you typed rimm.com (two m's) not rim.com. The former has
a red WOT rating so I suspect it is used to spoof the latter but
From our ATT based network it works but the individual server digs (dns1
dns2) were significantly slower than the dig in which I didn't specify a
server.
$ dig @dns2.mbc.irides.com www-mbclive.mbc.irides.com
; DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 @dns2.mbc.irides.com
In views order is important. If you have internal before others (e.g.
external) then that is the default view.
What I *think* it is telling you is that if you have an internal view that you
restrict to certain networks that you need to insure you have all the public
zones in the
/etc = named.conf, rndc.conf and other config files
/var/named = zone files.
Are you running just bind or bind-chroot? If the latter then named.conf
goes in /var/named/chroot/etc rather than /etc and the zone files go
into /var/named/chroot/var/named instead of /var/named.
You can configure
No the prior poster was correct - you can do chroot or SELinux or both.
While it is true that RedHat teaches SELinux and ships it you can always
disable it if you prefer not to use it. You are asked during the
install of the OS and you can disable it or enable it any time you want
after the
Up until Bill came out with NT with the stated intention of killing UNIX
I was somewhat of an M$ fan (over Apple that is). All he really
succeeded in killing was Netware. Now years later Apple is running a
UNIX based OS - go figure.
-Original Message-
From:
And of course VMWare is 80% owned by EMC:
http://www.boston.com/business/technology/articles/2010/03/03/emc_to_maintain_80_vmware_stake/
-Original Message-
From: Dale Kiefling [mailto:dale.kiefl...@cbsinteractive.com]
Sent: Friday, September 24, 2010 1:46 PM
To: Lightner, Jeff
Cc
Of course some versions of nslookup aren't standard even for nslookup.
The one on HP-UX actually interrogates local /etc/hosts file if
nsswitch.conf says to use files first. I got so used to doing that for
years that when I tried to use nslookup on Linux back in 2005 I was
miffed because it was
Can you share what you're talking about since it appears you're saying
you got the reply off list?
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Martin McCormick
Sent: Wednesday,
You're saying it's getting the records because they are cached at org?
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Mark Andrews
Sent: Friday, October 15, 2010 9:21 AM
To: Tech W.
iptables is available in most Linux distros and it is definitely better
to block things there than in BIND itself.
I don't know that BIND has a rate limiter. It DOES have a blacklist
option where you can completely block a site's access to it but as noted
above it is better to do it in iptables
Some OSes provide an official BIND package and maintain it. (e.g.
RHEL 5.x uses BIND 9.3.x). This package while initially based on 9.3
from ISC may have security and/or functionality updates backported into
it from later versions of BIND.
If you are using such an official package from your OS
You would NOT use a single zone for this. Views are designed
specifically to control what is seen. However, that control is mainly
done by acl's specifying which networks access which views. Do you
assign specific subnets to each client? If so you could do this with
views but processing
was concerned about
security of each customer. This would especially be true if those
customers also had web, mail or other servers being hosted by me as
well.
-Original Message-
From: Chris Buxton [mailto:chris.p.bux...@gmail.com]
Sent: Monday, November 08, 2010 12:32 PM
To: Lightner, Jeff
Cc
I've noticed a couple of times on this list that if I post links for
certain on line sites with free tools like whois that they never seem to
make it to the list.
Is there some prohibition against posting those links that would cause
them to be filtered out? I know at least one of them also
D'oh - I realize now that the reply ONLY went to you and not to the
list.
Trying to send it to list with this reply.
-Original Message-
From: Lightner, Jeff
Sent: Thursday, November 11, 2010 9:21 AM
To: 'Torsten'
Subject: RE: Rules against links or certain links?
Yes.
I think you
Not a hole if you look at the reasoning for Fedora itself. It has a
short lifecycle and they expressly tell folks not to use it for
Production due to this. It is meant to be bleeding edge for testing the
latest/greatest. It is used as a test bed for what makes it into RHEL.
For Production
It checks for test.domain - I saw it do that for my zone. For us it
isn't a subdomain but simply an A record. Apparently when it found
your record it went ahead and did another check for your sub-zone.
I'm surprised that it does not check for ftp.zone. Whenever we're
doing acquisitions here
BIND doesn't require you to use any views by default.
The way views work one of them IS a default so order of views is important.
You would use the default as your catch all.
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
IIRC the U.S. Government last year or the year before mandated all their
sites be DNSSEC compliant by early this year. Maybe it is just a sign
they are actually doing it.
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
Haven't done it but don't see why not. Since every entry in named.conf
specifies the zone file you can definitely have multiple zones all
pointing to the same zone file. (We do that for many ancillary zones
that we want to point to our primary domain so have an aliases file that
uses the @
Linux people and their reinstalls?!
Somebody has confused Linux with Windows. We've been running RedHat
Enterprise Linux (RHEL) systems commercially for several years (including our
DNS servers) and the only time I reinstall is when I'm redeploying a system
and/or want to go to a newer major
but always knew I wasn't the tail that wags the dog.
You apparently think you are in your organization so congrats on that.
-Original Message-
From: Dan [mailto:d...@sunsaturn.com]
Sent: Friday, March 11, 2011 12:33 PM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: RE: R
If these are new servers that are only for BIND I'd suggest going with
RHEL6 rather than 5.6 - RHEL releases have very long life cycle. When
I get a spare moment I intend to update our servers to RHEL6.
We use the RHEL5 BIND package for the reasons you give. However, the
way RedHat does things
Not to mention that RedHat just announced pending EOL of RHEL4 last
week. RHEL5 has been out since around 2007 and RHEL6 was released
around the start of this year.
From: bind-users-bounces+jlightner=water@lists.isc.org
I'm wondering if the issue isn't because you've not told your ISP what
your name servers are. You have to do that for reverse delegations to
get to your servers. (This is in addition to telling your Registrar.)
-Original Message-
From:
By re-delegate do you mean at the Registrars and ISPs?
If so and if you have more than one DNS server for redundancy (as you should)
then you can replace one server at a time using the same name/IP on the new
server as on the old server. When we did this a few years back we simply
moved the
Is anyone else seeing odd results with news.google.com? My BIND 9
master and slave are getting different results. If I go out to other
sites such as Kloth.net or iptools.com they also get different results
from each other and different from what my master and slave are
reporting.
I'm
they are not in different locations or in a separate subnet is
why I don't understand why I'd be getting separate location specific
IPs handed to the two servers.
-Original Message-
From: Warren Kumari [mailto:war...@kumari.net]
Sent: Tuesday, May 24, 2011 4:06 PM
To: Lightner, Jeff
Cc: bind-users
You can blacklist things in named.conf but we've found it more efficient to
simply have iptables drop packets from the offending IPs so they never even get
to BIND.
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
Subject: RE: Getting different name resolution for news.google.com from
master and slave BIND
Lightner, Jeff wrote:
The master is dswadns1.water.com at 12.44.84.213 and the slave is
dswadns2.water.com at 12.44.84.214.
So, they leave your network in the same way, through the same router
etc
I wonder if pointing to different file names with one being a symbolic
link to the other would work? That way you'd only have to create and
update the one file but the transfer would transfer two separate files.
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
I'm not sure I agree with that - multiple single threaded processes can
be distributed across cores/CPUs. That is to say ONE single thread
process doesn't gain from multiple cores but more than one can because
they don't have to compete against each other on the same core.
-Original
Expecting the future - Planning your life around it is something sales folks
like to do and most of the rest of us call vaporware - it's always going to be
available the 2nd quarter of next year.
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
Or as previously pointed out it WILL work if you specify a name server at
invocation.
That is to say you MUST either do dig @server... OR have a resolve.conf
that specifies servers to attempt if not specified at invocation. (And before
anyone else says it - You can of course still specify a
Also has a wrong name: Should be resolv.conf NOT resolve.conf.
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of
Michael McNally
Sent: Thursday, July 28, 2011 3:47 PM
To:
input for this
command? Please don't respond that negative numbers are integers and therefore
valid - that would be pure sophistry.)
-Original Message-
From: Warren Kumari [mailto:war...@kumari.net]
Sent: Thursday, August 18, 2011 1:26 PM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Can someone give me a better explanation of why this is saying my delegation
failed than the FAQ does?
In a separate thread I saw this recommendation to another user:
I think the checking tool at
http://dnscheck.iis.se/?test=undelegated
may be what you need.
You may find it
message is trying to tell me.
-Original Message-
From: Matthew Seaman [mailto:m.sea...@infracaninophile.co.uk]
Sent: Tuesday, September 20, 2011 11:52 AM
To: Lightner, Jeff
Cc: bind-users@lists.isc.org
Subject: Re: Delegation check failed
On 20/09/2011 14:25, Lightner, Jeff wrote
I think it is safe to say the issue is the iis.se site is broken so far as
delegation test goes. Another user reported to me that he had several domains
return the same thing at this site.
Thanks everyone for the replies.
-Original Message-
From:
I was the one asking about water.com. I'd started a separate thread hoping not
to tromp on the OP of the earlier thread but apparently didn't succeed.
I know the reason for the SOA/MX report so never asked about that.
I did ask about the delegation messages but at this point as noted earlier
One thing we do is create a single alias zone with generic information in it
to have multiple zones all go to the same IP.
Typically the main zone we'll put in its own zone file and have named.conf
associate that zone with that zone file.
For other zones we tell named.conf to point to the
If you set your SOA properly to use @ (which means this zone) your A
records should be:
domain.com. A 1.1.1.1
www A 1.1.1.1
The SOA should append the domain.com to every record not terminated by a dot
so that www is read as www.domain.com. Similarly
+1
All of our redirects are either done by rewrite rules in Apache or Jboss or on
our load balancer. We don’t do any in DNS.
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On
: bind-us...@isc.org; bind-users@lists.isc.org; Lightner, Jeff
Subject: Re: CNAME or A record?
Either is fine. Using the cname would require a single update if your ip
changes, but prevents other records at the same level. So you couldn't attach
mx for instance at example.com
and that my preference was A records.
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of
wbr...@e1b.org
Sent: Wednesday, September 28, 2011 7:17 PM
To: Lightner, Jeff
Cc: bind-us...@isc.org
Right - the issue here is the lookup not the DNS record itself. On UNIX/Linux
hosts the file is /etc/resolv.conf.
However, I do see a DNS configuration issue here as well. There should NOT be
a dot after name in the A record - that tells it NOT to append the domain
name.
-Original
What do you mean you can’t have additional IPs? Even if you don’t have other
network connections you can use virtual IPs on a single NIC. I have one
server (not DNS) that has 30 virtual IPs on a single NIC.
From:
One thing that is different about nslookup on HP-UX (which doesn't have host)
is that it actually respects nsswitch.conf so will give you results from
/etc/hosts OR from name services whereas most implementations only do it from
name services.
Nslookup is deprecated meaning you should use host
So hitting yourself in the head with a shovel is better? :p
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of
David Miller
Sent: Wednesday, October 12, 2011 4:08 PM
To:
While setting up blackholes in BIND works fine when I did this on Linux I found
that setting up iptables to do drops for known bad IPs/ranges was slightly
better as the traffic never gets to BIND in the first place as it is stopped at
kernel level. It simply DROPs the packet without telling
I’m confused – does the OP want to block or does he want to redirect?
“block/redirect” are two different things. What I wrote will block. If he
wants to redirect that’s fine but I don’t think he’d want to redirect to his
real webserver – why send bogus traffic there and also take the risk
it.
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of
Michelle Konzack
Sent: Wednesday, October 26, 2011 9:01 PM
To: bind-users@lists.isc.org
Subject: Re: DNS Sinkhole in BIND
Hello Lightner, Jeff
Not an answer to your basic question but I did want to mention that on most
UNIX/Linux terminal sessions you can hit Ctrl-s to stop scrolling and
Ctrl-q to resume it.
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
You can install Cygwin under Windoze and then get most Linux packages under
that.
Alternatively you can just install the Windows zip file for BIND and use the
dig.exe it provides.
-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
ISC who makes bind doesn't support it any longer. Mark is with ISC.
What do you have this installed on? It may be something distro specific and if
so you may need to get your question answered by whoever provided it to you.
For example RedHat Enterprise Linux distributes a modified version of
Is it possible to create a zone file that only contains a CNAME?
The request I got is to create a CNAME to point shop4water.com to
shop4water.hostedbywebtstore.com.
We own shop4water.com – hostedbywebstore.com is something external that we
don’t own.
I’ve reviewed past posts and searched the
: Re: CNAME only zone?
On 09/12/11 16:25, Lightner, Jeff wrote:
Is it possible to create a zone file that only contains a CNAME?
This comes up a lot, it seems.
No. CNAME conflicts with any other record - including the SOA and NS
records required at the apex.
You will have to put an A record
@lists.isc.org] On Behalf Of
/dev/rob0
Sent: Friday, December 09, 2011 12:41 PM
To: bind-users@lists.isc.org
Subject: Re: CNAME only zone?
On Friday 09 December 2011 10:25:36 Lightner, Jeff wrote:
Is it possible to create a zone file that only contains a CNAME?
As already answered
Or you could simply put a virtual IP address on the same name server (and any
NATting required) and put it in as your second at the registrar.
That is to say the Registrar would see the same name server with two different
names and IPs so wouldn't know it was the same name server.
if a root zone is not defined in named.conf
I wonder if you really do NOT want to ever hit root zones you could make your
own entry in named.conf that points to localhost for root zone and thereby
avoid hitting any real root?
-Original Message-
From:
Just as a follow on to that prior thread.
I was able to setup the CNAME for www and * at the Registrar without A records
as indicated. Unfortunately the * at registrar equated to *. Meaning for
example ftp.mydomain.com would work with that CNAME but the domain itself,
mydomain.com, would not.