Re: A record of domain name must be name server ?

2014-09-12 Thread Matus UHLAR - fantomas

On 11.09.14 13:14, Bob Harold wrote:
> In reference to the question of using a CNAME or A record for "
> www.example.com", it seems to me that the best solution, if we could ever
> get there, would be to create a new record type that means "redirect an A
> or AAAA lookup to this other name".  Like this:
>
> example.com.  IN  SOA
> example.com.  IN  ANAME  my.webhosting.com.
> www.example.com.  IN  CNAME  my.webhosting.com.
>
> I use "ANAME" to mean "like a CNAME, but only for A and AAAA lookups", with
> no restrictions on other names with the same left side (except perhaps
> other A and AAAA records if that is necessary for technical reasons).
>
> Several DNS and hosting providers provide similar functionality, but is
> there any chance of widespread DNS support for something like this?

It's a server-side thing. The current protocol does not support redirecting
only for A and/or AAAA, nor any particular types, only everything (CNAME).

> Is there already an RFC for this?

I'm not sure whether this kind of RR should be introduced.
Maybe redirect that defines types to be redirected...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: A record of domain name must be name server ?

2014-09-11 Thread Mark Andrews

In message <5411bdd6.4010...@chrysler.com>, Kevin Darcy writes:
> (Yes, I'm aware that there was a proposal recently discussed on the 
> DNSOP list for an MX-target convention to denote "no mail service 
> offered here". That would presumably solve the problem I cited in the 
> previous paragraph. But AFAIK that proposal is many years away from 
> widespread adoption, and even if adopted, it puts an extra burden on the 
> DNS admins to populate the "no service" MX record, which, again, is 
> going to produce inconsistent results -- some admins will remember to do 
> it; many won't).

No, it's more like formalising existing practice.  Universal adoption
would be a long time off but there is a large existing base of MTA's
that will do the right thing.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: A record of domain name must be name server ?

2014-09-11 Thread Thomas Schulz
> On 9/11/2014 11:51 AM, Mark Elkins wrote:
>> On Thu, 2014-09-11 at 11:27 -0400, Kevin Darcy wrote:
>>> Mark,
>>>  Depending on implementation, a PTR RRset with multiple
>>> records either
>>>
>>> -- only ever gets answered with the "first" record of the set (in
>>> which case the second and subsequent records of the set are just a
>>> waste of space), or
>>> -- answers in a random, cyclic and/or round-robin fashion (in which
>>> case, the results are non-deterministic from the standpoint of a
>>> client, and this can cause problems and/or confusion)
>>
>> Last time I checked, ALL matching records are returned as a single
>> Resource Record Set - (and in the case of DNSSEC - covered with a single
>> signature).
>>
>> What the receiver does with it is up to that receiver... as you say -
>> some of the information may be discarded.
> If the invoker is using the classic gethostbyaddr() interface, then 
> it'll only see the RDATA from the "first" PTR RR, where "first" is 
> determined by the local nameserver implementation and/or the local 
> Operating System interface for name resolution.
>>
>>> So, although the standards allow multiple RRs, in practical terms, it
>>> only makes sense for a PTR RRset to contain a *single* RR.
>> I would still disagree. When there is forward<-->reverse checking, one
>> may need the complete answer. I certainly have some processes that do an
>> exhaustive check.
> Certainly if one gets down to the resolver-library level and grovels 
> through all of the RRs in the Answer Section of the response packet, one 
> could certainly care more than the typical reverse-resolving 
> app/subsystem would. And any software that builds up certain heightened 
> expectations is likely to complain if those expectations are not met.
> 
>  - Kevin
>>> On 9/11/2014 3:45 AM, Mark Elkins wrote:
>>>
>>>> On Wed, 2014-09-10 at 18:13 -0400, Kevin Darcy wrote:
>>>>> No, what I'm saying is that if
>>>>>
>>>>> example.com owns an A record 203.0.113.48, and
>>>>> www.example.com owns an A record 203.0.113.48, then
>>>>>
>>>>> where does 48.113.0.203.in-addr.arpa point?
>>>>>
>>>>> Some people will point it at example.com, some will point it at
>>>>> www.example.com. What you get is a mish-mosh. No consistency.
>>>> Although I prefer the use of a CNAME solution (CNAME www.example.com to
>>>> example.com), in the case of separate A (and AAAA) records, one could
>>>> point the reverse to both names. Nothing wrong with a PTR record having
>>>> more than one answer. There is then no inconsistency, just choice. After
>>>> all, pretty much every NS record has at least two Right-Hand-Sides
>>>> (Answers)
>>>>
>>>>
>>>>> If, on the other hand, www.example.com is a CNAME to example.com, then
>>>>> it's crystal clear where the reverse record will point -- example.com.
>>>>> There is no ambiguity or option for inconsistency.
>>>>>
>>>>>   - Kevin
>>>>>
>>>>> On 9/10/2014 5:48 PM, Eliezer Croitoru wrote:
>>>>>> Hey Kevin,
>>>>>>
>>>>>> This is not an issue at all.
>>>>>> A PTR is different than a "A" record and can be used by two reverse
>>>>>> domain names and only the owner of the IP addresses space can define
>>>>>> them.
>>>>>> I am not sure if two PTR records for two domains will be applied to
>>>>>> one IP but it is possible for two IP addresses to have the same PTR.
>>>>>>
>>>>>> Can we even use a CNAME as a PTR???
>>>>>>
>>>>>> Eliezer
>>>>>>
>>>>>> On 09/11/2014 12:37 AM, Kevin Darcy wrote:
>>>>>>> Also, have you considered the forward/reverse ambiguity that arises when
>>>>>>> multiple owner names resolve to the same address? To which of those
>>>>>>> names does the PTR point?
>>>>>>>
>>>>>>>   - Kevin

Well, this is certainly getting far away from an answer to the original
question!

Originally our web server was only available as www.adi.com. Later I
noticed that a lot of sites were available without the www. So I decided
to allow our web server to be available as adi.com. But I still consider
www.adi.com to be the real name of the server. And I certainly can not
alias adi.com to www.adi.com!

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com


Re: A record of domain name must be name server ?

2014-09-11 Thread Kevin Darcy

On 9/11/2014 11:51 AM, Mark Elkins wrote:
> On Thu, 2014-09-11 at 11:27 -0400, Kevin Darcy wrote:
>> Mark,
>> Depending on implementation, a PTR RRset with multiple
>> records either
>>
>> -- only ever gets answered with the "first" record of the set (in
>> which case the second and subsequent records of the set are just a
>> waste of space), or
>> -- answers in a random, cyclic and/or round-robin fashion (in which
>> case, the results are non-deterministic from the standpoint of a
>> client, and this can cause problems and/or confusion)
>
> Last time I checked, ALL matching records are returned as a single
> Resource Record Set - (and in the case of DNSSEC - covered with a single
> signature).
>
> What the receiver does with it is up to that receiver... as you say -
> some of the information may be discarded.

If the invoker is using the classic gethostbyaddr() interface, then
it'll only see the RDATA from the "first" PTR RR, where "first" is
determined by the local nameserver implementation and/or the local
Operating System interface for name resolution.

>> So, although the standards allow multiple RRs, in practical terms, it
>> only makes sense for a PTR RRset to contain a *single* RR.
>
> I would still disagree. When there is forward<-->reverse checking, one
> may need the complete answer. I certainly have some processes that do an
> exhaustive check.

Certainly if one gets down to the resolver-library level and grovels
through all of the RRs in the Answer Section of the response packet, one
could certainly care more than the typical reverse-resolving
app/subsystem would. And any software that builds up certain heightened
expectations is likely to complain if those expectations are not met.

- Kevin

>> On 9/11/2014 3:45 AM, Mark Elkins wrote:
>>> On Wed, 2014-09-10 at 18:13 -0400, Kevin Darcy wrote:
>>>> No, what I'm saying is that if
>>>>
>>>> example.com owns an A record 203.0.113.48, and
>>>> www.example.com owns an A record 203.0.113.48, then
>>>>
>>>> where does 48.113.0.203.in-addr.arpa point?
>>>>
>>>> Some people will point it at example.com, some will point it at
>>>> www.example.com. What you get is a mish-mosh. No consistency.
>>>
>>> Although I prefer the use of a CNAME solution (CNAME www.example.com to
>>> example.com), in the case of separate A (and AAAA) records, one could
>>> point the reverse to both names. Nothing wrong with a PTR record having
>>> more than one answer. There is then no inconsistency, just choice. After
>>> all, pretty much every NS record has at least two Right-Hand-Sides
>>> (Answers)
>>>
>>>> If, on the other hand, www.example.com is a CNAME to example.com, then
>>>> it's crystal clear where the reverse record will point -- example.com.
>>>> There is no ambiguity or option for inconsistency.
>>>>
>>>>   - Kevin
>>>>
>>>> On 9/10/2014 5:48 PM, Eliezer Croitoru wrote:
>>>>> Hey Kevin,
>>>>>
>>>>> This is not an issue at all.
>>>>> A PTR is different than a "A" record and can be used by two reverse
>>>>> domain names and only the owner of the IP addresses space can define
>>>>> them.
>>>>> I am not sure if two PTR records for two domains will be applied to
>>>>> one IP but it is possible for two IP addresses to have the same PTR.
>>>>>
>>>>> Can we even use a CNAME as a PTR???
>>>>>
>>>>> Eliezer
>>>>>
>>>>> On 09/11/2014 12:37 AM, Kevin Darcy wrote:
>>>>>> Also, have you considered the forward/reverse ambiguity that arises when
>>>>>> multiple owner names resolve to the same address? To which of those
>>>>>> names does the PTR point?
>>>>>>
>>>>>>   - Kevin


Re: A record of domain name must be name server ?

2014-09-11 Thread Bob Harold
In reference to the question of using a CNAME or A record for "
www.example.com", it seems to me that the best solution, if we could ever
get there, would be to create a new record type that means "redirect an A
or AAAA lookup to this other name".  Like this:

example.com.  IN  SOA  
example.com.  IN  ANAME  my.webhosting.com.
www.example.com.  IN  CNAME  my.webhosting.com.

I use "ANAME" to mean "like a CNAME, but only for A and AAAA lookups", with
no restrictions on other names with the same left side (except perhaps
other A and AAAA records if that is necessary for technical reasons).

Several DNS and hosting providers provide similar functionality, but is
there any chance of widespread DNS support for something like this?

Is there already an RFC for this?

I find these interesting sites:
http://www.dnsmadeeasy.com/services/aname-records/
http://aws.amazon.com/route53/faqs/#Supported_DNS_record_types
http://blog.andrewallen.co.uk/2012/06/27/cname-is-out-hello-aname/
(This last one points out a problem with the current implementations - I
think proper support in the DNS protocol would solve this.)

-- 
Bob Harold
DNS and DHCP
University of Michigan

Re: A record of domain name must be name server ?

2014-09-11 Thread Matus UHLAR - fantomas

> On 9/11/2014 12:08 PM, Matus UHLAR - fantomas wrote:
>> we both also said it's personal preference.

On 11.09.14 12:53, Kevin Darcy wrote:
> And I'm saying that's a cop-out. It should be a recommended practice

> encouraging consistent
> forward/reverse mappings is something that all DNS admins have a
> stake in, whether they realize it or not.

correct reverse-forward mappings - yes.
correct forward-reverse mappings - no.

In zones apexes it's sometimes just impossible and I have already met people
uselessly insisting on such (pardon me) shit without understanding real
(and potentially much bigger) problem.

> It's not usable where it's not usable, of course. But, where it *is*
> usable, I'm just saying it's recommended,

It's definitely not recommended by me. You are of course free to recommend
what you choose, but I think I should warn you I'll oppose that...

> Did you seriously think I'd recommend
> something that *doesn't*work*? Please, give me a little more credit
> than that.

I remember you from your postings here, so I really don't think you are
incompetent, especially not an idiot :-)

I just don't agree with this point, because I have already met people not
getting this properly and insisting on something that was likely to get them
into troubles bigger than with having multiple A's...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.  -- Daffy Duck & Porky Pig


Re: A record of domain name must be name server ?

2014-09-11 Thread Kevin Darcy

On 9/11/2014 12:08 PM, Matus UHLAR - fantomas wrote:
>> On 9/11/2014 3:47 AM, Matus UHLAR - fantomas wrote:
>>> On 10.09.14 18:13, Kevin Darcy wrote:
>>>> No, what I'm saying is that if
>>>>
>>>> example.com owns an A record 203.0.113.48, and
>>>> www.example.com owns an A record 203.0.113.48, then
>>>>
>>>> where does 48.113.0.203.in-addr.arpa point?
>>>
>>> Completely your decision.
>>>> Some people will point it at example.com, some will point it at
>>>> www.example.com. What you get is a mish-mosh. No consistency.
>>>
>>> Do not mix multiple A and PTR. they are just different things.
>>> You are creating issues where there are none.
>
> On 11.09.14 11:20, Kevin Darcy wrote:
>> The issue is consistency. If you give admins choices where to point a
>> PTR, and the RFCs don't provide any clear guidance, you're going to
>> get inconsistent results.
>
> sorry, but again - you are searching for consistency somewhere, where no
> consistency (nor a PTR) is required.
>
>> Consistency is a good thing, isn't it? Sure, the earth isn't going to
>> fall off its axis of rotation just because of the way people point
>> their A and PTR records, CNAME or don't CNAME. But if we can nudge
>> people in the direction of consistency, and there is no downside, why
>> wouldn't we do that? That's what "best practices" are all about --
>> impelling people towards processes/methods/conventions that
>> ultimately benefit *everyone*. Greatest good for the greatest number,
>> and all that.
>
> I haven't met a case where this level of "consistency" would be needed.

Needed? Is that where you're setting the bar here? A little too high,
I'd say. My point is that consistency is a good thing, and the "CNAME to
@" practice helps to foster that. Whether it's *needed* would be a whole
other question. Somewhere between "necessary" and (what Alan called)
"preferences" are these things called recommendations or best practices.

> I have met a case where the "only one A should point to an IP" caused
> troubles.

Well, sure. Some names, such as zone-apex names, *cannot* own CNAME
records. If example1.com and example2.com need to resolve to the same
IP, then, and assuming they are both zone-apex names, you're going to
have multiple As with the same RDATA, and a reverse-record ambiguity.
That's unavoidable. All I'm saying, is that in the normal case, where
you have an option, "CNAME to @" makes a lot of sense and should be
followed.

> your argument fails immediately when there's need for more than just A on
> www.example.com

If the RDATA needs to be *different* between "www" and apex, or the
application/subsystem which accesses the resource makes a distinction
between canonical names and aliases, sure. I'm not laying down a
hard-and-fast rule. Of course there will be exceptions, where the
higher-level protocols or the user requirements demand it.

>> (Yes, I'm aware that there was a proposal recently discussed on the
>> DNSOP list for an MX-target convention to denote "no mail service
>> offered here". That would presumably solve the problem I cited in the
>> previous paragraph. But AFAIK that proposal is many years away from
>> widespread adoption, and even if adopted, it puts an extra burden on
>> the DNS admins to populate the "no service" MX record, which, again,
>> is going to produce inconsistent results -- some admins will remember
>> to do it; many won't).
>
> ... and this is just example of it.

An example of what? Of what bad things can happen when (semi-)important
things are left to mere "preference"?

>>> The same applies for all other RRs for example.com Alan named crap.
>>
>> Actually, the only other RR type that Alan enumerated specifically
>> was NS, which operates on entirely different principles, and serves a
>> significantly different function, than MX-based mail routing. Who
>> would be looking up www.example.com with QTYPE=NS? Is that even a
>> plausible use-case scenario?
>
> well, me and Alan have shown examples why "www CNAME @" is not a good
> idea.

Alan's concern was that the "www" name could get associated with record
types that the DNS admin might not have expected. This is not a problem
for a competent admin, who will have realistic expectations and an
understanding of CNAME mechanics. You raised the possibility that a mail
server might reject messages sent erroneously to "www" and I responded
that if it's going to fail anyway, at least that failure mode is better
than a mail server trying to deliver mail to a web server (which is what
happens in the same scenario when "www" is an independent A record).

You got anything else?

> we both also said it's personal preference.

And I'm saying that's a cop-out. It should be a recommended practice --
except where there are special mitigating circumstances which make it
inappropriate or unworkable -- not merely a "preference". Hair styles
and musical genres are "preferences"; encouraging consistent
forward/reverse mappings is something that all DNS admins have a stake
in, whether they realize it or not.

>> What other RR types do you have in mind?
>
> Does it matter at all? It _ma

Re: A record of domain name must be name server ?

2014-09-11 Thread Matus UHLAR - fantomas

> On 9/11/2014 3:47 AM, Matus UHLAR - fantomas wrote:
>> On 10.09.14 18:13, Kevin Darcy wrote:
>>> No, what I'm saying is that if
>>>
>>> example.com owns an A record 203.0.113.48, and
>>> www.example.com owns an A record 203.0.113.48, then
>>>
>>> where does 48.113.0.203.in-addr.arpa point?
>>
>> Completely your decision.
>>> Some people will point it at example.com, some will point it at
>>> www.example.com. What you get is a mish-mosh. No consistency.
>>
>> Do not mix multiple A and PTR. they are just different things.
>> You are creating issues where there are none.

On 11.09.14 11:20, Kevin Darcy wrote:
> The issue is consistency. If you give admins choices where to point a
> PTR, and the RFCs don't provide any clear guidance, you're going to
> get inconsistent results.

sorry, but again - you are searching for consistency somewhere, where no
consistency (nor a PTR) is required.

> Consistency is a good thing, isn't it? Sure, the earth isn't going to
> fall off its axis of rotation just because of the way people point
> their A and PTR records, CNAME or don't CNAME. But if we can nudge
> people in the direction of consistency, and there is no downside, why
> wouldn't we do that? That's what "best practices" are all about --
> impelling people towards processes/methods/conventions that
> ultimately benefit *everyone*. Greatest good for the greatest number,
> and all that.

I haven't met a case where this level of "consistency" would be needed.
I have met a case where the "only one A should point to an IP" caused
troubles.

your argument fails immediately when there's need for more than just A on
www.example.com

> (Yes, I'm aware that there was a proposal recently discussed on the
> DNSOP list for an MX-target convention to denote "no mail service
> offered here". That would presumably solve the problem I cited in the
> previous paragraph. But AFAIK that proposal is many years away from
> widespread adoption, and even if adopted, it puts an extra burden on
> the DNS admins to populate the "no service" MX record, which, again,
> is going to produce inconsistent results -- some admins will remember
> to do it; many won't).

... and this is just example of it.

>> The same applies for all other RRs for example.com Alan named crap.
>
> Actually, the only other RR type that Alan enumerated specifically
> was NS, which operates on entirely different principles, and serves a
> significantly different function, than MX-based mail routing. Who
> would be looking up www.example.com with QTYPE=NS? Is that even a
> plausible use-case scenario?

well, me and Alan have shown examples why "www CNAME @" is not a good idea.
we both also said it's personal preference.

> What other RR types do you have in mind?

Does it matter at all? It _may_ happen, and it's the case where CNAME is
not usable.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759


Re: A record of domain name must be name server ?

2014-09-11 Thread Mark Elkins
On Thu, 2014-09-11 at 11:27 -0400, Kevin Darcy wrote:
> Mark,
> Depending on implementation, a PTR RRset with multiple
> records either
> 
> -- only ever gets answered with the "first" record of the set (in
> which case the second and subsequent records of the set are just a
> waste of space), or
> -- answers in a random, cyclic and/or round-robin fashion (in which
> case, the results are non-deterministic from the standpoint of a
> client, and this can cause problems and/or confusion)


Last time I checked, ALL matching records are returned as a single
Resource Record Set - (and in the case of DNSSEC - covered with a single
signature).

What the receiver does with it is up to that receiver... as you say -
some of the information may be discarded.

> So, although the standards allow multiple RRs, in practical terms, it
> only makes sense for a PTR RRset to contain a *single* RR.

I would still disagree. When there is forward<-->reverse checking, one
may need the complete answer. I certainly have some processes that do an
exhaustive check.


> - Kevin
> 
> On 9/11/2014 3:45 AM, Mark Elkins wrote:
> 
> > On Wed, 2014-09-10 at 18:13 -0400, Kevin Darcy wrote:
> > > No, what I'm saying is that if
> > > 
> > > example.com owns an A record 203.0.113.48, and
> > > www.example.com owns an A record 203.0.113.48, then
> > > 
> > > where does 48.113.0.203.in-addr.arpa point?
> > > 
> > > Some people will point it at example.com, some will point it at 
> > > www.example.com. What you get is a mish-mosh. No consistency.
> > Although I prefer the use of a CNAME solution (CNAME www.example.com to
> > example.com), in the case of separate A (and AAAA) records, one could
> > point the reverse to both names. Nothing wrong with a PTR record having
> > more than one answer. There is then no inconsistency, just choice. After
> > all, pretty much every NS record has at least two Right-Hand-Sides
> > (Answers)
> > 
> > 
> > > If, on the other hand, www.example.com is a CNAME to example.com, then 
> > > it's crystal clear where the reverse record will point -- example.com. 
> > > There is no ambiguity or option for inconsistency.
> > > 
> > >  - Kevin
> > > 
> > > On 9/10/2014 5:48 PM, Eliezer Croitoru wrote:
> > > > Hey Kevin,
> > > > 
> > > > This is not an issue at all.
> > > > A PTR is different than a "A" record and can be used by two reverse 
> > > > domain names and only the owner of the IP addresses space can define 
> > > > them.
> > > > I am not sure if two PTR records for two domains will be applied to 
> > > > one IP but it is possible for two IP addresses to have the same PTR.
> > > > 
> > > > Can we even use a CNAME as a PTR???
> > > > 
> > > > Eliezer
> > > > 
> > > > On 09/11/2014 12:37 AM, Kevin Darcy wrote:
> > > > > Also, have you considered the forward/reverse ambiguity that arises 
> > > > > when
> > > > > multiple owner names resolve to the same address? To which of those
> > > > > names does the PTR point?
> > > > > 
> > > > >  - Kevin

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
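
The forward/reverse questions argued in this thread (where the PTR for 203.0.113.48 points, first-PTR versus exhaustive checking, and where mail for "www" goes with and without "www CNAME @"), worked through as an added example that is not part of any poster's message. It runs offline against a constructed in-memory zone; mail.example.com, 203.0.113.25, old.example.com and all function names are assumptions made for the illustration.

```python
# Added illustration: constructed zone data only, no network access.

def make_zone(www_is_cname, ptr_targets):
    """Build a constructed zone as {(owner, rrtype): [rdata, ...]}."""
    zone = {
        ("example.com.", "A"): ["203.0.113.48"],
        ("example.com.", "MX"): ["10 mail.example.com."],   # assumed mail host
        ("mail.example.com.", "A"): ["203.0.113.25"],       # assumed address
        ("48.113.0.203.in-addr.arpa.", "PTR"): list(ptr_targets),
    }
    if www_is_cname:
        zone[("www.example.com.", "CNAME")] = ["example.com."]
    else:
        zone[("www.example.com.", "A")] = ["203.0.113.48"]
    return zone


def lookup(zone, name, rrtype, max_chain=8):
    """Return the RRset for name/rrtype, following CNAMEs as a resolver does."""
    for _ in range(max_chain):
        if (name, rrtype) in zone:
            return list(zone[(name, rrtype)])
        cname = zone.get((name, "CNAME"))
        if not cname:
            return []
        name = cname[0]
    return []  # CNAME chain too long: treat as no answer


def reverse_name(ip):
    """203.0.113.48 -> 48.113.0.203.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def fcrdns_first_only(zone, ip):
    """Forward-confirm only the first PTR, as a gethostbyaddr()-style caller sees it."""
    ptrs = lookup(zone, reverse_name(ip), "PTR")
    return bool(ptrs) and ip in lookup(zone, ptrs[0], "A")


def fcrdns_exhaustive(zone, ip):
    """Return every PTR target whose forward A RRset contains ip."""
    ptrs = lookup(zone, reverse_name(ip), "PTR")
    return sorted(p for p in ptrs if ip in lookup(zone, p, "A"))


def names_missing_from_ptr(zone, ip):
    """Owner names holding an A record for ip that no PTR points back to."""
    ptrs = set(lookup(zone, reverse_name(ip), "PTR"))
    owners = {name for (name, rrtype), rdata in zone.items()
              if rrtype == "A" and ip in rdata}
    return sorted(owners - ptrs)


def mail_targets(zone, domain):
    """Hosts a sending MTA tries: the MX RRset by preference, else the
    domain's own address record (the implicit-MX fallback in RFC 5321)."""
    mx = lookup(zone, domain, "MX")
    if mx:
        return [r.split()[1] for r in sorted(mx, key=lambda r: int(r.split()[0]))]
    return [domain] if lookup(zone, domain, "A") else []


if __name__ == "__main__":
    ip = "203.0.113.48"
    separate = make_zone(False, ["example.com."])
    aliased = make_zone(True, ["example.com."])
    stale = make_zone(False, ["old.example.com.", "example.com."])

    print("separate A, unmatched names:", names_missing_from_ptr(separate, ip))
    print("www CNAME @, unmatched names:", names_missing_from_ptr(aliased, ip))
    print("separate A, mail for www goes to:", mail_targets(separate, "www.example.com."))
    print("www CNAME @, mail for www goes to:", mail_targets(aliased, "www.example.com."))
    print("stale first PTR, first-only check:", fcrdns_first_only(stale, ip))
    print("stale first PTR, exhaustive check:", fcrdns_exhaustive(stale, ip))
```
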



Re: A record of domain name must be name server ?

2014-09-11 Thread Kevin Darcy

Mark,
Depending on implementation, a PTR RRset with multiple 
records either


-- only ever gets answered with the "first" record of the set (in which 
case the second and subsequent records of the set are just a waste of 
space), or
-- answers in a random, cyclic and/or round-robin fashion (in which 
case, the results are non-deterministic from the standpoint of a client, 
and this can cause problems and/or confusion)


So, although the standards allow multiple RRs, in practical terms, it 
only makes sense for a PTR RRset to contain a *single* RR.


- Kevin

On 9/11/2014 3:45 AM, Mark Elkins wrote:
> On Wed, 2014-09-10 at 18:13 -0400, Kevin Darcy wrote:
>> No, what I'm saying is that if
>>
>> example.com owns an A record 203.0.113.48, and
>> www.example.com owns an A record 203.0.113.48, then
>>
>> where does 48.113.0.203.in-addr.arpa point?
>>
>> Some people will point it at example.com, some will point it at
>> www.example.com. What you get is a mish-mosh. No consistency.
>
> Although I prefer the use of a CNAME solution (CNAME www.example.com to
> example.com), in the case of separate A (and AAAA) records, one could
> point the reverse to both names. Nothing wrong with a PTR record having
> more than one answer. There is then no inconsistency, just choice. After
> all, pretty much every NS record has at least two Right-Hand-Sides
> (Answers)
>
>> If, on the other hand, www.example.com is a CNAME to example.com, then
>> it's crystal clear where the reverse record will point -- example.com.
>> There is no ambiguity or option for inconsistency.
>>
>>   - Kevin
>>
>> On 9/10/2014 5:48 PM, Eliezer Croitoru wrote:
>>> Hey Kevin,
>>>
>>> This is not an issue at all.
>>> A PTR is different than a "A" record and can be used by two reverse
>>> domain names and only the owner of the IP addresses space can define
>>> them.
>>> I am not sure if two PTR records for two domains will be applied to
>>> one IP but it is possible for two IP addresses to have the same PTR.
>>>
>>> Can we even use a CNAME as a PTR???
>>>
>>> Eliezer
>>>
>>> On 09/11/2014 12:37 AM, Kevin Darcy wrote:
>>>> Also, have you considered the forward/reverse ambiguity that arises when
>>>> multiple owner names resolve to the same address? To which of those
>>>> names does the PTR point?
>>>>
>>>>   - Kevin


Re: A record of domain name must be name server ?

2014-09-11 Thread Kevin Darcy

On 9/11/2014 3:47 AM, Matus UHLAR - fantomas wrote:

On 10.09.14 18:13, Kevin Darcy wrote:

No, what I'm saying is that if

example.com owns an A record 203.0.113.48, and
www.example.com owns an A record 203.0.113.48, then

where does 48.113.0.203.in-addr.arpa point?


Completely your decision.
Some people will point it at example.com, some will point it at 
www.example.com. What you get is a mish-mosh. No consistency.


Do not mix multiple A and PTR. they are just different things.
You are creating issues where there are none.
The issue is consistency. If you give admins choices where to point a 
PTR, and the RFCs don't provide any clear guidance, you're going to get 
inconsistent results.


If you make "www" a CNAME to apex, then the RFCs are clear that you 
can't point the PTR to the "www" name. The *only*legal*choice* is to 
point the PTR at the apex name. You're going to get *much*more* 
consistent results.


Consistency is a good thing, isn't it? Sure, the earth isn't going to 
fall off its axis of rotation just because of the way people point their 
A and PTR records, CNAME or don't CNAME. But if we can nudge people in 
the direction of consistency, and there is no downside, why wouldn't we 
do that? That's what "best practices" are all about -- impelling people 
towards processes/methods/conventions that ultimately benefit 
*everyone*. Greatest good for the greatest number, and all that.


>> If, on the other hand, www.example.com is a CNAME to example.com,
>> then it's crystal clear where the reverse record will point --
>> example.com. There is no ambiguity or option for inconsistency.
>
> If you point www CNAME @, the 'www' will have both MX and NS records same as
> example.com.  Which may e.g. cause rejects on backup MX hosts, apparently
> not designed to receive mail for www.example.com.

So, is it better that mail sent erroneously to www.example.com fall 
through the RFC 5321 algorithm and attempt to be delivered to the A 
record? That host is almost certainly a *web* server and quite likely 
to not even be listening on port 25. After some period of time, the user 
ultimately gets a "connection timed out, still retrying" NDR and 
scratches their head trying to figure out what went wrong. Meanwhile, 
the sending MTA keeps on retrying, web server sees "garbage" traffic on 
an off-port and generates ICMP packets back to the source. In the "CNAME 
to @" scenario, at least the mail gets rejected promptly by a *mail* 
server, you have a nice clear audit trail on the server side and a 
meaningful error message (e.g. "I don't accept mail for the 
www.example.com domain") back to the user.


(Yes, I'm aware that there was a proposal recently discussed on the 
DNSOP list for an MX-target convention to denote "no mail service 
offered here". That would presumably solve the problem I cited in the 
previous paragraph. But AFAIK that proposal is many years away from 
widespread adoption, and even if adopted, it puts an extra burden on the 
DNS admins to populate the "no service" MX record, which, again, is 
going to produce inconsistent results -- some admins will remember to do 
it; many won't).


Obviously, if one wants mail for example.com and www.example.com to be 
delivered to *different* MX targets, then "CNAME to @" isn't an option. 
But in the general case, where you don't want mail to www.example.com to 
be deliverable *at*all*, "CNAME to @" is quite a viable option; 
arguably, a *better* option, since the failure mode is faster and 
cleaner than directing MTAs to try to deliver mail, as per RFC 5321, to 
a web server.




> The same applies for all other RRs for example.com Alan named crap.

Actually, the only other RR type that Alan enumerated specifically was 
NS, which operates on entirely different principles, and serves a 
significantly different function, than MX-based mail routing. Who would 
be looking up www.example.com with QTYPE=NS? Is that even a plausible 
use-case scenario?


What other RR types do you have in mind? SRV records? They have their 
own defined naming structure, which effectively precludes apex naming. 
TXT records used for SPF purposes? Worst case for that is that the same 
hosts trusted to send mail for example.com are also trusted to send mail 
for www.example.com -- but *sending* mail servers are presumably under 
the control (directly or indirectly) of the domain owner, so the 
potential for negative fallout seems rather minimal. Something else? Are 
you thinking that a LOC record should be differentiated between "www" 
and apex, if the web server is physically in a different datacenter than 
the corporate headquarters of the domain owner?


- Kevin


Re: A record of domain name must be name server ?

2014-09-11 Thread Sam Wilson
In article ,
 Antonio Querubin  wrote:

> On Thu, 11 Sep 2014, Matus UHLAR - fantomas wrote:
> 
> > If you point www CNAME @, the 'www' will have both MX and NS records same as
> > example.com.  Which may e.g. cause rejects on backup MX hosts, apparently
> > not designed to receive mail for www.example.com.
> 
> Actually no.  All other RRs are supposed to be ignored (except for RRSIG, 
> etc) once the CNAME exists.  Ie. the MX and NS RRs exist only for 
> example.com, but not www.example.com.

I think that's a misunderstanding of what Matus wrote.  With separate A 
records then www.example.com will only have an A record.  If you alias 
www to @ then looking up MX and NS records for www will return the ones 
for example.com.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
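
The two behaviours argued over in the messages above (what an MX lookup for www returns and where mail for www ends up, and which names a PTR for 203.0.113.48 could point at), shown on a toy in-memory zone. This is an added example, not code from any poster; the zone data, the ns1/ns2/mail host names and the function names `lookup`, `mail_targets` and `ptr_candidates` are assumptions made for illustration.

```python
# Added example: toy in-memory zone data, constructed for illustration.
# Compares "www as a separate A record" with "www as a CNAME to the apex".

APEX = "example.com."

# Records common to both variants (constructed sample data).
BASE = [
    (APEX, "NS", "ns1.example.com."),
    (APEX, "NS", "ns2.example.com."),
    (APEX, "MX", "10 mail.example.com."),
    (APEX, "A", "203.0.113.48"),
    ("mail.example.com.", "A", "203.0.113.25"),
]

ZONE_SEPARATE_A = BASE + [("www.example.com.", "A", "203.0.113.48")]
ZONE_CNAME = BASE + [("www.example.com.", "CNAME", APEX)]


def lookup(zone, qname, qtype, max_chain=8):
    """Answer a query roughly the way an authoritative server would.

    Returns (status, cname_chain, rdata). If qname owns a CNAME and the
    query type is not CNAME, the alias is followed and the lookup restarts
    at the target, whatever the query type is. Simplification: a name with
    no records at all is reported as NXDOMAIN (no empty non-terminals).
    """
    chain = []
    name = qname
    for _ in range(max_chain):
        owned = [(t, r) for (n, t, r) in zone if n == name]
        if not owned:
            return ("NXDOMAIN", chain, [])
        cname = [r for (t, r) in owned if t == "CNAME"]
        if cname and qtype != "CNAME":
            chain.append((name, cname[0]))
            name = cname[0]
            continue
        rdata = sorted(r for (t, r) in owned if t == qtype)
        return ("NOERROR" if rdata else "NODATA", chain, rdata)
    return ("SERVFAIL", chain, [])  # alias loop or chain too long


def mail_targets(zone, domain):
    """Hosts an MTA would try for mail to user@domain (RFC 5321 section 5.1).

    MX records are used when present; with no MX, the domain's own address
    record is treated as an implicit MX pointing at the domain itself.
    """
    _, _, mx = lookup(zone, domain, "MX")
    if mx:
        ordered = sorted(mx, key=lambda r: int(r.split()[0]))
        return [r.split()[1] for r in ordered]
    _, _, addrs = lookup(zone, domain, "A")
    return [domain] if addrs else []


def ptr_candidates(zone, address):
    """Owner names holding an A record for address: each is a possible PTR target."""
    return sorted(n for (n, t, r) in zone if t == "A" and r == address)


if __name__ == "__main__":
    for label, zone in (("separate A", ZONE_SEPARATE_A), ("CNAME to @", ZONE_CNAME)):
        print(label)
        print("  MX www  ->", lookup(zone, "www.example.com.", "MX"))
        print("  mail to ->", mail_targets(zone, "www.example.com."))
        print("  PTR for 203.0.113.48 could be", ptr_candidates(zone, "203.0.113.48"))
```
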


Re: A record of domain name must be name server ?

2014-09-11 Thread Sam Wilson
In article ,
 Alan Clegg  wrote:

> On 9/10/14, 8:42 AM, Sam Wilson wrote:
> 
> > And you could reduce maintenance very slightly by replacing
> > 
> > www in  A   75.100.245.133
> > 
> > with 
> > 
> > www in  CNAME   @
> 
> And now you have an MX record, 3 NS records and a bunch of other crap
> associated with the WWW address.  Keeping track of one extra A record
> (and associated  record if you go in that direction) isn't a bad thing.

And the discussion went on from there.  Sorry, I really didn't mean to 
poke a hornets' nest.

> (Personal preferences, of course)

Personal preference and dependent on the exact needs of the users of the 
data, of course.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


Re: A record of domain name must be name server ?

2014-09-11 Thread Antonio Querubin

On Thu, 11 Sep 2014, Matus UHLAR - fantomas wrote:

> If you point www CNAME @, the 'www' will have both MX and NS records same as
> example.com.  Which may e.g. cause rejects on backup MX hosts, apparently
> not designed to receive mail for www.example.com.


Actually no.  All other RRs are supposed to be ignored (except for RRSIG, 
etc) once the CNAME exists.  Ie. the MX and NS RRs exist only for 
example.com, but not www.example.com.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com


Re: A record of domain name must be name server ?

2014-09-11 Thread Matus UHLAR - fantomas

On 10.09.14 18:13, Kevin Darcy wrote:

> No, what I'm saying is that if
>
> example.com owns an A record 203.0.113.48, and
> www.example.com owns an A record 203.0.113.48, then
>
> where does 48.113.0.203.in-addr.arpa point?

Completely your decision.

> Some people will point it at example.com, some will point it at
> www.example.com. What you get is a mish-mosh. No consistency.

Do not mix multiple A and PTR. they are just different things.
You are creating issues where there are none.

> If, on the other hand, www.example.com is a CNAME to example.com,
> then it's crystal clear where the reverse record will point --
> example.com. There is no ambiguity or option for inconsistency.

If you point www CNAME @, the 'www' will have both MX and NS records same as
example.com.  Which may e.g. cause rejects on backup MX hosts, apparently
not designed to receive mail for www.example.com.

The same applies for all other RRs for example.com Alan named crap.
And that's why I also think it's better to define 'www' as A record, not as
CNAME

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


Re: A record of domain name must be name server ?

2014-09-11 Thread Mark Elkins
On Wed, 2014-09-10 at 18:13 -0400, Kevin Darcy wrote:
> No, what I'm saying is that if
> 
> example.com owns an A record 203.0.113.48, and
> www.example.com owns an A record 203.0.113.48, then
> 
> where does 48.113.0.203.in-addr.arpa point?
> 
> Some people will point it at example.com, some will point it at 
> www.example.com. What you get is a mish-mosh. No consistency.

Although I prefer the use of a CNAME solution (CNAME www.example.com to
example.com), in the case of separate A (and ) records, one could
point the reverse to both names. Nothing wrong with a PTR record having
more than one answer. There is then no inconsistency, just choice. After
all, pretty much every NS record has at least two Right-Hand-Sides
(Answers)


> If, on the other hand, www.example.com is a CNAME to example.com, then 
> it's crystal clear where the reverse record will point -- example.com. 
> There is no ambiguity or option for inconsistency.
> 
>  - Kevin
> 
> On 9/10/2014 5:48 PM, Eliezer Croitoru wrote:
> > Hey Kevin,
> >
> > This is not an issue at all.
> > A PTR is different than a "A" record and can be used by two reverse 
> > domain names and only the owner of the IP addresses space can define 
> > them.
> > I am not sure if two PTR records for two domains will be applied to 
> > one IP but it is possible for two IP addresses to have the same PTR.
> >
> > Can we even use a CNAME as a PTR???
> >
> > Eliezer
> >
> > On 09/11/2014 12:37 AM, Kevin Darcy wrote:
> >> Also, have you considered the forward/reverse ambiguity that arises when
> >> multiple owner names resolve to the same address? To which of those
> >> names does the PTR point?
> >>
> >>  - Kevin
> >

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za



Re: A record of domain name must be name server ?

2014-09-10 Thread Eliezer Croitoru
Well this is a confusing point but it's rather an administrative 
decision to make.
If indeed the network\server\domain administrator is not aware of his 
services he will either have or will not have decision to make.

It will depend on whether he knows what he is doing.
Mish-mosh or banana he will eat it one way or another.

One conclusion he will probably learn is that dns records take from 24 
to about 48 hours to be forgotten from dns caches :D


All The Bests,
Eliezer

On 09/11/2014 01:13 AM, Kevin Darcy wrote:

> No, what I'm saying is that if
>
> example.com owns an A record 203.0.113.48, and
> www.example.com owns an A record 203.0.113.48, then
>
> where does 48.113.0.203.in-addr.arpa point?
>
> Some people will point it at example.com, some will point it at
> www.example.com. What you get is a mish-mosh. No consistency.
>
> If, on the other hand, www.example.com is a CNAME to example.com, then
> it's crystal clear where the reverse record will point -- example.com.
> There is no ambiguity or option for inconsistency.
>
>  - Kevin




Re: A record of domain name must be name server ?

2014-09-10 Thread Kevin Darcy

No, what I'm saying is that if

example.com owns an A record 203.0.113.48, and
www.example.com owns an A record 203.0.113.48, then

where does 48.113.0.203.in-addr.arpa point?

Some people will point it at example.com, some will point it at 
www.example.com. What you get is a mish-mosh. No consistency.


If, on the other hand, www.example.com is a CNAME to example.com, then 
it's crystal clear where the reverse record will point -- example.com. 
There is no ambiguity or option for inconsistency.


- Kevin

On 9/10/2014 5:48 PM, Eliezer Croitoru wrote:

> Hey Kevin,
>
> This is not an issue at all.
> A PTR is different than a "A" record and can be used by two reverse
> domain names and only the owner of the IP addresses space can define
> them.
> I am not sure if two PTR records for two domains will be applied to
> one IP but it is possible for two IP addresses to have the same PTR.
>
> Can we even use a CNAME as a PTR???
>
> Eliezer
>
> On 09/11/2014 12:37 AM, Kevin Darcy wrote:
>
>> Also, have you considered the forward/reverse ambiguity that arises when
>> multiple owner names resolve to the same address? To which of those
>> names does the PTR point?
>>
>>  - Kevin




Re: A record of domain name must be name server ?

2014-09-10 Thread Eliezer Croitoru

Hey Kevin,

This is not an issue at all.
A PTR is different than a "A" record and can be used by two reverse 
domain names and only the owner of the IP addresses space can define them.
I am not sure if two PTR records for two domains will be applied to one 
IP but it is possible for two IP addresses to have the same PTR.


Can we even use a CNAME as a PTR???

Eliezer

On 09/11/2014 12:37 AM, Kevin Darcy wrote:

> Also, have you considered the forward/reverse ambiguity that arises when
> multiple owner names resolve to the same address? To which of those
> names does the PTR point?
>
>  - Kevin




Re: A record of domain name must be name server ?

2014-09-10 Thread Kevin Darcy

On 9/10/2014 5:20 PM, Alan Clegg wrote:

> On 9/10/14, 2:13 PM, Kevin Darcy wrote:
>> On 9/10/2014 11:58 AM, Alan Clegg wrote:
>>> On 9/10/14, 8:42 AM, Sam Wilson wrote:
>>>
>>>> And you could reduce maintenance very slightly by replacing
>>>>
>>>> www in  A   75.100.245.133
>>>>
>>>> with
>>>>
>>>> www in  CNAME   @
>>>
>>> And now you have an MX record, 3 NS records and a bunch of other crap
>>> associated with the WWW address.
>>
>> And why is that a _bad_ thing?
>
> (Personal preferences, of course)
>
> Answered before asked.

Well, I was asking about your _particular_ preference, which seemed 
rather clear from your use of the word "crap". Why does it matter (in 
_your_ opinion) if the target of the "www" CNAME owns records of more 
types than just A and/or ?


Also, have you considered the forward/reverse ambiguity that arises when 
multiple owner names resolve to the same address? To which of those 
names does the PTR point?


- Kevin


Re: A record of domain name must be name server ?

2014-09-10 Thread Alan Clegg
On 9/10/14, 2:13 PM, Kevin Darcy wrote:
> On 9/10/2014 11:58 AM, Alan Clegg wrote:
>> On 9/10/14, 8:42 AM, Sam Wilson wrote:
>>
>>> And you could reduce maintenance very slightly by replacing
>>>
>>> www in  A   75.100.245.133
>>>
>>> with 
>>>
>>> www in  CNAME   @

>> And now you have an MX record, 3 NS records and a bunch of other crap
>> associated with the WWW address.  

> And why is that a _bad_ thing?

(Personal preferences, of course)

Answered before asked.

AlanC




Re: A record of domain name must be name server ?

2014-09-10 Thread Kevin Darcy

On 9/10/2014 11:58 AM, Alan Clegg wrote:

> On 9/10/14, 8:42 AM, Sam Wilson wrote:
>
>> And you could reduce maintenance very slightly by replacing
>>
>> www in  A   75.100.245.133
>>
>> with
>>
>> www in  CNAME   @
>
> And now you have an MX record, 3 NS records and a bunch of other crap
> associated with the WWW address.

And why is that a _bad_ thing?

If I ever change that IP, I want to change it in *one*place*. The CNAME 
allows everything to automatically follow that change. Why necessitate 
multiple updates when a single update will do? If TTL-manipulation is 
necessary in order to minimize caching complications, the number of 
RRset updates is magnified, of course.


MXes and NSes are a non-issue, IMO, since the contexts in which people 
look up a "www" name (usually end-users trying to access a website) are 
usually quite disjoint from the use cases of MXes (automated systems 
delivering mail) or NSes (nameserver-to-nameserver traffic). I see 
little or no risk of confusion or misdirection.


I suppose it's _possible_ that some day a mail sender might mistype a 
recipient as u...@www.example.com instead of (as they should have) 
u...@example.com, and maybe in that scenario the CNAME will cause the 
recipient address to show up in the headers of the received message in 
an unexpected way. But, to me, this falls under the generic category of 
GIGO (garbage in, garbage out) -- you type something wrong into a 
computer system, you might not get the results you expected...


- Kevin




Re: A record of domain name must be name server ?

2014-09-10 Thread Matus UHLAR - fantomas

On 9/10/14, 8:42 AM, Sam Wilson wrote:

>> And you could reduce maintenance very slightly by replacing
>>
>> www in  A   75.100.245.133
>>
>> with
>>
>> www in  CNAME   @

On 10.09.14 08:58, Alan Clegg wrote:

> And now you have an MX record, 3 NS records and a bunch of other crap
> associated with the WWW address.  Keeping track of one extra A record
> (and associated  record if you go in that direction) isn't a bad thing.

simply said: don't CNAME to @.

> (Personal preferences, of course)

yes, but still...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod


Re: A record of domain name must be name server ?

2014-09-10 Thread Alan Clegg
On 9/10/14, 8:42 AM, Sam Wilson wrote:

> And you could reduce maintenance very slightly by replacing
> 
> www in  A   75.100.245.133
> 
> with 
> 
> www in  CNAME   @

And now you have an MX record, 3 NS records and a bunch of other crap
associated with the WWW address.  Keeping track of one extra A record
(and associated  record if you go in that direction) isn't a bad thing.

(Personal preferences, of course)

AlanC




Re: A record of domain name must be name server ?

2014-09-10 Thread Sam Wilson
In article ,
 sch...@adi.com (Thomas Schulz) wrote:

> > Hi,
> > 
> > xxx.com and IP address 192.168.1.100 is just a example domain name and IP
> > address. Our boss want everybody access our domain example.com through
> > browser, then it will redirect to our web site www.example.com. So I want
> > to get more information about unexpected impact when we changed DNS records.
> > 
> > Thanks for your help.
> > 
> > Best Regards,
> > Pete Fong
> 
> Here is how I have things set up here. Our domain is adi.com. We have
> three name servers set up. Our web site can be accessed as both
> www.adi.com and adi.com. Here is what I have on our zone file:
> 
> 
> @           in  ns  bluegill.adi.com.
>             in  ns  a.dns.tds.net.
>             in  ns  seahorse.adi.com.
> 
> bluegill    in  A   75.100.245.131
> seahorse    in  A   75.100.245.134
> www         in  A   75.100.245.133
> @           in  A   75.100.245.133
> 
> @           in  mx  0   mackerel.adi.com.
>             in  mx  10  seahorse.adi.com.
>             in  mx  20  bluegill.adi.com.
> 
> Note that address 75.100.245.133 is entered twice.
> The mx records are to get email to work correctly.

And you could reduce maintenance very slightly by replacing

www in  A   75.100.245.133

with 

www in  CNAME   @

Though in Thomas' case the PTR record for 75.100.245.133 returns 
www.adi.com, so that's a good reason for not doing the CNAME thing.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


Re: A record of domain name must be name server ?

2014-09-10 Thread Thomas Schulz
> Hi,
> 
> xxx.com and IP address 192.168.1.100 is just a example domain name and IP
> address. Our boss want everybody access our domain example.com through
> browser, then it will redirect to our web site www.example.com. So I want
> to get more information about unexpected impact when we changed DNS records.
> 
> Thanks for your help.
> 
> Best Regards,
> Pete Fong

Here is how I have things set up here. Our domain is adi.com. We have
three name servers set up. Our web site can be accessed as both
www.adi.com and adi.com. Here is what I have on our zone file:


@           in  ns  bluegill.adi.com.
            in  ns  a.dns.tds.net.
            in  ns  seahorse.adi.com.

bluegill    in  A   75.100.245.131
seahorse    in  A   75.100.245.134
www         in  A   75.100.245.133
@           in  A   75.100.245.133

@           in  mx  0   mackerel.adi.com.
            in  mx  10  seahorse.adi.com.
            in  mx  20  bluegill.adi.com.

Note that address 75.100.245.133 is entered twice.
The mx records are to get email to work correctly.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com


Re: A record of domain name must be name server ?

2014-09-09 Thread Pete Fong
Hi,

xxx.com and IP address 192.168.1.100 is just a example domain name and IP
address. Our boss want everybody access our domain example.com through
browser, then it will redirect to our web site www.example.com. So I want
to get more information about unexpected impact when we changed DNS records.

Thanks for your help.

Best Regards,
Pete Fong




2014-09-08 20:02 GMT+08:00 /dev/rob0 :

> On Mon, Sep 08, 2014 at 03:43:22PM +0800, Pete Fong wrote:
> > The below item is our DNS (BIND) server configuration. our Domain*
> > xxx.com
>
> I think that is a porn site.  If you mean to use that name as an
> example, please use "example.com" instead.  Putting HTTP links to
> pornography in your emails is a sure way to fall afoul of various
> content filtering solutions which are in common use.
>
> See RFC 2606 regarding reserved domain names like "example.com".
>
> >  *is assigned IP address 192.168.1.100 which is
> > our one of DNS server. Can we change it to our web server IP
> > address ? Because we want anybody access our domain *xxx.com
> > * with internet browser then it will go to our
> > webpage. Am I correct ? I really appreciate anybody help.
>
> It's not unusual to point an "A" record for "@" at a HTTP server.
> Whatever you are not understanding here, I can't tell.
>
> > @  IN SOA ns1.xxx.com. root.ns1.xxx.com (
> >   2014090801 ; serial
> >   2h  ; refresh
> >   10m; retry
> >   1w ; expiry
> >   1h )
> >
> > IN NS ns1.xxx.com.
> > IN A  192.168.1.100
>
> This zone file would fail named-checkzone(8) testing if loaded as
> "xxx.com", because there is no "A" record for the NS name,
> "ns1.xxx.com."  This zone would fail to load.
>
> If any of your NS names are inside the zone, you must have either or
> both A and  records for those NS names.  Here is the same zone
> without the XXX and with all relative names:
>
> > @  IN SOA ns1 root.ns1 (
> >   2014090801 ; serial
> >   2h  ; refresh
> >   10m; retry
> >   1w ; expiry
> >   1h )
> >
> > IN NS ns1
> > IN A  192.168.1.100
> > ns1 IN A  192.168.1.100
> --
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: A record of domain name must be name server ?

2014-09-09 Thread Pete Fong
Hi Kevin,

Thanks for your help. Do not worry. The IP address 192.168.1.100 is just
for example.

Best Regards,
Pete Fong


2014-09-09 3:30 GMT+08:00 Kevin Darcy :

>  Based on the zone contents below, you shouldn't have any problem
> changing the 192.168.1.100 address to anything you want.
>
> But, of course, the zone is illegal because it only has 1 NS record
> published at the apex (there is a strict minimum of at least 2), and, as it
> stands now, if it is an Internet-facing zone, it's also illegal due to the
> presence of a private (192.168.*.*) address in the zone. You said that
> 192.168.1.100 is "our one of DNS server", but hopefully you don't mean that
> it's a nameserver for *this* zone, or that the zone is not Internet-facing,
> or the 192.168.1.100 address is presented in a NAT (network address
> translated) form to the Internet, since, again, you can't use private
> addresses on the Internet. By definition.
>
>
>
> - Kevin
> On 9/8/2014 3:43 AM, Pete Fong wrote:
>
>  Hi Everybody,
>
>  The below item is our DNS (BIND) server configuration. our Domain*
> xxx.com  *is assigned IP address 192.168.1.100 which is
> our one of DNS server. Can we change it to our web server IP address ?
> Because we want anybody access our domain *xxx.com * with
> internet browser then it will go to our webpage. Am I correct ? I really
> appreciate anybody help.
>
> @  IN SOA ns1.xxx.com. root.ns1.xxx.com (
>   2014090801 ; serial
>   2h  ; refresh
>   10m; retry
>   1w ; expiry
>   1h )
>
> IN NS ns1.xxx.com.
> IN A  192.168.1.100
>
>  Thank and Best Regards,
>  Pete Fong
>
>

Re: A record of domain name must be name server ?

2014-09-08 Thread Kevin Darcy
Based on the zone contents below, you shouldn't have any problem 
changing the 192.168.1.100 address to anything you want.


But, of course, the zone is illegal because it only has 1 NS record 
published at the apex (there is a strict minimum of at least 2), and, as 
it stands now, if it is an Internet-facing zone, it's also illegal due 
to the presence of a private (192.168.*.*) address in the zone. You said 
that 192.168.1.100 is "our one of DNS server", but hopefully you don't 
mean that it's a nameserver for *this* zone, or that the zone is not 
Internet-facing, or the 192.168.1.100 address is presented in a NAT 
(network address translated) form to the Internet, since, again, you 
can't use private addresses on the Internet. By definition.


- Kevin
On 9/8/2014 3:43 AM, Pete Fong wrote:

> Hi Everybody,
>
> The below item is our DNS (BIND) server configuration. our
> Domain *xxx.com* is assigned IP address 192.168.1.100
> which is our one of DNS server. Can we change it to our web server IP
> address ? Because we want anybody access our domain *xxx.com*
> with internet browser then it will go to our
> webpage. Am I correct ? I really appreciate anybody help.
>
> @  IN SOA ns1.xxx.com. root.ns1.xxx.com (
>   2014090801 ; serial
>   2h  ; refresh
>   10m; retry
>   1w ; expiry
>   1h )
>
> IN NS ns1.xxx.com.
> IN A  192.168.1.100
>
> Thank and Best Regards,
> Pete Fong



Re: A record of domain name must be name server ?

2014-09-08 Thread /dev/rob0
On Mon, Sep 08, 2014 at 03:43:22PM +0800, Pete Fong wrote:
> The below item is our DNS (BIND) server configuration. our Domain* 
> xxx.com

I think that is a porn site.  If you mean to use that name as an 
example, please use "example.com" instead.  Putting HTTP links to 
pornography in your emails is a sure way to fall afoul of various 
content filtering solutions which are in common use.

See RFC 2606 regarding reserved domain names like "example.com".

>  *is assigned IP address 192.168.1.100 which is
> our one of DNS server. Can we change it to our web server IP 
> address ? Because we want anybody access our domain *xxx.com 
> * with internet browser then it will go to our 
> webpage. Am I correct ? I really appreciate anybody help.

It's not unusual to point an "A" record for "@" at a HTTP server. 
Whatever you are not understanding here, I can't tell.

> @  IN SOA ns1.xxx.com. root.ns1.xxx.com (
>   2014090801 ; serial
>   2h  ; refresh
>   10m; retry
>   1w ; expiry
>   1h )
> 
>    IN NS ns1.xxx.com.
>    IN A  192.168.1.100

This zone file would fail named-checkzone(8) testing if loaded as 
"xxx.com", because there is no "A" record for the NS name, 
"ns1.xxx.com."  This zone would fail to load.

If any of your NS names are inside the zone, you must have either or 
both A and AAAA records for those NS names.  Here is the same zone 
without the XXX and with all relative names:

> @  IN SOA ns1 root.ns1 (
>   2014090801 ; serial
>   2h  ; refresh
>   10m; retry
>   1w ; expiry
>   1h )
> 
> IN NS ns1
> IN A  192.168.1.100
> ns1 IN A  192.168.1.100
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
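
The check described in the message above (every NS name that lies inside the zone needs an A or AAAA record), as an added example that is not part of the thread and is not BIND's own code. The function names, the simplified zone parser and the example.com sample data are assumptions made for illustration.

```python
import re

def absolute(name, origin):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Yield (owner, rrtype, rdata_tokens). Simplified parser (assumption):
    no $ORIGIN/$TTL/$INCLUDE directives and no quoted strings."""
    text = re.sub(r";[^\n]*", "", text)                      # strip comments
    text = re.sub(r"\(([^)]*)\)",                            # join ( ... ) groups
                  lambda m: m.group(1).replace("\n", " "), text)
    owner = origin
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if not line[0].isspace():        # owner present only at column 0
            owner = absolute(tokens.pop(0), origin)
        while tokens and (tokens[0].upper() == "IN" or tokens[0][0].isdigit()):
            tokens.pop(0)                # skip optional TTL and class
        if tokens:
            yield owner, tokens[0].upper(), tokens[1:]

def missing_ns_addresses(text, origin):
    """Return in-zone NS targets that have neither an A nor an AAAA record."""
    origin = origin.lower().rstrip(".") + "."
    records = list(parse_zone(text, origin))
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    targets = {absolute(r[0], origin) for _, t, r in records if t == "NS" and r}
    in_zone = {n for n in targets if n == origin or n.endswith("." + origin)}
    return sorted(in_zone - have_addr)

# Constructed samples (example.com substituted); apex records are indented to inherit owner "@".
BROKEN = """\
@  IN SOA ns1.example.com. root.ns1.example.com. (
      2014090801 ; serial
      2h 10m 1w 1h )
   IN NS ns1.example.com.
   IN A  192.168.1.100
"""
FIXED = BROKEN + "ns1 IN A  192.168.1.100\n"

if __name__ == "__main__":
    print("broken:", missing_ns_addresses(BROKEN, "example.com"))
    print("fixed: ", missing_ns_addresses(FIXED, "example.com"))
```

NS targets outside the zone are not reported, because their addresses belong to another zone.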


Re: A record of domain name must be name server ?

2014-09-08 Thread Barry Margolin
In article ,
 Pete Fong  wrote:

> Hi Matus UHLAR - fantomas,
> 
> Sorry, I do not understand the meaning of "It could only issue a problem if
> you pointed "example.com. NS example.com."
> or similar MX etc records."  Do you mind to explain more details ? Thank
> you very much.

NS records tell everyone where the DNS servers for the domain are. So 
xxx.com only has to be assigned the IP of the DNS server if you have an 
NS record that says that xxx.com is the DNS server for xxx.com.

-- 
Barry Margolin
Arlington, MA


Re: A record of domain name must be name server ?

2014-09-08 Thread Pete Fong
Hi Matus UHLAR - fantomas,

Sorry, I do not understand the meaning of "It could only issue a problem if
you pointed "example.com. NS example.com."
or similar MX etc records."  Do you mind to explain more details ? Thank
you very much.

Best Regards,
Pete Fong



2014-09-08 16:06 GMT+08:00 Matus UHLAR - fantomas :

> On 08.09.14 15:43, Pete Fong wrote:
>
>> Subject: A record of domain name must be name server ?
>>
>
> no.
>
>> The below item is our DNS (BIND) server configuration. our Domain
>> *xxx.com* <http://xxx.com> is assigned IP address 192.168.1.100 which is
>> our one of DNS server. Can we change it to our web server IP address ?
>>
>
> yes.
>
> ... it's completely irrelevant where does example.com A record point to.
>
> It could only issue a problem if you pointed "example.com. NS example.com."
> or similar MX etc records.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> I intend to live forever - so far so good.

Re: A record of domain name must be name server ?

2014-09-08 Thread Matus UHLAR - fantomas

On 08.09.14 15:43, Pete Fong wrote:
> Subject: A record of domain name must be name server ?

no.

> The below item is our DNS (BIND) server configuration. our Domain *xxx.com*
> <http://xxx.com> is assigned IP address 192.168.1.100 which is our one of
> DNS server. Can we change it to our web server IP address ?

yes.

... it's completely irrelevant where does example.com A record point to.

It could only issue a problem if you pointed "example.com. NS example.com."
or similar MX etc records.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good. 


A record of domain name must be name server ?

2014-09-08 Thread Pete Fong
Hi Everybody,

The below item is our DNS (BIND) server configuration. our Domain *xxx.com*
is assigned IP address 192.168.1.100 which is our one of
DNS server. Can we change it to our web server IP address ? Because we want
anybody access our domain *xxx.com* with internet browser
then it will go to our webpage. Am I correct ? I really appreciate anybody
help.

@  IN SOA ns1.xxx.com. root.ns1.xxx.com (
  2014090801 ; serial
  2h  ; refresh
  10m; retry
  1w ; expiry
  1h )

IN NS ns1.xxx.com.
IN A  192.168.1.100

Thank and Best Regards,
Pete Fong