Re: BIND question

2018-04-12 Thread Matus UHLAR - fantomas

On 12.04.18 08:29, Mark Andrews wrote:

The domain system provides such a feature using the canonical name
(CNAME) RR.  A CNAME RR identifies its owner name as an alias, and
specifies the corresponding canonical name in the RDATA section of the
RR.  If a CNAME RR is present at a node, no other data should be
present; this ensures that the data for a canonical name and its aliases
cannot be different.  This rule also insures that a cached CNAME can be
used without checking with an authoritative server for other RR types.

Now go complain to the WC3 for not adding support for SRV to the protocol


you apparently mean W3C :-)


or for defining a RR which points to a HTTP(S) server like MX points to
a server for SMTP.


it was apparently not needed.
but maybe we would need to define an RNAME that could redirect only one
given type of record, e.g.

@ IN RNAME A webhosting.example
  IN RNAME MX mailhosting.example


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory. 
___

Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: BIND question

2018-04-11 Thread Mark Andrews
RFC 1034

The domain system provides such a feature using the canonical name
(CNAME) RR.  A CNAME RR identifies its owner name as an alias, and
specifies the corresponding canonical name in the RDATA section of the
RR.  If a CNAME RR is present at a node, no other data should be
present; this ensures that the data for a canonical name and its aliases
cannot be different.  This rule also insures that a cached CNAME can be
used without checking with an authoritative server for other RR types.

Now go complain to the WC3 for not adding support for SRV to the protocol
or for defining a RR which points to a HTTP(S) server like MX points to
a server for SMTP. 

Mark

> On 12 Apr 2018, at 8:13 am, praveen via bind-users  
> wrote:
> 
> I am seeing the below error when a zone is signed without an A record for 
> the zone. However there is a CNAME record for the same top-level domain 
> (zone), could this be causing the below error and why?
> 
> dnssec-signzone: error: dns_master_load: :33: zonename: CNAME and other data
> dnssec-signzone: fatal: failed loading zone from : CNAME and other data
> 
> On Wednesday, April 11, 2018, 5:56:01 PM EDT, Carl Byington 
>  wrote:
> 
> 
> 
> On Wed, 2018-04-11 at 21:06 +, praveen via bind-users wrote:
> > Is an "A" record mandatory entry for top-level domain (zone) when
> > using DNSSEC, DKIM, SPF and DMARC configuration?
> 
> 
> No. I have zones with all of that, with no A record at the apex, and
> have not seen any interoperability problems.
> 
> 
> 
> 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

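Worked example added here (not code from the thread, from ISC or from BIND): a small checker for the RFC 1034 rule Mark quotes, run over two constructed zones. The first reproduces what praveen describes, a CNAME at the apex next to the SOA, NS, MX and TXT records that every zone apex must carry; the second replaces the CNAME with an A record, which is the only standards-conformant way to give the bare domain an address. The zone-file syntax handled is deliberately simplified (one record per line, optional owner/TTL/class, $ORIGIN and $TTL honoured, no parentheses or $INCLUDE), and example.test, example.net and 192.0.2.x are placeholders. RRSIG and NSEC are exempted because RFC 4035 requires them at a signed CNAME owner.

```python
"""Detect "CNAME and other data" before dnssec-signzone or named-checkzone do.

Added example, not code from the thread or from BIND. Implements the RFC 1034
rule quoted above (a CNAME owner name carries no other RRset) over a
simplified zone-file syntax; see the assumptions in the lead-in.
"""
import re
from collections import defaultdict

_DIRECTIVE = re.compile(r"^\$(ORIGIN|TTL)\s+(\S+)")
_CLASSES = {"IN", "CH", "HS"}
# DNSSEC RRsets that legitimately sit next to a CNAME in a signed zone (RFC 4035).
_ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}


def _strip_comment(line):
    """Remove a ';' comment, but not a ';' inside a quoted TXT string."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line


def _fqdn(name, origin):
    """Absolute, lower-cased owner name relative to the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Map each owner name to the set of RR types present at it."""
    origin = origin.lower().rstrip(".") + "."
    owner = origin
    rrsets = defaultdict(set)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw).rstrip()
        if not line.strip():
            continue
        m = _DIRECTIVE.match(line)
        if m:
            if m.group(1) == "ORIGIN":
                origin = m.group(2).lower()
            continue                            # $TTL does not affect RR types
        fields = line.split()
        if not line[0].isspace():               # a new owner name is given
            owner = _fqdn(fields.pop(0), origin)
        # Skip optional TTL and class; the next token is the RR type.
        while fields and (fields[0].isdigit() or fields[0].upper() in _CLASSES):
            fields.pop(0)
        if not fields:
            raise ValueError(f"line {lineno}: no RR type")
        rrsets[owner].add(fields[0].upper())
    return dict(rrsets)


def cname_conflicts(rrsets):
    """Owner names holding a CNAME together with other, non-DNSSEC data."""
    return sorted(name for name, types in rrsets.items()
                  if "CNAME" in types and types - _ALLOWED_WITH_CNAME)


# Constructed zones (not from the thread). The first carries the apex CNAME
# that dns_master_load rejects; the second replaces it with an A record.
APEX_CNAME_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@       IN SOA   ns1 hostmaster 2018041101 3600 900 1209600 300
        IN NS    ns1
        IN MX    10 mail
        IN TXT   "v=spf1 mx -all"
        IN CNAME webhost.example.net.   ; illegal next to SOA/NS/MX/TXT
_dmarc  IN TXT   "v=DMARC1; p=reject"
ns1     IN A     192.0.2.1
mail    IN A     192.0.2.25
www     IN CNAME @
"""

FIXED_ZONE = APEX_CNAME_ZONE.replace(
    "IN CNAME webhost.example.net.   ; illegal next to SOA/NS/MX/TXT",
    "IN A     192.0.2.80             ; an address at the apex instead")


def check(text, origin="example.test"):
    """Return the conflicting owner names; an empty list means the zone loads."""
    return cname_conflicts(parse_zone(text, origin))


if __name__ == "__main__":
    print("apex CNAME zone:", check(APEX_CNAME_ZONE) or "clean")
    print("fixed zone:     ", check(FIXED_ZONE) or "clean")
```

In practice `named-checkzone example.test zonefile` reports the same "CNAME and other data" on the unsigned file, so it belongs in the pipeline before `dnssec-signzone`. The rule is not a BIND quirk: a CNAME owner with no other data is what lets a resolver cache the alias without asking the authority again, and a zone apex can never qualify because it must hold the SOA and NS set.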


Re: BIND question

2018-04-11 Thread praveen via bind-users
I am seeing the below error when a zone is signed without an A record for the zone. 
However there is a CNAME record for the same top-level domain (zone), could 
this be causing the below error and why?

dnssec-signzone: error: dns_master_load: :33: zonename: CNAME and other data
dnssec-signzone: fatal: failed loading zone from : CNAME and other data

On Wednesday, April 11, 2018, 5:56:01 PM EDT, Carl Byington 
 wrote:  
 

On Wed, 2018-04-11 at 21:06 +, praveen via bind-users wrote:
> Is an "A" record mandatory entry for top-level domain (zone) when
> using DNSSEC, DKIM, SPF and DMARC configuration?

No. I have zones with all of that, with no A record at the apex, and
have not seen any interoperability problems.







Re: BIND question

2018-04-11 Thread Carl Byington
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Wed, 2018-04-11 at 21:06 +, praveen via bind-users wrote:
> Is an "A" record mandatory entry for top-level domain (zone) when
> using DNSSEC, DKIM, SPF and DMARC configuration?

No. I have zones with all of that, with no A record at the apex, and
have not seen any interoperability problems.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAlrOfYMACgkQL6j7milTFsEX3wCdEPzfLvv+AD7ya88VNZg9cfDk
OJEAn3mmxOfAeW/AfJeyND5V2LoYj3dO
=DF0y
-----END PGP SIGNATURE-----





BIND question

2018-04-11 Thread praveen via bind-users
All,
Operating BIND version "BIND 9.9.10-P1 (Extended Support Version)" with DNSSEC 
signing in place. DKIM, SPF and DMARC records are also in place for the top-level 
domain (zone). 
Is an "A" record a mandatory entry for the top-level domain (zone) when using DNSSEC, 
DKIM, SPF and DMARC configuration?
Thanks


Re: A newbies Bind question

2009-02-02 Thread Barry Margolin
In article ,
 "Peter Arends"  wrote:

> In addition to these recommendations, you can use MAC filtering to restrict
> users.
> This is of course if you have an iptables based firewall with MAC module.

MAC filtering isn't much use if the clients are remote.  MAC addresses 
don't leave the local LAN.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


RE: A newbies Bind question

2009-02-01 Thread Peter Arends
In addition to these recommendations, you can use MAC filtering to restrict
users.
This is of course if you have an iptables based firewall with MAC module.

/Peter

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jeff Lightner
Sent: den 1 februari 2009 15:16
To: Matthew Pounsett; Peter Privat
Cc: bind-users@lists.isc.org
Subject: RE: A newbies Bind question

You can allow recursion (and caching) for specific (as opposed to all)
IPs external to your setup but it's generally not a good idea unless
these IPs are static and trusted by you.  If your "friends" are using
ISPs they're almost certainly getting DHCP provided IPs (meaning
random).  You don't want to allow that kind of traffic into your system.


If you still want to use it despite the above you can add the following
to your named.conf's options section:

allow-query { internaldns; externaldns; };
allow-recursion { internaldns; externaldns; };

Then create acls for internaldns and externaldns:

acl "internaldns" {
x.x.x.x; x.x.x.x; 127.0.0.1;
};

acl "externaldns" {
x.x.x.x; x.x.x.x; 
};

Where x.x.x.x are the IPs you want to allow.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matthew Pounsett
Sent: Saturday, January 31, 2009 1:37 PM
To: Peter Privat
Cc: bind-users@lists.isc.org
Subject: Re: A newbies Bind question


On 31-Jan-2009, at 13:24, Peter Privat wrote:

> My question:
> Is it possible for my friends out there somewhere in cyberspace to  
> also use my DNS server by entering its IP in their DNS settings?
>
> So far I haven't managed to make it work. If another computer  
> somewhere out there in the cloud is entering the IP of my private  
> DNS server into their internet settings, they are not able to use  
> that DNS server. It doesn't provide DNS at all. Seems like it is  
> blocked or doesn't allow computers that are not on the same subnet,  
> or something. Is there a configuration that I've missed? How do the  
> ISPs make their DNS servers usable for everyone?

By default, BIND blocks IP addresses that aren't on a local network  
from using it for recursion.  Setting up an open DNS server which  
permits anyone to use it creates an easy vector for your DNS server to  
be used in Denial of Service attacks, so the default is to be  
completely closed.  It is not recommended to open up your DNS server  
to the world.  If your friends have static IP addresses (i.e. the IP  
addresses of their computers aren't ever changed by their ISP) then  
you can allow them in using the 'allow-query' and 'allow-recursion'  
options.

There's HTML documentation for the 'options' grammar at
<https://www.isc.org/software/bind/documentation/arm95#id2576918>
 
Please consider our environment before printing this e-mail or attachments.
--
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential
information and is for the sole use of the intended recipient(s). If you are
not the intended recipient, any disclosure, copying, distribution, or use of
the contents of this information is prohibited and may be unlawful. If you
have received this electronic transmission in error, please reply
immediately to the sender that you have received the message in error, and
delete it. Thank you.
--


RE: A newbies Bind question

2009-02-01 Thread Jeff Lightner
You can allow recursion (and caching) for specific (as opposed to all)
IPs external to your setup but it's generally not a good idea unless
these IPs are static and trusted by you.  If your "friends" are using
ISPs they're almost certainly getting DHCP provided IPs (meaning
random).  You don't want to allow that kind of traffic into your system.


If you still want to use it despite the above you can add the following
to your named.conf's options section:

allow-query { internaldns; externaldns; };
allow-recursion { internaldns; externaldns; };

Then create acls for internaldns and externaldns:

acl "internaldns" {
x.x.x.x; x.x.x.x; 127.0.0.1;
};

acl "externaldns" {
x.x.x.x; x.x.x.x; 
};

Where x.x.x.x are the IPs you want to allow.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matthew Pounsett
Sent: Saturday, January 31, 2009 1:37 PM
To: Peter Privat
Cc: bind-users@lists.isc.org
Subject: Re: A newbies Bind question


On 31-Jan-2009, at 13:24, Peter Privat wrote:

> My question:
> Is it possible for my friends out there somewhere in cyberspace to  
> also use my DNS server by entering its IP in their DNS settings?
>
> So far I haven't managed to make it work. If another computer  
> somewhere out there in the cloud is entering the IP of my private  
> DNS server into their internet settings, they are not able to use  
> that DNS server. It doesn't provide DNS at all. Seems like it is  
> blocked or doesn't allow computers that are not on the same subnet,  
> or something. Is there a configuration that I've missed? How do the  
> ISPs make their DNS servers usable for everyone?

By default, BIND blocks IP addresses that aren't on a local network  
from using it for recursion.  Setting up an open DNS server which  
permits anyone to use it creates an easy vector for your DNS server to  
be used in Denial of Service attacks, so the default is to be  
completely closed.  It is not recommended to open up your DNS server  
to the world.  If your friends have static IP addresses (i.e. the IP  
addresses of their computers aren't ever changed by their ISP) then  
you can allow them in using the 'allow-query' and 'allow-recursion'  
options.

There's HTML documentation for the 'options' grammar at
<https://www.isc.org/software/bind/documentation/arm95#id2576918>
 
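Added example (not code from the thread, from ISC or from BIND): what Matthew's and Jeff's advice looks like from the outside. The script sends a query with the RD bit set for a name the server is not authoritative for and reads the reply header. A client outside allow-recursion gets REFUSED with RA clear from BIND, while an open recursor returns RA set, NOERROR and an answer. Two replies are constructed inline (not captured traffic) so the parser runs offline; probe() does the live round trip and should only be pointed at a server you are allowed to test. example.net, 192.0.2.x and the transaction id are placeholders.

```python
"""Tell an open recursive resolver from a closed one by its response header.

Added example, not code from the thread, ISC or BIND. build_query() emits a
standard query with RD=1; classify_response() reads the QR, RA and RCODE bits
of the reply. The sample replies below are constructed, not captured.
"""
import socket
import struct
import sys

TXID = 0x1234                      # fixed id for the constructed samples
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname, qtype=1, txid=TXID):
    """12-byte header (flags 0x0100 = RD set) + question section, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def classify_response(resp, txid=TXID):
    """Return (verdict, detail) for a reply to a query sent with RD=1.

    open-recursive : RA=1, NOERROR and at least one answer, i.e. the server
                     recursed on our behalf (Matthew's "open DNS server")
    closed         : REFUSED, or RA=0 (BIND clears RA for clients that are
                     outside allow-recursion), i.e. recursion is not offered
    """
    if len(resp) < 12:
        return "invalid", "short response"
    rid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid:
        return "invalid", "transaction id mismatch"
    qr = (flags >> 15) & 1
    ra = (flags >> 7) & 1
    rcode = flags & 0xF
    name = RCODE_NAMES.get(rcode, str(rcode))
    if not qr:
        return "invalid", "QR bit clear: not a response"
    if ra and rcode == 0 and an > 0:
        return "open-recursive", f"RA=1 {name} answers={an}"
    if rcode == 5 or not ra:
        return "closed", f"RA={ra} {name}"
    return "inconclusive", f"RA={ra} {name} answers={an}"


def _reply(flags, addresses, qname="example.net"):
    """Constructed reply: echoes the question, then one A RR per address."""
    question = build_query(qname)[12:]
    header = struct.pack(">HHHHHH", TXID, flags, 1, len(addresses), 0, 0)
    answers = b"".join(
        b"\xc0\x0c"                                   # pointer to the qname
        + struct.pack(">HHIH", 1, 1, 300, 4)           # A, IN, TTL, RDLENGTH
        + socket.inet_aton(ip) for ip in addresses)
    return header + question + answers


# QR|RD|RA, NOERROR, one answer: what an open recursor hands to anyone.
OPEN_RESOLVER_REPLY = _reply(0x8180, ["192.0.2.80"])
# QR|RD, RA clear, REFUSED: BIND's reply to a client not in allow-recursion.
REFUSED_REPLY = _reply(0x8105, [])


def probe(server, qname="example.net", timeout=3.0):
    """Live check over UDP/53 against a server you are permitted to test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify_response(data)


if __name__ == "__main__":
    print("sample open   :", classify_response(OPEN_RESOLVER_REPLY))
    print("sample refused:", classify_response(REFUSED_REPLY))
    if len(sys.argv) > 1:
        print(sys.argv[1], ":", probe(sys.argv[1]))
```

The same check by hand is `dig @server example.net` and reading the `flags:` and `status:` lines. Two caveats on the config in Jeff's message: `allow-query` also governs answers for zones the server is authoritative for, so on a box that serves its own zones to the world the recursion lock-down belongs in `allow-recursion` (and `allow-query-cache`), with `allow-query` left open; and the denial-of-service Matthew refers to is reflection, where queries with forged source addresses turn an open recursor into an amplifier aimed at whoever was spoofed, which is why per-address ACLs rather than "trusted friends" is the only safe boundary.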


Re: A newbies Bind question

2009-01-31 Thread Matthew Pounsett


On 31-Jan-2009, at 13:24, Peter Privat wrote:


My question:
Is it possible for my friends out there somewhere in cyberspace to  
also use my DNS server by entering its IP in their DNS settings?


So far I haven't managed to make it work. If another computer  
somewhere out there in the cloud is entering the IP of my private  
DNS server into their internet settings, they are not able to use  
that DNS server. It doesn't provide DNS at all. Seems like it is  
blocked or doesn't allow computers that are not on the same subnet,  
or something. Is there a configuration that I've missed? How do the  
ISPs make their DNS servers usable for everyone?


By default, BIND blocks IP addresses that aren't on a local network  
from using it for recursion.  Setting up an open DNS server which  
permits anyone to use it creates an easy vector for your DNS server to  
be used in Denial of Service attacks, so the default is to be  
completely closed.  It is not recommended to open up your DNS server  
to the world.  If your friends have static IP addresses (i.e. the IP  
addresses of their computers aren't ever changed by their ISP) then  
you can allow them in using the 'allow-query' and 'allow-recursion'  
options.


There's HTML documentation for the 'options' grammar at
<https://www.isc.org/software/bind/documentation/arm95#id2576918>


A newbies Bind question

2009-01-31 Thread Peter Privat
Hi,
My first posting here! :)

I have installed the Bind9 DNS server into a Debian (Ubuntu 8.04)
server. I managed to make it work for all the computers that belong to
the same subnet, a real internet IP subnet (not a private IP like 192
etc). It is also not behind a firewall. I have entered the DNS server IP
on all my computers attached to the same subnet. I can now use my
private DNS server instead of the one from my ISP.

My question:
Is it possible for my friends out there somewhere in cyberspace to also
use my DNS server by entering its IP in their DNS settings?

So far I haven't managed to make it work. If another computer somewhere
out there in the cloud is entering the IP of my private DNS server into
their internet settings, they are not able to use that DNS server. It
doesn't provide DNS at all. Seems like it is blocked or doesn't allow
computers that are not on the same subnet, or something. Is there a
configuration that I've missed? How do the ISPs make their DNS servers
usable for everyone?

/Peter