Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
On Wed, 2017-07-12 at 16:21 -0500, b...@zq3q.org wrote:
> OK, I'm ready to consider other registrars, any suggestions
> would be appreciated.

I like gkg.net - they have an API so you can automatically upload new DS records when you do DNSSEC key rollovers.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
On 07/12/2017 03:21 PM, b...@zq3q.org wrote:
> OK, I'm ready to consider other registrars, any suggestions
> would be appreciated.

$Dynadot++ has been good to me. I can pay them via PayPal and they support DS records for DNSSEC if you eventually want to mess with that.
 - I think they were reasonably priced too.

I dislike the following and voted by spending my money elsewhere.

$GoDaddy-- They try to up sell you every chance they get and IMHO their web UI tries to make every possible chance to up sell possible.

$Hover-- Formerly "It's Your Domain" (who was decent) changed to Hover and seemed to be a registrar as a side need of a different service they were selling. They really put me off.

--
Grant. . . .
unix || die
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
Hi Reindl:

On Tue 7/11/17 18:05 +0200 Reindl Harald wrote:
>
> On 11.07.2017 at 15:57, b...@zq3q.org wrote:
> > Assume I register domain 'mynew.org' with registrar namecheap; and as an exercise,
> > I plan to setup my own two authoritative DNS nameservers for 'mynew.org'.
> >
> > I have several linux VMs, that are under used, so I want to use them
> > for the nameservers for 'mynew.org'. **Neither are in 'mynew.org';
> > is that going to work?**
> >
> > namecheap support seems to suggest that the personal DNS authoritative nameservers
> > for 'mynew.org', must be in 'mynew.org', as in
> >
> > ns1.mynew.org
> > ns2.mynew.org
>
> for sure not
> and i am responsible for both zones and some hundred others
> on that nameservers over 15 years

Thanks for confirming.

> https://intodns.com/rhsoft.net confirms that all is fine

Thanks for this tool!

> and when your
> registrar really has such crazy requirements switch to a sane one -
> frankly it's even not helpful in case you need to switch nameservers
> because in the case above they become GLUE records with a TTL of 172800
> independent from the zone TTL

OK, I'm ready to consider other registrars, any suggestions would be appreciated.
https://www.gandi.net/ has been suggested by Matthew Seaman. Looks good to me.

related rant: http://zq3q.org/pz/#zycbu_Choosing_a_DNS_registrar

> i had to switch a server which hosted websites and one of the
> nameservers (i know don't mix it) to a different machine some years ago
> and it was not funny that it took ages until webclients used the new IP
> address while DNS would not have been a problem by just keep the old one
> as additional slave until shut it down
>
> ns1.thelounge.net. ['85.124.176.242'] [TTL=172800]
> ns2.thelounge.net. ['91.118.73.16'] [TTL=172800]
>
> [harry@rh:~]$ whois rhsoft.net
> ...
> Name Server: ns1.thelounge.net
> Name Server: ns2.thelounge.net
> DNSSEC: Unsigned
>
> [harry@rh:~]$ dig NS rhsoft.net @ns1.thelounge.net
> ; <<>> DiG 9.10.5-P2-RedHat-9.10.5-2.P2.fc25 <<>> NS rhsoft.net @ns1.thelounge.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27172
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1024
> ;; QUESTION SECTION:
> ;rhsoft.net.            IN      NS
>
> ;; ANSWER SECTION:
> rhsoft.net.     86400   IN      NS      ns2.thelounge.net.
> rhsoft.net.     86400   IN      NS      ns1.thelounge.net.

--snip

On Tue 7/11/17 21:33 +0200 Reindl Harald wrote:

--snip

> > What is a domain registrar with good support, that can guide me through
> > getting this to work under linux (fedora 24 and bind 9.x)? I can buy a new domain
> > if need be.
>
> no need - you can transfer your domains at any point in time

Thanks. I may as well learn that process.

--snip

>
> in case of .at we are directly registrar and our infrastructure talks
> directly via
> https://en.wikipedia.org/wiki/Extensible_Provisioning_Protocol to

Thx for the above link.

> nic.at, for other TLD's we use https://www.epag.de/ which belongs in the
> meantime to GoDaddy

Thx, I looked at https://www.epag.de/en/

> it should not be that hard to find a service which let you define the
> nameservers of your domain - if it's a registrar at its own or a
> reseller don't matter that much because the only point is whatever
> interface that let you define "these hosts are the nameservers for
> example.com"

--
regards, Tom
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
b...@zq3q.org wrote:

> One of my real hosts is below xen.prgmr.com, like the fake 'zap' above,
> so I would have to email prgmr.com support to get them to add
>
>     mynew.org. IN NS zap.xen.prgmr.com.
>     ^^^ << Is this valid?
>
> to the xen.prgmr.com zone.

There's a bit of confusion here, but this is a legitimately confusing part of the DNS because there are multiple layers of indirection and two kinds of indirection...

The first kind there are the delegation records in the parent zone, and the authoritative records at the apex of the child zone.

The other kind, zones have name servers, and name servers have addresses.

For example, my zone is dotat.at. It has the name servers

    dotat.at.  3600  IN  NS  ns1.gratisdns.dk.
    dotat.at.  3600  IN  NS  ns3.gratisdns.dk.
    dotat.at.  3600  IN  NS  grey.dotat.at.
    dotat.at.  3600  IN  NS  puck.nether.net.

For a correct delegation, these NS records have to appear in the parent zone (which I configure through my registrar) and at the apex of my zone (on my master server, alongside the SOA etc.).

The second level of indirection is from name server names to addresses. These are just normal hostname address records, so they appear in the authoritative zones indicated by their names.

(You seemed to be confused about where NS records live. I hope this clarified it for you!)

(To make GratisDNS and Puck authoritative for my zone, I used their user interfaces to ask them to act as secondaries, telling them what my master server IP addresses are. No changes to their DNS records, just their server configuration which isn't visible from the outside.)

But, there's also glue. Glue is a special case for name server hostnames which are in the child zone - in my example this applies to grey.dotat.at. These hostnames need address records in the delegation to avoid a circular dependency.

    $ dig +noall +additional grey.dotat.at @d.ns.at
    grey.dotat.at.  10800  IN  A     131.111.57.57
    grey.dotat.at.  10800  IN  AAAA  2001:630:212:110::d:7a7

You configure your glue records through your registrar alongside your delegation NS records. Usually you get to specify a list of nameserver names, each with optional addresses - you only need to specify the addresses when the hostname is in the child zone.

Basically what you are doing with this registrar user interface is providing a COPY of data from the delegated zone: the apex NS records, and any addresses of nameservers whose hostnames are inside the delegated zone.

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Fisher: Northwesterly 5 to 7, occasionally gale 8 in east. Moderate or rough. Showers. Good.
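
Added example, not part of Tony's message or of the thread: a small offline check in Python of the rules described above (the NS list given to the registrar must match the NS set at the zone apex, and glue is needed only for nameserver names inside the delegated zone). The function names and finding labels are hypothetical; the dotat.at and mynew.org names are taken from the thread and the 192.0.2.10 address is constructed.

```python
# Added example (not from the thread): offline consistency check of a
# delegation. Function names and finding labels are hypothetical.

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def in_zone(host, zone):
    """True when host is the zone apex or a name below it (label-wise)."""
    host, zone = norm(host), norm(zone)
    return host == zone or host.endswith("." + zone)


def check_delegation(zone, parent_ns, apex_ns, glue):
    """Compare what the registrar publishes with what the zone itself says.

    parent_ns: NS names entered at the registrar (delegation in the parent)
    apex_ns:   NS names at the apex of the zone on the master server
    glue:      {nameserver name: [addresses]} entered at the registrar
    Returns a sorted list of (finding, name) tuples; empty means consistent.
    """
    parent = {norm(n) for n in parent_ns}
    apex = {norm(n) for n in apex_ns}
    glue = {norm(n): list(a) for n, a in glue.items()}
    findings = []
    # The parent's NS set is a copy of the apex NS set; they must match.
    findings += [("ns-only-in-parent", n) for n in parent - apex]
    findings += [("ns-only-at-apex", n) for n in apex - parent]
    for n in parent:
        # Glue is required only when the nameserver name is inside the
        # delegated zone; otherwise resolving it would need the zone itself.
        if in_zone(n, zone) and not glue.get(n):
            findings.append(("missing-glue", n))
    for n in glue:
        if n not in parent:
            findings.append(("glue-for-unlisted-ns", n))
        elif not in_zone(n, zone):
            # Out-of-zone names get their addresses from their own zone.
            findings.append(("glue-not-needed", n))
    return sorted(findings)


# Delegation from the message above (names and glue addresses as quoted).
DOTAT_NS = ["ns1.gratisdns.dk.", "ns3.gratisdns.dk.",
            "grey.dotat.at.", "puck.nether.net."]
DOTAT_GLUE = {"grey.dotat.at.": ["131.111.57.57", "2001:630:212:110::d:7a7"]}

# The thread's fictitious hosts: both outside mynew.org, so no glue.
SPARE_NS = ["pup.asdf.org.", "zap.xen.prgmr.com."]

# Vanity names inside the zone; constructed case with glue for only one.
VANITY_NS = ["ns1.mynew.org.", "ns2.mynew.org."]
VANITY_GLUE = {"ns1.mynew.org.": ["192.0.2.10"]}  # constructed address

if __name__ == "__main__":
    print(check_delegation("dotat.at.", DOTAT_NS, DOTAT_NS, DOTAT_GLUE))
    print(check_delegation("mynew.org.", SPARE_NS, SPARE_NS, {}))
    print(check_delegation("mynew.org.", VANITY_NS, VANITY_NS, VANITY_GLUE))
```
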
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
On 11 Jul 2017, at 22:01, b...@zq3q.org wrote:

> As I wrote to Niall (msg dated 11 Jul 2017 15:04:32 -0500) ,

That hasn't reached me yet.

> I **do not** have a NS record for each of my two nameservers,
> in the domain zone that the respective nameserver itself is in.
> That is a mistake, I need to fix, right?

Short answer: just no.

Long answer: not unless either of your servers is providing name service for the zone that the nameserver itself is in. As I understand from your original message, this is not the case, so just no.

I hope this helps.

With best regards,
Niall O'Reilly
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
Hi Matthew:

On Tue 7/11/17 15:24 +0100 Matthew Seaman wrote:
> On 2017/07/11 14:57, b...@zq3q.org wrote:
>
> > I have several linux VMs, that are under used, so I want to use them
> > for the nameservers for 'mynew.org'. **Neither are in 'mynew.org';
> > is that going to work?**
>
> Yes, that will work. There is no requirement for any of the NSes for
> a zone to be part of that zone or, conversely, not part of that zone.

This seems imp:

> Although if any of the NSes are in the zone, there should be glue
> records added at the level above.

As I wrote to Niall (msg dated 11 Jul 2017 15:04:32 -0500) , I **do not** have a NS record for each of my two nameservers, in the domain zone that the respective nameserver itself is in. That is a mistake, I need to fix, right?

> > namecheap support seems to suggest that the personal DNS authoritative
> > nameservers for 'mynew.org', must be in 'mynew.org', as in
> >
> > ns1.mynew.org ns2.mynew.org
>
> This is not a requirement from the DNS side. It's normal for
> providers to offer this -- vanity name servers are usually a selling
> point.

OK. Thanks for that term "vanity name servers".

> Even so, if you can make ns1.mynew.org and ns2.mynew.org resolve to
> the A or AAAA addresses of your VMs, you should be good to go. named
> is going to work the same irrespective of whatever it thinks the
> hostname of your VM is, and that can be different to the name users
> look up in the DNS.
>
> Failing that, there are any number of other providers that will let
> you register a domain, and the vast majority of those certainly will
> let you specify your own nameservers.

If you have a specific registrar in mind with good support pls let me know.

--
thanks/regards, Tom
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
Hi Niall:

On Tue 7/11/17 15:24 +0100 "Niall O'Reilly" wrote:
> On 11 Jul 2017, at 14:57, b...@zq3q.org wrote:
>
> > Assume I register domain 'mynew.org' with registrar namecheap; and as an exercise,
> > I plan to setup my own two authoritative DNS nameservers for 'mynew.org'.
> >
> > I have several linux VMs, that are under used, so I want to use them
> > for the nameservers for 'mynew.org'. **Neither are in 'mynew.org';
> > is that going to work?**
>
> Unless you misconfigure things, it should just work.

**I think I have one thing wrong, pls confirm:**

Assume my 'spare nameservers' are these fictitious ones:

    pup.asdf.org
    zap.xen.prgmr.com

I did **not** register:

    pup as a nameserver for mynew.org in asdf.org
    zap as a nameserver for mynew.org in xen.prgmr.com

One of my real hosts *is below xen.prgmr.com*, like the fake 'zap' above, so I would have to email prgmr.com support to get them to add

    mynew.org. IN NS zap.xen.prgmr.com.
    ^^^ << Is this valid?

to the xen.prgmr.com zone. Is this correct?

--

I tried to get terminology roughly right. In my fictitious example, I had to pick a registrar (not namecheap) to help me create the 'asdf.org'. Then to get a NS record for pup.asdf.org to be authoritative for "mynew.org." in the zone for 'asdf.org', I have to deal with the registrar's web GUI, and "register" pup.asdf.org as this NS. Of course there is also a SOA, and NS record in the "mynew.org." zone.

Sorry if I'm getting pedantic, but I would appreciate anyone correcting me so I understand.

> > namecheap support seems to suggest that the personal DNS authoritative nameservers
> > for 'mynew.org', must be in 'mynew.org', as in
> >
> > ns1.mynew.org
> > ns2.mynew.org
>
> Nonsense.

Thanks. In fairness, different support email lead me in conflicting directions. They do have a 'custom DNS servers' option, that seems to support name servers that are "non vanity" / "outside-the-domain-they-are-authoritative-for" nameservers. That option silently failed for me (see "I think I have one thing wrong" above). It's frustrating that my registrar does not share any error logs that could pin point the problem.

> OTOH, if your registrar is obdurate, you may need to find
> a creative work-around.
>
> > This is not what I want, since I do not want to spin up 2 new servers.
>
> You can work around the obduracy without spinning up any new server.
> Simply use the addresses of each of your existing servers in the AAAA
> (you are using IPv6, I hope?) and A records for the new names.

I prefer not to use a work around. I'm willing to go with another registrar, if someone could suggest one.

--

In any case, see if I understand you: So, at the registrar level for mynew.org, I specify the vanity name servers ns1.mynew.org, and ns2.mynew.org with the IP addresses of pup and zap. I also add (sorry IP4) 'A' records for ns1.mynew.org, and ns2.mynew.org in the mynew.org zone for nameservers pup and zap.

> Of course, this can only work if your servers have public, reachable
> addresses.

They are public.

--snip

THANKS Niall for the help and good words!

--
regards, Tom
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
On 11.07.2017 at 20:56, b...@zq3q.org wrote:
> On Tue 7/11/17 15:23 +0100 Tony Finch wrote:
> > b...@zq3q.org wrote:
> >
> > > I have several linux VMs, that are under used, so I want to use them
> > > for the nameservers for 'mynew.org'. Neither are in 'mynew.org';
> > > is that going to work?
> >
> > Yes, that is perfectly normal. For example,
> >
> > $ dig +noall +answer ns dotat.at
> > dotat.at.  3559   IN  NS  ns1.gratisdns.dk.
> > dotat.at.  3559   IN  NS  ns3.gratisdns.dk.
> > dotat.at.  3559   IN  NS  grey.dotat.at.
> > dotat.at.  3559   IN  NS  puck.nether.net.
> >
> > $ dig +noall +answer ns ac.uk
> > ac.uk.     20993  IN  NS  ns0.ja.net.
> > ac.uk.     20993  IN  NS  ns1.surfnet.nl.
> > ac.uk.     20993  IN  NS  ns2.ja.net.
> > ac.uk.     20993  IN  NS  ns3.ja.net.
> > ac.uk.     20993  IN  NS  ns4.ja.net.
> > ac.uk.     20993  IN  NS  auth03.ns.uu.net.
> > ac.uk.     20993  IN  NS  ws-fra1.win-ip.dfn.de.
>
> Thanks for the good examples Tony. Nice to learn your "+noall +answer" dig syntax also.
>
> --
>
> What is a domain registrar with good support, that can guide me through
> getting this to work under linux (fedora 24 and bind 9.x)? I can buy a new domain
> if need be.

no need - you can transfer your domains at any point in time

> My current registrar may respond with a different person, for each mail for
> a given single issue, and I'm getting inconsistent answers. They will not tell
> me any of their log error info; not sure if they even look? They ignore several
> of my questions. In fairness they are sincere and trying

in case of .at we are directly registrar and our infrastructure talks directly via https://en.wikipedia.org/wiki/Extensible_Provisioning_Protocol to nic.at, for other TLD's we use https://www.epag.de/ which belongs in the meantime to GoDaddy

it should not be that hard to find a service which let you define the nameservers of your domain - if it's a registrar at its own or a reseller don't matter that much because the only point is whatever interface that let you define "these hosts are the nameservers for example.com"
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
On Tue 7/11/17 15:23 +0100 Tony Finch wrote:
> b...@zq3q.org wrote:
>
> > I have several linux VMs, that are under used, so I want to use them
> > for the nameservers for 'mynew.org'. Neither are in 'mynew.org';
> > is that going to work?
>
> Yes, that is perfectly normal. For example,
>
> $ dig +noall +answer ns dotat.at
> dotat.at.  3559   IN  NS  ns1.gratisdns.dk.
> dotat.at.  3559   IN  NS  ns3.gratisdns.dk.
> dotat.at.  3559   IN  NS  grey.dotat.at.
> dotat.at.  3559   IN  NS  puck.nether.net.
>
> $ dig +noall +answer ns ac.uk
> ac.uk.     20993  IN  NS  ns0.ja.net.
> ac.uk.     20993  IN  NS  ns1.surfnet.nl.
> ac.uk.     20993  IN  NS  ns2.ja.net.
> ac.uk.     20993  IN  NS  ns3.ja.net.
> ac.uk.     20993  IN  NS  ns4.ja.net.
> ac.uk.     20993  IN  NS  auth03.ns.uu.net.
> ac.uk.     20993  IN  NS  ws-fra1.win-ip.dfn.de.

Thanks for the good examples Tony. Nice to learn your "+noall +answer" dig syntax also.

--

What is a domain registrar with good support, that can guide me through getting this to work under linux (fedora 24 and bind 9.x)? I can buy a new domain if need be.

My current registrar may respond with a different person, for each mail for a given single issue, and I'm getting inconsistent answers. They will not tell me any of their log error info; not sure if they even look? They ignore several of my questions. In fairness they are sincere and trying.

--
thanks, Tom
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
On 11.07.2017 at 15:57, b...@zq3q.org wrote:
> Assume I register domain 'mynew.org' with registrar namecheap; and as an exercise,
> I plan to setup my own two authoritative DNS nameservers for 'mynew.org'.
>
> I have several linux VMs, that are under used, so I want to use them
> for the nameservers for 'mynew.org'. **Neither are in 'mynew.org';
> is that going to work?**
>
> namecheap support seems to suggest that the personal DNS authoritative nameservers
> for 'mynew.org', must be in 'mynew.org', as in
>
> ns1.mynew.org
> ns2.mynew.org

for sure not
and i am responsible for both zones and some hundred others on that nameservers over 15 years

https://intodns.com/rhsoft.net confirms that all is fine

and when your registrar really has such crazy requirements switch to a sane one - frankly it's even not helpful in case you need to switch nameservers because in the case above they become GLUE records with a TTL of 172800 independent from the zone TTL

i had to switch a server which hosted websites and one of the nameservers (i know don't mix it) to a different machine some years ago and it was not funny that it took ages until webclients used the new IP address while DNS would not have been a problem by just keep the old one as additional slave until shut it down

ns1.thelounge.net. ['85.124.176.242'] [TTL=172800]
ns2.thelounge.net. ['91.118.73.16'] [TTL=172800]

[harry@rh:~]$ whois rhsoft.net
...
Name Server: ns1.thelounge.net
Name Server: ns2.thelounge.net
DNSSEC: Unsigned

[harry@rh:~]$ dig NS rhsoft.net @ns1.thelounge.net
; <<>> DiG 9.10.5-P2-RedHat-9.10.5-2.P2.fc25 <<>> NS rhsoft.net @ns1.thelounge.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27172
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;rhsoft.net.            IN      NS

;; ANSWER SECTION:
rhsoft.net.     86400   IN      NS      ns2.thelounge.net.
rhsoft.net.     86400   IN      NS      ns1.thelounge.net.
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
On 11 Jul 2017, at 14:57, b...@zq3q.org wrote:

> Assume I register domain 'mynew.org' with registrar namecheap; and as an exercise,
> I plan to setup my own two authoritative DNS nameservers for 'mynew.org'.
>
> I have several linux VMs, that are under used, so I want to use them
> for the nameservers for 'mynew.org'. **Neither are in 'mynew.org';
> is that going to work?**

Unless you misconfigure things, it should just work.

> namecheap support seems to suggest that the personal DNS authoritative nameservers
> for 'mynew.org', must be in 'mynew.org', as in
>
> ns1.mynew.org
> ns2.mynew.org

Nonsense.

OTOH, if your registrar is obdurate, you may need to find a creative work-around.

> This is not what I want, since I do not want to spin up 2 new servers.

You can work around the obduracy without spinning up any new server. Simply use the addresses of each of your existing servers in the AAAA (you are using IPv6, I hope?) and A records for the new names.

Of course, this can only work if your servers have public, reachable addresses.

> **Pls confirm, that I do not need to do this, and that I could use 2 existing
> linux hosts outside of mynew.org as personal DNS authoritative nameservers.**
>
> Any additional related tips appreciated.

See above.

With best regards,
Niall O'Reilly
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
On 2017/07/11 14:57, b...@zq3q.org wrote:

> I have several linux VMs, that are under used, so I want to use them
> for the nameservers for 'mynew.org'. **Neither are in 'mynew.org';
> is that going to work?**

Yes, that will work. There is no requirement for any of the NSes for a zone to be part of that zone or, conversely, not part of that zone. Although if any of the NSes are in the zone, there should be glue records added at the level above.

> namecheap support seems to suggest that the personal DNS authoritative nameservers
> for 'mynew.org', must be in 'mynew.org', as in
>
> ns1.mynew.org
> ns2.mynew.org
>

This is not a requirement from the DNS side. It's normal for providers to offer this -- vanity name servers are usually a selling point.

Even so, if you can make ns1.mynew.org and ns2.mynew.org resolve to the A or AAAA addresses of your VMs, you should be good to go. named is going to work the same irrespective of whatever it thinks the hostname of your VM is, and that can be different to the name users look up in the DNS.

Failing that, there are any number of other providers that will let you register a domain, and the vast majority of those certainly will let you specify your own nameservers.

Cheers,

Matthew
Re: "spare hosts" as personal DNS nameservers for 'mynew.org'
b...@zq3q.org wrote:

> I have several linux VMs, that are under used, so I want to use them
> for the nameservers for 'mynew.org'. Neither are in 'mynew.org';
> is that going to work?

Yes, that is perfectly normal. For example,

    $ dig +noall +answer ns dotat.at
    dotat.at.  3559   IN  NS  ns1.gratisdns.dk.
    dotat.at.  3559   IN  NS  ns3.gratisdns.dk.
    dotat.at.  3559   IN  NS  grey.dotat.at.
    dotat.at.  3559   IN  NS  puck.nether.net.

    $ dig +noall +answer ns ac.uk
    ac.uk.     20993  IN  NS  ns0.ja.net.
    ac.uk.     20993  IN  NS  ns1.surfnet.nl.
    ac.uk.     20993  IN  NS  ns2.ja.net.
    ac.uk.     20993  IN  NS  ns3.ja.net.
    ac.uk.     20993  IN  NS  ns4.ja.net.
    ac.uk.     20993  IN  NS  auth03.ns.uu.net.
    ac.uk.     20993  IN  NS  ws-fra1.win-ip.dfn.de.

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Shannon, Rockall, Malin, Hebrides: Cyclonic at first in Shannon, otherwise north or northeast, 4 or 5, becoming variable 3 or 4. Slight or moderate. Showers at first. Good.