Re: [Pdns-users] CNAME Resoluion
Hello!

icfd3.org and icdf3.org

Looks like these are two different domain names.

Kind regards,
Sinisa "Sonny" Burina

On Mon, Dec 5, 2022, 12:58 Tony Annese via Pdns-users <pdns-users@mailman.powerdns.com> wrote:

> So PDNS is reporting these CNAMEs as errors/being out of zone
>
> root@nspower:~# pdnsutil check-zone icfd3.org
> Dec 05 09:42:24 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
> [Error] Record 'enterpriseenrollment.icdf3.org IN CNAME enterpriseenrollment.manage.microsoft.com' in zone 'icfd3.org' is out-of-zone.
> [Error] Record 'enterpriseregistration.icdf3.org IN CNAME enterpriseregistration.windows.net' in zone 'icfd3.org' is out-of-zone.
> [Error] Record 'lyncdiscover.icdf3.org IN CNAME webdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
> [Error] Record 'selector1._domainkey.icdf3.org IN CNAME selector1-icfd3-org._domainkey.SouthWhidbeyFE.onmicrosoft.com' in zone 'icfd3.org' is out-of-zone.
> [Error] Record 'selector2._domainkey.icdf3.org IN CNAME selector2-icfd3-org._domainkey.SouthWhidbeyFE.onmicrosoft.com' in zone 'icfd3.org' is out-of-zone.
> [Error] Record 'sip.icdf3.org IN CNAME sipdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
> [Error] Record '_sip._tls.icdf3.org IN SRV 100 1 443 sipdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
> [Error] Record '_sipfederationtls._tcp.icdf3.org IN SRV 100 1 5061 sipfed.online.lync.com' in zone 'icfd3.org' is out-of-zone.
> Checked 31 records of 'icfd3.org', 8 errors, 0 warnings.
>
> So how do I tell PDNS to allow out-of-zone CNAME (and SRV) records?

___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
Re: [Pdns-users] CNAME Resoluion
OMG Thank you! I had just cut and paste what the customer provided me!

It works when I correct the typo.

From: Brian Candler
Date: Monday, December 5, 2022 at 10:00 AM
To: Tony Annese, 'pdns-users@mailman.powerdns.com'
Subject: Re: [Pdns-users] CNAME Resoluion

> On 05/12/2022 17:58, Tony Annese via Pdns-users wrote:
>
> > [Error] Record 'enterpriseenrollment.icdf3.org IN CNAME enterpriseenrollment.manage.microsoft.com' in zone 'icfd3.org' is out-of-zone.
>
> Read the error carefully. Hint: icdf3.org != icfd3.org :-)
Re: [Pdns-users] CNAME Resoluion
On 05/12/2022 17:58, Tony Annese via Pdns-users wrote:

> [Error] Record 'enterpriseenrollment.icdf3.org IN CNAME enterpriseenrollment.manage.microsoft.com' in zone 'icfd3.org' is out-of-zone.

Read the error carefully. Hint: icdf3.org != icfd3.org :-)
Re: [Pdns-users] CNAME Resoluion
So PDNS is reporting these CNAMEs as errors/being out of zone

root@nspower:~# pdnsutil check-zone icfd3.org
Dec 05 09:42:24 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
[Error] Record 'enterpriseenrollment.icdf3.org IN CNAME enterpriseenrollment.manage.microsoft.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'enterpriseregistration.icdf3.org IN CNAME enterpriseregistration.windows.net' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'lyncdiscover.icdf3.org IN CNAME webdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'selector1._domainkey.icdf3.org IN CNAME selector1-icfd3-org._domainkey.SouthWhidbeyFE.onmicrosoft.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'selector2._domainkey.icdf3.org IN CNAME selector2-icfd3-org._domainkey.SouthWhidbeyFE.onmicrosoft.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'sip.icdf3.org IN CNAME sipdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record '_sip._tls.icdf3.org IN SRV 100 1 443 sipdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record '_sipfederationtls._tcp.icdf3.org IN SRV 100 1 5061 sipfed.online.lync.com' in zone 'icfd3.org' is out-of-zone.
Checked 31 records of 'icfd3.org', 8 errors, 0 warnings.

So how do I tell PDNS to allow out-of-zone CNAME (and SRV) records?

From: Pdns-users on behalf of Markus Ehrlicher via Pdns-users
Date: Monday, December 5, 2022 at 3:36 AM
To: 'pdns-users@mailman.powerdns.com'
Subject: Re: [Pdns-users] CNAME Resoluion

> Hello,
>
> what does „pdnsutil check-zone icfd3.org“ on the Master say?
>
> best regards,
> Markus
Re: [Pdns-users] CNAME Resoluion
Hello,

what does "pdnsutil check-zone icfd3.org" on the Master say?

best regards,
Markus

From: Pdns-users on behalf of Tony Annese via Pdns-users
Sent: Monday, 5 December 2022 12:20
To: pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] CNAME Resoluion

> Those were wildcard entries for the whole domain icfd3.org.
>
> I've removed those and get the same behavior. It also doesn't explain why barracuda058130353572.icfd3.org does resolve.
>
> PDNS is my master server and ns.whidbey.net/ns.whidbey.com are my slaves. I just added testing.icfd3.org and it was pushed out to the 2 slaves but the CNAME for sip.icfd3.org isn't even being pushed out to the slaves.
Re: [Pdns-users] CNAME Resoluion
Those were wildcard entries for the whole domain icfd3.org.

I’ve removed those and get the same behavior. It also doesn’t explain why barracuda058130353572.icfd3.org does resolve.

PDNS is my master server and ns.whidbey.net/ns.whidbey.com are my slaves. I just added testing.icfd3.org and it was pushed out to the 2 slaves but the CNAME for sip.icfd3.org isn’t even being pushed out to the slaves.

From: Brian Candler
Date: Sunday, December 4, 2022 at 11:20 PM
To: Tony Annese, pdns-users@mailman.powerdns.com
Subject: Re: [Pdns-users] CNAME Resoluion

> On 05/12/2022 05:03, Tony Annese via Pdns-users wrote:
>
> > Here is the unobfuscated data.
>
> Thank you, because that now makes it possible to help you:
>
> $ dig +norec @ns.whidbey.net. sip.icfd3.org. any
> ...
> ;; ANSWER SECTION:
> sip.icfd3.org. 3600 IN TXT "v=spf1 mx include:ess.barracudanetworks.com include:spf.protection.outlook.com ~all"
> sip.icfd3.org. 3600 IN MX 0 d227914a.ess.barracudanetworks.com.
> sip.icfd3.org. 3600 IN MX 10 d227914b.ess.barracudanetworks.com.
>
> You cannot have other resource records alongside a CNAME. That's a requirement of the DNS, not of Powerdns specifically.
>
> You should put A/ records there. Or if you want to avoid the duplication of information, you can look into ALIAS records which do this for you.
Re: [Pdns-users] CNAME Resoluion
On 05/12/2022 05:03, Tony Annese via Pdns-users wrote:

> Here is the unobfuscated data.

Thank you, because that now makes it possible to help you:

$ dig +norec @ns.whidbey.net. sip.icfd3.org. any
...
;; ANSWER SECTION:
sip.icfd3.org. 3600 IN TXT "v=spf1 mx include:ess.barracudanetworks.com include:spf.protection.outlook.com ~all"
sip.icfd3.org. 3600 IN MX 0 d227914a.ess.barracudanetworks.com.
sip.icfd3.org. 3600 IN MX 10 d227914b.ess.barracudanetworks.com.

You cannot have other resource records alongside a CNAME. That's a requirement of the DNS, not of Powerdns specifically.

You should put A/ records there. Or if you want to avoid the duplication of information, you can look into ALIAS records which do this for you.
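Added example (not part of the original thread, and not PowerDNS code): a small Python lint over (name, type, content) rows that flags the two problems diagnosed in this thread, owner names that fall outside the zone (the icdf3.org typo) and a CNAME sharing its owner name with other record types. The function names and the sample rows are constructed for illustration; RRSIG and NSEC are exempted because DNSSEC permits them beside a CNAME.

```python
from collections import defaultdict

# Types DNSSEC permits at the same owner name as a CNAME.
CNAME_COMPANIONS = {"RRSIG", "NSEC"}


def normalize(name):
    """Lower-case a domain name and drop any trailing dot."""
    return name.rstrip(".").lower()


def in_zone(owner, zone):
    """True if owner is the zone apex or a name below it (label-wise)."""
    owner, zone = normalize(owner), normalize(zone)
    return owner == zone or owner.endswith("." + zone)


def lint_zone(zone, records):
    """Return (out_of_zone, cname_conflicts) for (name, type, content) rows."""
    out_of_zone = []
    types_at = defaultdict(list)
    for name, rtype, _content in records:
        if not in_zone(name, zone):
            out_of_zone.append((name, rtype))
        types_at[normalize(name)].append(rtype.upper())

    conflicts = {}
    for owner, types in types_at.items():
        if "CNAME" not in types:
            continue
        others = sorted(set(types) - {"CNAME"} - CNAME_COMPANIONS)
        if others or types.count("CNAME") > 1:
            conflicts[owner] = others or ["CNAME (duplicate)"]
    return out_of_zone, conflicts


# Constructed sample: rows modelled on the records quoted in the thread.
SAMPLE = [
    ("barracuda058130353572.icfd3.org", "CNAME", "encrypt.barracudanetworks.com"),
    ("sip.icfd3.org", "CNAME", "sipdir.online.lync.com"),
    ("sip.icfd3.org", "MX", "0 d227914a.ess.barracudanetworks.com"),
    ("sip.icfd3.org", "TXT", '"v=spf1 mx ~all"'),
    ("lyncdiscover.icdf3.org", "CNAME", "webdir.online.lync.com"),
    ("_sip._tls.icdf3.org", "SRV", "100 1 443 sipdir.online.lync.com"),
]

if __name__ == "__main__":
    stray, clashes = lint_zone("icfd3.org", SAMPLE)
    for name, rtype in stray:
        print(f"out-of-zone: {name} {rtype}")
    for owner, others in clashes.items():
        print(f"CNAME and other data at {owner}: {', '.join(others)}")
```

The zone comparison is done on whole labels, so a name that merely ends in the same characters as the zone is still reported as out-of-zone.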
Re: [Pdns-users] CNAME Resoluion
Here is the unobfuscated data.. sip is just a CNAME to a Microsoft Lync server. The barracuda CNAME already existed and it does resolve.

MariaDB [pdns]> select * from records where domain_id = 194 AND type = 'CNAME';
+--------+-----------+---------------------------------+-------+-------------------------------+------+------+-------------+----------+-----------+------+
| id     | domain_id | name                            | type  | content                       | ttl  | prio | change_date | disabled | ordername | auth |
+--------+-----------+---------------------------------+-------+-------------------------------+------+------+-------------+----------+-----------+------+
| 165361 |       194 | barracuda058130353572.icfd3.org | CNAME | encrypt.barracudanetworks.com | 7200 |    0 |  2021011400 |        0 | NULL      |    1 |
| 185146 |       194 | sip.icfd3.org                   | CNAME | sipdir.online.lync.com        | 3600 |    0 |  2022120202 |        0 | NULL      |    1 |
+--------+-----------+---------------------------------+-------+-------------------------------+------+------+-------------+----------+-----------+------+

root@nspower:~# dig @localhost barracuda058130353572.icfd3.org sip.icfd3.org

; <<>> DiG 9.10.3-P4-Debian <<>> @localhost barracuda058130353572.icfd3.org sip.icfd3.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31335
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;barracuda058130353572.icfd3.org. IN A

;; ANSWER SECTION:
barracuda058130353572.icfd3.org. 7200 IN CNAME encrypt.barracudanetworks.com.

;; Query time: 5 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Dec 02 16:28:56 PST 2022
;; MSG SIZE rcvd: 103

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4463
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;sip.icfd3.org. IN A

;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Dec 02 16:28:56 PST 2022
;; MSG SIZE rcvd: 42

root@nspower:~#

Message: 1
Date: Sat, 3 Dec 2022 14:01:53 +0100
From: Jan-Piet Mens
To: "pdns-users@mailman.powerdns.com"
Subject: Re: [Pdns-users] CNAME Resoluion

> >Any suggestions?
>
> show whether sip. has other data and don't obfuscate names.
>
> -JP
Re: [Pdns-users] CNAME Resoluion
> Any suggestions?

show whether sip. has other data and don't obfuscate names.

-JP
Re: [Pdns-users] CNAME Resoluion
The first query has the 'aa' flag but the second does not. That could be relevant

m

On Fri, Dec 2, 2022, at 19:34, Tony Annese via Pdns-users wrote:

> I created a new CNAME record today and for some reason it won’t resolve. Domain already had a CNAME record and that record resolves just fine.
>
> MariaDB [pdns]> select * from records where domain_id = 194 AND type = 'CNAME';
> +--------+-----------+-----------------------------------+-------+-------------------------------+------+------+-------------+----------+-----------+------+
> | id     | domain_id | name                              | type  | content                       | ttl  | prio | change_date | disabled | ordername | auth |
> +--------+-----------+-----------------------------------+-------+-------------------------------+------+------+-------------+----------+-----------+------+
> | 165361 |       194 | barracuda058130353572.example.org | CNAME | encrypt.barracudanetworks.com | 7200 |    0 |  2021011400 |        0 | NULL      |    1 |
> | 185146 |       194 | sip.example.org                   | CNAME | sipdir.online.lync.com        | 3600 |    0 |  2022120202 |        0 | NULL      |    1 |
> +--------+-----------+-----------------------------------+-------+-------------------------------+------+------+-------------+----------+-----------+------+
>
> root@nspower:~# dig @localhost barracuda058130353572.example.org sip.example.org
>
> ; <<>> DiG 9.10.3-P4-Debian <<>> @localhost barracuda058130353572.example.org sip.example.org
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31335
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1680
> ;; QUESTION SECTION:
> ;barracuda058130353572.example.org. IN A
>
> ;; ANSWER SECTION:
> barracuda058130353572.example.org. 7200 IN CNAME encrypt.barracudanetworks.com.
>
> ;; Query time: 5 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Dec 02 16:28:56 PST 2022
> ;; MSG SIZE rcvd: 103
>
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4463
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1680
> ;; QUESTION SECTION:
> ;sip.example.org. IN A
>
> ;; Query time: 1 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Dec 02 16:28:56 PST 2022
> ;; MSG SIZE rcvd: 42
>
> root@nspower:~#
>
> Any suggestions?