Hello Fred - thank you for the quick response! Being a newbie I am not sure I understand your response. This is over my head. I’ll read it again after the holidays.
It sounds like the answer to my questions is -> it matters when it matters. As you said it is "implementation dependent". With a simple network (well defined, eh?) I am guessing it does not matter. I can have one A and one PTR record per network interface. So for my "deb12dell.localdomain" device, it is OK to have "two" of each, like this:

deb12dell.localdomain. 60 IN A 192.168.60.175
175.60.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
deb12dell.localdomain. 60 IN A 192.168.65.180
180.65.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.

Thank you!

Merry Christmas / Happy Holidays,
Jon

> On Dec 23, 2023, at 6:00 AM, unbound-users-requ...@lists.nlnetlabs.nl wrote:
>
> Today's Topics:
>
>    1. A records, PTR records, and TTL setting (Jon Murphy)
>    2. Re: A records, PTR records, and TTL setting (Fred Morris)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 22 Dec 2023 09:17:56 -0600
> From: Jon Murphy <jcmurph...@gmail.com>
> To: unbound-users@lists.nlnetlabs.nl
> Subject: A records, PTR records, and TTL setting
> Message-ID: <43b68b1a-5751-4bd6-b2dc-9c95b24ea...@gmail.com>
> Content-Type: text/plain; charset=utf-8
>
> Hello! Newbie here and I am looking for help with A records and PTR records.
> I just started learning unbound and came across things that confuse me. I
> am experimenting with unbound Version 1.18.0. My unbound is for a local
> network.
>
> I have one device that has two network interfaces (ethernet and Wi-Fi).
>
> I added this Ethernet to unbound:
> deb12dell.localdomain. 60 IN A 192.168.60.175
> 175.60.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
>
> For the 2nd network interface on "deb12dell" I added two more lines. And
> yes, all seems fine!
> deb12dell.localdomain. 60 IN A 192.168.65.180
> 180.65.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
>
> then...
>
> I read somewhere that I should only have one A record per device (with
> multiple interfaces). Like this:
> deb12dell.localdomain. 60 IN A 192.168.60.175
> 175.60.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
> 180.65.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
>
> And I read somewhere else I should only have one PTR record per device. Like
> this:
> deb12dell.localdomain. 60 IN A 192.168.65.180
> 180.65.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
> deb12dell.localdomain. 60 IN A 192.168.65.180
>
> And the above two examples just do not "feel" right.
>
> So my question is:
> - should there only be one A Record per device?
> - or maybe only one PTR Record per device?
>
> I've searched Giggle and I looked through the mailing list but did not find
> an answer.
>
> ===
>
> Concerning TTL
> If I send A & PTR records to unbound via `unbound-control local_data` and I
> do NOT include the TTL value, then I list the records via `unbound-control
> list_local_data` and the new records show up with a default TTL value of 3600.
>
> I tried adding all of these items, separately, to unbound.conf to see if I
> can set the default TTL but none work.
>
> server:
>     # cache TTL settings
>     cache-max-ttl:
>     cache-min-ttl:
>     cache-max-negative-ttl:
>     infra-host-ttl:
>
> How do I set the default TTL for A records and PTR records within
> unbound.conf?
>
> Best regards, Jon
>
> ------------------------------
>
> Message: 2
> Date: Fri, 22 Dec 2023 11:37:04 -0800 (PST)
> From: Fred Morris <m3047-unbound-...@m3047.net>
> To: unbound-users@lists.nlnetlabs.nl
> Subject: Re: A records, PTR records, and TTL setting
> Message-ID: <alpine.LSU.2.21.2312221039020.26513@flame.m3047>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> This isn't specific to Unbound. Can't help you with the TTL questions.
>
> On Fri, 22 Dec 2023, Jon Murphy via Unbound-users wrote:
>>
>> Hello! Newbie here and I am looking for help with A records and PTR
>> records.
>
> Any time you have multiple RRs (records) the results are "implementation
> dependent". The only thing you cannot have multiples of is CNAME (a number
> of DNS server implementations enforce this).
>
>> I have one device that has two network interfaces (ethernet and Wi-Fi).
>> [...]
>> then...
>> [...]
>
> Any time you have an oname (FQDN) which resolves to multiple addresses,
> some application is going to choose the wrong one for reasons you do not
> comprehend. It is done for load balancing and sometimes failover, but it
> works poorly unless you wrote the client software as well. This kind of
> load balancing is oftentimes pushed down the stack with anycast, where
> server selection is done with routing (different servers all answer at the
> same address).
>
> That hints at the first problem, which is that sometimes only one address
> is reachable from a given network / segment.
>
> Unless you want client applications to try both the ethernet and wifi
> interfaces, don't list them both as the same name. flame.m3047.net has
> four interfaces. That one is in the public DNS, the other three are
> published in a private TLD (yes, I enjoy running through the forest naked
> covered in honey): flame.m3047, wlan0.flame.m3047, eth2.flame.m3047. None
> of those addresses is reachable from the other ones.
>
> People hate search lists, but maybe it would have been smarter to name the
> latter two flame.wlan0.m3047 and flame.eth2.m3047 and then if DHCP handed
> out wlan0.m3047 and eth2.m3047 as the domain depending on which segment a
> device was connected to, it would be able to pick the correct interface if
> I simply specified flame (but not flame., an obscure search list thing).
>
> I have another box with two addresses on a single interface because it
> publishes two DNS services on the same network segment (a "normal" DNS
> service, and RKVDNS[0] for security telemetry). Technically the box is
> reachable on either address, but you might not get the answer you expect
> if you talk to the wrong address. (If you want to SSH to the box you can
> use either address, but DNS queries obviously return very different
> results).
>
>> And I read somewhere else I should only have one PTR record per device. Like
>> this:
>
> When you're using PTRs for on-label purposes technically multiple PTRs are
> allowed, but it causes problems for how they are used. PTR records are
> widely used for crappy security, but sometimes that's all there is.
>
> For instance NFS, if you have multiple PTRs and you use host based access
> controls you need to list them all. Email servers are vetted by peers
> based on the PTR and A / AAAA records validating each other, which breaks
> with multiple PTRs.
>
> I mentioned elsewhere that you can only ever have one CNAME, and since
> PTRs are built the same way they're sometimes utilized for off-label
> purposes (such as fanout[2]).
>
> Another issue with PTRs and CNAMEs is that the PTR typically points to
> what the CNAME points to (if there is any PTR at all), which isn't all
> that helpful. I use Dnstap telemetry to populate a Response Policy Zone
> with PTR records reflecting the name which was actually looked up[1].
>
> As part of my RPZ implementation I (also) follow best practices and have
> both a white and a block list. When I whitelist stuff it's often in some
> cesspool like cloudfront, so I create -owner PTR records as documentation:
> DE6F7G5I6V6QF.CLOUDFRONT.NET-OWNER.whitelist.m3047.net. 600 IN PTR
> UMBRELLA.COM.
>
>> [...]
>> I've searched Giggle and I looked through the mailing list but did not find
>> an answer.
>
> I use Gmrgle, but you be you. :-p
>
> --
>
> Fred Morris, internet plumber
>
> --
>
> [0] https://github.com/m3047/rkvdns
> [1] https://github.com/m3047/rear_view_rpz
> [2] https://github.com/m3047/rkvdns_examples/tree/main/fanout
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> Unbound-users mailing list
> Unbound-users@lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users
>
> ------------------------------
>
> End of Unbound-users Digest, Vol 48, Issue 5
> ********************************************
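Added example, not part of the thread: a small checker for the per-interface A/PTR layout Jon settles on and for Fred's point that peers validate a host by its PTR and A/AAAA records agreeing (forward-confirmed reverse DNS). It parses records in the same `owner ttl IN type rdata` form shown above (the sample is constructed from the thread's records), flags names with several addresses and reverse owners with several PTRs, and reports each address as FCrDNS-consistent or not, plus PTRs that point at a name which never resolves back. The function and dictionary keys are my own naming, not an unbound API.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in unbound local-data syntax: the per-interface records
# from the thread (one A and one PTR for each interface of deb12dell).
SAMPLE_RECORDS = """
deb12dell.localdomain. 60 IN A 192.168.60.175
175.60.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
deb12dell.localdomain. 60 IN A 192.168.65.180
180.65.168.192.in-addr.arpa. 60 IN PTR deb12dell.localdomain.
"""


def parse_records(text):
    """Parse 'owner ttl IN type rdata' lines into (owner, type, rdata) tuples."""
    recs = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN":
            raise ValueError(f"unexpected record line: {line!r}")
        recs.append((parts[0].lower(), parts[3].upper(), parts[4].lower()))
    return recs


def reverse_name(addr):
    """192.168.60.175 -> 175.60.168.192.in-addr.arpa. (IPv6 gives ip6.arpa.)."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def check_consistency(text):
    """Flag multi-valued names/PTRs and check forward-confirmed reverse DNS."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for owner, rtype, rdata in parse_records(text):
        if rtype in ("A", "AAAA"):
            fwd[owner].add(rdata)      # name -> addresses
        elif rtype == "PTR":
            rev[owner].add(rdata)      # reverse owner -> names
    report = {"fcrdns_ok": [], "fcrdns_bad": [], "dangling_ptr": [],
              "multi_a": sorted(n for n, a in fwd.items() if len(a) > 1),
              "multi_ptr": sorted(o for o, n in rev.items() if len(n) > 1)}
    # FCrDNS: each address needs a PTR whose target has an A/AAAA back to it.
    for name, addrs in fwd.items():
        for addr in sorted(addrs):
            targets = rev.get(reverse_name(addr), set())
            ok = any(addr in fwd.get(t, set()) for t in targets)
            report["fcrdns_ok" if ok else "fcrdns_bad"].append((name, addr))
    # A PTR whose target never resolves back to that reverse owner is dangling.
    for owner, names in rev.items():
        for t in sorted(names):
            if not any(reverse_name(a) == owner for a in fwd.get(t, set())):
                report["dangling_ptr"].append((owner, t))
    return report
```

On the thread's "one A record per device" variant the second PTR shows up as dangling, which is the mismatch a peer doing the PTR/A cross-check would see.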