Agree that getting DNAME into the TLDs and served is a political issue rather than a technical one. However, that isn't much consolation; political issues are less tractable than technical ones :-( As a very small player, dealing with retail registrars like godaddy, mydomain, and the like, my leverage is zero. (I was pretty happy with the days when an e-mail, or just a phone call to Jon or Joyce would get a change made. But those days are gone.)
I found a draft of BNAME - while it seems workable, it's another solution that would hit name servers, resolvers and take time to deploy -- and require registrants to get their registrars to put a special record into the TLD. I think my suggestion to do the work for aliasing in the name server is more practical than BNAME. The TLD would delegate in the familiar way to a server; the server just has to fetch/translate the data from another zone rather than a file. And no impact on resolvers. No new record types, and the politics are limited to the domain getting the benefit. Everyone would see the domain normally (as today); only the authoritative server for the aliased domain would know that there's anything special about it, and that server would do the extra work. Since it's responsible for the domain getting the benefit, it seems fair for it to do the work. And since named as a forwarder/resolver would have to know how to track down BNAMEs under that proposal, asking named to track down aliases on the authoritative side seems like no more (and probably less) work.

So, if I wanted to solve the problem that BNAME is trying to address (and my original problem), I'd pursue a server solution rather than BNAME.

However, in the meantime it looks like I'll need to come up with some solution on the back end to keep the aliased zones in sync. Maybe just AXFR the real zones periodically, run sed over them and write / sign traditional zone files. Yuck; another kludge that will not-quite-properly paper over a problem.

---------------------------------------------------------
This communication may not represent my employer's views, if any, on the matters discussed.

-----Original Message-----
From: Mark Andrews [mailto:ma...@isc.org]
Sent: Friday, July 01, 2011 21:58
To: Timothe Litt
Cc: 'Jon F.'; bind-us...@isc.org
Subject: Re: DNAME?
When DNAME was being developed the working group had to make a decision about whether DNAME should redirect the node it was at or just the names below it. The decision was made to do the latter because it didn't require TLD operators to know about DNAME at the cost of a little more work to keep the apex records in sync. In hindsight we should have done both as there are use cases for both.

Getting other types added to TLDs isn't a technical issue, it's a political issue. There are TLDs that accept MX, A, AAAA and I believe DNAME today instead of NS records at what would be the delegation point. It's just as easy to serve these records as it is to serve a delegation.

Mark

In message <2fa4ed65dac044849aa3f57fbcfe2...@sb.litts.net>, "Timothe Litt" writes:
> Yes, the example.us zone loads. As I mentioned, no errors in
> named.log, and the statistics webserver (in named) shows example.us as
> active, albeit with '-' for the serial number instead of the number in the zone file.
>
> How did you get a DNAME into .com?
>
> I did make example.us a zone - it is one, isn't it? If the DNAME has
> to go in .us, I don't see making this scheme work. As a practical
> matter, registrars will put NS records into the TLDs, and some (with
> encouragement) are starting to accept DNSSEC records for the TLDs).
> But I've yet to see one that provides a means for a registrant to have a DNAME inserted...
> Unless I'm missing something. Did you actually manage to do this, or
> is your setup working in third+-level domains?
>
> I was hoping/expecting that since my server is the authoritative
> server for example.us, the DNAME could go in the example.us zone. I
> expected that when, as the authoritative server, it was asked for
> foo.example.us, it would respond with foo.example.net. But the RFC
> wasn't clear, which is why I asked.
>
> thanks.
>
> ---------------------------------------------------------
> This communication may not represent my employer's views, if any, on
> the matters discussed.
>
> _____
>
> From: Jon F. [mailto:pikel....@gmail.com]
> Sent: Thursday, June 30, 2011 16:11
> To: Timothe Litt
> Cc: bind-users@lists.isc.org
> Subject: Re: DNAME?
>
> I have a similar set up to that and it works. Have you checked the
> logs to make sure the zone properly loaded? I'm assuming the zone data
> you posted below is from the example.us zone but your first question
> makes it sound like you put it in a separate zone. That would explain
> the SERVFAIL if the zone data never loaded but the server was
> authoritative. It does need to be in the .us.
>
> ;; ANSWER SECTION:
> example.com. 60 IN DNAME example.net.
> test.example.com. 60 IN CNAME test.example.net.
> test.example.net. 60 IN A 127.0.0.1
>
> And that's with zone data like this:
> example.com. IN NS ns1.example.net.
> example.com. IN NS ns2.example.net.
> example.com. IN A 10.0.0.1
> example.com. IN DNAME example.net.
>
> Truthfully I haven't looked at DNAMEs in a long time so I'm unsure
> how to do it fully for a domain without adding an A record as well.
> But what you're doing works, it's just not very pretty. Someone may have a better way.
>
> On Thu, Jun 30, 2011 at 2:01 PM, Timothe Litt <l...@acm.org> wrote:
>
> I have domain example.net in production, and have recently acquired
> example.us and example.info.
>
> For whatever reason, I want example.us to simply mirror example.net,
> which is dynamically updated (and dnssec). And I want example.us to
> be zero maintenance.
> (Well, OK I know I need separate DNSSEC keys, but
> I don't want to mirror every update made in .net to .us)
>
> So, I add a zone to ns1.example.net that looks like:
> (In view "internal")
> zone "example.us" {
>     auto-dnssec maintain;
>     type master;
>     allow-transfer { key "TSIG_GLOBAL_KEY"; };
>     file "EXAMPLE_US.DB";
>     update-policy {
>         grant "TSIG_GLOBAL_KEY" subdomain example.us. ANY ;
>     };
> };
>
> $ORIGIN .
> $TTL 600 ; 10 minutes
> example.us. IN SOA ns1.example.net. examplenetadmin.example.net. (
>     2011063001 ; serial
>     172800     ; refresh (2 days)
>     600        ; retry (10 minutes)
>     2419200    ; expire (4 weeks)
>     600        ; minimum (10 minutes)
>     )
> example.us. IN DNAME example.net.
> example.us. IN NS ns1.example.net.
> example.us. IN NS ns2.example.net.
>
> I get SERVFAIL with dig if I ask about, say www.example.us
> @ns1.example.net (www.example.net does exist).
>
> I see nothing in the named.log, except the trace 99 /notrace commands
> bracketing the dig, and if I turn on querylog:
> client <ns1 IP>#33256: view internal: query: www.example.us IN A + (<ns1 IP>).
>
> If I look at the named statistics channel, I see that example.us is
> being served, but the zone serial is '-', not '2011063001'.
>
> Questions:
> o Am I confused about DNAME placement - would it have to go in .US?
>   If so, is this possible? (I don't mean technically possible - I mean
>   practically - e.g. thru a registrar such as godaddy, enom, etc). If
>   not, what explains the SERVFAIL?
> o Why is '-' reported for the zone serial?
> o I understand that DNAME and MX don't play well together
>   (DNAME is essentially CNAME, and MX doesn't allow
>   CNAMEs). I suspect I'd have to live with that - unless there
>   are wiser heads?
> o Is there a better approach? (Assume that I'll also want to
>   do the same thing to example.info...)
>
> Thanks.
>
> ---------------------------------------------------------
> This communication may not represent my employer's views, if any, on
> the matters discussed.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Jonathan French
> pikel....@gmail.com
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
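The substitution rule Mark describes (a DNAME redirects the names below its owner, never the owner itself, so the apex records of example.us still have to be kept in sync by hand), as an added example that is not BIND's code nor from anyone in the thread; `dname_substitute` and `synthesize_answer` are names assumed here, and the logic follows RFC 6672 sections 2.2 and 3.1.

```python
from __future__ import annotations

# Added example (not BIND's code, nor from anyone in the thread): the
# DNAME substitution rule of RFC 6672 section 2.2, plus the DNAME + synthesized
# CNAME answer a server returns (RFC 6672 section 3.1). Function names are
# assumed here for illustration.

MAX_WIRE_LEN = 255  # RFC 1035 limit on a wire-format domain name, in octets


def labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels (root label dropped)."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def wire_length(labs: list[str]) -> int:
    """Wire-format length: one length octet per label plus the root's zero octet."""
    return sum(len(lab) + 1 for lab in labs) + 1


def dname_substitute(qname: str, owner: str, target: str) -> str | None:
    """Return the name synthesized for qname by a DNAME owner -> target,
    or None when the DNAME does not apply.

    A DNAME covers only names strictly below its owner. The owner itself
    (the zone apex in the thread's example.us setup) is not redirected, which
    is why apex SOA/NS/A/MX records still have to be maintained separately.
    Matching is label-wise, so "notexample.us" is not below "example.us".
    Raises ValueError when substitution would exceed 255 octets (YXDOMAIN).
    """
    q, o, t = labels(qname), labels(owner), labels(target)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None  # the owner itself, or not under the owner at all
    prefix = q[: len(q) - len(o)]
    new_labels = prefix + t
    if wire_length(new_labels) > MAX_WIRE_LEN:
        raise ValueError("YXDOMAIN: substituted name longer than 255 octets")
    return ".".join(new_labels) + "."


def synthesize_answer(qname: str, owner: str, target: str, ttl: int = 60) -> list[str]:
    """Records for the answer section, in the form Jon's dig output shows:
    the DNAME RR followed by a CNAME synthesized for the queried name."""
    new_name = dname_substitute(qname, owner, target)
    if new_name is None:
        return []
    return [
        f"{owner} {ttl} IN DNAME {target}",
        f"{qname} {ttl} IN CNAME {new_name}",
    ]


if __name__ == "__main__":
    # The thread's example.us case: names below the apex are redirected,
    # the apex itself is not.
    print(dname_substitute("www.example.us.", "example.us.", "example.net."))
    print(dname_substitute("example.us.", "example.us.", "example.net."))
    for rr in synthesize_answer("test.example.com.", "example.com.", "example.net."):
        print(rr)
```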