> On 11 Sep 2020, at 22:22, Rob McEwen <r...@invaluement.com> wrote:
> 
> On 9/11/2020 2:46 AM, Mark Andrews wrote:
>> validate-except (I typo’d it the second time, unfortunately expect and 
>> except are both valid words).
> 
> I got so far down the rabbit trail with your other points, somehow I missed 
> that. Thanks. This should solve my problem!
> 
>> If you actually used a zone name with a DNAME
> 
> Great suggestion! I didn't know about that.
> However, since I use CloudFlare's DNS for my authoritative DNS - which is 
> critical for prevention of DDoS attacks - and they don't actually support 
> DNAME, my hands are tied. (or so it SEEMS - see my question about a possible 
> workaround at the end of this email)

Cloudflare don’t want to deal with the extra database lookup to see if there is 
a DNAME and the CNAME synthesis.  By rejecting zones with DNAMEs they can get 
away with this stance.
 
> My actual direct query service involves my own rbldnsd servers in 42 cities 
> around the world (all hiding behind secret host names that a criminal 
> couldn't easily find) - and those are pointed to by NS records in my 
> CloudFlare DNS, so then the actual direct DNS queries, and the vast majority 
> of my DNS traffic for direct queries to my own DNSBL, goes to those 42 
> servers around the world, NOT to CloudFlare - but CloudFlare is the starting 
> point - the first query goes to CloudFlare, then the DNS server doing the 
> asking "knows" for a while to use one of my own servers, and not bother 
> CloudFlare with any more traffic for a while. (again, this is for my direct 
> query service - for my smaller subscribers - my servers can handle THAT 
> traffic)
> But since CloudFlare is the authoritative server for invaluement.com, that is 
> where the DNAME you're suggesting would need to be set up. Since they don't 
> support that, I'm not able to implement that at this time. 
> SEE: https://community.cloudflare.com/t/dname-records-on-cloudflare/16642/4
> 
> ...also, them not supporting it makes me a little nervous about others not 
> supporting it. But maybe that fear is unreasonable since it is only the 
> "resolvers" that need this feature, not authoritative-only services? This is 
> something that DNS caching servers like BIND have been supporting for 
> decades, correct?

DNAME is 2 decades old (August 1999).  It came in between DNSSEC version 2 (RFC 
2535, KEY/SIG/NXT) and DNSSEC version 3 (RFC 4033/4034/4035, 
DNSKEY/RRSIG/NSEC/DS).  DNSSEC version 3 requires validators to support DNAME.  
All versions of BIND 9 have supported DNAME.  I can’t remember if we added 
DNAME support to BIND 8 or not.  DNSSEC version 4 added NSEC3 and is backwards 
compatible with DNSSEC version 3.  DNSSEC version 4 is what almost all 
validators support today.

> Please don't tell me that only a very recent version of BIND does this 
> correctly. ;) That would probably kill this idea!
> POSSIBLE WORKAROUND?: So assuming that DNAME is widely supported by many DNS 
> caching servers, old and new... I wonder if I could do something similar to 
> what I do for my direct query service, using NS records to delegate this to 
> another BIND DNS server that I would run on my own server - so for 
> "example.invaluement.com" - I'd create a BIND instance on my own server 
> hosting "example.invaluement.com" as the authoritative server for that zone, 
> implementing the DNAME records you suggested. Then put an NS record on my 
> CloudFlare telling the world that THIS server is the authoritative server for 
> "example.invaluement.com" (with TTL for some hours). Do you think that would 
> work?

Delegating to authoritative servers that support DNAME will work.

> -- 
> Rob McEwen
> 
> https://www.invaluement.com
> 
> +1 (478) 475-9032

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
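As an added illustration of the delegation workaround discussed in the last question (not from either message in the thread), this is what the two zones would look like: the parent at Cloudflare carries only the NS delegation plus glue, so it never has to know about DNAME, and the self-hosted child zone carries the DNAME. The server name ns1.example.invaluement.com, the address 192.0.2.10 and the DNAME target target.example.net are placeholders.

```zone
; --- 1. Parent zone invaluement.com (hosted at Cloudflare) ---
; Only a delegation and its glue record; the parent needs no DNAME support.
; If invaluement.com is DNSSEC-signed, publishing no DS record for "example"
; makes this an insecure delegation, so validators treat the child as unsigned.
$ORIGIN invaluement.com.
example        14400  IN  NS   ns1.example.invaluement.com.   ; TTL of a few hours
ns1.example    14400  IN  A    192.0.2.10                     ; glue: NS name is below the cut

; --- 2. Child zone example.invaluement.com (served by the self-run BIND instance) ---
$ORIGIN example.invaluement.com.
$TTL 3600
@      IN  SOA   ns1 hostmaster ( 2020091201 7200 900 1209600 300 )
@      IN  NS    ns1
ns1    IN  A     192.0.2.10

; DNAME rewrites every name *below* its owner, never the owner itself.
; A DNAME-aware resolver synthesises the CNAME, e.g.
;   2.0.0.127.sub.example.invaluement.com  ->  2.0.0.127.target.example.net
; and a query for sub.example.invaluement.com itself is answered from this
; zone's own records (there are none here, so it gets NODATA).
sub    IN  DNAME target.example.net.
```

Resolvers that do not implement DNAME still follow the CNAME that a DNAME-aware authoritative server includes in the answer, which is why the delegated child only has to be served by software that supports DNAME.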


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
