> On 11 Sep 2020, at 22:22, Rob McEwen <r...@invaluement.com> wrote:
>
> On 9/11/2020 2:46 AM, Mark Andrews wrote:
>> validate-except (I typo’d it the second time, unfortunately expect and
>> except are both valid words).
>
> I got so far down the rabbit trail with your other points, somehow I missed
> that. Thanks. This should solve my problem!
>
>> If you actually used a zone name with a DNAME
>
> Great suggestion! I didn't know about that.
> However, since I use CloudFlare's DNS for my authoritative DNS - which is
> critical for prevention of DDOS attacks - and they don't actually support
> DNAME, my hands are tied. (or so it SEEMS - see my question about a possible
> workaround at the end of this email)
Cloudflare don’t want to deal with the extra database lookup to see if there
is a DNAME and the CNAME synthesis. By rejecting zones with DNAMEs they can
get away with this stance.

> My actual direct query service involves my own rbldnsd servers in 42 cities
> around the world (all hiding behind secret host names that a criminal
> couldn't easily find) - and those are pointed to by NS records in my
> CloudFlare DNS, so then the actual direct DNS queries, and the vast majority
> of my DNS traffic for direct queries to my own DNSBL, goes to those 42
> servers around the world, NOT to CloudFlare - but CloudFlare is the starting
> point - the first query goes to CloudFlare, then the DNS server doing the
> asking "knows" for a while to use one of my own servers, and not bother
> CloudFlare with any more traffic for a while. (again, this is for my direct
> query service - for my smaller subscribers - my servers can handle THAT
> traffic)
>
> But since CloudFlare is the authoritative server for invaluement.com, that is
> where the DNAME you're suggesting would need to be set up. Since they don't
> support that, I'm not able to implement that at this time.
> SEE: https://community.cloudflare.com/t/dname-records-on-cloudflare/16642/4
>
> ...also, them not supporting it - makes me a little nervous about others not
> supporting it. But maybe that fear is unreasonable since it is only the
> "resolvers" that need this feature, not authoritative-only services? This is
> something that DNS caching servers like BIND have been supporting for
> decades, correct?

DNAME is 2 decades old (August 1999). It came in between DNSSEC version 2
(RFC 2535, KEY/SIG/NXT) and DNSSEC version 3 (RFC 4033/4034/4035,
DNSKEY/RRSIG/NSEC/DS). DNSSEC version 3 requires validators to support DNAME.
All versions of BIND 9 have supported DNAME. I can’t remember if we added
DNAME support to BIND 8 or not. DNSSEC version 4 added NSEC3 and is backwards
compatible with DNSSEC version 3.
DNSSEC version 4 is what almost all validators support today.

> Please don't tell me that only a very recent version of BIND does this
> correctly. ;) That would probably kill this idea!
>
> POSSIBLE WORKAROUND?: So assuming that DNAME is widely supported by many DNS
> caching servers, old and new... I wonder if I could do something similar to
> what I do for my direct query service, using NS records to delegate this to
> another BIND DNS server that I would run on my own server - so for
> "example.invaluement.com" - I'd create a BIND instance on my own server
> hosting "example.invaluement.com" as the authoritative server for that zone,
> implementing the DNAME records you suggested. Then put a NS record on my
> cloudflare telling the world that THIS server is the authoritative server for
> "example.invaluement.com" (with TTL for some hours). Do you think that would
> work?

Delegating to authoritative servers that support DNAME will work.

> --
> Rob McEwen
> https://www.invaluement.com
> +1 (478) 475-9032

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
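To make concrete what a resolver does with the DNAME in the delegated zone discussed above, here is the RFC 6672 name substitution a validator performs, including the two cases that trip people up (the DNAME owner itself is never rewritten, and an over-long result is a YXDOMAIN error). This is an added example, not code from BIND or from either poster; the thread never states the DNAME target, so the mapping of `example.invaluement.com` to `list.example.net` is a constructed placeholder.

```python
"""DNAME substitution as performed by a resolver/validator (RFC 6672 s.2.2).

Added example for the thread above, not BIND code. The zone names are
hypothetical: 'example.invaluement.com' is mapped to a constructed target
'list.example.net' purely for illustration.
"""


def _labels(name: str) -> list[str]:
    # Split a presentation-format name into labels, dropping the trailing dot.
    # Lower-casing gives the case-insensitive comparison DNS names require.
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def wire_length(name: str) -> int:
    # Wire-format length: one length octet per label plus the empty root label.
    return sum(len(label) + 1 for label in _labels(name)) + 1


def dname_substitute(qname: str, owner: str, target: str):
    """Return the synthesized CNAME target for qname, or None.

    None means the DNAME does not apply: qname must be strictly below owner.
    The owner name itself is answered from its own RRsets (SOA/NS at a zone
    apex, for instance), never rewritten.
    Raises ValueError (YXDOMAIN) when the substituted name would exceed the
    255-octet wire limit, which the DNSBL-style long left-hand labels can hit.
    """
    q, o, t = _labels(qname), _labels(owner), _labels(target)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    prefix = q[: len(q) - len(o)]  # labels to the left of the DNAME owner
    result = ".".join(prefix + t) + "."
    if wire_length(result) > 255:
        raise ValueError("YXDOMAIN: synthesized name exceeds 255 octets")
    return result


if __name__ == "__main__":
    # A DNSBL lookup for 1.2.3.4 under the delegated zone is redirected.
    print(dname_substitute("4.3.2.1.example.invaluement.com.",
                           "example.invaluement.com.", "list.example.net."))
```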