Greg, I need to sit with the web developer and hash it out. I think it's to avoid re-writing the links in the web pages that use the domain name rather than the fully qualified name, i.e. Wadsworth.org in anchors rather than www.wadsworth.org.

I see an alternate fix for this if that is the case, something other than pointing the apex record at the CNAME provided by CloudFront. The web server admin seems to think Route 53 is a solution, but that is another can of worms, as I'm understanding their documentation to say that I have to host my domain at AWS rather than on-prem. I'll see if I can't get the one-on-one I need with the web developer, rather than the web server administrator.

Thanks, you are saying what I thought you might say. The Route 53 solution talks about Alias RRs as if they are universal, which is not what I took from what I read, nor from your statements. I'll push on this a little bit more internally.

Stefane - thank you for your input as well. I'll recheck my delegation and see where we've lost proper delegation.

John - I had suggested a redirect on our external server; the server admin laughed at me. Also, the security czar had me block access to the origin server in the DMZ from internet access. Even the on-prem intranet is directed by CNAME for WWW to the CloudFront server rather than the one in the DMZ. Also - exactly, you pointed right to the heart of the issue. And while browsers seem to provide the www. prefix, anchors do not.

Ged - I just put up the server in the spring, will check and update if we are somehow running an older version.

Thanks to all and happy holidays,
Brian

From: Greg Choules <gregchoules+bindus...@googlemail.com>
Sent: Tuesday, December 24, 2024 10:00 AM
To: Cuttler, Brian R (HEALTH) <brian.cutt...@health.ny.gov>
Cc: bind-users <bind-users@lists.isc.org>
Subject: Re: cname for apex record

Hi Brian.

You can't redirect your entire zone from inside the zone itself. CNAME absolutely will not do it, by design (also DNAME). The reason is the way that DNS works.
wadsworth.org has been delegated to a bunch of DNS servers (see below), which are presumably run by you and associated entities. As far as the world is concerned, that set of NS is now completely responsible for wadsworth.org and everything underneath it. They host the zone called wadsworth.org and you can put into that zone almost anything you like, for names (excluding CNAMEs and DNAMEs) at that name, or anything below that name.

;; QUESTION SECTION:
;wadsworth.org.                 IN      NS

;; ANSWER SECTION:
wadsworth.org.          86400   IN      NS      pauling.wadsworth.org.
wadsworth.org.          86400   IN      NS      cmtu.mt.ns.els-gms.att.net.
wadsworth.org.          86400   IN      NS      b24.ns.els-gms.att.net.
wadsworth.org.          86400   IN      NS      b23.ns.els-gms.att.net.
wadsworth.org.          86400   IN      NS      m24.ns.els-gms.att.net.
wadsworth.org.          86400   IN      NS      ns0.ny.gov.
wadsworth.org.          86400   IN      NS      ns1.ny.gov.
wadsworth.org.          86400   IN      NS      m23.ns.els-gms.att.net.
wadsworth.org.          86400   IN      NS      ns1.albany.edu.
wadsworth.org.          86400   IN      NS      cbru.br.ns.els-gms.att.net.
wadsworth.org.          86400   IN      NS      ns2.ny.gov.
wadsworth.org.          86400   IN      NS      beacon.health.state.ny.us.

So if the world already knows where you are, the only way to change its point of view is to change the delegation in the parent - .org in your case.
Many people have wished it could over the years, me included, and hence was born the quest for a record type that does allow you to do this, which might have been called, for example, ALIAS. However, there is (still) no standardised ALIAS function, by that name or any other. What some commercial DNS providers have done is to fudge an alias-like function, so it appears that you have redirected your whole zone somewhere else.

CNAME/DNAME are very old now. More recently, a couple of other RRTYPEs - SVCB and HTTPS - have been standardised (and are supported by BIND) that do allow you to alias the apex (the zone itself) *but* not for any query, only for queries matching those RRTYPEs. Thus clients need to be SVCB/HTTPS-aware and ask the right question. So they are not a magic replacement for CNAME.

Why do these people want you to alias your entire zone to them anyway?

I hope that helps.
Christmas cheers, Greg.

On Tue, 24 Dec 2024 at 14:39, Cuttler, Brian R (HEALTH) via bind-users <bind-users@lists.isc.org> wrote:

Hello bind users.

We are running bind 9.14.28 on Ubuntu and have an offsite provider for our DNS services. The cname we create for our webserver www.wadsworth.org is working well. However, I've been asked if we can point the apex record at the external webserver.

If I'm understanding the docs I've looked at, there are ways if we had external DNS services, rather than the on-prem Bind server, or if bind supported the Alias RR. I know it can, but does not natively, or at least not the document I found, which indicates we'd need to modify the source code.

I'm looking for guidance on how to point the named domain name, the apex record, at the IP addresses provided by the cname name we are using for our webserver.
Thanks in advance,
Brian

Brian Cuttler, System and Network Administration
Wadsworth Center, NYS Department of Health
Albany, NY 12201 POB 509
brian.cutt...@health.ny.gov
518 486-1697

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
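An added example, not part of the thread and not BIND's own code: a small Python checker that applies the rule Greg describes (a CNAME must be the only record at its owner name, so it can never share the apex with SOA and NS) and reads out the standardised alternative he mentions, an HTTPS record in AliasMode (SvcPriority 0, RFC 9460). The zone text is constructed for illustration using names from the thread; the CloudFront hostname is a placeholder, 192.0.2.10 is an RFC 5737 documentation address, and the parser assumes one record per line with no parentheses or $INCLUDE.

```python
"""Constructed example: why a CNAME cannot sit at the zone apex, and what can.

Rules applied:
  * A CNAME must be the only record at its owner name (RFC 1034 3.6.2,
    RFC 2181 10.1). The apex always carries SOA and NS, so a CNAME there
    is always a conflict; BIND refuses to load such a zone.
  * An HTTPS record with SvcPriority 0 (AliasMode, RFC 9460) may sit at the
    apex beside SOA/NS, but only clients that query for HTTPS will see it;
    everyone else still gets the apex A/AAAA answer.
"""
from collections import defaultdict

# Constructed zone: the CNAME at "@" is what was asked for. It is invalid.
APEX_CNAME_ZONE = """\
$ORIGIN wadsworth.org.
@    86400 IN SOA   pauling.wadsworth.org. hostmaster.wadsworth.org. 2024122401 7200 3600 1209600 86400
@    86400 IN NS    pauling.wadsworth.org.
@    86400 IN NS    ns0.ny.gov.
@     3600 IN CNAME d111111abcdef8.cloudfront.net.  ; placeholder target; clashes with SOA/NS
www   3600 IN CNAME d111111abcdef8.cloudfront.net.
"""

# Constructed zone: address data at the apex for ordinary clients, plus an
# HTTPS AliasMode record that sends HTTPS-aware clients to www.
APEX_HTTPS_ZONE = """\
$ORIGIN wadsworth.org.
@    86400 IN SOA   pauling.wadsworth.org. hostmaster.wadsworth.org. 2024122402 7200 3600 1209600 86400
@    86400 IN NS    pauling.wadsworth.org.
@    86400 IN NS    ns0.ny.gov.
@     3600 IN A     192.0.2.10            ; documentation address; whatever answers A at the apex
@     3600 IN HTTPS 0 www.wadsworth.org.  ; AliasMode: SvcPriority 0, TargetName www
www   3600 IN CNAME d111111abcdef8.cloudfront.net.
"""


def parse_zone(text):
    """Tiny parser for 'owner [ttl] [IN] type rdata' lines, $ORIGIN and ';' comments.

    Returns a list of (owner, type, rdata) with fully qualified, lowercased owners.
    """
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$"):                 # only $ORIGIN is honoured here
            if line.upper().startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        parts = line.split()
        owner = parts[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin
        i = 1
        if parts[i].isdigit():                   # optional TTL
            i += 1
        if parts[i].upper() == "IN":             # optional class
            i += 1
        records.append((owner.lower(), parts[i].upper(), " ".join(parts[i + 1:])))
    return records


def check_zone(text):
    """Return a list of 'CNAME and other data' problems; empty means the rule holds."""
    by_owner = defaultdict(list)
    for owner, rtype, rdata in parse_zone(text):
        by_owner[owner].append((rtype, rdata))
    problems = []
    for owner, rrs in by_owner.items():
        types = {t for t, _ in rrs}
        if "CNAME" in types and len(rrs) > 1:
            others = sorted(types - {"CNAME"})
            if others:
                problems.append(f"{owner}: CNAME coexists with {', '.join(others)}")
            else:
                problems.append(f"{owner}: multiple CNAME records")
    return problems


def apex_https_alias(text, apex):
    """Return the AliasMode (SvcPriority 0) HTTPS target at the apex, or None."""
    for owner, rtype, rdata in parse_zone(text):
        if owner == apex.lower() and rtype == "HTTPS":
            priority, target = rdata.split()[:2]
            if priority == "0":
                return target
    return None


if __name__ == "__main__":
    for label, zone in (("apex CNAME", APEX_CNAME_ZONE), ("apex HTTPS", APEX_HTTPS_ZONE)):
        problems = check_zone(zone)
        print(f"{label}: {'loads' if not problems else problems}")
        print(f"  HTTPS AliasMode target at apex: {apex_https_alias(zone, 'wadsworth.org.')}")
```

The checker reproduces the refusal you get from BIND's own named-checkzone on the first zone (a "CNAME and other data" error), which is the real check to run before loading. The second zone shows the shape of the standardised answer: the apex keeps its A/AAAA records for clients that only ask those questions, and the HTTPS AliasMode record carries the "go to www" hint for clients that ask for it, so it complements the www CNAME rather than replacing it.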