Apologies, meant to write Stephane and not Stefane.

From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Cuttler, Brian R (HEALTH) via bind-users
Sent: Tuesday, December 24, 2024 10:23 AM
To: Greg Choules <gregchoules+bindus...@googlemail.com>
Cc: bind-users <bind-users@lists.isc.org>
Subject: RE: cname for apex record



Greg,

I need to sit with the web developer and hash it out, I think it's to avoid 
re-writing the links in the web pages that use the domain name rather than the 
fully qualified name.
i.e. Wadsworth.org in anchors rather than www.wadsworth.org.

I see an alternate fix for this if that is the case, something other than 
pointing the apex record and the cname provided by cloudfront.

The web server admin seems to think Route 53 is a solution but that is another 
can of worms as I'm understanding their documentation to say that I have to 
host my domain at AWS rather than on-prem.

I'll see if I can't get the one-on-one I need with the web developer, rather 
than the web server administrator.

Thanks, you are saying what I thought you might say. The Route 53 solution 
talks about Alias RR as if they are universal, which is not what I took from 
what I read, nor your statements.

I'll push on this a little bit more internally.

Stefane - thank you for your input as well, I'll recheck my delegation and see 
where we've lost proper delegation.

John - I had suggested a redirect on our external server, the server admin 
laughed at me, also the security czar had me block access to the origin server 
in the DMZ from internet access.
Even the on-prem intranet is directed by cname for WWW to the Cloudfront server 
rather than the one in the DMZ.
Also - exactly, you pointed right to the heart of the issue. And while browsers 
seem to provide the www. prefix, anchors do not.

Ged - I just put up the server in the spring, will check and update if we are 
somehow running an older version.

Thanks to all and happy holidays,
Brian


From: Greg Choules <gregchoules+bindus...@googlemail.com>
Sent: Tuesday, December 24, 2024 10:00 AM
To: Cuttler, Brian R (HEALTH) <brian.cutt...@health.ny.gov>
Cc: bind-users <bind-users@lists.isc.org>
Subject: Re: cname for apex record



Hi Brian.
You can't redirect your entire zone from inside the zone itself. CNAME 
absolutely will not do it, by design (also DNAME).

The reason is the way that DNS works. wadsworth.org has been delegated to a 
bunch of DNS servers (see below), which are presumably run by you and 
associated entities. As far as the world is concerned, that set of NS is now 
completely responsible for wadsworth.org and everything underneath it. They 
host the zone called wadsworth.org and you can put into that zone almost 
anything you like, for names (excluding CNAMEs and DNAMEs) at that name, or 
anything below that name.

;; QUESTION SECTION:
;wadsworth.org. IN NS

;; ANSWER SECTION:
wadsworth.org. 86400 IN NS pauling.wadsworth.org.
wadsworth.org. 86400 IN NS cmtu.mt.ns.els-gms.att.net.
wadsworth.org. 86400 IN NS b24.ns.els-gms.att.net.
wadsworth.org. 86400 IN NS b23.ns.els-gms.att.net.
wadsworth.org. 86400 IN NS m24.ns.els-gms.att.net.
wadsworth.org. 86400 IN NS ns0.ny.gov.
wadsworth.org. 86400 IN NS ns1.ny.gov.
wadsworth.org. 86400 IN NS m23.ns.els-gms.att.net.
wadsworth.org. 86400 IN NS ns1.albany.edu.
wadsworth.org. 86400 IN NS cbru.br.ns.els-gms.att.net.
wadsworth.org. 86400 IN NS ns2.ny.gov.
wadsworth.org. 86400 IN NS beacon.health.state.ny.us.

So if the world already knows where you are, the only way to change its point 
of view is to change the delegation in the parent - .org in your case.

Many people have wished it could over the years, me included, and hence was 
born the quest for a record type that does allow you to do this, which might 
have been called, for example, ALIAS. However, there is (still) no standardised 
ALIAS function, by that name or any other. What some commercial DNS providers 
have done is to fudge an alias-like function, so it appears that you have 
redirected your whole zone somewhere else.

CNAME/DNAME are very old now. More recently, a couple of other RRTYPEs - SVCB 
and HTTPS - have been standardised (and are supported by BIND) that do allow 
you to alias the apex (the zone itself) *but* not for any query, only for 
queries matching those RRTYPEs. Thus clients need to be SVCB/HTTPS-aware and ask 
the right question. So they are not a magic replacement for CNAME.

Why do these people want you to alias your entire zone to them anyway?

I hope that helps.
Christmas cheers, Greg.
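As an added illustration of the two rules Greg describes (not code from this thread, from BIND, or from ISC): a small Python check that loads a master-file fragment and flags a CNAME at the zone apex, or a CNAME sharing an owner name with other data (the RFC 1034 section 3.6.2 rule that BIND's zone loader also enforces), and that reports the AliasMode HTTPS record (SvcPriority 0, RFC 9460) which is the standardised way to alias the apex for HTTPS-aware clients. The zone text, the `dist.cdn.example.` target and the `192.0.2.53` address are constructed; only the `wadsworth.org.` origin is taken from the thread.

```python
"""Apex-alias sanity check (added example, not code from the thread or BIND).
Zone text and target names below are constructed, not the real zone."""
from collections import defaultdict

ZONE_ORIGIN = "wadsworth.org."  # the thread's zone name, used here as $ORIGIN

# Constructed zone: what the web team asked for (a CNAME at the apex).
BAD_ZONE = """
$TTL 300
@     IN SOA   ns1 hostmaster 2024122401 3600 900 1209600 300
@     IN NS    ns1
@     IN CNAME dist.cdn.example.   ; hypothetical CDN hostname
www   IN CNAME dist.cdn.example.
ns1   IN A     192.0.2.53
"""

# Constructed zone: the standardised alternative, an HTTPS record in AliasMode
# (SvcPriority 0) at the apex pointing at the www name that carries the CNAME.
GOOD_ZONE = """
$TTL 300
@     IN SOA   ns1 hostmaster 2024122401 3600 900 1209600 300
@     IN NS    ns1
@     IN HTTPS 0 www
www   IN CNAME dist.cdn.example.
ns1   IN A     192.0.2.53
"""

# DNSSEC types that may legitimately sit beside a CNAME at the same owner.
CNAME_COMPATIBLE = {"CNAME", "RRSIG", "NSEC", "NSEC3"}


def qualify(name, origin):
    """Turn a zone-file name into a fully qualified one relative to origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file parser returning (owner, rrtype, rdata) tuples.
    Handles '@', relative names, optional TTL and class, ';' comments, and
    lines starting with whitespace (same owner as the previous record)."""
    records = []
    owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if line[0].isspace():             # owner omitted: reuse previous one
            rest = fields
        else:
            owner, rest = qualify(fields[0], origin), fields[1:]
        if rest and rest[0].isdigit():    # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        records.append((owner, rest[0].upper(), " ".join(rest[1:])))
    return records


def check_zone(records, origin):
    """Return human-readable problems for CNAME placements the DNS forbids."""
    problems = []
    types_by_owner = defaultdict(list)
    for owner, rrtype, _ in records:
        types_by_owner[owner].append(rrtype)
    for owner, types in types_by_owner.items():
        if "CNAME" not in types:
            continue
        if owner == origin:
            problems.append(f"{owner}: CNAME at the zone apex, which must hold SOA and NS")
        elif set(types) - CNAME_COMPATIBLE:
            others = sorted(set(types) - CNAME_COMPATIBLE)
            problems.append(f"{owner}: CNAME coexists with other data {others}")
    return problems


def apex_https_alias(records, origin):
    """Return the AliasMode HTTPS target at the apex, or None if there is none."""
    for owner, rrtype, rdata in records:
        if owner == origin and rrtype == "HTTPS":
            priority, target = rdata.split()[:2]
            if priority == "0":
                return qualify(target, origin)
    return None


if __name__ == "__main__":
    for label, text in (("bad", BAD_ZONE), ("good", GOOD_ZONE)):
        recs = parse_zone(text, ZONE_ORIGIN)
        print(label, check_zone(recs, ZONE_ORIGIN), apex_https_alias(recs, ZONE_ORIGIN))
```

Running it reports the apex CNAME in the first zone and nothing in the second, where the apex instead carries `HTTPS 0 www`; as Greg notes, only clients that ask an HTTPS/SVCB question follow that alias, so the `www` CNAME still has to exist for everyone else.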

On Tue, 24 Dec 2024 at 14:39, Cuttler, Brian R (HEALTH) via bind-users 
<bind-users@lists.isc.org> wrote:

Hello bind users.

We are running bind 9.14.28 on Ubuntu and have an offsite provider for our DNS 
services.
The cname we create for our webserver www.wadsworth.org is working well.
However, I've been asked if we can point the apex record at the external 
webserver.

If I'm understanding the docs I've looked at, there are ways if we had external 
DNS services, rather than the on-prem Bind server, or if bind supported the 
Alias RR.
I know it can, but does not natively, or at least not the document I found 
which indicates we'd need to modify the source code.

I'm looking for guidance on how to point the named domain name, the apex record 
at the IP addresses provided by the cname name we are using for our webserver.

Thanks in advance,
Brian

Brian Cuttler, System and Network Administration
Wadsworth Center, NYS Department of Health
Albany, NY 12201 POB 509
brian.cutt...@health.ny.gov
518 486-1697

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users