Re: question about CNAME

[Stephane Bortzmeyer]

On Thu, Mar 12, 2009 at 12:32:35PM +0800,
 tzq tang  wrote 
 a message of 132 lines which said:

> > I think I should explain the question more clearly,

You need first to learn about email. The "superior to" sign > is here
to *quote* what you respond to. Do not use it for your own text or it
will be quite difficult to read.

> > email.xx  A   12.2.23.4 

:-) The format of the right-hand side will probably not be accepted by
BIND :-)

> > and in another DNS server I add an CNAME record as follows:
> > email  CNAME  email.xx.zone.com .
> > but it dosen't work.who can tell me why ?

Invalid syntax. BIND will tell you that at startup.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: XFR quota setting?

[Chris Thompson]

On Mar 11 2009, Niall O'Reilly wrote:


On Wed, 2009-03-11 at 16:41 -0500, Peter Laws wrote:

Seriously, though, what is the default quota and is it actually
configurable?


Sorry.  No idea what or whether.  RTFM time for us both!  8-)


Which ought to take less than the time to post here :-(

options "transfers-out" setting, default 10. 


Although the '... quota reached' messages alarmed me at first,
the following message announcing recovery (confirmed by manual
checking of SOA serials) reassured me enough to make me feel 
that no further attention was needed.


If it's occurring a lot, you could have stuck or nearly-stuck
transfers going on. "rndc status" will tell you how many. You may
need to adjust "max-transfer-time-out"/"max-transfer-idle-out"
rather than "transfers-out".

--
Chris Thompson
Email: c...@cam.ac.uk
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Two outgoing queries for each incoming query

[My Name]

Is this possible with 9.6.0-P1 or do I need to change the code (all ideas
where to start are welcome, I haven't looked at the code yet).

I want to setup a forwarder and each incoming query (in fact only A or )
should be sent to two different upstream servers.

Joe
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: question about CNAME

[Sten Carlsen]

Stephane Bortzmeyer wrote:
> On Thu, Mar 12, 2009 at 12:32:35PM +0800,
>  tzq tang  wrote 
>  a message of 132 lines which said:
>
>   
>>> I think I should explain the question more clearly,
>>>   
>
> You need first to learn about email. The "superior to" sign > is here
> to *quote* what you respond to. Do not use it for your own text or it
> will be quite difficult to read.
>
>   
>>> email.xx  A   12.2.23.4 
>>>   
>
> :-) The format of the right-hand side will probably not be accepted by
> BIND :-)
>   
Most likely this is also a stupid mailprogram adding links as it thinks
it should.
>   
>>> and in another DNS server I add an CNAME record as follows:
>>> email  CNAME  email.xx.zone.com .
>>> but it dosen't work.who can tell me why ?
>>>   
What do you expect it to do? I get the feeling that you want to be able
to do a lookup using just "email" as the full name for the server?
If that is not the case, you need to show the whole file for the second
server as the meaning of the line is only clear when you see it in context.
>
> Invalid syntax. BIND will tell you that at startup.
>
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>   

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Two outgoing queries for each incoming query

[R Dicaire]

On Thu, Mar 12, 2009 at 7:43 AM, My Name  wrote:
> I want to setup a forwarder and each incoming query (in fact only A or )
> should be sent to two different upstream servers.

Why?
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: XFR quota setting?

[Laws, Peter C.]

On Mar 11 2009, Niall O'Reilly wrote:

>On Wed, 2009-03-11 at 16:41 -0500, Peter Laws wrote:
>> Seriously, though, what is the default quota and is it actually
>> configurable?
>
> Sorry.  No idea what or whether.  RTFM time for us both!  8-)

Which ought to take less than the time to post here :-(

options "transfers-out" setting, default 10.


Yes, but if you're grepping for "xfer", you'll never find that.  

Thanks, though, this is what I wanted to know.  

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Two outgoing queries for each incoming query

[Gregory Hicks]

> Date: Thu, 12 Mar 2009 13:43:44 +0200
> Subject: Two outgoing queries for each incoming query
> From: My Name 
> To: bind-users@lists.isc.org
> 
> Is this possible with 9.6.0-P1 or do I need to change the code (all
> ideas where to start are welcome, I haven't looked at the code yet).
>
> I want to setup a forwarder and each incoming query (in fact only A
> or ) should be sent to two different upstream servers.

Why?  Bind already does this.  If there are two (or more) servers
serving a zone, it will already query all of them for the initial
query.  However, it uses the answer from the server that has the
fastest response time.

Regards,
Gregory Hicks
-
Gregory Hicks   | Principal Systems Engineer
| Direct:   408.569.7928

People sleep peaceably in their beds at night only because rough men
stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance.  -- Thomas Jefferson

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: XFR quota setting?

[Peter Laws]

Chris Thompson wrote:


If it's occurring a lot, you could have stuck or nearly-stuck
transfers going on. "rndc status" will tell you how many. You may
need to adjust "max-transfer-time-out"/"max-transfer-idle-out"
rather than "transfers-out".


Fiddled with the transfer-* settings and made the quota errors go away. 
Underlying issue seems to be traffic being intermittently blocked between 
the master and the slaves.  Not really a BIND issue.


--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Peaceful coexistence with Windows domain

[Peter Laws]

Our environment includes a couple of AD servers.  They serve DNS to PCs 
using AD (but not all PCs).  They allow DDNS for clients and slave the rest 
of our environment's zones.  For some reason, they *forward* every other 
query to us, but never mind that.  Look it up your own damn ... well, never 
mind.


At any rate, we don't actually delegate "their" zone to them.  This causes 
problems, as you can imagine.


I'm told that the reason we're doing things this way is that we don't want 
any of those "internal addresses" to be queried by the unwashed masses 
lurking outside our perimeter.


So my thought was, well, let's delegate the zone to the AD servers.  Since 
they are already ACLed (or whatever MS calls it), no one will be able to 
see "their" records off-campus but on-campus folks will be able to 
(finally) resolv addresses in that zone regardless of where they point 
(internally) for DNS.


Except that they need an MX record for that zone.

So adding the NS record to delegate the zone to them properly meant that no 
one could see the MX from the outside (since the MS-DNS is ACLed).


If I dump the delegation and make an MX record in the master, mail will be 
OK, but then no one can query records in that zone because it's not 
actually delegated unless they point at MS-DNS.


We thought of slaving that zone on the master, but then we run into 
security, who doesn't want any of that "internal information" leaked out. 
No problem, since we're slaving the zone, we'll pop an ACL on it.  Problem 
solved!  Hurray.


Except for that MX record.

Once you delegate a zone, you *delegate* the zone.  The MX is invisible.


So my requirements are to 1) allow that MX record to be seen "outside", 2) 
allow any host in our environment to be able to query names in any zone 
regardless of which system they point at for DNS, and 3) not have any 
records in that zone be visible "outside" save for that MX.


I'm assuming that switching our configuration to use views would help, but 
we'd like to avoid that, at least for now.


Any quick fixes?

I checked, and per the MS-People, MS-DNS cannot put ACLs on particular 
records.  Neither can BIND, so no surprise there.


Which rock do I need to look under?

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Two outgoing queries for each incoming query

[Mark Andrews]

In message <200903121454.n2cesvel019...@metis.hicks-net.net>, Gregory Hicks wri
tes:
> 
> > Date: Thu, 12 Mar 2009 13:43:44 +0200
> > Subject: Two outgoing queries for each incoming query
> > From: My Name 
> > To: bind-users@lists.isc.org
> > 
> > Is this possible with 9.6.0-P1 or do I need to change the code (all
> > ideas where to start are welcome, I haven't looked at the code yet).
> >
> > I want to setup a forwarder and each incoming query (in fact only A
> > or ) should be sent to two different upstream servers.
> 
> Why?  Bind already does this.  If there are two (or more) servers
> serving a zone, it will already query all of them for the initial
> query.  However, it uses the answer from the server that has the
> fastest response time.

No.  It will query multiple servers in turn as needed to
satisfy queries.  RTT estimates are most effective with
infrastructure zones as those are the ones queried most
often.  Named tries to minimize the number of queries it
makes.
 
> Regards,
> Gregory Hicks
> -
> Gregory Hicks   | Principal Systems Engineer
> | Direct:   408.569.7928
> 
> People sleep peaceably in their beds at night only because rough men
> stand ready to do violence on their behalf -- George Orwell
> 
> The price of freedom is eternal vigilance.  -- Thomas Jefferson
> 
> "The best we can hope for concerning the people at large is that they
> be properly armed." --Alexander Hamilton
> 
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Peaceful coexistence with Windows domain

[Kevin Darcy]

Peter Laws wrote:
Our environment includes a couple of AD servers. They serve DNS to PCs 
using AD (but not all PCs). They allow DDNS for clients and slave the 
rest of our environment's zones. For some reason, they *forward* every 
other query to us, but never mind that. Look it up your own damn ... 
well, never mind.


At any rate, we don't actually delegate "their" zone to them. This 
causes problems, as you can imagine.


I'm told that the reason we're doing things this way is that we don't 
want any of those "internal addresses" to be queried by the unwashed 
masses lurking outside our perimeter.


So my thought was, well, let's delegate the zone to the AD servers. 
Since they are already ACLed (or whatever MS calls it), no one will be 
able to see "their" records off-campus but on-campus folks will be 
able to (finally) resolv addresses in that zone regardless of where 
they point (internally) for DNS.


Except that they need an MX record for that zone.

So adding the NS record to delegate the zone to them properly meant 
that no one could see the MX from the outside (since the MS-DNS is 
ACLed).


If I dump the delegation and make an MX record in the master, mail 
will be OK, but then no one can query records in that zone because 
it's not actually delegated unless they point at MS-DNS.


We thought of slaving that zone on the master, but then we run into 
security, who doesn't want any of that "internal information" leaked 
out. No problem, since we're slaving the zone, we'll pop an ACL on it. 
Problem solved! Hurray.


Except for that MX record.

Once you delegate a zone, you *delegate* the zone. The MX is invisible.


So my requirements are to 1) allow that MX record to be seen 
"outside", 2) allow any host in our environment to be able to query 
names in any zone regardless of which system they point at for DNS, 
and 3) not have any records in that zone be visible "outside" save for 
that MX.


I'm assuming that switching our configuration to use views would help, 
but we'd like to avoid that, at least for now.


Any quick fixes?

I checked, and per the MS-People, MS-DNS cannot put ACLs on particular 
records. Neither can BIND, so no surprise there.


Which rock do I need to look under?

You can't really have it both ways, either the zone is visible or it 
isn't. The MX record is at the very top of the zone -- what is often 
called the "apex" -- so it's not like you can delegate it and put an ACL 
on the delegated zone.


It seems a little inconsistent to me that your Security folks don't mind 
the MX record being exposed but they're paranoid about the zone's other 
"internal" stuff leaking out.


I don't see any way to to meet the requirements you've been given, as 
you've described them. There's nothing really unusual about having 
separate internal-versus-external versions of your namespace, and the 
delegation structure doesn't need to be the same for both. So why not 
just stick with an undelegated AD zone in the external version? You can 
still delegate it in the internal version, if it makes you feel better.


- Kevin

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Peaceful coexistence with Windows domain

[Ben Bridges]

> If I dump the delegation and make an MX record in the master, mail will be
> OK, but then no one can query records in that zone because it's not
> actually delegated unless they point at MS-DNS.

Is there a reason why you can't point all of your internal hosts (AD and 
non-AD) at your AD's for resolution?
 



From: bind-users-boun...@lists.isc.org on behalf of Peter Laws
Sent: Thu 3/12/2009 4:51 PM
To: bind-us...@isc.org
Subject: Peaceful coexistence with Windows domain



Our environment includes a couple of AD servers.  They serve DNS to PCs
using AD (but not all PCs).  They allow DDNS for clients and slave the rest
of our environment's zones.  For some reason, they *forward* every other
query to us, but never mind that.  Look it up your own damn ... well, never
mind.

At any rate, we don't actually delegate "their" zone to them.  This causes
problems, as you can imagine.

I'm told that the reason we're doing things this way is that we don't want
any of those "internal addresses" to be queried by the unwashed masses
lurking outside our perimeter.

So my thought was, well, let's delegate the zone to the AD servers.  Since
they are already ACLed (or whatever MS calls it), no one will be able to
see "their" records off-campus but on-campus folks will be able to
(finally) resolv addresses in that zone regardless of where they point
(internally) for DNS.

Except that they need an MX record for that zone.

So adding the NS record to delegate the zone to them properly meant that no
one could see the MX from the outside (since the MS-DNS is ACLed).

If I dump the delegation and make an MX record in the master, mail will be
OK, but then no one can query records in that zone because it's not
actually delegated unless they point at MS-DNS.

We thought of slaving that zone on the master, but then we run into
security, who doesn't want any of that "internal information" leaked out.
No problem, since we're slaving the zone, we'll pop an ACL on it.  Problem
solved!  Hurray.

Except for that MX record.

Once you delegate a zone, you *delegate* the zone.  The MX is invisible.


So my requirements are to 1) allow that MX record to be seen "outside", 2)
allow any host in our environment to be able to query names in any zone
regardless of which system they point at for DNS, and 3) not have any
records in that zone be visible "outside" save for that MX.

I'm assuming that switching our configuration to use views would help, but
we'd like to avoid that, at least for now.

Any quick fixes?

I checked, and per the MS-People, MS-DNS cannot put ACLs on particular
records.  Neither can BIND, so no surprise there.

Which rock do I need to look under?

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: question about CNAME

[tzq tang]

thanks for your response.I do this test between two intranet machine and
each of them has a local IP.10.0.0.13,additionally the both domain are in
the same DNS SERVER 10.0.0.13 ,the zone file as follows:
ZONE 1:
$ORIGIN .
$TTL 86400  ; 1 day
test.comIN SOA  test.com. www.test.com. (
19970229 ; serial
10 ; refresh (10 seconds)
10 ; retry (10 seconds)
30 ; expire (30 seconds)
30 ; minimum (30 seconds)
)
NS  localhost.
A   10.0.0.13
$ORIGIN test.com.
1   PTR localhost.
email   CNAME  email.tzqian.com.

ZONE 2:

$ORIGIN .
$TTL 86400  ; 1 day
tzqian.com  IN SOA  tzqian.com. support.tzqian.com. (
1997022706 ; serial
10 ; refresh (10 seconds)
10 ; retry (10 seconds)
30 ; expire (30 seconds)
30 ; minimum (30 seconds)
)
NS  localhost.
A   10.0.0.13
$ORIGIN tzqian.com.
1   PTR localhost.
email   A   10.0.0.1


On Thu, Mar 12, 2009 at 7:55 PM, Scott Haneda  wrote:

> Can you just post your zone file, copy and paste, and do not change any
> data in it, use real IP's.  Or at least obfuscate them in a way that makes
> sense to the rest of us.  There really is not a lot of sense in obfuscating
> a public data store anyway.
>
> Here is an example:
>
> Server #1
> email.serverIN  A  192.168.1.100
>
> Server #2
> email   IN  CNAME  email.server.yourzone.com.
>
> I am still not sure I understand your issues, you need to show us both
> zones, and tell us each zones host name.
>
> On Mar 11, 2009, at 7:28 PM, tzq tang wrote:
>
>  I think I should explain the question more clearly,I am wondering how
>> cname reflect the address,so I do a test in my server
>> to add an A record as follows (zone.com):
>> email.xx  A   12.2.23.4
>> and in another DNS server I add an CNAME record as follows:
>> email  CNAME  email.xx.zone.com.
>> but it dosen't work.who can tell me why ?
>>
>
> --
> Scott * If you contact me off list replace talklists@ with scott@ *
>
>
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Trouble publishing dkim via nsupdate

[Mark Andrews]

In message <20090313031347.ga19...@csy.ca>, Shane W writes:
> Hey all,
> 
> I am trying to publish a dkim record in a signed dynamic
> zone using nsupdate.  My query looks like the below but
> nsupdate is having none of it, giving formerr.  Can anyone
> see an obvious error with this query:  Pasting the entry
> directly into the zone (freeze/thaw) does work but then the
> record doesn't get signed.
> 
> nsupdate:
> zone csy.ca
> update delete continuum._domainkey.csy.ca any
> update add continuum._domainkey.csy.ca 86400 txt "k=rsa\; t=y\; p=MIGfMA0GCSq
> GSIb3DQEBAQUAA4GNADCBiQKBgQDGDqQOjvR2NkesUp+rMl164OdruvyT/hcvwWpPJVZZpYJ7C0rU
> FoZeGdIsi0Riv8wbMd0YspPEfXEslt+neNBTp+nGtkbzpV23PnVwxaqaCpUOZtc7LN2BTKLnpQATL
> 30JJE6LwafHPmM5I9S6y1pBQBV9KLdBuxG4+xlIwQf6HwIDAQAB"
> send

Remove the "any" from the delete command.
update delete continuum._domainkey.csy.ca


> output with -d
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  11757
> ;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
> ;; QUESTION SECTION:
> ;csy.ca.ANY SOA
> 
> ;; ANSWER SECTION:
> csy.ca. 86400   IN  SOA continuum.ns.csy.ca. hostmast
> er.csy.ca. 207 14400 900 2419200 3600
> 
> ;; AUTHORITY SECTION:
> csy.ca. 86400   IN  NS  dme6.ns.csy.ca.
> csy.ca. 86400   IN  NS  dme7.ns.csy.ca.
> csy.ca. 86400   IN  NS  continuum.ns.csy.ca.
> csy.ca. 86400   IN  NS  dme5.ns.csy.ca.
> 
> ;; ADDITIONAL SECTION:
> dme5.ns.csy.ca. 86400   IN  A   63.219.151.12
> dme6.ns.csy.ca. 86400   IN  A   64.246.42.203
> dme7.ns.csy.ca. 86400   IN  A   205.234.170.139
> continuum.ns.csy.ca.3600IN  A   70.71.3.27
> 
> Found zone name: csy.ca
> The master is: continuum.ns.csy.ca
> Sending update to 70.71.3.27#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   2080
> ;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 0
> ;; ZONE SECTION:
> ;csy.ca.ANY SOA
> 
> ;; UPDATE SECTION:
> continuum._domainkey.csy.ca. 0  ANY ANY
> continuum._domainkey.csy.ca. 86400 ANY  TXT "k=rsa\; t=y\; p=MIGfMA0GCSqG
> SIb3DQEBAQUAA4GNADCBiQKBgQDGDqQOjvR2NkesUp+rMl164OdruvyT/hcvwWpPJVZZpYJ7C0rUF
> oZeGdIsi0Riv8wbMd0YspPEfXEslt+neNBTp+nGtkbzpV23PnVwxaqaCpUOZtc7LN2BTKLnpQATL3
> 0JJE6LwafHPmM5I9S6y1pBQBV9KLdBuxG4+xlIwQf6HwIDAQAB"
> 
> 
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: FORMERR, id:   2080
> ;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> 
> Thanks,
> Shane
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Peaceful coexistence with Windows domain

[Kevin Darcy]

You mean, other than the fact that MS-DNS is an inferior DNS 
implementation and, as pointed out in the original post, would need to 
forward all queries for names outside of the AD zones?



- Kevin



Ben Bridges wrote:
> If I dump the delegation and make an MX record in the master, mail 
will be

> OK, but then no one can query records in that zone because it's not
> actually delegated unless they point at MS-DNS.
Is there a reason why you can't point all of your internal hosts (AD 
and non-AD) at your AD's for resolution?
 



*From:* bind-users-boun...@lists.isc.org on behalf of Peter Laws
*Sent:* Thu 3/12/2009 4:51 PM
*To:* bind-us...@isc.org
*Subject:* Peaceful coexistence with Windows domain

Our environment includes a couple of AD servers.  They serve DNS to PCs
using AD (but not all PCs).  They allow DDNS for clients and slave the 
rest

of our environment's zones.  For some reason, they *forward* every other
query to us, but never mind that.  Look it up your own damn ... well, 
never

mind.

At any rate, we don't actually delegate "their" zone to them.  This causes
problems, as you can imagine.

I'm told that the reason we're doing things this way is that we don't want
any of those "internal addresses" to be queried by the unwashed masses
lurking outside our perimeter.

So my thought was, well, let's delegate the zone to the AD servers.  Since
they are already ACLed (or whatever MS calls it), no one will be able to
see "their" records off-campus but on-campus folks will be able to
(finally) resolv addresses in that zone regardless of where they point
(internally) for DNS.

Except that they need an MX record for that zone.

So adding the NS record to delegate the zone to them properly meant 
that no

one could see the MX from the outside (since the MS-DNS is ACLed).

If I dump the delegation and make an MX record in the master, mail will be
OK, but then no one can query records in that zone because it's not
actually delegated unless they point at MS-DNS.

We thought of slaving that zone on the master, but then we run into
security, who doesn't want any of that "internal information" leaked out.
No problem, since we're slaving the zone, we'll pop an ACL on it.  Problem
solved!  Hurray.

Except for that MX record.

Once you delegate a zone, you *delegate* the zone.  The MX is invisible.


So my requirements are to 1) allow that MX record to be seen "outside", 2)
allow any host in our environment to be able to query names in any zone
regardless of which system they point at for DNS, and 3) not have any
records in that zone be visible "outside" save for that MX.

I'm assuming that switching our configuration to use views would help, but
we'd like to avoid that, at least for now.

Any quick fixes?

I checked, and per the MS-People, MS-DNS cannot put ACLs on particular
records.  Neither can BIND, so no surprise there.

Which rock do I need to look under?

--
Peter Laws / N5UWY
National Weather Center / Network Operations Center
University of Oklahoma Information Technology
pl...@ou.edu
---
Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: question about CNAME

[Ben Bridges]

What is not working?  Are you not getting the CNAME record for email.test.com?  
Are you not getting the A record for email.tzqian.com?  Are both zones on the 
same dns server, or is each zone on a separate server?  Which server are you 
querying, and from what device are you issuing the query?

 


From: bind-users-boun...@lists.isc.org on behalf of tzq tang
Sent: Thu 3/12/2009 10:19 PM
To: Scott Haneda
Cc: bind-users@lists.isc.org
Subject: Re: question about CNAME


thanks for your response.I do this test between two intranet machine and each 
of them has a local IP.10.0.0.13,additionally the both domain are in the same 
DNS SERVER 10.0.0.13 ,the zone file as follows:
ZONE 1:
$ORIGIN .
$TTL 86400  ; 1 day
test.comIN SOA  test.com. www.test.com. (
19970229 ; serial
10 ; refresh (10 seconds)
10 ; retry (10 seconds)
30 ; expire (30 seconds)
30 ; minimum (30 seconds)
)
NS  localhost.
A   10.0.0.13
$ORIGIN test.com.
1   PTR localhost.
email   CNAME  email.tzqian.com.

ZONE 2:

$ORIGIN .
$TTL 86400  ; 1 day
tzqian.com  IN SOA  tzqian.com. support.tzqian.com. (
1997022706 ; serial
10 ; refresh (10 seconds)
10 ; retry (10 seconds)
30 ; expire (30 seconds)
30 ; minimum (30 seconds)
)
NS  localhost.
A   10.0.0.13
$ORIGIN tzqian.com.
1   PTR localhost.
email   A   10.0.0.1



On Thu, Mar 12, 2009 at 7:55 PM, Scott Haneda  wrote:


Can you just post your zone file, copy and paste, and do not change any 
data in it, use real IP's.  Or at least obfuscate them in a way that makes 
sense to the rest of us.  There really is not a lot of sense in obfuscating a 
public data store anyway.

Here is an example:

Server #1
email.serverIN  A  192.168.1.100

Server #2
email   IN  CNAME  email.server.yourzone.com.

I am still not sure I understand your issues, you need to show us both 
zones, and tell us each zones host name. 


On Mar 11, 2009, at 7:28 PM, tzq tang wrote:



I think I should explain the question more clearly,I am 
wondering how cname reflect the address,so I do a test in my server
to add an A record as follows (zone.com):
email.xx  A   12.2.23.4
and in another DNS server I add an CNAME record as follows:
email  CNAME  email.xx.zone.com.
but it dosen't work.who can tell me why ?



--
Scott * If you contact me off list replace talklists@ with scott@ *




___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

rDNS for /20

[Jeff Lasman]

I've read the relevant parts of DNS and Bind over and over again, and 
I'm still going crazy.  I've searched this list going back about three 
years.  I've googled.  Each step confuses me more .

I'm trying to set up a reverse delegation to two nameservers for a /20.

Netmask is 255.255.240.0 (I think).

Is there a cookbook somewhere?

Thanks in advance for any possible help.

Jeff
-- 
Jeff Lasman, Nobaloney Internet Services
P.O. Box 52200, Riverside, CA  92517
Our blists address used on lists is for list email only
voice:  +1 951 643-5345, or see: 
"http://www.nobaloney.net/contactus.html";
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: rDNS for /20

[Mark Andrews]

In message <200903122311.24920.bli...@nobaloney.net>, Jeff Lasman writes:
> I've read the relevant parts of DNS and Bind over and over again, and 
> I'm still going crazy.  I've searched this list going back about three 
> years.  I've googled.  Each step confuses me more .
> 
> I'm trying to set up a reverse delegation to two nameservers for a /20.
> 
> Netmask is 255.255.240.0 (I think).
> 
> Is there a cookbook somewhere?
> 
> Thanks in advance for any possible help.

Just set up each of the /24's which make up the /20.
 
> Jeff
> -- 
> Jeff Lasman, Nobaloney Internet Services
> P.O. Box 52200, Riverside, CA  92517
> Our blists address used on lists is for list email only
> voice:  +1 951 643-5345, or see: 
> "http://www.nobaloney.net/contactus.html";
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: rDNS for /20

[Doug Barton]

Jeff Lasman wrote:
> I've read the relevant parts of DNS and Bind over and over again, and 
> I'm still going crazy.  I've searched this list going back about three 
> years.  I've googled.  Each step confuses me more .

It would help if you described in more detail what you've tried, and
what is confusing you.

> I'm trying to set up a reverse delegation to two nameservers for a /20.

The easiest way to do this is to set it up as 16 /24s. Are you trying
to do something different?

> Netmask is 255.255.240.0 (I think).

I'm not sure why you're mentioning this, is there some relevance to
what you're trying to do?


hope this helps,

Doug
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users