Re: SRV on multiple subdomains

2024-05-15 Thread Matus UHLAR - fantomas

On 14.05.24 14:20, DEMBLANS Mathieu wrote:

> A part of the subdomains are managed by us, other subdomains by another
> entity.


If you really have multiple subdomains for example.com managed by different
entities, then yes, a wildcard is not a good idea.

This applies to A and MX records as well.

> So we can't configure a generic target for all subdomains as each entity
> has its own target for SRV entries.


You can't even set up a wildcard for *.example.com to provide
server1.example.com A/MX records, because the _imap._tcp.server1.example.com
would make the wildcard invalid for server1.example.com.


Simply, wildcarding is not for a case like this.



-Original Message-
From: bind-users on behalf of Matus UHLAR -
fantomas
Sent: Tuesday, 14 May 2024 15:58
To: bind-users@lists.isc.org
Subject: Re: SRV on multiple subdomains

On 14.05.24 13:08, DEMBLANS Mathieu wrote:

> I have a question about configuration simplification for SRV configuration
> (maybe it can be applied to other entries).
>
> We manage multiple subdomains of a main one (server1.example.com,
> server2.example.com, ...).
> For A and MX entries, we use a general domain definition with a wildcard, but is
> there a way to do so for SRV without having to define all subdomains (we have
> several dozen of them)?
>
> We have to define some SRV entries with the same target, like:
> _imap._tcp.server1.example.com.  IN SRV 0 0 143 main.example.com.
> _imap._tcp.server2.example.com.  IN SRV 0 0 143 main.example.com.



I assume that _imap._tcp should be configurable per domain, so there should not
be any need for things like _imap._tcp.server1.example.com
- you should use _imap._tcp.example.com


> For example something like _imap._tcp.*.example.com  IN SRV main.example.com.
> I read in a doc that the < * > can only be the leftmost label in the name.


correct.


> Is there another way to simplify, or do I have to add each entry individually?


no, but the question is if you really need this.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.
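The wildcard behaviour Matus describes above (an existing _imap._tcp.server1.example.com name stops *.example.com from answering for server1.example.com, and * is only a wildcard as the leftmost label), as an added example that is not part of the thread: a small Python model of RFC 4592 wildcard matching over a constructed zone. All names, addresses and the `0 0 143` priority/weight/port values are constructed for the illustration.

```python
# Added example (not from the thread): a minimal RFC 4592 wildcard lookup over a
# constructed zone, showing why an SRV at _imap._tcp.server1.example.com stops
# *.example.com from synthesising A/MX answers for server1.example.com.

def _labels(name):
    return name.rstrip(".").split(".")

def existing_names(zone):
    """Every name that exists: record owners plus all of their ancestors,
    since empty non-terminals exist too (RFC 4592, section 2.2.2)."""
    names = set()
    for owner in zone:
        labels = _labels(owner)
        for i in range(len(labels)):
            names.add(".".join(labels[i:]) + ".")
    return names

def lookup(zone, qname, qtype):
    """Return the rdata list for (qname, qtype), synthesised from a wildcard
    where RFC 4592 allows it, or None for NXDOMAIN / NODATA."""
    names = existing_names(zone)
    if qname in names:
        # The name exists (even as an empty non-terminal): no wildcard applies.
        return zone.get(qname, {}).get(qtype)
    labels = _labels(qname)
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:]) + "."
        if ancestor in names:
            # Closest encloser found; only "*." directly below it can match.
            return zone.get("*." + ancestor, {}).get(qtype)
    return None

# Constructed sample zone: owner name -> {rrtype: [rdata, ...]}
ZONE_WILDCARD_ONLY = {
    "example.com.": {"NS": ["ns1.example.com."]},
    "main.example.com.": {"A": ["192.0.2.10"]},
    "*.example.com.": {"A": ["192.0.2.10"], "MX": ["10 main.example.com."]},
}
# Same zone plus the per-subdomain SRV from the thread, and the invalid
# "_imap._tcp.*" record, which is an ordinary name because * is not leftmost.
ZONE_WITH_SRV = dict(ZONE_WILDCARD_ONLY)
ZONE_WITH_SRV["_imap._tcp.server1.example.com."] = {"SRV": ["0 0 143 main.example.com."]}
ZONE_WITH_SRV["_imap._tcp.*.example.com."] = {"SRV": ["0 0 143 main.example.com."]}

if __name__ == "__main__":
    print(lookup(ZONE_WILDCARD_ONLY, "server1.example.com.", "A"))  # ['192.0.2.10']
    print(lookup(ZONE_WITH_SRV, "server1.example.com.", "A"))       # None
```

Once the SRV record exists, server1.example.com becomes an empty non-terminal, so the wildcard no longer answers for it, while server2.example.com (no records below it) is still synthesised; the `_imap._tcp.*` record never matches _imap._tcp.server2.example.com.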
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


bind_dlz and views and samba

2024-05-15 Thread Peter Carlson
As I understand it bind_dlz does not support multiple views. I have the
following scenario and am trying to figure out how to configure it:


 * Internal (192.168.10.0/24)
   o resolve internal domain xyz.com
   o resolve internal samba domain xyz.lab
   o resolve single address xyz.3cx.us to 192.168.10.25
 * External is resolved by a different server and xyz.3cx.us resolves
   to a public address
 * VPN (10.9.0.0/24)
   o resolve internal domain xyz.com
   o resolve internal samba domain xyz.lab
   o resolve single address xyz.3cx.us via normal public DNS or
     alternatively resolve to external address

I initially set this up with views:


    acl internals { 192.168.10.0/24; 192.168.11.0/24; localhost; };
    acl vpn       { 10.9.0.0/24; };

    view trusted {
        match-clients { internals; };
        zone "MYDOMAIN.com" IN {
            type master;
            file "/etc/bind/db.MYDOMAIN.com";
            allow-update { none; };
        };
        zone "3cx.us" IN {
            type master;
            file "/etc/bind/db.3cx.us";
            allow-update { none; };
        };
    };

    view vpn {
        match-clients { vpn; };
        zone "MYDOMAIN.com" IN {
            type master;
            file "/etc/bind/db.MYDOMAIN.com";
            allow-update { none; };
        };
    };


But this crashes as soon as I add:


    dlz "AD DNS Zone" {
        database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so";
    };


So I split DNS out from the AD DC, configured bind on the DC to forward to
another DNS server and set up views there, but that doesn't work either, as all
requests now come from the IP of the DC and so the ACLs won't match.


Any ideas how I can accomplish this?

Peter
