domain keys and name-checking
Barry Margolin
barmar at alum.mit.edu
Mon Oct 20 20:45:08 UTC 2008
In article <gdh3dp$4q3$1 at sf1.isc.org>,
"D. Stussy" <spam at bde-arc.ampr.org> wrote:
> "aklist" <aklist_bind at enigmedia.com> wrote in message
> news:gdausb$15ol$1 at sf1.isc.org...
> > > My guess is that you inserted that line between records for the same
> > > name, that were making use of the feature of automatically reusing the
> > > name from the previous line, e.g. you started with:
> > >
> > > foo IN A 1.2.3.4
> > >     IN A 2.3.4.5
> > >
> > > and changed it to:
> > >
> > > foo IN A 1.2.3.4
> > > server._domainkey IN TXT "k=rsa; p=[very long string]"
> > >     IN A 2.3.4.5
> > >
> > > Now the second A record is assigned to server._domainkey, which is not a
> > > valid hostname.
> >
> > Hi: I'm close to fixing this...I moved the "sever._domainkeys..." record
> > to the bottom of the domain, and named-checkzone doesn't object.
> >
> > However, I have a subdomain that I'm trying to declare at the same time,
> > and when I append it to the end of the domain I get an "ignoring out-of-zone
> > data" error for all the subdomain's A records. (The subdomain only
> > contains a single server, which is a mailserver with 5 IPs assigned to it.)
> > My complete domain looks like this:
> >
> > $TTL 3h
> > @       IN SOA ns.parent.com. hostmaster.parent.com. (
> >                 2008101601 ; serial
> >                 3h ; refresh
> >                 1h ; retry
> >                 1w ; expire
> >                 1h ) ; neg cache
> > ;
> >         NS ns.parent.com.
> >         NS ns1.parent.com.
> > ;
> >         MX 10 mail
> > ;
> >         TXT "v=spf1 ip4:aaa.bbb.ccc.40/29 a mx -all"
> > ;
> >         A aaa.bbb.ccc.41
> > mail    A aaa.bbb.ccc.42
> > www     A aaa.bbb.ccc.41
> > ;
> > server._domainkey.domain.com. IN TXT "k=rsa; p=[long string]"
> > ;
> > $ORIGIN sub.domain.com.
> > server  A aaa.bbb.ccc.42
> > server  A aaa.bbb.ddd.12
> > server  A aaa.bbb.ddd.13
> > server  A aaa.bbb.ddd.14
> > server  A aaa.bbb.ddd.15
> >         MX 10 server
> > ;
> >         TXT "v=spf1 ip4:aaa.bbb.ccc.40/29 a mx -all"
>
> If it's really a subdomain, then the $ORIGIN statement should be a RELATIVE
> name (especially since there's only one such statement). The same thing
> goes with the _domainkey label(s).
That's just a style choice, not a requirement. Although it's a good way
to avoid many unintended "out-of-zone data" errors.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
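The three master-file rules this thread turns on (a line that starts with whitespace reuses the previous owner name, `$ORIGIN` is expanded relative to the current origin unless it ends in a dot, and records whose owner falls outside the zone are dropped as out-of-zone data) are easy to model. The following is an added Python example written for this archive page; it is not BIND's parser and not code from anyone in the thread. The zone names `example.com.`/`example.net.`, the 192.0.2.x addresses and the `PLACEHOLDER-KEY` value are constructed for the demonstration, and the check-names test (no underscore in an A record's owner) is a simplified approximation of what named-checkzone reports.

```python
"""Toy model of how BIND-style master files assign owner names (not BIND's parser)."""
import re

RR_TYPES = {"A", "AAAA", "NS", "MX", "TXT", "SOA", "CNAME"}
NAME_FIELDS = {"NS": [0], "CNAME": [0], "MX": [1], "SOA": [0, 1]}  # rdata fields that hold names
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.I)
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def tokenize(line):
    """Split one line into tokens: quotes group text, ';' starts a comment, '(' and ')' stand alone."""
    tokens, buf, quoted = [], "", False
    for ch in line:
        if quoted:  # inside "...": everything but the closing quote is literal, even ';'
            quoted, buf = ch != '"', buf + (ch if ch != '"' else "")
        elif ch == '"':
            quoted = True
        elif ch == ";":
            break
        elif ch.isspace() or ch in "()":
            tokens += [buf] if buf else []
            tokens += [ch] if ch in "()" else []
            buf = ""
        else:
            buf += ch
    return tokens + ([buf] if buf else [])

def absolutize(name, origin):
    """Master-file rule: '@' is the origin; a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def is_hostname(name):
    """check-names style test: each label is letters, digits and inner hyphens only (so no '_')."""
    return all(LABEL_RE.match(lbl) for lbl in name.rstrip(".").split("."))

def parse_zone(text, zone):
    """Return (records, messages); records are (owner, type, rdata) with absolute names."""
    origin, last_owner, records, messages = zone, None, [], []
    pending, depth = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        toks = tokenize(raw)
        if not pending and toks:  # first line of a record: remember its number and indentation
            start, indented = lineno, raw[0].isspace()
        for tok in toks:
            depth += {"(": 1, ")": -1}.get(tok, 0)
            if tok not in ("(", ")"):
                pending.append(tok)
        if depth > 0 or not pending:
            continue  # blank or comment-only line, or still inside parentheses
        toks, pending = pending, []
        if toks[0].startswith("$"):  # directive; only $ORIGIN changes how names are built
            if toks[0].upper() == "$ORIGIN":
                origin = absolutize(toks[1], origin)
            continue
        owner = last_owner if indented else absolutize(toks.pop(0), origin)
        if toks and TTL_RE.match(toks[0]):
            toks.pop(0)  # optional per-record TTL
        if toks and toks[0].upper() == "IN":
            toks.pop(0)  # optional class
        if owner is None or not toks or toks[0].upper() not in RR_TYPES:
            messages.append(f"line {start}: no owner name or unknown RR type {toks[:1]}")
            continue
        rtype, rdata = toks[0].upper(), toks[1:]
        last_owner = owner
        for i in NAME_FIELDS.get(rtype, []):
            if i < len(rdata):
                rdata[i] = absolutize(rdata[i], origin)
        if not (owner == zone or owner.endswith("." + zone)):
            messages.append(f"line {start}: ignoring out-of-zone data ({owner})")
            continue
        if rtype in ("A", "AAAA") and not is_hostname(owner):
            messages.append(f"line {start}: {owner} is not a valid hostname")
        records.append((owner, rtype, tuple(rdata)))
    return records, messages

ZONE = "example.com."  # constructed: documentation names and 192.0.2.x addresses throughout
PITFALL = """\
foo               IN A   192.0.2.1
server._domainkey IN TXT "k=rsa; p=PLACEHOLDER-KEY"
                  IN A   192.0.2.2
"""
UNINDENTED = """\
@   IN SOA ns.parent.com. hostmaster.parent.com. ( 2008101601 3h 1h 1w
        1h )  ; neg cache
    NS ns.parent.com.
NS ns1.parent.com.
"""
SUB_ABSOLUTE = """\
$ORIGIN sub.example.com.
server  A  192.0.2.42
@       MX 10 server
"""
SUB_RELATIVE = SUB_ABSOLUTE.replace("$ORIGIN sub.example.com.", "$ORIGIN sub")

if __name__ == "__main__":  # stand-alone run: show what each constructed file produces
    for text, zone in [(PITFALL, ZONE), (UNINDENTED, ZONE), (SUB_ABSOLUTE, "example.net."), (SUB_RELATIVE, "example.net.")]:
        print(*parse_zone(text, zone), sep="\n")
```

`PITFALL` reproduces the first problem in the thread: the inserted `_domainkey` TXT line becomes the "previous owner", so the indented A record that follows it is now owned by `server._domainkey.example.com.` and fails the hostname check. `UNINDENTED` shows what happens when the leading whitespace is lost: `NS` is read as an owner name and `ns1.parent.com.` as an unknown RR type. The last two files make the `$ORIGIN` point: with an absolute `$ORIGIN sub.example.com.`, loading the same file for any zone other than `example.com` turns every subdomain record into out-of-zone data, whereas the relative form `$ORIGIN sub` follows whatever zone the file is loaded for.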