domain keys and name-checking

Barry Margolin barmar at alum.mit.edu
Mon Oct 20 20:45:08 UTC 2008


In article <gdh3dp$4q3$1 at sf1.isc.org>,
 "D. Stussy" <spam at bde-arc.ampr.org> wrote:

> "aklist" <aklist_bind at enigmedia.com> wrote in message
> news:gdausb$15ol$1 at sf1.isc.org...
> > > My guess is that you inserted that line between records for the same
> > > name, that were making use of the feature of automatically reusing the
> > > name from the previous line, e.g. you started with:
> > >
> > > foo IN A 1.2.3.4
> > >    IN A 2.3.4.5
> > >
> > > and changed it to:
> > >
> > > foo IN A 1.2.3.4
> > > server._domainkey IN TXT "k=rsa; p=[very long string]"
> > >    IN A 2.3.4.5
> > >
> > > Now the second A record is assigned to server._domainkey, which is not a
> > > valid hostname.
> >
> > Hi: I'm close to fixing this... I moved the "sever._domainkeys..." record to
> > the bottom of the domain, and named-checkzone doesn't object.
> >
> > However, I have a subdomain that I'm trying to declare at the same time, and
> > when I append it to the end of the domain I get an "ignoring out-of-zone
> > data" error for all the subdomain's A records. (The subdomain only contains
> > a single server, which is a mailserver with 5 IPs assigned to it.) My
> > complete domain looks like this:
> >
> > $TTL 3h
> > @ IN SOA ns.parent.com. hostmaster.parent.com. (
> >         2008101601 ; serial
> >         3h ; refresh
> >         1h ; retry
> >         1w ; expire
> >         1h ) ;  neg cache
> > ;
> >         NS      ns.parent.com.
> >         NS      ns1.parent.com.
> > ;
> >         MX      10 mail
> > ;
> >         TXT     "v=spf1 ip4:aaa.bbb.ccc.40/29 a mx -all"
> > ;
> >              A       aaa.bbb.ccc.41
> > mail       A       aaa.bbb.ccc.42
> > www     A       aaa.bbb.ccc.41
> > ;
> > server._domainkey.domain.com. IN TXT "k=rsa; p=[long string]"
> > ;
> > $ORIGIN sub.domain.com.
> > server      A       aaa.bbb.ccc.42
> > server      A       aaa.bbb.ddd.12
> > server      A       aaa.bbb.ddd.13
> > server      A       aaa.bbb.ddd.14
> > server      A       aaa.bbb.ddd.15
> >         MX      10 server
> > ;
> >         TXT     "v=spf1 ip4:aaa.bbb.ccc.40/29 a mx -all"
> 
> If it's really a subdomain, then the $ORIGIN statement should be a RELATIVE
> name (especially since there's only one such statement).  The same thing
> goes with the _domainkey label(s).

That's just a style choice, not a requirement.  Although it's a good way 
to avoid many unintended "out-of-zone data" errors.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
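
Added example, not part of the original message and not BIND's code: a simplified Python model of how a zone file assigns owner names, showing both effects discussed in this thread (a blank-owner A record inheriting server._domainkey, and an absolute $ORIGIN that falls outside the zone while a relative one cannot). The zone name, addresses, the check_zone helper and its problem labels are constructed for illustration and only approximate what named-checkzone reports.

```python
import re

HOSTNAME_TYPES = {"A", "AAAA", "MX"}  # simplified: owners that must be hostnames
LABEL_OK = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

def absolute(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def check_zone(text, zone):
    """Return (owner, rtype, problems) for each record in simplified zone text."""
    origin, owner, results = zone, zone, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # rdata after ';' is not needed here
        if not line.strip():
            continue
        if line.startswith("$"):
            if line.upper().startswith("$ORIGIN"):
                origin = absolute(line.split()[1], origin)  # relative is allowed
            continue
        fields = line.split()
        if not raw[0].isspace():          # owner present; otherwise inherit it
            owner = absolute(fields.pop(0), origin)
        while fields[0].upper() == "IN" or fields[0].isdigit():
            fields.pop(0)                 # skip optional class and TTL
        rtype, problems = fields[0].upper(), []
        if not ("." + owner.lower()).endswith("." + zone.lower()):
            problems.append("out-of-zone")
        labels = owner.rstrip(".").split(".")
        if rtype in HOSTNAME_TYPES and not all(LABEL_OK.match(l) for l in labels):
            problems.append("bad-owner-name")
        results.append((owner, rtype, problems))
    return results

ZONE = "example.com."                     # constructed zone name
SAMPLE = """\
foo IN A 192.0.2.1
server._domainkey IN TXT "k=rsa; p=CONSTRUCTED"
   IN A 192.0.2.2
$ORIGIN sub
server A 192.0.2.3
$ORIGIN sub.example.net.
server A 192.0.2.4
"""

if __name__ == "__main__":
    for owner, rtype, problems in check_zone(SAMPLE, ZONE):
        print(f"{owner:32} {rtype:4} {', '.join(problems) or 'ok'}")
```
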

