domain keys and name-checking

D. Stussy spam at bde-arc.ampr.org
Mon Oct 20 22:09:03 UTC 2008


"Barry Margolin" <barmar at alum.mit.edu> wrote in message
news:gdir0q$1s7e$1 at sf1.isc.org...
> In article <gdh3dp$4q3$1 at sf1.isc.org>,
>  "D. Stussy" <spam at bde-arc.ampr.org> wrote:
> > "aklist" <aklist_bind at enigmedia.com> wrote in message
> > news:gdausb$15ol$1 at sf1.isc.org...
> > > > My guess is that you inserted that line between records for the same
> > > > name, that were making use of the feature of automatically reusing the
> > > > name from the previous line, e.g. you started with:
> > > >
> > > > foo IN A 1.2.3.4
> > > >    IN A 2.3.4.5
> > > >
> > > > and changed it to:
> > > >
> > > > foo IN A 1.2.3.4
> > > > server._domainkey IN TXT "k=rsa; p=[very long string]"
> > > >    IN A 2.3.4.5
> > > >
> > > > Now the second A record is assigned to server._domainkey, which is not a
> > > > valid hostname.
> > >
> > > Hi: I'm close to fixing this...I moved the "sever._domainkeys..." record to
> > > the bottom of the domain, and named-checkzone doesn't object.
> > >
> > > However, I have a subdomain that I'm trying to declare at the same time, and
> > > when I append it to the end of the domain I get an "ignoring out-of-zone
> > > data" error for all the subdomain's A records. (The subdomain only contains
> > > a single server, which is a mailserver with 5 IPs assigned to it.) My
> > > complete domain looks like this:
> > >
> > > $TTL 3h
> > > @ IN SOA ns.parent.com. hostmaster.parent.com. (
> > >         2008101601 ; serial
> > >         3h ; refresh
> > >         1h ; retry
> > >         1w ; expire
> > >         1h ) ;  neg cache
> > > ;
> > >         NS      ns.parent.com.
> > >         NS      ns1.parent.com.
> > > ;
> > >         MX      10 mail
> > > ;
> > >         TXT     "v=spf1 ip4:aaa.bbb.ccc.40/29 a mx -all"
> > > ;
> > >              A       aaa.bbb.ccc.41
> > > mail       A       aaa.bbb.ccc.42
> > > www     A       aaa.bbb.ccc.41
> > > ;
> > > server._domainkey.domain.com. IN TXT "k=rsa; p=[long string]"
> > > ;
> > > $ORIGIN sub.domain.com.
> > > server      A       aaa.bbb.ccc.42
> > > server      A       aaa.bbb.ddd.12
> > > server      A       aaa.bbb.ddd.13
> > > server      A       aaa.bbb.ddd.14
> > > server      A       aaa.bbb.ddd.15
> > >         MX      10 server
> > > ;
> > >         TXT     "v=spf1 ip4:aaa.bbb.ccc.40/29 a mx -all"
> >
> > If it's really a subdomain, then the $ORIGIN statement should be a RELATIVE
> > name (especially since there's only one such statement).  The same thing
> > goes with the _domainkey label(s).
>
> That's just a style choice, not a requirement.  Although it's a good way
> to avoid many unintended "out-of-zone data" errors.

That's why I said SHOULD instead of MUST.
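The two failure modes discussed in this thread (a blank-owner A record silently attaching to the server._domainkey TXT record that was inserted above it, and an absolute $ORIGIN producing "ignoring out-of-zone data" when it does not sit under the zone apex named-checkzone was given) both come down to how a zone file's owner names are resolved. The following is an added illustration, not code from this thread or from BIND: a small Python resolver that applies $ORIGIN and the previous-owner inheritance rule, then reports the same two conditions. The zone snippets, the 192.0.2.0/24 addresses and the DKIM key placeholder are constructed for the example.

```python
"""Added illustration: resolve zone-file owner names the way a zone checker must,
then flag (a) A records whose owner is not a valid hostname and (b) records that
fall outside the zone apex. Not BIND's code; a teaching model of the rules."""
import re

# A hostname label: letters, digits, hyphen, no leading/trailing hyphen, no underscore.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted TXT string such as "k=rsa; p=...". """
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def absolutize(name, origin):
    """Turn an owner token into an absolute name: '@' is the origin, a trailing dot is kept,
    anything else is relative to the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def in_zone(fqdn, apex):
    return fqdn == apex or fqdn.endswith("." + apex)


def parse_zone(text, apex):
    """Return [(owner_fqdn, rrtype, rdata), ...], applying $ORIGIN and the rule that a
    line starting with whitespace reuses the previous line's owner name."""
    apex = apex if apex.endswith(".") else apex + "."
    origin, last_owner, records, in_paren = apex, apex, [], False
    for raw in text.splitlines():
        line = strip_comment(raw).rstrip()
        if in_paren:                        # still inside a multi-line ( ... ) rdata, e.g. SOA
            in_paren = ")" not in line
            continue
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):      # a relative $ORIGIN is itself resolved against the old one
            origin = absolutize(line.split()[1], origin)
            continue
        if line.startswith("$"):            # $TTL and other directives do not affect owner names
            continue
        fields = line.split()
        if line[0].isspace():               # blank owner field: inherit the previous owner
            owner = last_owner
        else:
            owner = absolutize(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                   # skip optional TTL and class
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if "(" in rdata and ")" not in rdata:
            in_paren = True
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records


def check_zone(text, apex):
    """Report the two problems from the thread, worded after named-checkzone's messages."""
    apex = apex if apex.endswith(".") else apex + "."
    problems = []
    for owner, rtype, _ in parse_zone(text, apex):
        if not in_zone(owner, apex):
            problems.append(f"ignoring out-of-zone data ({owner})")
        if rtype in ("A", "AAAA") and not all(
            HOSTNAME_LABEL.match(label) for label in owner.rstrip(".").split(".")
        ):
            problems.append(f"{owner}: bad owner name for {rtype} record")
    return problems


# Constructed: the DKIM TXT record dropped between two records that share an owner.
ZONE_DKIM = """\
foo IN A 192.0.2.4
server._domainkey IN TXT "k=rsa; p=CONSTRUCTED_KEY_PLACEHOLDER"
   IN A 192.0.2.5
"""

# Constructed: absolute $ORIGIN for the subdomain; checked against apex parent.com. it is out of zone.
ZONE_ABS = """\
$TTL 3h
@ IN SOA ns.parent.com. hostmaster.parent.com. (
        2008101601 ; serial
        3h 1h 1w 1h )
        NS      ns.parent.com.
        MX      10 mail
mail    A       192.0.2.42
$ORIGIN sub.domain.com.
server  A       192.0.2.42
        MX      10 server
"""
# Same file with the relative form, which stays under whatever apex the zone is loaded as.
ZONE_REL = ZONE_ABS.replace("$ORIGIN sub.domain.com.", "$ORIGIN sub")

if __name__ == "__main__":
    for label, zone, apex in (("dkim", ZONE_DKIM, "example.com."),
                              ("absolute", ZONE_ABS, "parent.com."),
                              ("relative", ZONE_REL, "parent.com.")):
        print(label, check_zone(zone, apex) or "ok")
```

Running it shows the blank-owner A record resolving to server._domainkey.example.com. and being rejected as a hostname, the absolute $ORIGIN placing server.sub.domain.com. outside a zone loaded as parent.com., and the relative `$ORIGIN sub` producing no complaints because it resolves to sub.parent.com. Real named-checkzone applies more checks than this (check-names policy, CNAME/other-data conflicts, glue), so treat the output as an explanation of the messages rather than a replacement for the tool.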
