domain keys and name-checking
D. Stussy
spam at bde-arc.ampr.org
Mon Oct 20 22:09:03 UTC 2008
"Barry Margolin" <barmar at alum.mit.edu> wrote in message
news:gdir0q$1s7e$1 at sf1.isc.org...
> In article <gdh3dp$4q3$1 at sf1.isc.org>,
> "D. Stussy" <spam at bde-arc.ampr.org> wrote:
> > "aklist" <aklist_bind at enigmedia.com> wrote in message
> > news:gdausb$15ol$1 at sf1.isc.org...
> > > > My guess is that you inserted that line between records for the same
> > > > name, that were making use of the feature of automatically reusing the
> > > > name from the previous line, e.g. you started with:
> > > >
> > > > foo IN A 1.2.3.4
> > > >     IN A 2.3.4.5
> > > >
> > > > and changed it to:
> > > >
> > > > foo IN A 1.2.3.4
> > > > server._domainkey IN TXT "k=rsa; p=[very long string]"
> > > >     IN A 2.3.4.5
> > > >
> > > > Now the second A record is assigned to server._domainkey, which is not a
> > > > valid hostname.
> > >
> > > Hi: I'm close to fixing this...I moved the "server._domainkey..." record to
> > > the bottom of the domain, and named-checkzone doesn't object.
> > >
> > > However, I have a subdomain that I'm trying to declare at the same time, and
> > > when I append it to the end of the domain I get an "ignoring out-of-zone
> > > data" error for all the subdomain's A records. (The subdomain only contains
> > > a single server, which is a mailserver with 5 IPs assigned to it.) My
> > > complete domain looks like this:
> > >
> > > $TTL 3h
> > > @ IN SOA ns.parent.com. hostmaster.parent.com. (
> > >         2008101601 ; serial
> > >         3h ; refresh
> > >         1h ; retry
> > >         1w ; expire
> > >         1h ) ; neg cache
> > > ;
> > >     NS ns.parent.com.
> > >     NS ns1.parent.com.
> > > ;
> > >     MX 10 mail
> > > ;
> > >     TXT "v=spf1 ip4:aaa.bbb.ccc.40/29 a mx -all"
> > > ;
> > >     A aaa.bbb.ccc.41
> > > mail A aaa.bbb.ccc.42
> > > www A aaa.bbb.ccc.41
> > > ;
> > > server._domainkey.domain.com. IN TXT "k=rsa; p=[long string]"
> > > ;
> > > $ORIGIN sub.domain.com.
> > > server A aaa.bbb.ccc.42
> > > server A aaa.bbb.ddd.12
> > > server A aaa.bbb.ddd.13
> > > server A aaa.bbb.ddd.14
> > > server A aaa.bbb.ddd.15
> > >     MX 10 server
> > > ;
> > >     TXT "v=spf1 ip4:aaa.bbb.ccc.40/29 a mx -all"
> >
> > If it's really a subdomain, then the $ORIGIN statement should be a RELATIVE
> > name (especially since there's only one such statement). The same thing
> > goes with the _domainkey label(s).
>
> That's just a style choice, not a requirement. Although it's a good way
> to avoid many unintended "out-of-zone data" errors.
That's why I said SHOULD instead of MUST.
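The two pitfalls discussed in this thread (a blank owner field silently inheriting the previous record's name, and an absolute $ORIGIN or absolute owner that lands outside the zone the file is loaded under) can be reproduced with a small owner-name resolver. The script below is an added example written for this archive page, not code from the thread or from BIND; it imitates the two named-checkzone complaints rather than calling BIND, and the zone name example.com. and the 192.0.2.x addresses are constructed placeholders.

```python
"""Constructed example: resolve owner names in a BIND master file the way
the loader does, and report what named-checkzone would complain about:
  * "bad owner name" when a record whose owner must be a hostname ends up
    owned by server._domainkey because its owner field was left blank;
  * "ignoring out-of-zone data" when an absolute $ORIGIN (or an absolute
    owner) does not sit under the name the zone is loaded as.
"""
import re

ZONE = "example.com."  # constructed: the name this file is loaded under
HOSTNAME_TYPES = {"A", "AAAA", "MX", "NS"}  # owners that check-names applies to
_RR_TYPES = {"A", "AAAA", "TXT", "MX", "NS", "SOA", "CNAME", "PTR", "SRV"}
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def absolute(name, origin):
    """Turn a master-file name into an absolute name using the current origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def valid_hostname(name):
    """RFC 952/1123 labels: letters, digits and interior hyphens only."""
    return all(_LABEL_RE.match(lbl) for lbl in name.rstrip(".").split("."))


def _strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out).rstrip()


def _rr_type(fields):
    """First token that is an RR type (class and TTL tokens are skipped)."""
    return next((t.upper() for t in fields if t.upper() in _RR_TYPES), None)


def check_zone(text, zone):
    """Return (records, problems): records as (owner, type), problems as text."""
    origin, last_owner = zone, zone
    records, problems, depth = [], [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if depth:  # inside a ( ... ) continuation such as a multi-line SOA
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = absolute(fields[1], origin)  # relative $ORIGIN stacks on the old one
            continue
        if fields[0].startswith("$"):  # $TTL etc.: nothing to resolve
            continue
        if line[0].isspace():
            owner = last_owner  # blank owner field: inherit the previous owner
        else:
            owner, fields = absolute(fields[0], origin), fields[1:]
        last_owner = owner
        rtype = _rr_type(fields)
        depth += line.count("(") - line.count(")")
        records.append((owner, rtype))
        if not in_zone(owner, zone):
            problems.append(f"ignoring out-of-zone data ({owner})")
        elif rtype in HOSTNAME_TYPES and not valid_hostname(owner):
            problems.append(f"{owner}: bad owner name (check-names)")
    return records, problems


# The inserted TXT record steals the owner of the following A record.
INHERITED_OWNER_ZONE = """\
foo IN A 192.0.2.4
server._domainkey IN TXT "k=rsa; p=PUBLIC-KEY-PLACEHOLDER"
    IN A 192.0.2.5
"""

# Absolute names that do not sit under ZONE, as in the quoted zone file.
ABSOLUTE_ORIGIN_ZONE = """\
$TTL 3h
@       IN SOA ns.parent.com. hostmaster.parent.com. (
            2008101601 3h 1h 1w 1h )
        NS  ns.parent.com.
        MX  10 mail
mail    A   192.0.2.42
server._domainkey.domain.com. IN TXT "k=rsa; p=PUBLIC-KEY-PLACEHOLDER"
$ORIGIN sub.domain.com.
server  A   192.0.2.42
server  A   192.0.2.43
        MX  10 server
"""

# Same data with relative names: everything resolves under ZONE.
RELATIVE_ORIGIN_ZONE = ABSOLUTE_ORIGIN_ZONE.replace(
    "server._domainkey.domain.com.", "server._domainkey").replace(
    "$ORIGIN sub.domain.com.", "$ORIGIN sub")

if __name__ == "__main__":
    for label, zone in [("inherited owner", INHERITED_OWNER_ZONE),
                        ("absolute $ORIGIN", ABSOLUTE_ORIGIN_ZONE),
                        ("relative $ORIGIN", RELATIVE_ORIGIN_ZONE)]:
        records, problems = check_zone(zone, ZONE)
        print(f"--- {label}: {len(records)} records, {len(problems)} problems")
        for p in problems:
            print("  ", p)
```

Loaded as example.com., the first zone yields an A record owned by server._domainkey.example.com. (the hostname check fails on the underscore label), the second yields four out-of-zone records (the absolute _domainkey TXT, both server A records and the MX that inherits server's owner), and the relative version yields none, because $ORIGIN sub resolves against whatever origin the file is loaded under.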