Timothe Litt litt at acm.org
Fri Jul 1 17:21:22 UTC 2011

Yes, the example.us zone loads.  As I mentioned, no errors in named.log, and
the statistics webserver (in named) shows example.us as active, albeit with
'-' for the serial number instead of the number in the zone file.
How did you get a DNAME into .com? 

I did make example.us a zone - it is one, isn't it?  If the DNAME has to go
in .us, I don't see making this scheme work.  As a practical matter,
registrars will put NS records into the TLDs, and some (with encouragement)
are starting to accept DNSSEC records for the TLDs).  But I've yet to see
one that provides a means for a registrant to have a DNAME inserted...
Unless I'm missing something.  Did you actually manage to do this, or is
your setup working in third+-level domains?
I was hoping/expecting that since my server is the authoritative server for
example.us, the DNAME could go in the example.us zone.  I expected that
when, as the authoritative server, it was asked for foo.example.us, it would
respond with foo.example.net.  But the RFC wasn't clear, which is why I

This communication may not represent my employer's views,
if any, on the matters discussed.



From: Jon F. [mailto:pikel.m95 at gmail.com] 
Sent: Thursday, June 30, 2011 16:11
To: Timothe Litt
Cc: bind-users at lists.isc.org
Subject: Re: DNAME?

I have a similar setup to that and it works. Have you checked the logs to
make sure the zone properly loaded? I'm assuming the zone data you posted
below is from the example.us zone but your first question makes it sound
like you put it in a separate zone. That would explain the SERVFAIL if the
zone data never loaded but the server was authoritative. It does need to be
in the .us.

example.com.           60      IN      DNAME   example.net.
test.example.com.     60      IN      CNAME   test.example.net.
test.example.net.       60      IN      A

And that's with zone data like this:
example.com.  IN NS ns1.example.net.
example.com.   IN NS ns2.example.net.
example.com.  IN A
example.com. IN DNAME example.net.

Truthfully I haven't looked at DNAMEs in a long time so I'm unsure how to
do it fully for a domain without adding an A record as well. But what you're
doing works, it's just not very pretty. Someone may have a better way.

On Thu, Jun 30, 2011 at 2:01 PM, Timothe Litt <litt at acm.org> wrote:

I have domain example.net in production, and have recently acquired
example.us and example.info.

For whatever reason, I want example.us to simply mirror example.net, which
is dynamically updated (and dnssec).  And I want example.us to be zero
maintenance. (Well, OK I know I need separate DNSSEC keys, but I don't want
to mirror every update made in .net to .us)

So, I add a zone to ns1.example.net that looks like:
(In view "internal")
   zone "example.us" {
       auto-dnssec maintain;
       type master;
       allow-transfer { key "TSIG_GLOBAL_KEY"; };
       file "EXAMPLE_US.DB";
       update-policy {
           grant "TSIG_GLOBAL_KEY" subdomain example.us. ANY ;
       };
   };

$TTL 600        ; 10 minutes
example.us.               IN SOA  ns1.example.net. examplenetadmin.example.net. (
                               2011063001 ; serial
                               172800     ; refresh (2 days)
                               600        ; retry (10 minutes)
                               2419200    ; expire (4 weeks)
                               600        ; minimum (10 minutes)
                               )
example.us.     IN DNAME example.net.
example.us. IN NS ns1.example.net.
example.us. IN NS ns2.example.net.

I get SERVFAIL with dig if I ask about, say www.example.us @ns1.example.net
(www.example.net does exist).

I see nothing in the named.log, except the trace 99 /notrace commands
bracketing the dig, and if I turn on querylog:
client <ns1 IP>#33256: view internal: query: www.example.us IN A + (<ns1

If I look at the named statistics channel, I see that example.us is being
served, but the zone serial is '-', not '2011063001'.

   o Am I confused about DNAME placement - would it have to go in .US?
     If so, is this possible?  (I don't mean technically possible - I mean
     practically - e.g. thru a registrar such as godaddy, enom, etc).  If not,
     what explains the SERVFAIL?
   o Why is '-' reported for the zone serial?
   o I understand that DNAME and MX don't play well together (DNAME is
     essentially CNAME, and MX doesn't allow CNAMEs).  I suspect I'd have to
     live with that - unless there are wiser heads?
   o Is there a better approach?  (Assume that I'll also want to do the
     same thing to example.info...)



Jonathan French 
pikel.m95 at gmail.com
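The thread turns on where a DNAME takes effect: it rewrites names *below* its owner, never the owner itself, which is why apex records (SOA, NS, MX) are served normally and why a query for www.example.us gets a synthesized CNAME to www.example.net. The following is an added example, not code from the thread or from BIND: a small model of RFC 6672 DNAME substitution applied to the example.us zone above. The ZONE dict and the answer() helper are constructed for illustration.

```python
# Added example (not from the thread or BIND): RFC 6672 DNAME substitution,
# modelled on the example.us zone from the thread. Assumes a single DNAME at
# the zone apex; ZONE and answer() are constructed for illustration.

def _labels(name):
    """Split a fully qualified name ('www.example.us.') into labels, root dropped."""
    return name.rstrip(".").lower().split(".")

def dname_substitute(qname, owner, target):
    """Return the rewritten name, or None if the DNAME rule does not apply.

    Only names strictly below the DNAME owner are rewritten; the owner itself
    never is (RFC 6672 section 2.2), so apex SOA/NS/MX data is served as usual.
    """
    q, o = _labels(qname), _labels(owner)
    if len(q) <= len(o) or q[-len(o):] != o:
        return None
    prefix = q[:-len(o)]            # labels left of the owner, e.g. ['www']
    return ".".join(prefix + _labels(target)) + "."

# Constructed zone data mirroring the thread's example.us zone.
ZONE = {
    "example.us.": {
        "SOA": ["ns1.example.net. examplenetadmin.example.net."],
        "NS": ["ns1.example.net.", "ns2.example.net."],
        "DNAME": ["example.net."],
    },
}

def answer(qname, qtype, zone=ZONE):
    """Model an authoritative answer: explicit RRset first, then DNAME synthesis."""
    rrs = zone.get(qname.lower(), {})
    if qtype in rrs:
        return {"rcode": "NOERROR",
                "answer": [(qname, qtype, v) for v in rrs[qtype]]}
    for owner, rrsets in zone.items():
        if "DNAME" in rrsets:
            new = dname_substitute(qname, owner, rrsets["DNAME"][0])
            if new:
                # The server returns the DNAME plus a synthesized CNAME; the
                # querier (or recursive server) then resolves the new name.
                return {"rcode": "NOERROR",
                        "answer": [(owner, "DNAME", rrsets["DNAME"][0]),
                                   (qname, "CNAME", new)]}
    # Name exists but has no data of that type -> NOERROR/NODATA; else NXDOMAIN.
    return {"rcode": "NOERROR" if qname.lower() in zone else "NXDOMAIN",
            "answer": []}
```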
