DNAME?

Mark Andrews marka at isc.org
Sat Jul 2 01:58:12 UTC 2011


When DNAME was being developed the working group had to make a
decision about whether DNAME should redirect the node it was at or
just the names below it.  The decision was made to do the latter
because it didn't require TLD operators to know about DNAME at the
cost of a little more work to keep the apex records in sync.

In hindsight we should have done both as there are use cases for
both.  Getting other types added to TLDs isn't a technical issue,
it's a political issue.  There are TLDs that accept MX, A, AAAA and
I believe DNAME today instead of NS records at what would be the
delegation point.  It's just as easy to serve these records as it
is to serve a delegation.

Mark

In message <2FA4ED65DAC044849AA3F57FBCFE2CA5 at sb.litts.net>, "Timothe Litt" writes:
> Yes, the example.us zone loads.  As I mentioned, no errors in named.log, and
> the statistics webserver (in named) shows example.us as active, albeit with
> '-' for the serial number instead of the number in the zone file.
>  
> How did you get a DNAME into .com? 
> 
> I did make example.us a zone - it is one, isn't it?  If the DNAME has to go
> in .us, I don't see making this scheme work.  As a practical matter,
> registrars will put NS records into the TLDs, and some (with encouragement)
> are starting to accept DNSSEC records for the TLDs.  But I've yet to see
> one that provides a means for a registrant to have a DNAME inserted...
> Unless I'm missing something.  Did you actually manage to do this, or is
> your setup working in third+-level domains?
>  
> I was hoping/expecting that since my server is the authoritative server for
> example.us, the DNAME could go in the example.us zone.  I expected that
> when, as the authoritative server, it was asked for foo.example.us, it would
> respond with foo.example.net.  But the RFC wasn't clear, which is why I
> asked.
>  
> thanks.
> 
> ---------------------------------------------------------
> This communication may not represent my employer's views,
> if any, on the matters discussed.
> 
> From: Jon F. [mailto:pikel.m95 at gmail.com] 
> Sent: Thursday, June 30, 2011 16:11
> To: Timothe Litt
> Cc: bind-users at lists.isc.org
> Subject: Re: DNAME?
> 
> 
> I have a similar set up to that and it works. Have you checked the logs to
> make sure the zone properly loaded? I'm assuming the zone data you posted
> below is from the example.us zone but your first question makes it sound
> like you put it in a separate zone. That would explain the SERVFAIL if the
> zone data never loaded but the server was authoritative. It does need to be
> in the .us.
> 
> 
> ;; ANSWER SECTION:
> example.com.            60      IN      DNAME   example.net.
> test.example.com.       60      IN      CNAME   test.example.net.
> test.example.net.       60      IN      A       127.0.0.1
> 
> 
> 
> And that's with zone data like this:
> example.com.   IN NS    ns1.example.net.
> example.com.   IN NS    ns2.example.net.
> example.com.   IN A     10.0.0.1
> example.com.   IN DNAME example.net.
> 
> 
> Truthfully I haven't looked at DNAMEs in a long time so I'm unsure how to
> do it fully for a domain without adding an A record as well. But what you're
> doing works, it's just not very pretty. Someone may have a better way.
> 
> 
> 
> 
> On Thu, Jun 30, 2011 at 2:01 PM, Timothe Litt <litt at acm.org> wrote:
> 
> 
> I have domain example.net in production, and have recently acquired
> example.us and example.info.
> 
> For whatever reason, I want example.us to simply mirror example.net, which
> is dynamically updated (and dnssec).  And I want example.us to be zero
> maintenance. (Well, OK I know I need separate DNSSEC keys, but I don't want
> to mirror every update made in .net to .us)
> 
> So, I add a zone to ns1.example.net that looks like:
> (In view "internal")
>    zone "example.us" {
>        auto-dnssec maintain;
>        type master;
>        allow-transfer { key "TSIG_GLOBAL_KEY"; };
>        file "EXAMPLE_US.DB";
>        update-policy {
>            grant "TSIG_GLOBAL_KEY" subdomain example.us. ANY ;
>        };
>     };
> 
> $ORIGIN .
> $TTL 600        ; 10 minutes
> example.us.     IN SOA  ns1.example.net. examplenetadmin.example.net. (
>                                2011063001 ; serial
>                                172800     ; refresh (2 days)
>                                600        ; retry (10 minutes)
>                                2419200    ; expire (4 weeks)
>                                600        ; minimum (10 minutes)
>                                )
> example.us.     IN DNAME example.net.
> example.us. IN NS ns1.example.net.
> example.us. IN NS ns2.example.net.
> 
> I get SERVFAIL with dig if I ask about, say www.example.us @ns1.example.net
> (www.example.net does exist).
> 
> I see nothing in the named.log, except the trace 99 /notrace commands
> bracketing the dig, and if I turn on querylog:
> client <ns1 IP>#33256: view internal: query: www.example.us IN A + (<ns1 IP>).
> 
> If I look at the named statistics channel, I see that example.us is being
> served, but the zone serial is '-', not '2011063001'.
> 
> Questions:
>    o Am I confused about DNAME placement - would it have to go in .US?
>      If so, is this possible?  (I don't mean technically possible - I mean
>      practically - e.g. thru a registrar such as godaddy, enom, etc).  If not,
>      what explains the SERVFAIL?
>    o Why is '-' reported for the zone serial?
>    o I understand that DNAME and MX don't play well together (DNAME is
>      essentially CNAME, and MX doesn't allow CNAMEs).  I suspect I'd have to
>      live with that - unless there are wiser heads?
>    o Is there a better approach?  (Assume that I'll also want to do the
>      same thing to example.info...)
> 
> Thanks.
> 
> ---------------------------------------------------------
> This communication may not represent my employer's views,
> if any, on the matters discussed.
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> 
> 
> 
> -- 
> Jonathan French 
> pikel.m95 at gmail.com
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
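Worked example, added to this archive page and not taken from the thread, from BIND, or from Mark's message: a small Python model of the DNAME substitution rule (RFC 6672 section 2.2, formerly RFC 2672) that Mark describes and that Jon's dig output and Timothe's example.us zone file illustrate. It shows that a DNAME at example.us redirects every name below the owner by synthesizing a CNAME, while the owner name itself is answered from its own SOA/NS/A/MX records (so those have to be kept in sync by hand), and it goes a little beyond the thread by also handling the two edge cases the RFC specifies: data stored beneath a DNAME owner is occluded, and a substitution that would produce a name longer than 255 octets yields rcode YXDOMAIN. The ZONE dictionary is constructed from the zone file Timothe posted; the function names (dname_substitute, answer) and the dictionary layout are this example's own and not BIND's.

```python
"""DNAME substitution as an authoritative server applies it (RFC 6672 section 2.2).

Added example for this thread; not code from the bind-users posts or from BIND.
A DNAME redirects every name *below* its owner by synthesizing a CNAME. The owner
name itself is never redirected, so the SOA, NS, A, MX and other apex records of
the DNAME zone have to be maintained separately.
"""

MAX_NAME_OCTETS = 255   # wire-format name limit (RFC 1035 2.3.4), enforced by RFC 6672 2.2
MAX_INDIRECTIONS = 8    # bound on DNAME/CNAME chains followed inside one zone


def _labels(name):
    """Fully qualified name -> list of lowercase labels, without the root label."""
    n = name.rstrip(".").lower()
    return n.split(".") if n else []


def _wire_length(labels):
    """Octets the name occupies on the wire: one length byte per label, plus the root."""
    return sum(len(label) + 1 for label in labels) + 1


def _is_below(name, ancestor):
    """True when name is a proper descendant of ancestor (ancestor itself excluded)."""
    n, a = _labels(name), _labels(ancestor)
    return len(n) > len(a) and n[len(n) - len(a):] == a


def _in_zone(name, apex):
    """True when name is the apex or lies beneath it."""
    return name.lower() == apex.lower() or _is_below(name, apex)


def dname_substitute(qname, owner, target):
    """Apply (owner DNAME target) to qname per RFC 6672 2.2.

    Returns the substituted name, or None when qname is the owner itself or is not
    under it (no substitution takes place). Raises ValueError when the result would
    exceed 255 octets; a server answers such a query with rcode YXDOMAIN.
    """
    if not _is_below(qname, owner):
        return None
    q, o, t = _labels(qname), _labels(owner), _labels(target)
    new = q[:len(q) - len(o)] + t          # keep the prefix, swap owner suffix for target
    if _wire_length(new) > MAX_NAME_OCTETS:
        raise ValueError("substituted name exceeds 255 octets")
    return ".".join(new) + "."


def _dname_covering(zone, name):
    """(owner, target) of the DNAME at the outermost proper ancestor of name, if any.

    Walking from the apex downward mirrors the RFC 1034 4.3.2 lookup: the first DNAME
    met on the way down wins, and anything stored beneath it is occluded (RFC 6672 2.3).
    """
    labels = _labels(name)
    for i in range(len(labels) - 1, 0, -1):
        owner = ".".join(labels[i:]) + "."
        targets = zone.get(owner, {}).get("DNAME")
        if targets:
            return owner, targets[0]
    return None


def answer(zone, qname, qtype):
    """Return (rcode, answer-section RRs) as the authoritative server for `zone` would.

    `zone` maps fully qualified lowercase owner names to {type: [rdata, ...]}; the apex
    is the owner carrying the SOA. RRs come back as (owner, type, rdata) tuples.
    """
    apex = next(n for n, rrset in zone.items() if "SOA" in rrset)
    name, rrs = qname.lower(), []
    for _ in range(MAX_INDIRECTIONS):
        covering = _dname_covering(zone, name)
        if covering:
            owner, target = covering
            try:
                new = dname_substitute(name, owner, target)
            except ValueError:
                return "YXDOMAIN", rrs
            rrs.append((owner, "DNAME", target))
            rrs.append((name, "CNAME", new))   # synthesized on the fly, never stored
            if not _in_zone(new, apex):
                return "NOERROR", rrs          # target is in another zone; resolver follows
            name = new
            continue
        node = zone.get(name)
        if node is None:
            return "NXDOMAIN", rrs
        rrs += [(name, qtype, rd) for rd in node.get(qtype, [])]
        return "NOERROR", rrs                  # empty rrs here is a NODATA answer
    return "SERVFAIL", rrs


# Constructed from the example.us zone file posted in the thread. There is no MX at
# the apex, and the DNAME does not supply one: the apex is not redirected.
ZONE = {
    "example.us.": {
        "SOA": ["ns1.example.net. examplenetadmin.example.net. 2011063001 172800 600 2419200 600"],
        "NS": ["ns1.example.net.", "ns2.example.net."],
        "DNAME": ["example.net."],
    },
}

if __name__ == "__main__":
    for q, t in [("www.example.us.", "A"), ("example.us.", "NS"), ("example.us.", "MX")]:
        print(q, t, answer(ZONE, q, t))
```

Running the block prints a DNAME plus synthesized CNAME for www.example.us, the two NS records for the apex, and an empty (NODATA) answer for MX at the apex, which is the practical content of Mark's point: the redirect covers the subtree, and anything wanted at example.us itself has to be put there.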


