Timothe Litt litt at acm.org
Thu Jun 30 19:01:18 UTC 2011

I have domain example.net in production, and have recently acquired
example.us and example.info.

For whatever reason, I want example.us to simply mirror example.net, which
is dynamically updated (and dnssec).  And I want example.us to be zero
maintenance. (Well, OK I know I need separate DNSSEC keys, but I don't want
to mirror every update made in .net to .us)

So, I add a zone to ns1.example.net that looks like:
(In view "internal")
    zone "example.us" {
        auto-dnssec maintain;
        type master;
        allow-transfer { key "TSIG_GLOBAL_KEY"; };
        file "EXAMPLE_US.DB";
        update-policy {
            grant "TSIG_GLOBAL_KEY" subdomain example.us. ANY;
        };
    };

$TTL 600        ; 10 minutes
example.us.     IN SOA  ns1.example.net. examplenetadmin.example.net. (
                                2011063001 ; serial
                                172800     ; refresh (2 days)
                                600        ; retry (10 minutes)
                                2419200    ; expire (4 weeks)
                                600        ; minimum (10 minutes)
                                )
example.us.     IN DNAME example.net.
example.us.     IN NS    ns1.example.net.
example.us.     IN NS    ns2.example.net.

I get SERVFAIL with dig if I ask about, say www.example.us @ns1.example.net
(www.example.net does exist).

I see nothing in the named.log, except the trace 99 /notrace commands
bracketing the dig, and if I turn on querylog:
client <ns1 IP>#33256: view internal: query: www.example.us IN A + (<ns1

If I look at the named statistics channel, I see that example.us is being
served, but the zone serial is '-', not '2011063001'.

  o Am I confused about DNAME placement - would it have to go in .US?
    If so, is this possible?  (I don't mean technically possible - I mean
    practically - e.g. through a registrar such as godaddy, enom, etc).  If
    not, what explains the SERVFAIL?
  o Why is '-' reported for the zone serial?
  o I understand that DNAME and MX don't play well together (DNAME is
    essentially CNAME, and MX doesn't allow CNAMEs).  I suspect I'd have to
    live with that - unless there are wiser heads?
  o Is there a better approach?  (Assume that I'll also want to do the
    same thing to example.info...)


This communication may not represent my employer's views,
if any, on the matters discussed. 

More information about the bind-users mailing list
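The DNAME placement and MX questions in the post above turn on which names an apex DNAME actually rewrites. The Python below is an added example (my code, not anything from the original post or from BIND) that models the RFC 6672 rules for the example.us zone as posted: substitution applies only to names strictly below the DNAME owner, so the apex SOA and NS records (and any apex MX) are untouched, while a query for www.example.us yields a synthesized CNAME to www.example.net; a substituted name longer than 255 octets yields YXDOMAIN. It also flags the two zone-level conditions RFC 6672 forbids: a CNAME at the DNAME owner, and any record below the DNAME owner (occluded data). The record tuples are constructed from the posted zone file; 192.0.2.10 is a documentation address used only to exercise the occlusion check.

```python
# Added example, not code from the original post or from BIND: a small model of
# RFC 6672 DNAME handling for the example.us -> example.net setup in the post.
# Records are constructed from the posted zone file; 192.0.2.10 (TEST-NET-1)
# is a documentation address used only for the occlusion check.

from typing import Optional

# Constructed records: (owner, type, rdata), matching the posted example.us zone.
ZONE_RECORDS = [
    ("example.us.", "SOA",
     "ns1.example.net. examplenetadmin.example.net. 2011063001 172800 600 2419200 600"),
    ("example.us.", "NS", "ns1.example.net."),
    ("example.us.", "NS", "ns2.example.net."),
    ("example.us.", "DNAME", "example.net."),
]

MAX_NAME_OCTETS = 255  # RFC 1035 limit on a wire-format domain name


def labels(name: str) -> list:
    """Split a fully qualified, dot-terminated name into lowercase labels."""
    return name.lower().rstrip(".").split(".")


def wire_length(name: str) -> int:
    """Wire-format length: one length octet per label, plus the root label."""
    return sum(len(label) + 1 for label in labels(name)) + 1


def is_strictly_below(name: str, owner: str) -> bool:
    """True when name is a proper subdomain of owner. DNAME substitution applies
    only to such names, never to the owner itself (RFC 6672 s2.1), which is why
    an apex DNAME leaves the apex SOA/NS/MX records alone."""
    n, o = labels(name), labels(owner)
    return len(n) > len(o) and n[-len(o):] == o


def dname_substitute(qname: str, owner: str, target: str) -> Optional[str]:
    """RFC 6672 s2.2 substitution: swap the owner suffix for the target.
    Returns the new name, None if the DNAME does not apply to qname, or the
    string "YXDOMAIN" if the result would exceed 255 octets."""
    if not is_strictly_below(qname, owner):
        return None
    n, o = labels(qname), labels(owner)
    new_name = ".".join(n[: len(n) - len(o)] + labels(target)) + "."
    if wire_length(new_name) > MAX_NAME_OCTETS:
        return "YXDOMAIN"
    return new_name


def answer(qname: str, qtype: str, records=ZONE_RECORDS) -> list:
    """Authoritative-server view of a query: records at the exact owner win;
    otherwise, if a DNAME owner sits above qname, return that DNAME plus the
    CNAME the server synthesizes (RFC 6672 s3.1). Returns (owner, type, rdata)
    tuples; a single ("YXDOMAIN", "", "") tuple signals that rcode."""
    exact = [r for r in records
             if labels(r[0]) == labels(qname) and (qtype == "ANY" or r[1] == qtype)]
    if exact:
        return exact
    for owner, rtype, rdata in records:
        if rtype == "DNAME" and is_strictly_below(qname, owner):
            target = dname_substitute(qname, owner, rdata)
            if target == "YXDOMAIN":
                return [("YXDOMAIN", "", "")]
            return [(owner, "DNAME", rdata), (qname, "CNAME", target)]
    return []


def check_dname_zone(records=ZONE_RECORDS) -> list:
    """Zone sanity checks from RFC 6672 s2.4: a DNAME owner must not also hold
    a CNAME, the DNAME RRset must be a singleton, and no record may exist at a
    name below a DNAME owner (such data is occluded and unreachable)."""
    problems = []
    for owner, _, _ in [r for r in records if r[1] == "DNAME"]:
        same_owner = [r for r in records if labels(r[0]) == labels(owner)]
        if any(r[1] == "CNAME" for r in same_owner):
            problems.append(f"{owner}: DNAME and CNAME at the same owner")
        if sum(1 for r in same_owner if r[1] == "DNAME") > 1:
            problems.append(f"{owner}: more than one DNAME")
        for r in records:
            if is_strictly_below(r[0], owner):
                problems.append(f"{r[0]} {r[1]}: occluded by DNAME at {owner}")
    return problems


if __name__ == "__main__":
    print(answer("www.example.us.", "A"))      # DNAME plus synthesized CNAME
    print(answer("example.us.", "NS"))         # apex data, untouched by the DNAME
    print(check_dname_zone())                  # posted zone: no problems
    print(check_dname_zone(ZONE_RECORDS + [("mail.example.us.", "A", "192.0.2.10")]))
```

Note that the occlusion check is what bites an MX at the apex whose target lives under example.us: a record at mail.example.us. would be occluded, and a query for it is answered with a synthesized CNAME to mail.example.net. instead, so the MX target is effectively a CNAME.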