norecursion on external zone, but how do I allow CNAMEs to be fully resolved?

Matus UHLAR - fantomas uhlar at fantomas.sk
Fri May 20 08:47:43 UTC 2011


On 19.05.11 23:16, Tory M Blue wrote:
> My external zone config has allow-recursion { none; };
> 
> However I have some 3rd party sites that I CNAME to. Akamai for
> example, yes, CNAME to CNAME, I know, I know :)..
> 
> Well my primary NS servers will only provide the CNAME record:
> 
> ;; QUESTION SECTION:
> ;cdn.domain.net.		IN	A
> 
> ;; ANSWER SECTION:
> cdn.domain.net.	300	IN	CNAME	cdn.domain.net.edgesuite.net.
> 
> This causes all types of failures if just using dig, or Linux's built-in
> lookup mechanism, or heck, Perl or PHP methods as well. None of the
> stated methods know that they should now query
> cdn.domain.net.edgesuite.net, so they provide the CNAME and SERVFAIL
> or whatever.
> 
> Is there a way to allow any host to actually do a recursive lookup if
> the request starts out on my domain, in order to receive the A
> record?

I doubt it. Even if there was, clients should not trust those responses.
Clients just have to find out about cdn.domain.net.edgesuite.net themselves.

> Or do I just have to enable recursion on my external zone? The
> problem there obviously, is now joe and frank can use my dns servers
> because it performs a bit better than their ISP's. I don't want that,
> but I do want to provide the extended information for that CNAME
> record.

That wouldn't help. They will use your server for all queries (you don't
want that) or they will use their ISP's server for all queries, and it will not
trust your server about cdn.domain.net.edgesuite.net.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)
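Added example (not from the thread or from BIND): a small stub resolver run against constructed zone data, showing why the client has to chase the CNAME chain itself and why an A record that an authoritative server volunteers for an out-of-bailiwick name (here an untrusted address for the edgesuite.net name) must be discarded instead of trusted. All names, addresses and the loop zone are constructed.

```python
from typing import Dict, List, Tuple

RR = Tuple[str, str, str]  # (owner, type, rdata)
# Constructed zone data. domain.net has recursion disabled, so for cdn.domain.net
# it can only return the CNAME; the A record it volunteers for the edgesuite.net
# name is out of its bailiwick and a resolver must not trust it.
ZONES: Dict[str, Dict[Tuple[str, str], List[RR]]] = {
    "domain.net.": {
        ("cdn.domain.net.", "A"): [
            ("cdn.domain.net.", "CNAME", "cdn.domain.net.edgesuite.net."),
            ("cdn.domain.net.edgesuite.net.", "A", "198.51.100.66"),  # untrusted
        ],
    },
    "edgesuite.net.": {  # CNAME to CNAME, then the real address
        ("cdn.domain.net.edgesuite.net.", "A"): [
            ("cdn.domain.net.edgesuite.net.", "CNAME", "a1.target.edgesuite.net.")],
        ("a1.target.edgesuite.net.", "A"): [("a1.target.edgesuite.net.", "A", "192.0.2.10")],
    },
    "loop.test.": {  # constructed CNAME loop, to show the resolver's guard
        ("x.loop.test.", "A"): [("x.loop.test.", "CNAME", "y.loop.test.")],
        ("y.loop.test.", "A"): [("y.loop.test.", "CNAME", "x.loop.test.")],
    },
}


def zone_for(name: str) -> str:
    """Longest configured zone containing name (the server a resolver would ask)."""
    zones = [z for z in ZONES if name == z or name.endswith("." + z)]
    if not zones:
        raise LookupError(f"no zone data for {name}")
    return max(zones, key=len)


def resolve_a(qname: str, max_hops: int = 8) -> Tuple[str, List[str], List[str]]:
    """Chase CNAMEs the way a resolver must; return (final name, addresses, chain)."""
    chain, name = [qname], qname
    for _ in range(max_hops):
        zone = zone_for(name)
        # Bailiwick check: keep only records the answering zone is authoritative for.
        rrset = [rr for rr in ZONES[zone].get((name, "A"), []) if zone_for(rr[0]) == zone]
        addrs = [rd for owner, rtype, rd in rrset if owner == name and rtype == "A"]
        if addrs:
            return name, addrs, chain
        cnames = [rd for owner, rtype, rd in rrset if owner == name and rtype == "CNAME"]
        if not cnames:
            raise LookupError(f"{name}: no A or CNAME record (NODATA)")
        name = cnames[0]
        if name in chain:
            raise LookupError(f"CNAME loop at {name}")
        chain.append(name)
    raise LookupError(f"CNAME chain longer than {max_hops} hops")
```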
