Simple question about zone and CNAME

Mark Andrews marka at isc.org
Mon Apr 8 21:58:54 UTC 2013


In message <5162E2A1.7000003 at att.net>, "Barry S. Finkel" writes:
> On 4/8/2013 9:10 AM, bind-users-request at lists.isc.org wrote:
> > In article <mailman.59.1365230565.20661.bind-users at lists.isc.org>, Phil
> > Mayers <p.mayers at imperial.ac.uk> wrote:
> >> >Sam Wilson<Sam.Wilson at ed.ac.uk>  wrote:
> >> >
> >>> > >[adding an A record for ed.ac.uk.]
> >>> > >
> >> >
> >> >If your AD realm is also called ed.ac.uk then adding an A record will
> >> >definitely affect things.
> > Which is exactly the opposite of what our AD guys said, but not with
> > such great conviction.:-)
> >
> > Sam
> 
> AD clients, if they do not know about SRV records for finding the
> LDAP servers, will use the "A" records for the AD domain to locate
> the Domain Controllers.  Where I used to work we did not segregate
> AD, so internally,
> 
>       example.com
> 
> pointed to the Domain Controllers.  Externally,
> 
>       example.com
> 
> had no IP address because the DCs were not accessible from the
> external Internet.  When we had the DC addresses externally, then
> AD clients would see the addresses, try to authenticate to the AD,
> experience timeouts, and get frustrated.

Do the AD clients do the correct thing with the "no service offered"
SRV record (e.g. "SRV 0 0 0 .")?  It is designed to stop fallback to
A/AAAA records when the service is explicitly not there.

RFC 2782
        A Target of "." means that the service is decidedly not
        available at this domain.

If they do there should be no confusion with the use of address records
between AD and HTTP/HTTPS.

>  Without an external
> address, AD clients do not try to access the DCs.  The drawback
> is that we can not have
> 
>       example.com
> 
> externally have the same address as
> 
>       www.example.com
> 
> to aid browser users.
> --Barry Finkel
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
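
Added example, not part of the original message or of any AD client: a Python sketch of the client-side decision RFC 2782 prescribes, showing how a lone SRV record with Target "." stops the fallback to A/AAAA records discussed above. The record names, hosts and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str

def parse_srv(line):
    """Parse a zone-file style line: '<owner> [ttl] [IN] SRV prio weight port target'."""
    fields = line.split()
    i = fields.index("SRV")
    prio, weight, port, target = fields[i + 1:i + 5]
    return Srv(int(prio), int(weight), int(port), target.lower())

def plan_lookup(srv_lines):
    """Decide what a client does with the SRV answer for _service._proto.domain.

    Returns (action, targets):
      'abort'               exactly one SRV RR and its Target is "."
      'fallback_to_address' no SRV RRs, so look up A/AAAA for the domain itself
      'connect'             (host, port) pairs ordered by ascending priority
    Weighted random selection inside one priority level is left out for brevity.
    """
    records = [parse_srv(line) for line in srv_lines]
    if not records:
        return ("fallback_to_address", [])
    if len(records) == 1 and records[0].target == ".":
        return ("abort", [])
    ordered = sorted(records, key=lambda r: r.priority)
    return ("connect", [(r.target, r.port) for r in ordered])

# Constructed sample data: an external view that publishes "no service offered",
# and an internal view that lists two domain controllers.
EXTERNAL_VIEW = ["_ldap._tcp.example.com. 3600 IN SRV 0 0 0 ."]
INTERNAL_VIEW = [
    "_ldap._tcp.example.com. 3600 IN SRV 10 100 389 dc2.example.com.",
    "_ldap._tcp.example.com. 3600 IN SRV 0 100 389 dc1.example.com.",
]

if __name__ == "__main__":
    for name, view in (("external", EXTERNAL_VIEW), ("internal", INTERNAL_VIEW), ("no SRV", [])):
        print(name, plan_lookup(view))
```
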

