3rd party CNAMEs and open recursion

John Miller johnmill at brandeis.edu
Mon Mar 4 21:35:05 UTC 2013


On 03/04/2013 03:26 PM, Verne Britton wrote:
> my test server (it's up and down a lot) is at yournameserver with these two test zones ... what I want to be able to do is:
>
> 1. serve the A records as authoritative

Looks like it's working in that regard:

jm at workstation:~$ dig +norecurse @yournameserver wvstateu.edu ns
;; QUESTION SECTION:
;wvstateu.edu.			IN	NS
;; ANSWER SECTION:
wvstateu.edu.		86400	IN	NS	nameserv3.wvnet.edu.

jm at workstation:~$ dig +norecurse @yournameserver wvstateu.edu
;; QUESTION SECTION:
;wvstateu.edu.			IN	A
;; ANSWER SECTION:
wvstateu.edu.		86400	IN	A	98.129.177.93
;; AUTHORITY SECTION:
wvstateu.edu.		86400	IN	NS	nameserv3.wvnet.edu.

jm at workstation:~$ dig +norecurse @yournameserver gmail.wvstateu.edu
;; QUESTION SECTION:
;gmail.wvstateu.edu.		IN	A
;; ANSWER SECTION:
gmail.wvstateu.edu.	3600	IN	CNAME	ghs.l.google.com.


> 2. somehow handle resolutions coming at me for the CNAMEs

Looks like that's working; see above.

>
> 3. not have a public open recursive server
>

jm at workstation:~$ dig @yournameserver gmail.com

;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 23091
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;gmail.com.			IN	A


So from my side of things, all of your requirements are being met ;-)

Can you post a copy of your dig command where the server _is_ trying to 
follow up the CNAME resolution?  Based on your config, the server should 
try to follow up the CNAME (answer recursively) for anything in the 
"trusted" ACL, which includes your server itself.

Some questions:
- What's the overall purpose of this server?  To answer recursive 
queries from internal clients?  To answer authoritative queries from 
internal clients (hidden master)?  To answer authoritative queries from 
the outside world?  Right now, you're doing all three, which isn't 
ideal.  Far better to separate things out.

John

>
> Verne
> --------------------------------------------------------------------
> Verne Britton, Lead Systems Programmer   voice:   (304) 293-5192 x230
> Systems Support Group                    (in WV, call 1-800-253-1558)
> West Virginia Network for                FAX:     (304) 293-5540
>       Educational Telecomputing           verne at wvnet.edu
> 837 Chestnut Ridge Road                  http://myweb.wvnet.edu/~verne
> Morgantown, WV  26505                    http://www.wvnet.edu
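As an added illustration of the three requirements discussed above (public authoritative answers, CNAMEs handled, no open recursion) and of John's advice to separate the roles, here is a BIND 9 named.conf sketch. It is an example written for this page, not Verne's actual configuration and not anything from the ISC project; the "trusted" ACL name is taken from the thread, while the address ranges, the zone name example.edu and the file paths are placeholders. The weak setting it replaces is left in a comment beside the restricted one.

```conf
// Added example, not the original poster's config.
// Clients that may use this server as a recursive resolver.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;      // placeholder: internal client range
};

options {
    directory "/var/named";          // placeholder path

    // Weak setting this replaces:   allow-recursion { any; };
    // (an open resolver: anyone on the Internet can make this server
    //  chase gmail.com or any other name on their behalf)
    recursion yes;
    allow-recursion { trusted; };    // outsiders get status: REFUSED
    allow-query-cache { trusted; };  // cached data only for trusted clients
    allow-query { any; };            // authoritative data stays public
};

// Internal view, matched first: our zones plus recursion, so a CNAME
// such as gmail.example.edu -> ghs.l.google.com. is followed to its A record.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    zone "example.edu" {
        type master;
        file "db.example.edu";       // placeholder zone file
    };
};

// External view: authoritative only. A CNAME pointing outside the zone is
// returned as-is and the querier's own resolver chases the target, which is
// exactly what the +norecurse dig output in the message shows.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.edu" {
        type master;
        file "db.example.edu";
    };
};
```

With this layout the same checks John ran still apply: `dig +norecurse @server example.edu` from anywhere returns the A and NS records, and `dig @server gmail.com` from an address outside the "trusted" ACL comes back with status REFUSED and the "recursion requested but not available" warning. Views are only one way to separate the roles; running the public authoritative server and the internal recursive resolver on different hosts (a hidden master feeding public secondaries) removes the shared process entirely, which is the cleaner arrangement if the hardware is available.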