3rd party CNAMEs and open recursion
John Miller
johnmill at brandeis.edu
Mon Mar 4 21:35:05 UTC 2013
On 03/04/2013 03:26 PM, Verne Britton wrote:
> my test server (it's up and down a lot) is at yournameserver with these two test zones ... what I want to be able to do is:
>
> 1. serve the A records as authoritative
Looks like it's working in that regard:
jm at workstation:~$ dig +norecurse @yournameserver wvstateu.edu ns
;; QUESTION SECTION:
;wvstateu.edu. IN NS
;; ANSWER SECTION:
wvstateu.edu. 86400 IN NS nameserv3.wvnet.edu.
jm at workstation:~$ dig +norecurse @yournameserver wvstateu.edu
;; QUESTION SECTION:
;wvstateu.edu. IN A
;; ANSWER SECTION:
wvstateu.edu. 86400 IN A 98.129.177.93
;; AUTHORITY SECTION:
wvstateu.edu. 86400 IN NS nameserv3.wvnet.edu.
jm at workstation:~$ dig +norecurse @yournameserver gmail.wvstateu.edu
;; QUESTION SECTION:
;gmail.wvstateu.edu. IN A
;; ANSWER SECTION:
gmail.wvstateu.edu. 3600 IN CNAME ghs.l.google.com.
> 2. somehow handle resolutions coming at me for the CNAMEs
Looks like that's working; see above.
>
> 3. not have a public open recursive server
>
jm at workstation:~$ dig @yournameserver gmail.com
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 23091
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;gmail.com. IN A
So from my side of things, all of your requirements are being met ;-)
Can you post a copy of your dig command where the server _is_ trying to
follow up the CNAME resolution? Based on your config, the server should
try to follow up the CNAME (answer recursively) for anything in the
"trusted" ACL, which includes your server itself.
Some questions:
- What's the overall purpose of this server? To answer recursive
queries from internal clients? To answer authoritative queries from
internal clients (hidden master)? To answer authoritative queries from
the outside world? Right now, you're doing all three, which isn't
ideal. Far better to separate things out.
John
>
> Verne
> --------------------------------------------------------------------
> Verne Britton, Lead Systems Programmer voice: (304) 293-5192 x230
> Systems Support Group (in WV, call 1-800-253-1558)
> West Virginia Network for FAX: (304) 293-5540
> Educational Telecomputing verne at wvnet.edu
> 837 Chestnut Ridge Road http://myweb.wvnet.edu/~verne
> Morgantown, WV 26505 http://www.wvnet.edu
>
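A small audit helper, added here as an example and not code from the thread, that parses dig's text output to check the three requirements tested above: the zone answers authoritatively, the gmail CNAME is served from the zone, and an off-zone name is refused rather than resolved. The sample outputs are constructed to mirror the queries in the thread (header lines are invented); capture real output from dig however you prefer and pass it in.

```python
import re

def parse_dig(text):
    """Pull status, header flags and ANSWER-section records out of dig's text output."""
    result = {"status": None, "flags": set(), "answers": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if "->>HEADER<<-" in line:
            m = re.search(r"status: (\w+)", line)
            result["status"] = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            result["flags"] = set(line.split("flags:")[1].split(";")[0].split())
        elif line.endswith("SECTION:"):
            section = line.split()[1]  # QUESTION, ANSWER, AUTHORITY, ADDITIONAL
        elif section == "ANSWER" and line and not line.startswith(";"):
            name, ttl, _klass, rtype, rdata = line.split(None, 4)
            result["answers"].append((name, int(ttl), rtype, rdata))
    return result

def serves_authoritatively(text, name, rtype):
    """True when the reply carries the aa flag and a record of the requested type."""
    r = parse_dig(text)
    return (r["status"] == "NOERROR" and "aa" in r["flags"]
            and any(a[0] == name and a[2] == rtype for a in r["answers"]))

def is_open_resolver(text):
    """An off-zone name answered with data and 'ra' set means recursion is open to us."""
    r = parse_dig(text)
    return r["status"] == "NOERROR" and "ra" in r["flags"] and bool(r["answers"])

# Constructed samples modelled on the thread's queries; the header lines are invented.
AUTH_CNAME = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; ANSWER SECTION:
gmail.wvstateu.edu. 3600 IN CNAME ghs.l.google.com.
"""
REFUSED = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 23091
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
"""
OPEN = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
gmail.com. 300 IN A 192.0.2.10
"""
```

Run the off-zone check from an address outside the "trusted" ACL; from the server itself the recursive answer is expected, which is the behaviour John describes above.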