.prod issues

Paul Vixie paul at redbarn.org
Fri Sep 5 16:15:53 UTC 2014


> I have a subdomain prod.mydomain.com today all of our internal
> resources that use this prod subdomain stopped being able to reach
> eachother.  I believe the issue is related to the release of .prod as
> a TLD.  Is there a way I can block this TLD or point it back to my
> environment?
>
> Currently, I have added mdots:2 to resolv.conf as a workaround.

i think you probably mean ndots not mdots. that's a fine workaround as
long as you control all your stub resolvers (which is where the ndots
logic runs) and they are all running the BIND stub resolver (for which
ndots is a unique feature; see RFC 1535 for the history).

a likely better workaround is to use DNS RPZ (so, you'll need BIND 9.9
or later on your recursive servers) and put in a local rule like "*.PROD
CNAME ." to cause all of the search-path logic of all your stub
resolvers (whether they have ndots logic, or not) to never see the PROD
TLD, and thus, fall through to your local PROD.EXAMPLE.COM names.

sadly, i think a lot of people in a lot of places are going to do this
to a lot of the new GTLD's. but the new GTLD's have been on greased
rails since inception, and no amount of warnings about this kind of
damage did more than slow things down briefly. so, the hounds of DNS
hell are now loose. good thing we have RPZ i guess.

vixie


More information about the bind-users mailing list