<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 9/11/2020 2:46 AM, Mark Andrews
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0B40F2E2-60B9-4918-B0B0-8732C84D60CB@isc.org">
<pre class="moz-quote-pre" wrap="">validate-except (I typo’d it the second time, unfortunately expect and except are both valid words).</pre>
</blockquote>
<p><br>
I got so far down the rabbit trail with your other points, somehow
I missed that. Thanks. This should solve my problem!<br>
</p>
<p><br>
</p>
<blockquote type="cite"
cite="mid:0B40F2E2-60B9-4918-B0B0-8732C84D60CB@isc.org">If you
actually used a zone names with a DNAME</blockquote>
<p><br>
Great suggestion! I didn't know about that.<br>
</p>
<p>However, since i use CloudFlare' DNS for my authoritative DNS -
which is critical for prevention of DDOS attacks - and they don't
actually support DNAME, my hands are tied. (or so it SEEMS - see
my question about a possible workaround at the end of this email)</p>
<p>My actual direct query service involves my own rbldnsd servers in
42 cities around the world (all hiding behind secret host names
that a criminal couldn't easily find) - and those are pointed to
by NS records in my CloudFlare DNS, so then the actual direct DNS
queries, and the vast majority of my DNS traffic for direct
queries to my own DNSBL, goes to those 42 servers around the
world, NOT to CloudFlare - but CloudFlare is the starting point -
the first query goes to CloudFlare, then the DNS server doing the
asking "knows" for a while to use one of my own servers, and not
bother CloudFlare with any more traffic for a while. (again, this
is for my direct query service - for my smaller subscribers - my
servers can handle THAT traffic)<br>
</p>
<p>But since CloudFlare is the authoritative server for
invaluement.com, that is where the DNAME you're suggesting would
need to be setup. Since they don't support that, I'm not able to
implement that at this time. <br>
</p>
<p>SEE:
<a class="moz-txt-link-freetext" href="https://community.cloudflare.com/t/dname-records-on-cloudflare/16642/4">https://community.cloudflare.com/t/dname-records-on-cloudflare/16642/4</a></p>
<p>...also, them not supporting it - makes me a little nervous about
others not supporting it. But maybe that fear is unreasonable
since it is only the "revolvers" that need this feature, not
authoritative-only services? This is something that DNS caching
servers like BIND, have been supporting for decades, correct?
Please tell don't tell me that <u>only</u> a very <u>recent</u>
version of BIND does this correctly. ;) That would probably kill
this idea!<br>
</p>
<p><b>POSSIBLE WORKAROUND?:</b> So assuming that DNAME is widely
supported by many DNS caching servers, old and new... I wonder if
I could do something similar to what I do for my direct query
service, using NS records to delegate this to another BIND DNS
server that I would run on my own server - so for
"example.invaluement.com" - I'd create a BIND instance on my own
server hosting "example.invaluement.com" as the authoritative
server for that zone, implementing the DNAME records you
suggested. Then put a NS record on my cloudflare telling the world
that THIS server is the authoritative server for
"example.invaluement.com" (with TTL for some hours). Do you think
that would work?</p>
<pre class="moz-signature" cols="72">--
Rob McEwen
<a class="moz-txt-link-freetext" href="https://www.invaluement.com">https://www.invaluement.com</a>
+1 (478) 475-9032
</pre>
</body>
</html>