<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style>
<!--
@font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline}
span.EmailStyle21
{font-family:"Calibri",sans-serif;
color:windowtext}
.MsoChpDefault
{font-size:10.0pt}
@page WordSection1
{margin:1.0in 1.0in 1.0in 1.0in}
div.WordSection1
{}
-->
</style>
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div id="nine_body_n193f94-73ef1" class="nine_body mceEditable" dir="auto" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12.0pt; line-height:1.3; color:#1f497d">
<div class="nine-pg" dir="auto">I feel your pain. You do have to pick your battles and if you don't have anyone to back you up it becomes much, much harder.</div>
<div class="nine-pg" dir="auto"><br>
</div>
<div class="nine-pg" dir="auto">The over-arching issue here is that devs want everything to be easy for them at the expense of infrastructure. My favorite phrase to devs especially web devs is "this is a completely manufactured problem that you created and
you need to solve". They act like bookmarks and links are immutable and the world is going to end if something 404's.</div>
<div class="nine-pg" dir="auto"><br>
</div>
<div class="nine-pg" dir="auto">Warning: if you roll over and sell out your DNS to Route53 or Akamai, you'll never get it back in house because web devs will cry and be sad. &lt;grin&gt; Just sayin ... </div>
<div class="nine-pg" dir="auto"><br>
</div>
<div class="nine-pg" dir="auto">John</div>
<div class="nine-pg blank sign" dir="auto"><br>
</div>
<div id="nine-sign-n193f94-73ef1" class="nine_signature" dir="auto">
<div class="nine-pg" dir="auto">Sent from <a href="http://www.9folders.com/" style="text-decoration:none; color:#009bdf">
Nine</a></div>
</div>
</div>
<div class="quoted_output_body">
<div id="quoted_header_n193f94-73ef1" class="quoted_header_editor fold" dir="auto">
<hr style="border:none; height:1px; color:#e1e1e1; background-color:#e1e1e1">
<div dir="auto" style="border:none; padding:3.0pt 0cm 0cm 0cm"><span style="font-size:11.0pt; font-family:Calibri,Arial,Helvetica,sans-serif"><b>From:</b> "Cuttler, Brian R (HEALTH) via bind-users" &lt;bind-users@lists.isc.org&gt;<br>
<b>Sent:</b> Tuesday, December 24, 2024 9:23 AM<br>
<b>To:</b> Greg Choules<br>
<b>Cc:</b> bind-users<br>
<b>Subject:</b> RE: cname for apex record<br>
</span></div>
</div>
<br type="attribution">
</div>
<div>
<div class="WordSection1">
<p class="MsoNormal">Greg,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I need to sit with the web developer and hash it out; I think it's to avoid re-writing the links in the web pages that use the domain name rather than the fully qualified name,<br>
i.e. Wadsworth.org in anchors rather than www.wadsworth.org. </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I see an alternate fix for this if that is the case, something other than pointing the apex record and the cname provided by cloudfront.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The web server admin seems to think Route 53 is a solution but that is another can of worms as I’m understanding their documentation to say that I have to host my domain at AWS rather than on-prem.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I’ll see if I can’t get the one-on-one I need with the web developer, rather than the web server administrator.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thanks, you are saying what I thought you might say. The Route 53 solution talks about Alias RR as if they are universal, which is not what I took from what I read, nor your statements.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I’ll push on this a little bit more internally.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Stefane – thank you for your input as well, I’ll recheck my delegation and see where we’ve lost proper delegation.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">John – I had suggested a redirect on our external server, the server admin laughed at me, also the security czar had me block access to the origin server in the DMZ from internet access.<br>
Even the on-prem intranet is directed by cname for WWW to the Cloudfront server rather than the one in the DMZ.</p>
<p class="MsoNormal">Also – exactly, you pointed right to the heart of the issue. And while browsers seem to provide the www. prefix, anchors do not.<br>
<br>
Ged – I just put up the server in the spring, will check and update if we are somehow running an older version.
</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thanks to all and happy holidays,</p>
<p class="MsoNormal">Brian</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Greg Choules &lt;gregchoules+bindusers@googlemail.com&gt;
<br>
<b>Sent:</b> Tuesday, December 24, 2024 10:00 AM<br>
<b>To:</b> Cuttler, Brian R (HEALTH) &lt;brian.cuttler@health.ny.gov&gt;<br>
<b>Cc:</b> bind-users &lt;bind-users@lists.isc.org&gt;<br>
<b>Subject:</b> Re: cname for apex record</p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">Hi Brian. </p>
<div>
<p class="MsoNormal">You can't redirect your entire zone from inside the zone itself. CNAME absolutely will not do it, by design (also DNAME). </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">The reason is the way that DNS works. <a href="http://wadsworth.org/" target="_blank">
wadsworth.org</a> has been delegated to a bunch of DNS servers (see below), which are presumably run by you and associated entities. As far as the world is concerned, that set of NS is now completely responsible for
<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a> and everything underneath it. They host the zone called
<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a> and you can put into that zone almost anything you like, for names (excluding CNAMEs and DNAMEs) at that name, or anything below that name.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">;; QUESTION SECTION:<br>
;<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a>. IN NS<br>
<br>
;; ANSWER SECTION:<br>
<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a>. 86400 IN NS <a href="http://pauling.wadsworth.org/" target="_blank">
pauling.wadsworth.org</a>.<br>
<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a>. 86400 IN NS <a href="http://cmtu.mt.ns.els-gms.att.net/" target="_blank">
cmtu.mt.ns.els-gms.att.net</a>.<br>
<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a>. 86400 IN NS <a href="http://b24.ns.els-gms.att.net/" target="_blank">
b24.ns.els-gms.att.net</a>.<br>
<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a>. 86400 IN NS <a href="http://b23.ns.els-gms.att.net/" target="_blank">
b23.ns.els-gms.att.net</a>.<br>
<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a>. 86400 IN NS <a href="http://m24.ns.els-gms.att.net/" target="_blank">
m24.ns.els-gms.att.net</a>.<br>
<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a>. 86400 IN NS <a href="http://ns0.ny.gov/" target="_blank">
ns0.ny.gov</a>.<br>
<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a>. 86400 IN NS <a href="http://ns1.ny.gov/" target="_blank">
ns1.ny.gov</a>.<br>
<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a>. 86400 IN NS <a href="http://m23.ns.els-gms.att.net/" target="_blank">
m23.ns.els-gms.att.net</a>.<br>
<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a>. 86400 IN NS <a href="http://ns1.albany.edu/" target="_blank">
ns1.albany.edu</a>.<br>
<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a>. 86400 IN NS <a href="http://cbru.br.ns.els-gms.att.net/" target="_blank">
cbru.br.ns.els-gms.att.net</a>.<br>
<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a>. 86400 IN NS <a href="http://ns2.ny.gov/" target="_blank">
ns2.ny.gov</a>.<br>
<a href="http://wadsworth.org/" target="_blank">wadsworth.org</a>. 86400 IN NS <a href="http://beacon.health.state.ny.us/" target="_blank">
beacon.health.state.ny.us</a>.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">So if the world already knows where you are, the only way to change its point of view is to change the delegation in the parent - .org in your case.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Many people have wished it could over the years, me included, and hence was born the quest for a record type that does allow you to do this, which might have been called, for example, ALIAS. However, there is (still) no standardised ALIAS
function, by that name or any other. What some commercial DNS providers have done is to fudge an alias-like function, so it appears that you have redirected your whole zone somewhere else.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">CNAME/DNAME are very old now. More recently, a couple of other RRTYPEs - SVCB and HTTPS - have been standardised (and are supported by BIND) that do allow you to alias the apex (the zone itself) *but* not for any query, only for queries
matching those RRTYPEs. Thus clients need to be SVCB/HTTPS-aware and ask the right question. So they are not a magic replacement for CNAME.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Why do these people want you to alias your entire zone to them anyway?</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I hope that helps.</p>
</div>
<div>
<p class="MsoNormal">Christmas cheers, Greg.</p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Tue, 24 Dec 2024 at 14:39, Cuttler, Brian R (HEALTH) via bind-users &lt;<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>&gt; wrote:</p>
</div>
<blockquote style="border:none; border-left:solid #CCCCCC 1.0pt; padding:0in 0in 0in 6.0pt; margin-left:4.8pt; margin-right:0in">
<div>
<div>
<div>
<p class="MsoNormal" style=""> </p>
<p class="MsoNormal" style="">Hello bind users.</p>
<p class="MsoNormal" style=""> </p>
<p class="MsoNormal" style="">We are running bind 9.14.28 on Ubuntu and have an offsite provider for our DNS services.</p>
<p class="MsoNormal" style="">The cname we create for our webserver <a href="http://www.wadsworth.org/" target="_blank">
www.wadsworth.org</a> is working well.<br>
However, I’ve been asked if we can point the apex record at the external webserver.</p>
<p class="MsoNormal" style=""> </p>
<p class="MsoNormal" style="">If I’m understanding the docs I’ve looked at, there are ways if we had external DNS services, rather than the on-prem Bind server, or if bind supported the Alias RR.</p>
<p class="MsoNormal" style="">I know it can, but does not natively, or at least not the document I found which indicates we’d need to modify the source code.</p>
<p class="MsoNormal" style=""> </p>
<p class="MsoNormal" style="">I’m looking for guidance on how to point the named domain name, the apex record at the IP addresses provided by the cname name we are using for our webserver.</p>
<p class="MsoNormal" style=""> </p>
<p class="MsoNormal" style="">Thanks in advance,</p>
<p class="MsoNormal" style="">Brian</p>
<p class="MsoNormal" style=""> </p>
<p class="MsoNormal" style=""><span style="font-size:12.0pt; font-family:"Arial",sans-serif">Brian Cuttler, System and Network Administration</span></p>
<p class="MsoNormal" style=""><span style="font-size:12.0pt; font-family:"Arial",sans-serif">Wadsworth Center, NYS Department of Health</span></p>
<p class="MsoNormal" style=""><span style="font-size:12.0pt; font-family:"Arial",sans-serif">Albany, NY 12201 POB 509</span></p>
<p class="MsoNormal" style=""><a href="mailto:Brian.Cuttler@Health.NY.gov" target="_blank"><span style="font-size:12.0pt; font-family:"Arial",sans-serif; color:#0563C1">Brian.Cuttler@Health.NY.gov</span></a></p>
<p class="MsoNormal" style=""><span style="font-size:12.0pt; font-family:"Arial",sans-serif">518 486-1697</span></p>
<p class="MsoNormal" style=""> </p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
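<div>
<p class="MsoNormal">The rule Greg describes (a CNAME cannot sit at the apex because the apex always owns SOA and NS, and RFC 1034 section 3.6.2 allows no other data at a name that owns a CNAME) and the HTTPS AliasMode record he mentions as the standardised alternative can both be checked mechanically. The following is an added example, not code from the thread or from BIND: a small parser for the one-record-per-line zone-file subset it ships with, plus a check that reports the same condition named-checkzone rejects. The zone name example.test, the 192.0.2.x addresses and the CDN hostname are all constructed.</p>
```python
"""Added example (not from the bind-users thread): an RFC 1034 sanity check
over zone data showing why a CNAME cannot live at the apex and how an HTTPS
record in AliasMode (SvcPriority 0, RFC 9460) can. All names and addresses
are constructed: example.test, 192.0.2.0/24 and a made-up CDN hostname."""
from collections import defaultdict

# Constructed zone: a CNAME at the apex next to the SOA and NS every apex
# must own. named-checkzone refuses this with "CNAME and other data".
ZONE_CNAME_AT_APEX = """\
$ORIGIN example.test.
$TTL 3600
@       IN SOA   ns1.example.test. hostmaster.example.test. (1 7200 900 1209600 3600)
@       IN NS    ns1.example.test.
@       IN NS    ns2.example.test.
@       IN CNAME d111111abcdef8.cloudfront.example.
www     IN CNAME d111111abcdef8.cloudfront.example.
ns1     IN A     192.0.2.1
ns2     IN A     192.0.2.2
"""

# Constructed zone: same apex, aliased with HTTPS SvcPriority 0 (AliasMode).
# It is ordinary data, so it may coexist with SOA/NS; only HTTPS-aware
# clients that ask for the HTTPS type will follow it.
ZONE_HTTPS_ALIAS = ZONE_CNAME_AT_APEX.replace(
    "@       IN CNAME d111111abcdef8.cloudfront.example.",
    "@       IN HTTPS 0 d111111abcdef8.cloudfront.example.",
)


def parse_zone(text):
    """Parse the one-record-per-line master-file subset used above.
    Returns (origin, {owner_fqdn: [(rtype, rdata), ...]})."""
    origin, last_owner = None, None
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        if line[0].isspace():                          # blank owner: reuse previous
            owner, rest = last_owner, fields
        else:
            owner, rest = fields[0], fields[1:]
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"            # relative name, qualify it
        if rest and rest[0].isdigit():                 # optional per-record TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):   # optional class
            rest = rest[1:]
        records[owner].append((rest[0].upper(), " ".join(rest[1:])))
        last_owner = owner
    return origin, records


def check_zone(text):
    """Return problem strings; an empty list means nothing violates RFC 1034 3.6.2.
    The apex can never pass with a CNAME because SOA and NS are always there."""
    origin, records = parse_zone(text)
    problems = []
    for owner, rrs in records.items():
        types = [t for t, _ in rrs]
        if "CNAME" in types:
            others = sorted({t for t in types if t != "CNAME"})
            if others:
                where = " (zone apex)" if owner == origin else ""
                problems.append(f"{owner}{where}: CNAME and other data ({', '.join(others)})")
            if types.count("CNAME") not in (0, 1):
                problems.append(f"{owner}: multiple CNAME records")
    return problems


def apex_https_alias(text):
    """Return the AliasMode target of an apex HTTPS record (SvcPriority 0), else None."""
    origin, records = parse_zone(text)
    for rtype, rdata in records.get(origin, []):
        parts = rdata.split()
        if rtype == "HTTPS" and parts[0] == "0":
            return parts[1]
    return None


if __name__ == "__main__":
    for label, zone in (("CNAME at apex", ZONE_CNAME_AT_APEX), ("HTTPS alias", ZONE_HTTPS_ALIAS)):
        print(label, "->", check_zone(zone) or "ok", "| apex alias:", apex_https_alias(zone))
```
<p class="MsoNormal">Run against the first zone the check reports the apex as "CNAME and other data", which is the same verdict BIND gives before it refuses to load the file; the second zone loads cleanly, but as Greg says, only a client that asks for the HTTPS type sees the alias, and a plain A query at the apex still gets nothing. The "ALIAS" fudge some providers offer is, in effect, their server resolving that target itself and publishing short-TTL A/AAAA records at the apex; doing the same on-prem means accepting that those addresses go stale whenever the CDN moves.</p>
</div>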
</div>
</div>
</body>
</html>