DNAME?

Timothe Litt litt at acm.org
Thu Jun 30 19:01:18 UTC 2011 

I have domain example.net in production, and have recently acquired
example.us and example.info.

For whatever reason, I want example.us to simply mirror example.net, which
is dynamically udpdated (and dnssec).  And I want example.us to be zero
maintenance. (Well, OK I know I need separate DNSSEC keys, but I don't want
to mirror every update made in .net to .us)

So, I add a zone to ns1.example.net that looks like:
(In view "internal")
    zone "example.us" {
	auto-dnssec maintain;
	type master; 
	allow-transfer { key "TSIG_GLOBAL_KEY"; }; 
	file "EXAMPLE_US.DB";
	update-policy {
	    grant "TSIG_GLOBAL_KEY" subdomain example.us. ANY ;
	};
     };

$ORIGIN .
$TTL 600        ; 10 minutes
example.us.               IN SOA  ns1.example.net.
examplenetadmin.example.net. (
                                2011063001 ; serial
                                172800     ; refresh (2 days)
                                600        ; retry (10 minutes)
                                2419200    ; expire (4 weeks)
                                600        ; minimum (10 minutes)
                                )
example.us.	IN DNAME example.net.
example.us. IN NS ns1.example.net. 
example.us. IN NS ns2.example.net.

I get SERVFAIL with dig if I ask about, say www.example.us @ns1.example.net
(www.example.net does exist).

I see nothing in the named.log, except the trace 99 /notrace commands
bracketing the dig, and if I turn on querylog:
client <ns1 IP>#33256: view internal: query: www.example.us IN A + (<ns1
IP>).

If I look at the named statistics channel, I see that example.us is being
served, but the zone serial is '-', not '2011063001'.

Questions:
	o Am I confused about DNAME placement - would it have to go in .US?
If so, is this possible?  (I don't mean technically possible - I mean
practically - e.g. thru a registrar such as godaddy, enom, etc).  If not,
what explains the SERVFAIL?
      o Why is '-' reported for the zone serial?
	o I understand that DNAME and MX don't play well together (DNAME is
essentially CNAME, and MX doesn't allow
	  CNAMEs).  I suspect I'd have to live with that - unless there are
wiser heads?
	o Is there a better approach?  (Assume that I'll also want to do the
same thing to example.info...)

Thanks.

---------------------------------------------------------
This communication may not represent my employer's views,
if any, on the matters discussed.

More information about the bind-users mailing list