Synthesized CNAME from NXDOMAIN

Mark Andrews marka at isc.org
Fri Oct 4 00:42:39 UTC 2013


Use a DNAME record.  That works with DNSSEC.

e.g.
	oldzone.com SOA   .....
	oldzone.com NS    ns1.newzone.com
	oldzone.com NS    ns2.newzone.com
	oldzone.com MX    0 mail.newzone.com
	oldzone.com A	  ...
	oldzone.com AAAA  ...
	oldzone.com DNAME newzone.com

Mark

In message <CAEKtLiR=1jeKEaUw+74TMBVMtKy7HRHgYkaS3_mix59dXNz_=w at mail.gmail.com>, Casey Deccio writes:
> On Thu, Oct 3, 2013 at 2:54 PM, Paul Wouters <paul at cypherpunks.ca> wrote:
> 
> > You are why we can't have nice things :P
> >
> > We had enough Sitewinders. With DNSSEC on the endnode, your lies won't
> > be believed anyway. What you are trying is wrong, bad and broken.
> >
> >
> This might be a fair statement in the right context.  But it was taken out
> of context--because I really didn't provide any.  Not that I need to
> justify my question, but since you brought it up, what I am looking to do
> is decrease the risk of DNS resolution failures resulting from a namespace
> transition by creating a fallback from the old to the new namespace.  For
> some definite period of time after the change, an NXDOMAIN in the old
> namespace would result in a synthesized CNAME pointing to the same name in
> the new namespace.  Anyway, there might not be an easy way to do it, and
> we might just have to lose our safety net, but I wanted to ask users on the
> list if there's some obscure configuration that might be helpful.
> 
> If it's not already clear from my development of DNSSEC helper tools (e.g.,
> DNSViz), I'm an advocate of secure DNS. :)
> 
> Cheers,
> Casey
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
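
Added example, not part of the message above and not BIND's code: how the CNAME is derived from the DNAME record in the oldzone.com example, following the substitution rule in RFC 6672. The function and variable names are hypothetical, the longer target used in the last case is constructed, and escaped dots inside labels are not handled.

```python
# Added illustration of DNAME substitution (RFC 6672); hypothetical helper names.
MAX_NAME_OCTETS = 255  # wire-format limit on a domain name


def labels(name):
    """Split a presentation-format name into lowercase labels."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def wire_length(lbls):
    """Octets on the wire: one length byte per label, plus the root byte."""
    return sum(len(label) + 1 for label in lbls) + 1


def dname_synthesize(qname, owner, target):
    """Return the CNAME target synthesized for qname, or None when the DNAME
    does not apply. Raises ValueError where a server would answer YXDOMAIN."""
    q, o, t = labels(qname), labels(owner), labels(target)
    split = len(q) - len(o)
    # A DNAME redirects names strictly below its owner, never the owner
    # itself, which is why the apex keeps its own NS/MX/A/AAAA records.
    if split <= 0 or q[split:] != o:
        return None
    new = q[:split] + t
    if wire_length(new) > MAX_NAME_OCTETS:
        raise ValueError("YXDOMAIN: substituted name exceeds 255 octets")
    # The DNAME RRset is what gets signed; a validator repeats this
    # substitution to check the unsigned CNAME that accompanies it.
    return ".".join(new) + "."


def demo():
    owner, target = "oldzone.com.", "newzone.com."  # from the zone example
    for qname in ("www.oldzone.com.", "a.b.oldzone.com.",
                  "oldzone.com.", "www.notoldzone.com."):
        print(qname, "->", dname_synthesize(qname, owner, target))
    # Constructed case: a target longer than the owner can overflow the limit.
    long_q = ".".join(["a" * 63] * 3 + ["b" * 40, "oldzone", "com"])
    try:
        dname_synthesize(long_q, owner, "newzone-with-a-longer-name.com.")
    except ValueError as err:
        print("long name ->", err)


if __name__ == "__main__":
    demo()
```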

