New to Bind: Need Catch-All for domain parking

Kevin Darcy kcd at daimlerchrysler.com
Wed Nov 23 02:28:29 UTC 2005


Mark Andrews wrote:

>>MobileNow wrote:
>>
>>>Hi everybody,
>>>I'm completely new to Bind so any help with this would be
>>>appreciated.
>>>
>>>What I'm wanting to do is set up BIND so that it will respond to any
>>>domain.  What I'm wanting to use this for is so that anyone who
>>>decides to use my nameservers will have a parking page there.  I've
>>>been Googling around for it and I've found a number of places that
>>>say "you have to add an entry for THIS into THAT file" but being new,
>>>I don't know what an entry for that would look like.
>>>
>>Create a fake root zone with one or more wildcard records in it. *BUT*, 
>>big caveat, if you do this, make sure you either a) set 
>>"minimal-responses yes", or b) keep your root NS records constantly in 
>>synch with the public ones. If you give out bogus/stale root NS records, 
>>older nameserver implementations may actually believe them, and you may 
>>get some angry emails/calls from other DNS admins. "minimal-responses" 
>>prevents your nameserver from giving out those NS records for anything 
>>but explicit queries, so it removes the requirement to stay constantly 
>>in synch, but on the other hand, if you're serving any real domains from 
>>the same nameserver instance, it means that the apex NS records of those 
>>zones will be more-or-less invisible -- other nameservers will rely 
>>primarily on the delegation NS records instead -- which could prove 
>>troublesome if you want to readdress your nameservers, migrate to 
>>different nameservers, or whatever. If you serve some real zones and 
>>want to go the "minimal-responses" route, you may want to run a separate 
>>nameserver instance on its own interface or on a separate box 
>>exclusively for this "parking" function, since apparently 
>>"minimal-responses" is only a global option; not settable at the zone 
>>level or even the view level.
>>
>>- Kevin
>>
>
>	Even with minimal responses the negative responses will have
>	the wrong ownername for the SOA record.  This will be rejected
>	by caches as being invalid.
>
Hmmm, that's an interesting wrinkle, that didn't occur to me. RFC 2308 
(i.e. you :-) says that the SOA of "the zone" must be returned as a 
negative caching record, where from context we infer that "the zone" 
refers to whatever zone the responding server is authoritative for. In 
this case, the server is authoritative for the root zone, albeit not 
publicly known as such. So, according to what letter-of-the-law would 
a cache reject the negative caching record? I mean, does the owner of an 
SOA RR, when it's really *not* an SOA RR -- it's a negative caching 
record masquerading as an SOA RR -- really matter, functionally? It's 
not like there can be multiple negative caching records: if that were 
possible, I could see that it might be necessary to use the owner names 
to differentiate them.

Or is this more of a Best Practice kind of thing, i.e. to reject things 
that look unusual and/or suspicious, in the name of safety and/or security?

                                                                         
                                                         - Kevin

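The setup Kevin describes above (a locally authoritative fake root zone carrying a wildcard record, served from a dedicated named instance with "minimal-responses yes"), written out as an added configuration example; it is not from the original thread, and every server name, address and file path in it is a made-up placeholder (192.0.2.0/24 is documentation address space):

```conf
// named.conf for a dedicated "parking" instance (added example, not from the thread).
// Names, addresses and paths are placeholders.
options {
    directory "/var/named";
    // Bind only to the interface reserved for the parking service, so the
    // fake root zone never shares an instance with real authoritative zones
    // (Kevin's suggestion of a separate instance or box).
    listen-on { 192.0.2.53; };
    recursion no;
    // Option (a) from the reply above: do not add the apex NS records of "."
    // to the authority/additional sections unless they are explicitly queried.
    minimal-responses yes;
};

// The fake root zone: this instance claims authority for "." and answers
// for every name through the wildcard in the zone file.
zone "." {
    type master;
    file "parking-root.db";
};

; ---- parking-root.db, the zone file for "." (zone-file comment syntax) ----
$TTL 3600
$ORIGIN .
@       IN SOA  ns1.parking.example. hostmaster.parking.example. (
                    2005112301  ; serial
                    3600        ; refresh
                    900         ; retry
                    604800      ; expire
                    300 )       ; negative-caching TTL (minimum)
        IN NS   ns1.parking.example.
; Address of the name server itself, defined explicitly inside the zone.
ns1.parking.example.  IN A  192.0.2.53
; The wildcard: any name not otherwise defined resolves to the parking address.
*       IN A    192.0.2.10
```

Two things worth checking on such an instance: query it for `. NS` and confirm that the apex NS set is returned only for that explicit query and not in the authority section of an ordinary `A` lookup, and query a record type the wildcard does not provide (for example `MX`) to see the `SOA` of "." that Mark's reply refers to, whose last field (300 above) is the TTL resolvers would use for that negative answer if they accepted it.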