Best way to handle multiple zones

Ryan McCain Ryan.McCain at dss.state.la.us
Thu Sep 20 19:32:07 UTC 2007


One more thing (I hope)...

here's my master/dss.louisiana.gov zone file:

$TTL 3600       ; 1 hour
@               IN SOA  dssns.dss.state.la.us. rmccain.dss.state.la.us. (
                                2007092003        ; serial
                                1200        ; refresh (20 minutes)
                                600        ; retry (10 minutes)
                                1209600    ; expire (2 weeks)
                                3600       ; minimum (1 hour)
)
                        NS      dssns.dss.state.la.us.
                        NS      dssns2.dss.state.la.us.
;                       A       205.172.49.49
                        MX      10 smtp-ext1
                        MX      20 smtp-ext2
;dssns                  A       199.248.209.34
;dssns2                 A       199.248.209.35
$INCLUDE /var/lib/named/master/shared.zone


---

When I do a DNS report on dnsstuff.com, the only error I get back is:

Your DNS servers leak stealth information in non-NS requests:

Stealth nameservers are leaked [dssns.dss.state.la.us.]!
Stealth nameservers are leaked [dssns2.dss.state.la.us.]!

This can cause some serious problems (especially if there is a TTL discrepancy). If you must have stealth NS records (NS records listed at the authoritative DNS servers, but not the parent DNS servers), you should make sure that your DNS server does not leak the stealth NS records in response to other queries.

---

I'm assuming this is because I am using NS records in the dss.state.la.us domain and not the dss.louisiana.gov domain? Is this ok?


>>> On Thu, Sep 20, 2007 at  2:05 PM, in message
<43B39549-0FAC-4412-BFE7-A1F5F1B606CD at menandmice.com>, Chris Buxton
<cbuxton at menandmice.com> wrote: 
> That sounds about right. The $ORIGIN in the included file is the same  
> as for the starting file (the one with the $INCLUDE statement). So  
> the origin value inside the included file varies depending on what  
> other file called it.
> 
> Chris Buxton
> Men & Mice
> 
> On Sep 20, 2007, at 10:42 AM, Ryan McCain wrote:
> 
>> After pounding my head on the desk a few times and with the  
>> assistance of a co-worker who was able to look at this w/o being  
>> buried in it for the past few days I think I figured it out.
>>
>> I am looking at this backwards.
>>
>> my named.conf needs to look like this:
>>
>>  zone "dss.state.la.us" in {
>>        file "master/dss.state.la.us";
>>        type master;
>>
>>  zone "dss.la.gov" in {
>>        file "master/dss.la.gov";
>>        type master;
>>
>>  zone "dss.louisiana.gov" in {
>>        file "master/dss.louisiana.gov";
>>        type master;
>>
>> ..each of those zone files will look similar to this:
>>
>>  $TTL 3601       ; 1 hour
>> @               IN SOA  dssns rmccain.dss.state.la.us. (
>>                                 2007092003
>>                                 1200        ; refresh (20 minutes)
>>                                 600        ; retry (10 minutes)
>>                                 1209600    ; expire (2 weeks)
>>                                 3600       ; minimum (1 hour)
>>                                 )
>>                         NS      dssns
>>                         NS      dssns2
>>                         MX      10 smtp-ext1
>>                         MX      20 smtp-ext2
>> $INCLUDE include/shared.zone
>>
>> ...and finally the shared.zone points to all of our A, CNAME, etc..  
>> records?
>>
>> Please tell me I'm now on the right track.
>>
>>
>>
>> >>> On Thu, Sep 20, 2007 at 12:31 PM, in message <46F2AE5F.30406 at ISC.org>, Alan Clegg <Alan_Clegg at ISC.org> wrote:
>>> Ryan McCain wrote:
>>>> I started to implement this and got to a point that stopped me.
>>>>
>>>> Let's say my /etc/named.conf looks like this:
>>>>
>>>> zone "dss.state.la.us" in {
>>>>         file "include/dss.state.la.us";
>>>>         type master;
>>>> };
>>>>
>>>> ... and my include/dss.state.la.us looks like this:
>>>>
>>>>
>>>> $TTL 3601       ; 1 hour
>>>> @               IN SOA  dssns rmccain.dss.state.la.us. (
>>>>                                 2007092003
>>>>                                 1200        ; refresh (20 minutes)
>>>>                                 600        ; retry (10 minutes)
>>>>                                 1209600    ; expire (2 weeks)
>>>>                                 3600       ; minimum (1 hour)
>>>>                                 )
>>>>                         NS      dssns
>>>>                         NS      dssns2
>>>>                         MX      10 smtp-ext1
>>>>                         MX      20 smtp-ext2
>>>> $INCLUDE include/shared.zone
>>>>
>>>> How will BIND know that the DNS records in include/shared.zone should
>>>> resolve to dss.state.la.us, dss.louisiana.gov and dss.la.gov?
>>>
>>> Each different zone "..." in {}; changes the @ to the given "..."
>>>
>>> AlanC
>>
>>
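As an added example (not code from this thread, and not BIND's own parser), a small Python expander for the zone-file conventions discussed above: "@" and relative names are completed with the zone origin, and an $INCLUDE with no explicit origin inherits the including file's origin, so one shared.zone yields different FQDNs under each zone. The file contents and the parent delegation list are constructed, and stealth_ns() is an assumed helper for the condition the dnsstuff report describes (apex NS records the parent does not delegate to).

```python
import re

# Constructed stand-in for files on disk: one shared include pulled into two zones,
# with relative NS names in the first zone and absolute ones in the second.
FILES = {
    "master/dss.state.la.us": "@ IN SOA dssns rmccain.dss.state.la.us. (\n"
        "   2007092003 1200 600 1209600 3600 )  ; serial refresh retry expire min\n"
        "  NS dssns\n  NS dssns2\n$INCLUDE include/shared.zone\n",
    "master/dss.louisiana.gov": "@ IN SOA dssns.dss.state.la.us. rmccain.dss.state.la.us. "
        "( 2007092003 1200 600 1209600 3600 )\n  NS dssns.dss.state.la.us.\n"
        "  NS dssns2.dss.state.la.us.\n$INCLUDE include/shared.zone\n",
    "include/shared.zone": "dssns A 199.248.209.34\nwww CNAME dssns\n",
}

def fqdn(name, origin):
    """'@' means the origin; relative names get it appended; absolute names stay."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def expand(path, origin, files=FILES):
    """Return [(owner, type, rdata)] with every name absolute. An $INCLUDE with no
    explicit origin inherits the including file's origin, so one shared.zone
    produces different FQDNs under each zone that includes it."""
    out, last_owner = [], origin
    text = re.sub(r";[^\n]*", "", files[path])                                   # strip comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)  # fold ( ... )
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] == "$TTL":
            continue
        if toks[0] == "$ORIGIN":
            origin = fqdn(toks[1], origin)
        elif toks[0] == "$INCLUDE":
            inc_origin = fqdn(toks[2], origin) if len(toks) > 2 else origin
            out.extend(expand(toks[1], inc_origin, files))
        else:
            owner = last_owner if line[0].isspace() else fqdn(toks.pop(0), origin)
            last_owner = owner
            if toks[0] == "IN":                          # class is optional in these files
                toks.pop(0)
            rrtype, rdata = toks[0], toks[1:]
            if rrtype in ("NS", "CNAME", "MX", "SOA"):   # rdata names are relative too
                rdata = [t if t.isdigit() else fqdn(t, origin) for t in rdata]
            out.append((owner, rrtype, " ".join(rdata)))
    return out

def stealth_ns(rrs, origin, parent_delegation):
    """Apex NS names that the parent does not delegate to (constructed parent list)."""
    apex = {rd for own, typ, rd in rrs if typ == "NS" and own == origin}
    return sorted(apex - set(parent_delegation))
```

Comparing expand("master/dss.state.la.us", "dss.state.la.us.") with expand("master/dss.louisiana.gov", "dss.louisiana.gov.") shows the included A and CNAME records landing under each zone's own origin, while the relative "dssns" in the first zone's NS records and the absolute "dssns.dss.state.la.us." in the second's resolve differently.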
