domain keys and name-checking

Barry Margolin barmar at alum.mit.edu
Sat Oct 18 14:48:01 UTC 2008 

In article <gdcj3a$977$1 at sf1.isc.org>,
 "aklist" <aklist_bind at enigmedia.com> wrote:

> >>
> >> do I need to just make the MX record (right before the domain keys 
> >> record):
> >>
> >> domain.com.        MX      10 mail
> >>
> >> or do I also have to prepend "domain.com" to the A record that  follows 
> >> the domain keys record?
> >>
> >
> > You need to move the domainkey record to after the A record.  That's 
> > supposed to be a continuation of all the records for the zone name.   Do 
> > you understand that indenting a line means it inherits the name  from the 
> > previous line?
> >
> I do now <g>...I always did it without thinking about why it worked, because 
> it worked!

Maybe it's time for you to read the "DNS & BIND" book and learn how all 
this stuff works.

> 
> The question for me now, how do I delegate a subzone in this domain without 
> named-checkzone grumbling that it's "ignoring out-of-zone data"? I have:
> 
> [last A record in zone]
> www     A       aaa.bbb.ccc.41
> ;
> server._domainkey.domain.com. IN TXT "k=rsa; p=[long string]"
> ;
> $ORIGIN sub.domain.com.
> server      A       aaa.bbb.ccc.42
> server      A       aaa.bbb.ddd.12
> server      A       aaa.bbb.ddd.13
> server      A       aaa.bbb.ddd.14
> server      A       aaa.bbb.ddd.15
>         MX      10 server

Is that supposed to be an MX record for sub.domain.com?  The way you 
have it written, it's the MX record for server.sub.domain.com.  If you 
want it to belong to the subdomain, it should be:

@ MX 10 server

Remember what you learned above about indented lines!  Note also that 
this means you don't need to repeat "server" on each line, you can just 
indent all the continuations.

> ;
> 
> but I'm still getting the error above for all the subzone A records? 

Those records all belong in the zone file for sub.domain.com, not 
domain.com.  That's what "delegating a subzone" means -- the subdomain 
data is all in its own files on the servers that you've delegated to 
(the ones named in the NS records).

If you're using all the same servers for both domain.com and 
sub.domain.com, you don't need to delegate at all.  Get rid of the NS 
records for sub.domain.com, the "zone" statement in your named.conf, and 
then you can put these records in the

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***

More information about the bind-users mailing list