DNAME?

Timothe Litt litt at acm.org
Sat Jul 2 16:49:38 UTC 2011


Agree that getting DNAME into the TLDs and served is a political issue
rather than a technical one.  However, that isn't much consolation;
political issues are less tractable than technical ones :-(  As a very small
player, dealing with retail registrars like godaddy, mydomain, and the like,
my leverage is zero.  (I was pretty happy with the days when an e-mail, or
just a phone call to Jon or Joyce would get a change made.  But those days
are gone.)

I found a draft of BNAME - while it seems workable, it's another solution
that would hit name servers, resolvers and take time to deploy -- and
require registrants to get their registrars to put a special record into the
TLD.

I think my suggestion to do the work for aliasing in the name server is more
practical than BNAME.  The TLD would delegate in the familiar way to a
server; the server just has to fetch/translate the data from another zone
rather than a file.  And no impact on resolvers.  No new record types, and
the politics are limited to the domain getting the benefit.

Everyone would see the domain normally (as today); only the authoritative
server for the aliased domain would know that there's anything special about
it, and that server would do the extra work.  Since it's responsible for the
domain getting the benefit, it seems fair for it to do the work.  And since
named as a forwarder/resolver would have to know how to track down BNAMEs
under that proposal, asking named to track down aliases on the authoritative
side seems like no more (and probably less) work.

So, if I wanted to solve the problem that BNAME is trying to address (and my
original problem), I'd pursue a server solution rather than BNAME.

However, in the meantime it looks like I'll need to come up with some
solution on the back end to keep the aliased zones in sync.  Maybe just
AXFR the real zones periodically, run sed over them and write / sign
traditional zone files.  Yuck; another kludge that will not-quite-properly
paper over a problem.

---------------------------------------------------------
This communication may not represent my employer's views,
if any, on the matters discussed. 
 
-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org] 
Sent: Friday, July 01, 2011 21:58
To: Timothe Litt
Cc: 'Jon F.'; bind-users at isc.org
Subject: Re: DNAME?


When DNAME was being developed the working group had to make a decision
about whether DNAME should redirect the node it was at or just the names
below it.  The decision was made to do the latter because it didn't require
TLD operators to know about DNAME at the cost of a little more work to keep
the apex records in sync.

In hindsight we should have done both as there are use cases for both.
Getting other types added to TLDs isn't a technical issue, its a political
issue.  There are TLDs that accept MX, A, AAAA and I believe DNAME today
instead of NS records at what would be the delegation point.  It's just as
easy to serve these records as it is to serve a delegation.

Mark

In message <2FA4ED65DAC044849AA3F57FBCFE2CA5 at sb.litts.net>, "Timothe Litt" writes:
> Yes, the example.us zone loads.  As I mentioned, no errors in 
> named.log, and the statistics webserver (in named) shows example.us as 
> active, albeit with '-' for the serial number instead of the number in the
> zone file.
>  
> How did you get a DNAME into .com? 
> 
> I did make example.us a zone - it is one, isn't it?  If the DNAME has 
> to go in .us, I don't see making this scheme work.  As a practical 
> matter, registrars will put NS records into the TLDs, and some (with 
> encouragement) are starting to accept DNSSEC records for the TLDs).  
> But I've yet to see one that provides a means for a registrant to have a
> DNAME inserted...
> Unless I'm missing something.  Did you actually manage to do this, or 
> is your setup working in third+-level domains?
>  
> I was hoping/expecting that since my server is the authoritative 
> server for example.us, the DNAME could go in the example.us zone.  I 
> expected that when, as the authoritative server, it was asked for 
> foo.example.us, it would respond with foo.example.net.  But the RFC 
> wasn't clear, which is why I asked.
>  
> thanks.
> 
> 
> From: Jon F. [mailto:pikel.m95 at gmail.com]
> Sent: Thursday, June 30, 2011 16:11
> To: Timothe Litt
> Cc: bind-users at lists.isc.org
> Subject: Re: DNAME?
> 
> 
> I have a similar set up to that and it works. Have you checked the 
> logs to make sure the zone properly loaded? I'm assuming the zone data 
> you posted below is from the example.us zone but your first question 
> makes it sound like you put it in a separate zone. That would explain 
> the SERVFAIL if the zone data never loaded but the server was 
> authoritative. It does need to be in the .us.
> 
> 
> ;; ANSWER SECTION:
> example.com.           60      IN      DNAME   example.net.
> test.example.com.     60      IN      CNAME   test.example.net.
> test.example.net.       60      IN      A       127.0.0.1
> 
> 
> 
> And that's with zone data like this:
> example.com.  IN NS ns1.example.net.
> example.com.   IN NS ns2.example.net.
> example.com.  IN A 10.0.0.1
> example.com. IN DNAME example.net.
> 
> 
> Truthfully I haven't looked at DNAMEs in a long time so I'm unsure 
> how to do it fully for a domain without adding an A record as well. 
> But what you're doing works, it's just not very pretty. Someone may have a
> better way.
> 
> 
> 
> 
> On Thu, Jun 30, 2011 at 2:01 PM, Timothe Litt <litt at acm.org> wrote:
> 
> 
> I have domain example.net in production, and have recently acquired 
> example.us and example.info.
> 
> For whatever reason, I want example.us to simply mirror example.net, 
> which is dynamically updated (and dnssec).  And I want example.us to 
> be zero maintenance. (Well, OK I know I need separate DNSSEC keys, but 
> I don't want to mirror every update made in .net to .us)
> 
> So, I add a zone to ns1.example.net that looks like:
> (In view "internal")
>    zone "example.us" {
>        auto-dnssec maintain;
>        type master;
>        allow-transfer { key "TSIG_GLOBAL_KEY"; };
>        file "EXAMPLE_US.DB";
>        update-policy {
>            grant "TSIG_GLOBAL_KEY" subdomain example.us. ANY ;
>        };
>     };
> 
> $ORIGIN .
> $TTL 600        ; 10 minutes
> example.us.               IN SOA  ns1.example.net.
> examplenetadmin.example.net. (
>                                2011063001 ; serial
>                                172800     ; refresh (2 days)
>                                600        ; retry (10 minutes)
>                                2419200    ; expire (4 weeks)
>                                600        ; minimum (10 minutes)
>                                )
> example.us.     IN DNAME example.net.
> example.us. IN NS ns1.example.net.
> example.us. IN NS ns2.example.net.
> 
> I get SERVFAIL with dig if I ask about, say www.example.us 
> @ns1.example.net (www.example.net does exist).
> 
> I see nothing in the named.log, except the trace 99 /notrace commands 
> bracketing the dig, and if I turn on querylog:
> client <ns1 IP>#33256: view internal: query: www.example.us IN A + (<ns1 IP>).
> 
> If I look at the named statistics channel, I see that example.us is 
> being served, but the zone serial is '-', not '2011063001'.
> 
> Questions:
>    o Am I confused about DNAME placement - would it have to go in .US?
>      If so, is this possible?  (I don't mean technically possible - I mean
>      practically - e.g. thru a registrar such as godaddy, enom, etc).  If
>      not, what explains the SERVFAIL?
>    o Why is '-' reported for the zone serial?
>    o I understand that DNAME and MX don't play well together (DNAME is
>      essentially CNAME, and MX doesn't allow CNAMEs).  I suspect I'd have
>      to live with that - unless there are wiser heads?
>    o Is there a better approach?  (Assume that I'll also want to do the
>      same thing to example.info...)
> 
> Thanks.
> 
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
> unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> 
> 
> 
> --
> Jonathan French
> pikel.m95 at gmail.com
> 
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
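To make the behaviour Mark and Jon describe concrete, here is an added example (not code from the thread, from BIND, or from any of the posters) that implements DNAME substitution the way RFC 6672 section 2.2 specifies it, in Python. The zone is a constructed in-memory dict modelled on Timothe's example.us data, and the `answer`, `dname_substitute` and `closest_dname` helpers are mine, not a BIND API. It shows that the DNAME owner itself is answered from its own records (the apex SOA and NS stay in example.us, which is why Mark says the apex records have to be kept in sync by hand), that a name below the owner gets the DNAME plus a synthesized CNAME exactly as in Jon's dig output, and the YXDOMAIN case the RFC requires when the substituted name would exceed 255 octets.

```python
"""DNAME substitution per RFC 6672 section 2.2.

Added example, not from the bind-users thread: a toy authoritative lookup
over a constructed in-memory zone, to show what a server returns for names
at and below a DNAME owner.
"""

from typing import Dict, List, Optional, Tuple

# owner name -> RR type -> list of rdata strings (a stand-in for a loaded zone file)
Zone = Dict[str, Dict[str, List[str]]]
# (owner, type, rdata), one entry per line of a dig ANSWER SECTION
RR = Tuple[str, str, str]

MAX_NAME_OCTETS = 255  # RFC 1035 limit on a wire-format domain name


def labels(name: str) -> List[str]:
    """Split an absolute name into lowercase labels; the root "." becomes []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def wire_length(name: str) -> int:
    """Wire-format length: one length octet per label plus the terminating root octet."""
    return sum(len(label) + 1 for label in labels(name)) + 1


def is_proper_subdomain(qname: str, owner: str) -> bool:
    """True only for names strictly below owner: the owner itself is never redirected."""
    q, o = labels(qname), labels(owner)
    return len(q) > len(o) and q[len(q) - len(o):] == o


def dname_substitute(qname: str, owner: str, target: str) -> str:
    """Replace the owner suffix of qname with target, keeping the leading labels."""
    if not is_proper_subdomain(qname, owner):
        raise ValueError("DNAME applies only to names below its owner")
    prefix = labels(qname)[: len(labels(qname)) - len(labels(owner))]
    new_name = ".".join(prefix + labels(target)) + "."
    if wire_length(new_name) > MAX_NAME_OCTETS:
        raise OverflowError("substituted name exceeds 255 octets")  # -> YXDOMAIN
    return new_name


def closest_dname(qname: str, zone: Zone) -> Optional[Tuple[str, str]]:
    """DNAME at the nearest proper ancestor of qname, or None."""
    q = labels(qname)
    for i in range(1, len(q)):  # i=0 would be qname itself, which is not an ancestor
        ancestor = ".".join(q[i:]) + "."
        rrset = zone.get(ancestor, {}).get("DNAME")
        if rrset:
            return ancestor, rrset[0]
    return None


def answer(qname: str, qtype: str, zone: Zone) -> Tuple[str, List[RR]]:
    """Authoritative answer as (rcode, answer-section RRs).

    An exact match is served from its own RRsets, so the apex SOA/NS of a
    DNAME owner are returned normally (empty list = NODATA). A name below
    the owner gets the DNAME plus a synthesized CNAME.
    """
    qname = qname.lower().rstrip(".") + "."
    if qname in zone:
        rrset = zone[qname].get(qtype, [])
        return "NOERROR", [(qname, qtype, rdata) for rdata in rrset]
    found = closest_dname(qname, zone)
    if found is None:
        return "NXDOMAIN", []
    owner, target = found
    try:
        new_name = dname_substitute(qname, owner, target)
    except OverflowError:
        return "YXDOMAIN", [(owner, "DNAME", target)]
    return "NOERROR", [(owner, "DNAME", target), (qname, "CNAME", new_name)]


# Constructed zone modelled on Timothe's example.us: the apex keeps its own
# SOA and NS records while everything below the apex is redirected.
EXAMPLE_US: Zone = {
    "example.us.": {
        "SOA": ["ns1.example.net. examplenetadmin.example.net. 2011063001 172800 600 2419200 600"],
        "NS": ["ns1.example.net.", "ns2.example.net."],
        "DNAME": ["example.net."],
    },
}


if __name__ == "__main__":
    for name, qtype in [("www.example.us", "A"), ("example.us", "NS"), ("example.us", "MX")]:
        rcode, rrs = answer(name, qtype, EXAMPLE_US)
        print(f"{name} {qtype}: {rcode}")
        for owner, rtype, rdata in rrs:
            print(f"  {owner:<20} IN {rtype:<6} {rdata}")
```

The example models a server that has the zone loaded and is authoritative for it; it says nothing about the failed-load case Jon suspects behind the SERVFAIL, because no substitution happens at all until the zone data is actually being served. The MX query at the apex comes back NODATA here simply because the constructed zone has no MX record, and it is answered from example.us itself rather than being redirected, which is the apex behaviour Mark describes.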



