named-checkzone with multiple $ORIGIN
Mark Elkins
mje at posix.co.za
Mon Jun 5 13:49:39 UTC 2017
Most certainly - Yes.
You have a single zone here, thus only:
named-checkzone example.com example.com.zone
...should work.
Wait till you play with a reverse IPv6 zone - where I personally use
many $ORIGIN statements - saves hours of typing and makes reading the
Zones so much easier.
On 05/06/2017 15:40, Bernard Fay wrote:
> I understand what $ORIGIN is doing by reducing the typing and making
> it easier to maintain the zone files.
>
> To Tony, should I understand while using named-checkzone I need to
> enter _only_ the top domain and named-checkzone will understand the
> subdomains defined by the multiple $ORIGIN in the zone file?
>
> Thanks,
> Bernard
>
>
> On Mon, Jun 5, 2017 at 9:18 AM, Tony Finch <dot at dotat.at> wrote:
>
> Bernard Fay <bernard.fay at gmail.com> wrote:
> >
> > I took control of a DNS based on Bind 9.9. One of the zone files has
> > multiple $ORIGIN for example:
>
> The key thing to understand is that $ORIGIN just controls how unqualified
> domain names are expanded into fully-qualified domain names. In
> particular, $ORIGIN is completely independent of zone boundaries.
>
> So in the master file you sketched out,
>
> > $ORIGIN example.com
> > ...
> > $ORIGIN sub1.example.com
> > ...
> > $ORIGIN sub2.example.com
> > ...
> > $ORIGIN sub3.example.com
> > ...
>
> The person who wrote the file is using $ORIGIN in order to abbreviate
> unqualified names in subdomains, but the subdomains are all part of the
> same zone.
>
> The other thing to be aware of is that it is possible to write a zone file
> without any fully-qualified names, which is why you have to specify the
> zone name when loading the file. (This feature is useful for empty zones,
> for example, but it's usually not a good idea for normal zones.) The zone
> name is used to set the default $ORIGIN and for the zone sanity checks.
>
> So, this works...
>
> > While checking the zone file with:
> > named-checkzone example.com example.com.zone
> > named-checkzone returns ok for the first $ORIGIN.
>
> ...because the zone name you specified on the command line matches the
> contents of the master file.
>
> However,
>
> > named-checkzone sub1.example.com example.com.zone
> > named-checkzone sub2.example.com example.com.zone
> > named-checkzone sub3.example.com example.com.zone
> > named-checkzone reports many "ignoring out-of-zone data (....example.com)"
>
> this doesn't make sense. The master file is one single whole complete
> zone. The subdomains are not separate zones, and you can't load or check
> part of the file.
>
> So the error message is saying that the SOA record and the apex NS records
> at example.com and loads of other records are not subdomains of the zone
> name that you gave on the command line. I usually encounter this error
> when I have accidentally got my zone name and master file name muddled
> up, and once you get used to the error message it's a useful consistency
> check.
>
> Tony.
> --
> f.anthony.n.finch <dot at dotat.at>
> http://dotat.at/ - I xn--zr8h punycode
> Fitzroy: Southwesterly, veering northwesterly, 6 to gale 8,
> decreasing 5 later
> in southwest. Moderate or rough. Rain at first. Moderate or good.
--
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
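
The distinction Tony describes above, between $ORIGIN name expansion and the zone name given on the command line, as an added example that is not part of the original thread. It is a simplified Python sketch, not BIND's parser; the zone contents, addresses and function names are constructed for illustration.

```python
# Simplified master-file owner-name expansion (illustration, not BIND's parser).
# Handles only $ORIGIN, "@", relative and absolute owner names; no $INCLUDE,
# $TTL, parentheses, or blank-owner continuation lines.

ZONE_FILE = """\
$ORIGIN example.com.
@     IN SOA ns1 hostmaster 1 3600 600 86400 3600
@     IN NS  ns1
ns1   IN A   192.0.2.1
$ORIGIN sub1.example.com.
www   IN A   192.0.2.10
$ORIGIN sub2.example.com.
www   IN A   192.0.2.20
mail.sub3.example.com. IN A 192.0.2.30
"""  # constructed sample: one zone, several $ORIGIN directives


def expand_owners(text, zone_name):
    """Return the fully-qualified owner name of each record, in file order."""
    origin = zone_name.rstrip(".").lower() + "."  # default $ORIGIN is the zone name
    owners = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()    # drop comments, tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            arg = fields[1].lower()
            # A relative $ORIGIN argument is itself expanded against the current origin.
            origin = arg if arg.endswith(".") else arg + "." + origin
            continue
        name = fields[0].lower()
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = name + "." + origin
        owners.append(name)
    return owners


def out_of_zone(text, zone_name):
    """Owner names that are neither the zone apex nor below it."""
    apex = zone_name.rstrip(".").lower() + "."
    return [n for n in expand_owners(text, zone_name)
            if n != apex and not n.endswith("." + apex)]
```

Calling `out_of_zone(ZONE_FILE, "example.com")` returns an empty list, while passing `"sub1.example.com"` as the zone name flags the SOA, the apex NS and every record outside sub1, which is the situation behind the "ignoring out-of-zone data" messages quoted above.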