dkim cname records replication

Vidal Garza vgarza at bloughtech.com
Tue May 23 17:17:43 UTC 2017


Thanks Mark for your comments.

I know the underscore works because it's working on the Master. The problem is in the slave; for some reason, in the replication process the slave doesn't have the underscores.

Thanks in advance!

-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org] 
Sent: Monday, May 22, 2017 10:11 PM
To: McDonald, Daniel (Dan) <Dan.McDonald at austinenergy.com>
Cc: bind-users at lists.isc.org <bind-users at isc.org>; Vidal Garza <vgarza at bloughtech.com>
Subject: Re: dkim cname records replication


In message <EDD70AF63FE759CB.AD5B12F2-C3B8-4665-9A5B-0FEF7934742B at mail.outlook.com>, "McDonald, Daniel (Dan)" writes:
> In this case, Microsoft names the records 
> selector1._domainkeys.example.com and selector2._domainkeys.example.com.
> The poster said he was running bind 9.9.5, which to my knowledge 
> doesn't support leading underscores without check-names ignore.

Named DOES support underscore.  It stops you using underscore in HOSTNAME contexts which definitely don't apply to DKIM records.

* The owner name of an A record.  This is what bites with AD as
  there is an A record at gc._msdcs.<forestname>.  An exception has
  been added for this prefix (gc._msdcs) recently.
* The owner name of an AAAA record.
* The names of nameservers (NS rdata).
* The owner names of MX records.
* The names of mail exchangers (MX rdata).

DKIM uses underscores so that the owner names of the records it uses do not clash with the syntax of valid hostnames.  DKIM does not use A, AAAA or MX records at these names.  This is also why SRV uses records with underscore prefixes.

Mark

>
> On Mon, May 22, 2017 at 8:45 PM -0500, "Mark Andrews"
> <marka at isc.org<mailto:marka at isc.org>> wrote:
>
>
>
> In message , "McDonald, Daniel (Dan)" writes:
> > You need to add check-names ignore;  to the zone definition when 
> > dealing with active directory.  That ignores the invalid underscore character.
>
> DKIM is not active directory.  Named can serve DKIM records without 
> adding "check-names ignore;" to named.conf.
>
> The latest versions of named don't need "check-names ignore;" to serve 
> AD zones with gc._msdcs. (BIND 9.9.10, 9.10.5, 9.11.1).
>
> It also doesn't help that Microsoft confuses "Host Name" with "Owner 
> Name" / "Record Name" / "Domain Name" in the documentation referenced 
> below.  Host name has a specific meaning and the documentation 
> referenced there is just plain wrong in its use of "Host Name".
>
> Mark
>
> > From: bind-users  on behalf of Vidal Garza
> > Date: Monday, May 22, 2017 at 10:31
> > To: Bind Users
> > Subject: dkim cname records replication
> >
> > Hello List,
> >
> > I have this question about replication.
> >
> > I have a replication between BIND 9.9.5-3.
> > We try to make dkim work with Microsoft office 365. In the 
> > documentation they said that it should be a CNAME record with the 
> > sectors and it works in the master. The problem is in the slave, 
> > with the name and the underscore character.
> >
> > I wonder if bind supports the underscore character? Or if someone has
> > a link that helps me.
> >
> > Reference:
> > https://technet.microsoft.com/en-us/library/mt695945(v=exchg.150).aspx
> >
> > Thanks in advance!
> >
> >
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
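
The hostname contexts listed in Mark's reply, modeled as a small checker to show why a DKIM CNAME with underscores is not subject to them. This is an added example, not part of the thread and not BIND's own code; the function names, the sample records and the way the gc._msdcs exemption is applied are assumptions.

```python
import re

# Hostname (LDH) label: letters, digits, hyphens; no leading/trailing hyphen.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
GC_PREFIX = "gc._msdcs."  # AD prefix the message says is now exempted

def is_hostname(name):
    return all(LABEL.match(label) for label in name.rstrip(".").split("."))

def hostname_fields(owner, rtype, rdata):
    """Yield (context, name) for each field the message lists as a hostname context."""
    rtype = rtype.upper()
    if rtype in ("A", "AAAA"):
        # Assumption: model the exemption for A owners only, as the message
        # describes, by checking just the part after the prefix.
        if rtype == "A" and owner.lower().startswith(GC_PREFIX):
            owner = owner[len(GC_PREFIX):]
        yield rtype + " owner", owner
    elif rtype == "NS":
        yield "NS rdata", rdata
    elif rtype == "MX":
        yield "MX owner", owner
        yield "MX rdata", rdata.split()[-1]  # skip the preference field
    # CNAME, TXT, SRV and the rest: not in the list, so underscores pass.

def check_names(records):
    """Return (owner, type, context) for every field that fails hostname syntax."""
    return [(owner, rtype, ctx)
            for owner, rtype, rdata in records
            for ctx, name in hostname_fields(owner, rtype, rdata)
            if not is_hostname(name)]

# Constructed sample records (example.com / 192.0.2.0/24 are documentation values).
SAMPLE = [
    ("selector1._domainkeys.example.com.", "CNAME", "selector1.dkim.example.net."),
    ("_sip._tcp.example.com.", "SRV", "0 5 5060 sip.example.com."),
    ("gc._msdcs.example.com.", "A", "192.0.2.10"),
    ("_bad.example.com.", "A", "192.0.2.11"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "MX", "10 mail_1.example.com."),
]

if __name__ == "__main__":
    for finding in check_names(SAMPLE):
        print("hostname check would flag:", finding)
```

Only the underscore A owner and the underscore MX target are flagged; the DKIM CNAME and the SRV record pass because neither is in a hostname context.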
