Re: bind output in /var/adm/debug
Douglas,
RFC 1912 comments about this:

Don't use CNAMEs in combination with RRs which point to other names
like MX, CNAME, PTR and NS. (PTR is an exception if you want to
implement classless in-addr delegation.) For example, this is
strongly discouraged:

    podunk.xx.      IN      MX      mailhost
    mailhost        IN      CNAME   mary
    mary            IN      A       1.2.3.4

[RFC 1034] in section 3.6.2 says this should not be done, and [RFC
974] explicitly states that MX records shall not point to an alias
defined by a CNAME. This results in unnecessary indirection in
accessing the data, and DNS resolvers and servers need to work more
to get the answer. If you really want to do this, you can accomplish
the same thing by using a preprocessor such as m4 on your host
files.

Also, having chained records such as CNAMEs pointing to CNAMEs may
make administration issues easier, but is known to tickle bugs in
some resolvers that fail to check loops correctly. As a result some
hosts may not be able to resolve such names.

Having NS records pointing to a CNAME is bad and may conflict badly
with current BIND servers. In fact, current BIND implementations
will ignore such records, possibly leading to a lame delegation.
There is a certain amount of security checking done in BIND to
prevent spoofing DNS NS records. Also, older BIND servers reportedly
will get caught in an infinite query loop trying to figure out the
address for the aliased nameserver, causing a continuous stream of
DNS requests to be sent.

The relevant RFCs are:
0974 Mail routing and the domain system. C. Partridge. Jan-01-1986.
1033 Domain administrators operations guide. M. Lottor. Nov-01-1987.
1034 Domain names - concepts and facilities. P.V. Mockapetris.
1912 Common DNS Operational and Configuration Errors. D. Barr.
Tim
On May 27, 3:30, Douglas L Stewart wrote:
> Subject: bind output in /var/adm/debug
> I'm seeing a lot of warnings in /var/adm/debug because NS and MX records
> are pointing to CNAME's. Is this not allowed? If it's not, could someone
> point me to a reference that says that it's not, so I can point it out to
> the ISP that's got things set up this way.
>
> -douglas
>
>
> --
> TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
> debian-user-request@lists.debian.org .
> Trouble? e-mail to templin@bucknell.edu .
>-- End of excerpt from Douglas L Stewart
--
Tim Frost, Systems Engineer Email: Tim.Frost@nz.eds.com
EDS (NZ) Ltd, Voice: +64 4 495-0504
P.O. Box 3647, Fax: +64 4 495-0473
Wellington, New Zealand.
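
A zone-data check for the cases the RFC 1912 excerpt above describes (MX or NS pointing at a CNAME, CNAME chains and CNAME loops), as an added example that is not part of the original message. The origin, the simplified one-record-per-line format and every record after the first three are constructed assumptions.

```python
# Added example: lint simple zone data for the RFC 1912 CNAME problems.
ORIGIN = "podunk.xx."          # assumed origin for relative names
NAME_TYPES = ("MX", "NS", "CNAME")

# Constructed sample; the first three records are the RFC 1912 example.
ZONE = """\
podunk.xx.  IN MX    mailhost
mailhost    IN CNAME mary
mary        IN A     1.2.3.4
podunk.xx.  IN NS    ns1      ; NS pointing at an alias
ns1         IN CNAME www      ; CNAME pointing at a CNAME
www         IN CNAME web
web         IN A     1.2.3.5
podunk.xx.  IN MX    mary     ; fine: target owns an A record
loop-a      IN CNAME loop-b   ; two aliases pointing at each other
loop-b      IN CNAME loop-a
"""

def fqdn(name, origin=ORIGIN):
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse(zone_text):
    """Return (owner, type, target) tuples from 'name IN type rdata' lines."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()       # drop comments
        if len(fields) >= 4 and fields[1].upper() == "IN":
            rtype, target = fields[2].upper(), fields[-1]
            if rtype in NAME_TYPES:                   # rdata is a host name
                target = fqdn(target)
            records.append((fqdn(fields[0]), rtype, target))
    return records

def lint(records):
    cname = {o: t for o, rtype, t in records if rtype == "CNAME"}
    findings = []
    for owner, rtype, target in records:
        if rtype in ("MX", "NS") and target in cname:
            findings.append((f"{rtype}-to-CNAME", owner, target))
        elif rtype == "CNAME" and target in cname:
            seen, node = {owner}, target              # follow the alias chain
            while node in cname and node not in seen:
                seen.add(node)
                node = cname[node]
            kind = "CNAME-loop" if node in seen else "CNAME-chain"
            findings.append((kind, owner, target))
    return findings

if __name__ == "__main__":
    for kind, owner, target in lint(parse(ZONE)):
        print(f"{kind:12} {owner} -> {target}")
```
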