From marco.davids at sidn.nl Fri Aug 1 02:18:37 2008
From: marco.davids at sidn.nl (Marco Davids)
Date: Fri, 01 Aug 2008 01:18:37 +0100
Subject: [dns-wg] DNS Lameness statistics and notifications
In-Reply-To: <871w19rh9u.fsf@mid.deneb.enyo.de>
References: <48919F2E.5010002@ripe.net> <871w19rh9u.fsf@mid.deneb.enyo.de>
Message-ID: <4892565D.3050606@sidn.nl>

Florian Weimer wrote:
> * Sjoerd Oostdijck:
>
>> We are now ready to start sending out notifications to the maintainers
>> of these zones, alerting them to a problem. The e-mail messages will
>> point to the DNS Lameness FAQs, which explain the possible problems and
>> give some pointers to help solve them.
>
> Could you delay this a bit? Yet another type of DNS-related
> notification doesn't really help right now, I think.
>
> Or am I overly sensitive?
>

No, I agree. Please delay.

We are in the middle of some sort of a 'Kaminsky awareness campaign', which
is difficult enough as it is - for some sysadmins.

Thanks.

--
Marco Davids
SIDN / ICT

From dougb at dougbarton.us Fri Aug 1 08:28:19 2008
From: dougb at dougbarton.us (Doug Barton)
Date: Thu, 31 Jul 2008 23:28:19 -0700
Subject: [dns-wg] DNS Lameness statistics and notifications
In-Reply-To: <871w19rh9u.fsf@mid.deneb.enyo.de>
References: <48919F2E.5010002@ripe.net> <871w19rh9u.fsf@mid.deneb.enyo.de>
Message-ID: <4892AD03.8050104@dougbarton.us>

Florian Weimer wrote:
> * Sjoerd Oostdijck:
>
>> We are now ready to start sending out notifications to the maintainers
>> of these zones, alerting them to a problem. The e-mail messages will
>> point to the DNS Lameness FAQs, which explain the possible problems and
>> give some pointers to help solve them.
>
> Could you delay this a bit? Yet another type of DNS-related
> notification doesn't really help right now, I think.

I have a different view which is that in the current climate where
attention is being focused on the importance of "good" DNS it may be
easier for admins that want to fix this but have had trouble getting
permission to allocate the necessary time/resources/etc. to actually
be able to tackle this issue.

hth,

Doug

From jim at rfc1035.com Fri Aug 1 11:55:38 2008
From: jim at rfc1035.com (Jim Reid)
Date: Fri, 1 Aug 2008 10:55:38 +0100
Subject: [dns-wg] DNS Lameness statistics and notifications
In-Reply-To: <871w19rh9u.fsf@mid.deneb.enyo.de>
References: <48919F2E.5010002@ripe.net> <871w19rh9u.fsf@mid.deneb.enyo.de>
Message-ID:

On Jul 31, 2008, at 20:21, Florian Weimer wrote:

> Could you delay this a bit? Yet another type of DNS-related
> notification doesn't really help right now, I think.

I tend to agree. The reference to "sending less than 100 warning
emails" is a little unsettling. Someone who's in receipt of these
messages is likely to find them annoying. And what if these emails go
to an address that can't do anything about the broken name servers?

From honneus at cisco.com Fri Aug 8 23:29:17 2008
From: honneus at cisco.com (Bill Honneus (honneus))
Date: Fri, 8 Aug 2008 17:29:17 -0400
Subject: [dns-wg] Subdomain Add Question
Message-ID: <72090C0C43FAAE4EA600F612226977D8E8777F@xmb-rtp-213.amer.cisco.com>

Hi,

I have a domain hosted at a third party site called my.domain.com.

In my company's zone file, we have NS records that refer to this third
party hosting site, and we have an 'A' record set up that associates the
my.domain.com domain to the IP address of a load balancer that balances
traffic coming into the site between two web servers, all in a DMZ. We
also have an MX record that refers the my.domain.com to a mail server
host, also in the DMZ. Finally, we have PTR records that refer back to
the load balancer and mail server hosts.
All this is set up correctly, everything works, and all DNS checks pass.

I need to add a subdomain, call it sub.my.domain.com, and I would like
to associate the subdomain to the same load balancer if possible. What
is the best way to do this without disrupting the incoming traffic to
the primary domain or
the flow of incoming SMTP traffic to the mail server? Is it best in
this situation to use a CNAME to map the subdomain, or to use a whole
new 'A' record? If I create a new 'A' record, I would not want to add a
new PTR record for the sub.my.domain.com as the IP address would be the
same as the PTR that refers back to my.domain.com. This I
believe, would cause DNS checks on my mail server to fail, since there
would be two hostnames associated with the same IP address.

Your help is appreciated!

Bill
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From anandb at ripe.net Sat Aug 9 12:32:13 2008
From: anandb at ripe.net (Anand Buddhdev)
Date: Sat, 9 Aug 2008 12:32:13 +0200
Subject: [dns-wg] Subdomain Add Question
In-Reply-To: <72090C0C43FAAE4EA600F612226977D8E8777F@xmb-rtp-213.amer.cisco.com>
References: <72090C0C43FAAE4EA600F612226977D8E8777F@xmb-rtp-213.amer.cisco.com>
Message-ID: <200808091232.14097.anandb@ripe.net>

On Friday 08 August 2008 23:29:17 Bill Honneus (honneus) wrote:

Hi Bill,

> I have a domain hosted at a third party site called my.domain.com.
>
> In my company's zone file, we have NS records that refer to this third
> party hosting site, and we have an 'A' record set up that associates the
> my.domain.com domain to the IP address of a load balancer that balances
> traffic coming into the site between two web servers, all in a DMZ. We
> also have an MX record that refers the my.domain.com to a mail server
> host, also in the DMZ. Finally, we have PTR records that refer back to
> the load balancer and mail server hosts.
> All this is set up correctly, everything works, and all DNS checks pass.
>
> I need to add a subdomain, call it sub.my.domain.com, and I would like
> to associate the subdomain to the same load balancer if possible. What
> is the best way to do this without disrupting the incoming traffic to
> the primary domain or
> the flow of incoming SMTP traffic to the mail server? Is it best in
> this situation to use a CNAME to map the subdomain, or to use a whole
> new 'A' record? If I create a new 'A' record, I would not want to add a
> new PTR record for the sub.my.domain.com as the IP address would be the
> same as the PTR that refers back to my.domain.com. This I
> believe, would cause DNS checks on my mail server to fail, since there
> would be two hostnames associated with the same IP address.

You have 2 options:

1. You can add a CNAME for sub.my.domain.com to point to my.domain.com.
This will cause resolvers which are looking for A or MX records for
sub.my.domain.com to restart their queries with my.domain.com. This is
the simplest solution. However, I am personally not in favour of CNAMEs;
some DNS administrators have been known to create chains of CNAMEs,
causing resolvers to do a lot of extra work (RFC 1034 even discourages
CNAME chains). Some resolvers will give up after 4 levels of indirection.

2. Alternatively, you can add an A record for sub.my.domain.com to point
to the same address as my.domain.com. You do NOT have to create a
corresponding PTR record, because you already have a PTR record for that
address. Having said that, if you do create a second PTR record for that
address, then a resolver will indeed get back two names. This isn't
illegal, and won't cause any breakage that I know of, but it doesn't make
sense. If you're following this second option, you'll also have to create
an MX record for sub.my.domain.com to point to the name of the mail
server that will handle mail for that sub domain.

In summary, the CNAME solution is simpler and faster, but causes more
work for resolvers.
The second option provides an immediate answer to a resolver, but
you have to create both A and MX records. Choose whichever method you
prefer.

--
Anand Buddhdev
DNS Services Manager, RIPE NCC
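
Added example, not part of Anand's message or of the original thread: a small Python model of the two options above, showing how a resolver reaches the A and MX data in each case and where a CNAME chain gets cut off. The addresses (192.0.2.x documentation range), the mail host name `mail.my.domain.com` and the use of 4 hops as the default limit are assumptions for illustration.

```python
# Constructed sample zone data; only the names my.domain.com and
# sub.my.domain.com come from the thread, everything else is hypothetical.
BASE = {
    ("my.domain.com", "A"): ["192.0.2.10"],           # load balancer
    ("my.domain.com", "MX"): ["10 mail.my.domain.com"],
    ("mail.my.domain.com", "A"): ["192.0.2.25"],
}
# Option 1: a single CNAME covers every record type.
OPTION_1 = {**BASE, ("sub.my.domain.com", "CNAME"): ["my.domain.com"]}
# Option 2: explicit A and MX records, no new PTR needed.
OPTION_2 = {
    **BASE,
    ("sub.my.domain.com", "A"): ["192.0.2.10"],
    ("sub.my.domain.com", "MX"): ["10 mail.my.domain.com"],
}


def resolve(zone, name, rtype, max_hops=4):
    """Return (answers, cname_hops), restarting the query at each CNAME
    target and giving up on a loop or after max_hops indirections."""
    seen, hops = set(), 0
    while True:
        if (name, rtype) in zone:
            return zone[(name, rtype)], hops
        target = zone.get((name, "CNAME"))
        if target is None:
            return [], hops                      # no data of this type
        if name in seen or hops >= max_hops:
            raise RuntimeError(f"CNAME chain too long or looping at {name}")
        seen.add(name)
        name, hops = target[0], hops + 1


def cname_conflicts(zone):
    """Names holding a CNAME next to other record types. RFC 1034
    section 3.6.2 does not allow other data at a CNAME node, so
    options 1 and 2 cannot be mixed for the same name."""
    cnames = {n for (n, t) in zone if t == "CNAME"}
    return sorted({n for (n, t) in zone if n in cnames and t != "CNAME"})


if __name__ == "__main__":
    for label, zone in (("option 1", OPTION_1), ("option 2", OPTION_2)):
        for rtype in ("A", "MX"):
            print(label, rtype, resolve(zone, "sub.my.domain.com", rtype))
```
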