Alex Thurlow | 4 Nov 2004 01:09

Re: Wildcard behavior


Sebastiaan van Erk wrote:
> Alex Thurlow wrote:
> 
> 
>>The problem is that an SPF checker will not look up the TXT record for 
>>sebster.com if the mail comes from xxx@host.sebster.com.  The ptr in the 
>>record
>>'sebster.com:v=spf1 mx ptr a\072home.sebster.com -all:3600
>>will be of service if the mail comes from xxx@sebster.com and the ip it 
>>comes from has reverse DNS of host.sebster.com.  However, if the mail 
>>comes from the ips with reverse DNS of host.sebster.com and the email 
>>address is xxx@host.sebster.com, it will fail.  In this case, the SPF 
>>checker will look up the TXT for host.sebster.com and get no result as 
>>there is only a TXT record for sebster.com, not host.sebster.com.  That 
>>is why he needs the wildcard record to work.
> 
> 
> This is exactly the problem. First of all, I would like to send mail
> from existing subdomains of sebster.com, and at the same time protect all
> my nonexistent subdomains from forgery. Thus it is actually the case
> that I sometimes send email with the email address sebster@eeyore.sebster.com
> which currently fails SPF checks, because the above (wildcard record) 
> only protects nonexisting domains. I want to protect EVERY subdomain,
> in fact, ANYTHING ending in sebster.com, so even the nonexistent
> xxx@a.b.c.d.e.f.g.sebster.com.
> 
> What I actually DON'T want, upon consideration, is that any .sebster.com
> can SEND mail. If a client wants to send mail for my domain, they should
> use my mail servers to do that. Thus, I actually do NOT want the ptr

Paul Jarc | 4 Nov 2004 06:45

Re: Wildcard behavior

Alex Thurlow <alex.thurlow@skylist.net> wrote:
> Does someone have a patch to remedy this behavior?

No need for that - it can be done with a data generator/preprocessor.

> I know it's not technically RFC compliant,

There's no interoperability problem here.  How the server's records
are specified by the admin isn't any business of the client's.

paul
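Paul's "data generator/preprocessor" suggestion, worked out as an added example in Python (this is not code from the thread or from djbdns). tinydns answers from a `*.zone` record only for names that have no records of their own, which is exactly why a host such as eeyore.sebster.com, which has an A record, gets nothing from a wildcard TXT record. The generator below reads tinydns-data lines, emits an explicit `'` TXT line carrying the SPF string for the zone apex and for every name under it that owns records (skipping CNAME owners, where a TXT record would be illegal, and names that already have a TXT record, so two `v=spf1` strings are not published at one name), and appends the `'*.zone` wildcard for the non-existent names, escaping colons as `\072` the way the `'sebster.com:...` line above does. The zone data inside is constructed for illustration, and the SPF string is a parameter: `mx` and `a` without an argument are evaluated against the name being checked, so a string that is to be published at many subdomains should name the mail servers explicitly, as `a:home.sebster.com` does.

```python
"""tinydns-data preprocessor: publish one SPF TXT record for every name in a zone.

Added example, not part of djbdns or of any poster's code.  tinydns answers from
'*.zone' only for names that have no records of their own, so a host with an A
record (eeyore.sebster.com in the thread) gets nothing from a wildcard TXT
record.  This generator reads tinydns-data lines, finds every name under the
zone that owns records, and emits an explicit TXT line for each of them plus
the wildcard for everything else.  SAMPLE_DATA at the bottom is constructed.
"""

# Record types whose first field is an owner name that will have records.
# (C is handled separately: a CNAME owner must not also get a TXT record.)
OWNER_TYPES = set(".&=+@'^Z:")

# Types whose 'x' field also names a host that receives an A record when an IP
# is given: x.ns.fqdn for . and &, x.mx.fqdn for @, or x itself if it has a dot.
X_SUFFIX = {".": "ns", "&": "ns", "@": "mx"}


def tinydns_escape(text):
    """Escape a tinydns-data field: ':', backslash and non-printables become \\ooo."""
    out = []
    for ch in text:
        o = ord(ch)
        if ch in ":\\" or o < 32 or o > 126:
            out.append("\\%03o" % o)
        else:
            out.append(ch)
    return "".join(out)


def _in_zone(fqdn, zone):
    return fqdn == zone or fqdn.endswith("." + zone)


def zone_names(data_lines, zone):
    """Return (owners, cnames, have_txt) for names under `zone`.

    owners:   names that own at least one record (the wildcard never matches them)
    cnames:   names defined by C records (a TXT record there would be illegal)
    have_txt: names that already carry a ' record (left for the admin to merge;
              two v=spf1 strings at one name is a PermError for SPF checkers)
    """
    zone = zone.lower().rstrip(".")
    owners, cnames, have_txt = set(), set(), set()
    for raw in data_lines:
        line = raw.strip()
        if not line or line[0] in "#-":      # comment or disabled (-) record
            continue
        rtype, fields = line[0], line[1:].split(":")
        fqdn = fields[0].lower().rstrip(".")
        if fqdn.startswith("*.") or not _in_zone(fqdn, zone):
            continue                          # wildcards own nothing; other zones ignored
        if rtype == "C":
            cnames.add(fqdn)
            continue
        if rtype in OWNER_TYPES:
            owners.add(fqdn)
        if rtype == "'":
            have_txt.add(fqdn)
        if rtype in X_SUFFIX and len(fields) > 2 and fields[1] and fields[2]:
            x = fields[2].lower().rstrip(".")
            host = x if "." in x else "%s.%s.%s" % (x, X_SUFFIX[rtype], fqdn)
            if _in_zone(host, zone):
                owners.add(host)
    return owners - cnames, cnames, have_txt


def spf_records(data_lines, zone, spf, ttl=3600):
    """Return tinydns-data ' lines publishing `spf` at the apex, at every name that
    owns records, and at *.zone for the names that do not exist (sorted, wildcard last)."""
    zone = zone.lower().rstrip(".")
    owners, cnames, have_txt = zone_names(data_lines, zone)
    value = tinydns_escape(spf)
    explicit = sorted((owners | {zone}) - cnames - have_txt)
    lines = ["'%s:%s:%d" % (name, value, ttl) for name in explicit]
    lines.append("'*.%s:%s:%d" % (zone, value, ttl))
    return lines


# Constructed sample zone (not a real data file).
SAMPLE_DATA = [
    "# constructed example zone",
    ".sebster.com:192.0.2.1:a:259200",          # also creates a.ns.sebster.com
    "=sebster.com:192.0.2.1:86400",
    "=home.sebster.com:192.0.2.2:86400",
    "+eeyore.sebster.com:192.0.2.3:86400",      # a wildcard TXT would never match this
    "@sebster.com::home.sebster.com:10",        # x has a dot: used verbatim; no IP given
    "Cwww.sebster.com:home.sebster.com:86400",  # CNAME: no TXT may be added here
    "'legacy.sebster.com:some other text:300",  # already has a TXT: left alone
    "+*.sebster.com:192.0.2.9:86400",           # an existing wildcard owns nothing
    "-old.sebster.com:192.0.2.4:86400",         # disabled record
    "=other.example.net:192.0.2.5:86400",       # different zone
]

if __name__ == "__main__":
    for rec in spf_records(SAMPLE_DATA, "sebster.com", "v=spf1 a:home.sebster.com -all"):
        print(rec)
```

Run it against the real `data` file (`spf_records(open("data"), "sebster.com", ...)`) and append the output to `data` before running `tinydns-data`; names that already carry a TXT record are reported by `zone_names` so the SPF string can be merged into them by hand rather than published twice.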

Brian Reichert | 4 Nov 2004 17:51

suggested patch to tinydns-notify

tinydns.org has a reference to a perl program called tinydns-notify.

I'd like to recommend a simple patch.  My goal: on those boxes that
are multihomed, force tinydns-notify to use the same IP address
as the tinydns bind address.

Useful for me, at least...

*** tinydns-notify      Thu Nov  4 11:33:02 2004
--- tinydns-notify.orig Thu Nov  4 11:27:58 2004
***************
*** 37,47 ****

  my $res = new Net::DNS::Resolver;

- # Force our source address to be the same as our tinydns bind address.
- open(IP,'../env/IP') || die "$0: can't read ../env/IP: $!\n";
- my $srcaddr = <IP>; chomp $srcaddr;
- $res->srcaddr($srcaddr);
- 
  foreach $s (keys %notify)
  {
    next unless $_ = $notify{$s};
--- 37,42 ----
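Review bot: the hunk is in the reverse direction: `*** tinydns-notify` (the patched copy) is listed first and `--- tinydns-notify.orig` second, so the four lines marked `-` are the ones being proposed as additions, and patch(1) will flag it as reversed when applied in the usual direction; regenerate it as `diff -c tinydns-notify.orig tinydns-notify`. In the added lines, `my $srcaddr = <IP>;` takes one line with no check that anything was read, so an empty `../env/IP` (the `open ... || die` only catches a file that cannot be opened) hands an empty or undefined value to `$res->srcaddr($srcaddr)`; add a `die` on an empty value and a `close(IP)` afterwards. The relative path `../env/IP` also depends silently on the directory the script is started from, which deserves a comment or a command-line override.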

--

-- 
Brian Reichert				<reichert@numachi.com>
37 Crystal Ave. #303			Daytime number: (603) 434-6842
Derry NH 03038-1713 USA			BSD admin/developer at large	


Jeremy Jones | 4 Nov 2004 20:39

Multiple domains, one nameserver

I have searched google and the documentation for how to have multiple
domains such as www.domain1.com and www.domain2.com both under the same
nameserver.  If anyone has any insight or a link to some documentation I
would greatly appreciate it.

Jeremy C. Jones
Computer and Telecommunications
Samford University
800 Lakeshore Drive
Birmingham, AL 35229
205.726.2706

Mirko Steiner | 4 Nov 2004 21:06

Re: Multiple domains, one nameserver

Jeremy Jones wrote:

>I have searched google and the documentation for how to have multiple
>domains such as www.domain1.com and www.domain2.com both under the same
>nameserver.  If anyone has any insight or a link to some documentation I
>would greatly appreciate it.
>  
>
You just have to make sure that the authoritative nameserver for 
those domains points to one nameserver (you can configure that with the 
domain hoster where you bought the domain).

Then you can easily put data into the "data" file for multiple domains. 
Here is an example from a production system:

.ebn24.biz:217.160.140.39:a:259200
=ebn24.biz:217.160.140.39:86400
@ebn24.biz:217.160.140.39:a:10
+*.ebn24.biz:217.160.140.39:86400

.ebn24.com:217.160.140.39:a:259200
=ebn24.com:217.160.140.39:86400
@ebn24.com:217.160.140.39:a:10
+*.ebn24.com:217.160.140.39:86400

So the nameserver can answer queries for ebn24.biz and ebn24.com.

Paul Jarc | 4 Nov 2004 21:39

Re: Multiple domains, one nameserver

"Jeremy Jones" <jcjones@samford.edu> wrote:
> I have searched google and the documentation for how to have multiple
> domains such as www.domain1.com and www.domain2.com both under the same
> nameserver.

<URL:http://cr.yp.to/djbdns/run-server.html>
Everything starting from "Receiving delegations" can be repeated for
additional zones.

paul

Bennett Todd | 4 Nov 2004 21:51

On SOA records for superdomains

Like many on this list, I've taken advantage of the trick for CIDR
block delegation in in-addr.arpa of just NS-ing the individual IPs
to another nameserver, which configures itself to be authoritative
for the containing classful block. Works like a champ.

I took away from that the belief that there was no problem with
doing this in general, e.g. just bunging in an SOA for "." and
publishing whatever records I feel like. And I got away with it
until recently.

Turns out there's one case where this can bite you.

If a query is sent to your auth server for a domain label that
exists, but for a record type that doesn't, the SOA (which is the
only thing returned for a "NODATA" as opposed to NXDOMAIN) is
checked, at least by some recursive resolvers, and doesn't produce
the desired NODATA if it's for a superdomain.

In in-addr.arpa this isn't a problem, there's just ptr queries.

But in the normal case, publishing A records in normal domains,
there are some clients popping up that do AAAA queries before A,
and some recursive resolvers between these clients and the internet
sometimes don't take kindly to an SOA for a superdomain of the
delegation they followed to get to your nameserver. Or at least this
is the only explanation we've been able to come up with for observed
behavior. If the obvious fix (bung in SOAs for each delegated name
rather than the superdomain of them all) doesn't make things work,
I'll be back with an update:-).


Bennett Todd | 4 Nov 2004 20:55

Re: Multiple domains, one nameserver

2004-11-04T19:39:46 Jeremy Jones:
> I have searched google and the documentation for how to have multiple
> domains such as www.domain1.com and www.domain2.com both under the same
> nameserver.  If anyone has any insight or a link to some documentation I
> would greatly appreciate it.

If you're wanting to do it with djbdns, it couldn't be easier; in
the tinydns-data format file "data", include the data for all the
zones, "." records and all. If you're wanting to do it with BIND,
it's a separate problem, slightly more complex, and not on-topic for
this list.

-Bennett

Paul Jarc | 4 Nov 2004 22:06

Re: On SOA records for superdomains

Bennett Todd <bet@rahul.net> wrote:
> Turns out there's one case where this can bite you.

More than one, though this is less severe when you aren't publishing
records for names that aren't actually delegated to you:
<URL:http://cr.yp.to/djbdns/com-wildcard.html>

paul

marrandy | 9 Nov 2004 05:35

unable to increase log size

hello.

I have increased the logging from 100000 to 1000000 in the 
/service/dnscache/log/run file.

I have done svc -t dnscache, svc -a dnscache and svc -h dnscache but the log 
size never increases.

Why isn't the log/run file being re-read ?

cd /service/dnscache

ls -al
total 32
drwxr-sr-t    6 root     root         4096 Nov  8 17:02 .
drwxr-xr-x   59 root     root         4096 Nov  8 16:53 ..
drwxr-sr-x    2 root     root         4096 Sep 22 13:57 env
drwxr-sr-x    4 root     root         4096 Nov  8 17:02 log
drwxr-sr-x    4 root     root         4096 Sep 27 13:18 root
-rwxr-xr-x    1 root     root          142 Sep 22 13:57 run
-rw-------    1 root     root          128 Sep 22 13:57 seed
drwx--S---    2 root     root         4096 Nov  8 17:21 supervise

cd log

ls -al
total 20
drwxr-sr-x    4 root     root         4096 Nov  8 17:02 .
drwxr-sr-t    6 root     root         4096 Nov  8 17:02 ..
drwxr-sr-x    2 Gdnslog  Gdnslog      4096 Nov  8 17:25 main
