Re: CNAME and other data



01-31-2005
Mark Andrews


> >>>>> "Mark" == Mark Andrews <Mark_Andrews@isc.org> writes:
> >> There are *no* duplicates that I can find. (It would be nice if
> >> named would log what the conflict is)

>
> Mark> You are trying to load a DNSSEC zone (with a CNAME) on a
> Mark> DNSSECbis server.
>
> Yes, agreed. I said that :-)
> I would ask that maybe 9.2.x might be more clear about the reason for
> the failure to load.


Well, the only thing missing was the name with the offending
data, which is easily found by transferring the zone and running
named-checkzone on it.

dig axfr sandelman.ca @205.150.200.254 > tmp
named-checkzone sandelman.ca tmp

In general, a "CNAME and other data" error should be picked up on the
master. DNSSECbis is special as it relaxed the rules.

I suppose we could explicitly check for RRSIG/NSEC in 9.2 and issue a
warning.

> I would also ask that perhaps 9.3.x be tolerant of NXT/SIG being
> present. I really think this is important.


I double checked. It should load a DNSSEC zone. It won't generate
the proofs however.

> If we want DNSSEC to be incrementally deployable, then making it hard
> for people to upgrade to 9.3 is a bad idea. Making it confusing to
> some ISP why their 9.2 fails to load a zone suddenly is also bad.


Incremental deployment would require that proofs be generated and
validated for both DNSSEC and DNSSECbis. BIND 9.3 does not do this.

> - --
> ] Michael Richardson Xelerance Corporation, Ottawa, ON | firewalls [
> ] mcr @ xelerance.com Now doing IPsec training, see |net architect[
> ] http://www.sandelman.ca/mcr/ www.xelerance.com/training/ |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
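
Added example (not part of the original post and not BIND code): a small Python pre-check over a transferred zone that names each owner holding a CNAME plus other data, and separates the case where the extra records are only RRSIG/NSEC, which the thread says a 9.2 server rejects, from a genuine conflict. The function names, the `example.test` sample and the assumption of one record per line (as dig prints a transfer) are constructed for illustration.

```python
from collections import defaultdict

# Types DNSSECbis allows beside a CNAME. Per the thread, a pre-DNSSECbis
# server (BIND 9.2) still treats them as "other data".
DNSSECBIS_TYPES = {"RRSIG", "NSEC"}
CLASSES = {"IN", "CH", "HS"}

def owner_types(zone_text):
    """Map each owner name to the RR types seen (one record per line)."""
    seen = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop dig's ';' comments
        if len(fields) < 2:
            continue
        rest = fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest = rest[1:]                     # skip TTL and class
        if rest:
            seen[fields[0].lower()].add(rest[0].upper())
    return seen

def cname_conflicts(zone_text):
    """Return {owner: (verdict, other_types)} for CNAME owners with other data."""
    report = {}
    for owner, types in owner_types(zone_text).items():
        others = types - {"CNAME"}
        if "CNAME" in types and others:
            verdict = "dnssecbis-only" if others <= DNSSECBIS_TYPES else "conflict"
            report[owner] = (verdict, sorted(others))
    return report

# Constructed sample in dig AXFR output format (not data from the thread).
SAMPLE = """\
example.test.     3600 IN SOA   ns.example.test. admin.example.test. 1 7200 900 1209600 3600
example.test.     3600 IN NS    ns.example.test.
ns.example.test.  3600 IN A     192.0.2.1
www.example.test. 3600 IN CNAME ns.example.test.
www.example.test. 3600 IN RRSIG CNAME 5 3 3600 20050301000000 20050131000000 12345 example.test. c2FtcGxl
www.example.test. 3600 IN NSEC  example.test. CNAME RRSIG NSEC
ftp.example.test. 3600 IN CNAME ns.example.test.
ftp.example.test. 3600 IN MX    10 ns.example.test.
"""

if __name__ == "__main__":
    for owner, (verdict, others) in sorted(cname_conflicts(SAMPLE).items()):
        print(f"{owner}: CNAME plus {', '.join(others)} -> {verdict}")
```

Run against the file written by the dig transfer above, a `dnssecbis-only` verdict points at a signed zone meeting an older server rather than at a duplicate or stray record.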
