From: Kenneth P. <sh...@we...> - 2001-09-11 06:19:42
On Sun, 09 Sep 2001 17:33:18 -0700, Bruce Selzler wrote:

>BTW, you made a reference earlier to the use of the "@" sign in the zone
>records. I've noticed that a lot of people find this odd. I found the use
>of that in "The Complete Linux Reference" by Richard Peterson published by
>Osborne.

Actually, it's quite common. The "@" is shorthand that refers to the name used for the domain in named.conf. It's primarily used when one is hosting several domains that have some identical pieces, such as the SOA values and the list of name servers. Each domain would have its own zone file with the list of unique values, and at the top each file includes a common file that uses the @ syntax to declare the common SOA, NS, and MX records. Makes being a hosting provider a lot easier.

Unfortunately, when you posted your zone files, you didn't post your named.conf, so we can't see what the value of @ is for the two cases. That has a big effect on how to interpret the contents of the files.

>And the reverse mapping file;
> [...]
>9.0.254.216 IN PTR NS1.SPEAKEASY.NET.
>22.41.231.216 IN PTR NS1.SPEAKEASY.NET.
>27 IN PTR ns.sezonline.com.

This looks quite wrong, no matter what @ is. Since there's no $ORIGIN statement (more shorthand to automatically suffix following record keys with), the values on the left side here are treated as raw key names. Nothing will ever ask for the 3 keys you have here. Reverse records will always look like this:

    dd.cc.bb.aa.in-addr.arpa. 3600 IN PTR some.company.com.

This may look more like your example with an $ORIGIN statement:

    $ORIGIN cc.bb.aa.in-addr.arpa.
    dd 3600 IN PTR some.company.com.

The two forms generate exactly the same database in memory. $ORIGIN just makes it easier to type a whole bunch of records with similar keys that differ only in the left-most component. The client will construct a query by reversing the address and suffixing in-addr.arpa, and then ask for that.

You don't want to declare yourself authoritative for all of in-addr.arpa, or no reverse query will ever escape your LAN to get to others' reverse domains.

On Mon, 10 Sep 2001 04:21:20 +0000, Rodolfo J. Paiz wrote:

>Bow down and worship "DNS & BIND" published by O'Reilly, also known as the
>"bat book" due to O'Reilly's habit of putting a different species on each
>cover.

I concur! A new version of the book is out that covers BIND 9, and includes a chapter on BIND security. You really don't want to run BIND until you've read this book. You can then monitor comp.protocols.dns.bind (mirrored to the ISC bind-users mailing list), where one of the book's authors regularly posts. There's a HUGE amount of BIND expertise on that mailing list, including DNS admins from Chrysler and AOL.

Ken
mailto:sh...@we...
http://www.sewingwitch.com/ken/
[If answering a mailing list posting, please don't cc me your reply. I'll take my answer on the list.]
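The following is an added worked example, not part of Ken's message or of BIND itself. It implements the name expansion Ken describes: "@" becomes the zone name from named.conf, a trailing dot marks an absolute name, and anything else gets the current $ORIGIN appended. It then shows that the long form and the $ORIGIN form of a PTR record load as the identical key, that the key matches the query a client builds by reversing the address and suffixing in-addr.arpa, and that raw keys with no $ORIGIN expand to names no reverse query can ever reach. The zone text, the example.net/example.org/some.company.example names, and the "example.org." zone origin used for the raw-key case are constructed for illustration, since the thread never shows the real named.conf.

```python
"""Expand BIND zone-file shorthand ('@', '$ORIGIN', relative owner names)
into the fully-qualified keys the server actually loads, and check whether
PTR owner names are ones a resolver's reverse query could ever hit.
Added example; sample zone text and domain names are constructed."""
import ipaddress

IN_ADDR = ".in-addr.arpa."


def qualify(name, origin):
    """Resolve a name against the current origin, as BIND does.

    '@' is the origin itself; a name ending in '.' is already absolute;
    anything else is relative and gets the origin appended.
    """
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, zone_origin):
    """Parse a small zone file into (owner, ttl, class, type, rdata) tuples.

    zone_origin plays the role of the zone name from named.conf, i.e. the
    initial value of '@'. Only the subset of syntax needed here is handled:
    $ORIGIN, $TTL, ';' comments, and one record per line.
    """
    origin = zone_origin if zone_origin.endswith(".") else zone_origin + "."
    default_ttl = None
    last_owner = origin
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            # A relative $ORIGIN is itself resolved against the old origin.
            origin = qualify(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        # A line that starts with whitespace reuses the previous owner name.
        if line[0].isspace():
            owner = last_owner
        else:
            owner = qualify(tokens.pop(0), origin)
        last_owner = owner
        ttl = default_ttl
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        # Hostname-valued types have their target qualified the same way.
        if rtype in ("PTR", "NS", "CNAME"):
            rdata = qualify(rdata, origin)
        records.append((owner.lower(), ttl, "IN", rtype, rdata.lower()))
    return records


def reverse_query_name(address):
    """The name a client asks for when reverse-mapping an IPv4 address."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def unreachable_ptr_owners(records):
    """Return PTR owner names that no IPv4 reverse query can ever match.

    A reachable owner is exactly four decimal octets under in-addr.arpa.;
    anything else is dead data sitting in the zone.
    """
    bad = []
    for owner, _, _, rtype, _ in records:
        if rtype != "PTR":
            continue
        if not owner.endswith(IN_ADDR):
            bad.append(owner)
            continue
        labels = owner[: -len(IN_ADDR)].split(".")
        if len(labels) != 4 or not all(l.isdigit() and int(l) <= 255 for l in labels):
            bad.append(owner)
    return bad


# Constructed samples. The first two describe the same single record.
LONG_FORM = "9.0.254.216.in-addr.arpa. 3600 IN PTR some.company.example.\n"
ORIGIN_FORM = "$ORIGIN 0.254.216.in-addr.arpa.\n9 3600 IN PTR some.company.example.\n"
# Raw keys with no $ORIGIN, loaded under a (constructed) forward zone name.
RAW_KEYS = "9.0.254.216 IN PTR ns1.example.net.\n27 IN PTR ns.example.org.\n"

if __name__ == "__main__":
    print(parse_zone(LONG_FORM, "in-addr.arpa.") == parse_zone(ORIGIN_FORM, "in-addr.arpa."))
    print(reverse_query_name("216.254.0.9"))
    print(unreachable_ptr_owners(parse_zone(RAW_KEYS, "example.org.")))
```

Running it prints True, the query name 9.0.254.216.in-addr.arpa., and the two expanded raw keys, which is the concrete version of "nothing will ever ask for the keys you have here": whatever @ happens to be, a relative owner that does not end up as four octets under in-addr.arpa. is unreachable.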