Re: Sezonline Zone Files

[Kenneth P. <sh...@we...>]

On Sun, 09 Sep 2001 17:33:18 -0700, Bruce Selzler wrote:

>BTW, you made a reference earlier to the use of the "@" sign in the zone
>records.  I've noticed that a lot of people find this odd.  I found the use
>of that in "The Complete Linux Reference" by Richard Peterson published by
>Osborne.

Actually, it's quite common. The "@" is shorthand that refers to the
name used for the domain in named.conf. It's primarily used when one is
hosting several domains that have some identical pieces, such as the
SOA values and the list of name servers. Each domain would have its own
zone file with the list of unique values, and at the top each file
includes a common file that uses the @ syntax to declare the common
SOA, NS, and MX records. Makes being a hosting provider a lot easier.

Unfortunately, when you posted your zone files, you didn't post your
named.conf, so we can't see what the value of @ is for the two cases.
That has a big effect on how to interpret the contents of the files.

>And the reverse mapping file;
> [...]
>9.0.254.216    IN    PTR    NS1.SPEAKEASY.NET.
>22.41.231.216    IN    PTR    NS1.SPEAKEASY.NET.
>27    IN    PTR    ns.sezonline.com.

This looks quite wrong, no matter what @ is. Since there's no $ORIGIN
statement (more shorthand to automatically suffix following records
keys with), the values on the left side here are treated as raw key
names. Nothing will ever ask for the 3 keys you have here.

Reverse records will always look like this:

dd.cc.bb.aa.in-addr.arpa. 3600 IN PTR some.company.com.

This may look more like your example with an $ORIGIN statement:

$ORIGIN cc.bb.aa.in-addr.arpa.
dd 3600 IN PTR some.company.com.

The two forms generate exactly the same database in memory. $ORIGIN
just makes it easier to type a whole bunch of records with similar keys
that differ only in the left-most component.

The client will construct a query by reversing the address and
suffixing in-addr.arpa, and then ask for that.

You don't want to declare yourself authoritative for all of
in-addr.arpa, or no reverse query will ever escape your LAN to get to
other's reverse domains.

On Mon, 10 Sep 2001 04:21:20 +0000, Rodolfo J. Paiz wrote:

>Bow down and worship "DNS & BIND" published by O'Reilly, also known as the 
>"bat book" due to O'Reilly's habit of putting a different species on each 
>cover.

I concur! A new version of the book is out that covers BIND 9, and
includes a chapter on BIND security. You really don't want to run BIND
until you've read this book.

You can then monitor comp.protocols.dns.bind (mirrored to the ISC
bind-users mailing list), where one of the book's authors regularly
posts. There's a HUGE amount of BIND expertise on that mailing list,
including DNS admins from Chrysler and AOL.

Ken
mailto:sh...@we...
http://www.sewingwitch.com/ken/
[If answering a mailing list posting, please don't cc me your reply. I'll take my answer on the list.]