Hi All!

Sorry for the newbie question...

first we do this:

mci@usr:~$ dig @ns.ripe.net 18.5.195.in-addr.arpa ns

; <<>> DiG 9.2.1 <<>> @ns.ripe.net 18.5.195.in-addr.arpa ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20035
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;18.5.195.in-addr.arpa. IN NS

;; AUTHORITY SECTION:
18.5.195.in-addr.arpa. 432000 IN NS ns.ukrtel.net.
18.5.195.in-addr.arpa. 432000 IN NS ns.dc.ukrtel.net.

;; Query time: 561 msec
;; SERVER: 193.0.0.193#53(ns.ripe.net)
;; WHEN: Thu Mar 13 13:20:20 2003
;; MSG SIZE rcvd: 86

and second ...

mci@usr:~$ dig ns.ukrtel.net any

; <<>> DiG 9.2.1 <<>> ns.ukrtel.net any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26601
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;ns.ukrtel.net. IN ANY

;; ANSWER SECTION:
ns.ukrtel.net. 50925 IN CNAME expert.ukrtel.net.

;; AUTHORITY SECTION:
ukrtel.net. 18098 IN NS expert.ukrtel.net.
ukrtel.net. 18098 IN NS ns2.eu.concert.net.
ukrtel.net. 18098 IN NS ns.cw.net.

;; ADDITIONAL SECTION:
expert.ukrtel.net. 11427 IN A 195.5.6.10
ns2.eu.concert.net. 104499 IN A 195.99.65.212
ns.cw.net. 60986 IN A 204.70.128.1

;; Query time: 7 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Thu Mar 13 13:21:31 2003
;; MSG SIZE rcvd: 163

Am I being slow? Or is an NS pointing at a CNAME not supposed to work? (RFC1912)
Because of this, reverse lookups don't work for ukrtel...

CU!
--
//ShaD0w
===================================================================
uanog mailing list.
To Unsubscribe: send mail to majordomo@uanog.kiev.ua with "unsubscribe uanog" in the body of the message

On Thursday 13 March 2003 13:22, Michail Litvak wrote:
> Am I being slow? Or is an NS pointing at a CNAME not supposed to work? (RFC1912)
> Because of this, reverse lookups don't work for ukrtel...

And where in this RFC does it say that it should?

  Don't use CNAMEs in combination with RRs which point to other names
  like MX, CNAME, PTR and NS.

--
wbr, slava [vovk-uanic]

Hello Slava Vovk!

Thu, Mar 13, 2003 at 01:34:43PM +0200, vovk wrote about "[uanog] Re: reverse DNS and CNAME":

SV> On Thursday 13 March 2003 13:22, Michail Litvak wrote:
SV> > Am I being slow? Or is an NS pointing at a CNAME not supposed to work? (RFC1912)
SV> > Because of this, reverse lookups don't work for ukrtel...
SV>
SV> And where in this RFC does it say that it should?
SV>
SV> Don't use CNAMEs in combination with RRs which point to other names
SV> like MX, CNAME, PTR and NS.

Section 2.4, last paragraph:

  Having NS records pointing to a CNAME is bad and may conflict badly
  with current BIND servers. In fact, current BIND implementations
  will ignore such records, possibly leading to a lame delegation.
  There is a certain amount of security checking done in BIND to
  prevent spoofing DNS NS records. Also, older BIND servers reportedly
  will get caught in an infinite query loop trying to figure out the
  address for the aliased nameserver, causing a continuous stream of
  DNS requests to be sent.

CU!
--
//ShaD0w

On Thursday 13 March 2003 13:36, Michail Litvak wrote:
> SV> On Thursday 13 March 2003 13:22, Michail Litvak wrote:
> SV> > Am I being slow? Or is an NS pointing at a CNAME not supposed to work? (RFC1912)
> SV> > Because of this, reverse lookups don't work for ukrtel...
> SV>
> SV> And where in this RFC does it say that it should?
> SV>
> SV> Don't use CNAMEs in combination with RRs which point to other names
> SV> like MX, CNAME, PTR and NS.
>
> Section 2.4, last paragraph:
>
> Having NS records pointing to a CNAME is bad and may conflict badly
> with current BIND servers. In fact, current BIND implementations
> will ignore such records, possibly leading to a lame delegation.
> There is a certain amount of security checking done in BIND to
> prevent spoofing DNS NS records. Also, older BIND servers reportedly
> will get caught in an infinite query loop trying to figure out the
> address for the aliased nameserver, causing a continuous stream of
> DNS requests to be sent.
>
> CU!

Well, it does say that a CNAME is bad. :) And RFC1034 says

  Domain names in RRs which point at another name should always point at
  the primary name and not the alias

and BIND 8 goes crazy over them

named[98]: ns_forw: query(1.18.5.195.in-addr.arpa) All possible A RR's lame
named[98]: ns_forw: query(1.18.5.195.in-addr.arpa) NS points to CNAME (ns.dc.ukrtel.net:) learnt (CNAME=195.5.6.10:NS=192.93.0.4)

--
wbr, slava [vovk-uanic]

Hello Slava Vovk!

Thu, Mar 13, 2003 at 01:49:50PM +0200, vovk wrote about "[uanog] Re: reverse DNS and CNAME":

SV> Well, it does say that a CNAME is bad. :) And RFC1034 says
SV> Domain names in RRs which point at another name should always point at
SV> the primary name and not the alias
SV>
SV> and BIND 8 goes crazy over them
SV> named[98]: ns_forw: query(1.18.5.195.in-addr.arpa) All possible A RR's lame
SV> named[98]: ns_forw: query(1.18.5.195.in-addr.arpa) NS points to CNAME (ns.dc.ukrtel.net:) learnt (CNAME=195.5.6.10:NS=192.93.0.4)

Exactly.... Can't the Ukrtelecom people read an RFC, or what :-\

CU!
--
//ShaD0w

Hi Michail,

> Sorry for the newbie question...
> [...]
> 18.5.195.in-addr.arpa. 432000 IN NS ns.ukrtel.net.
> 18.5.195.in-addr.arpa. 432000 IN NS ns.dc.ukrtel.net.

Both go through a CNAME and, as I understand it, the only reason they don't work is BIND:

  Having NS records pointing to a CNAME is bad and may conflict badly
  with current BIND servers. In fact, current BIND implementations
  will ignore such records, possibly leading to a lame delegation.
  There is a certain amount of security checking done in BIND to
  prevent spoofing DNS NS records. Also, older BIND servers reportedly
  will get caught in an infinite query loop trying to figure out the
  address for the aliased nameserver, causing a continuous stream of
  DNS requests to be sent.

ftp://ftp.ripe.net/rfc/rfc1912.txt

Because in theory it ought to work, but BIND won't swallow that.

--
Michael
The end crowns the body.

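Added example, not part of any message in the thread: a small Python check for the condition discussed above, an NS record whose target owns a CNAME. The records are copied from the dig output quoted in the first message; the function names and status labels are this example's own.

```python
# Added example: flag NS records whose target is a CNAME alias (RFC 1912, section 2.4).
# RECORDS is copied from the dig output quoted in the thread; it runs offline.
RECORDS = """\
18.5.195.in-addr.arpa. 432000 IN NS ns.ukrtel.net.
18.5.195.in-addr.arpa. 432000 IN NS ns.dc.ukrtel.net.
ns.ukrtel.net. 50925 IN CNAME expert.ukrtel.net.
ukrtel.net. 18098 IN NS expert.ukrtel.net.
ukrtel.net. 18098 IN NS ns2.eu.concert.net.
ukrtel.net. 18098 IN NS ns.cw.net.
expert.ukrtel.net. 11427 IN A 195.5.6.10
ns2.eu.concert.net. 104499 IN A 195.99.65.212
ns.cw.net. 60986 IN A 204.70.128.1
"""

def parse_records(text):
    """Parse 'owner ttl class type rdata' lines, skipping dig comment lines (';')."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) != 5:
            continue  # not a full resource record line
        owner, _ttl, _cls, rtype, rdata = fields
        rrs.append((owner.lower(), rtype.upper(), rdata.strip().lower()))
    return rrs

def audit_ns_targets(rrs):
    """Return {(zone, ns_target): status}; status is 'cname', 'ok' or 'no-data'."""
    aliases = {owner for owner, rtype, _ in rrs if rtype == "CNAME"}
    addressed = {owner for owner, rtype, _ in rrs if rtype in ("A", "AAAA")}
    report = {}
    for owner, rtype, target in rrs:
        if rtype != "NS":
            continue
        if target in aliases:
            report[(owner, target)] = "cname"    # NS names an alias: the RFC 1912 case
        elif target in addressed:
            report[(owner, target)] = "ok"       # NS names a host with an address record
        else:
            report[(owner, target)] = "no-data"  # nothing in the sample; needs a live query
    return report

if __name__ == "__main__":
    for (zone, ns), status in audit_ns_targets(parse_records(RECORDS)).items():
        print(f"{zone:24} NS {ns:22} {status}")
```

ns.dc.ukrtel.net. comes back as no-data because the quoted dig output contains no record owned by that name, so the sample alone cannot classify it.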
participants (3)
- Michael Petuschak
- Michail Litvak
- Slava Vovk