Which of these DNS records has priority?

Say I have these two records defined:
*.example.com CNAME <some name>
foo.example.com TXT <some text>
What is expected to happen if I run a DNS query like this?
dig TXT foo.example.com
I would expect to get the TXT record defined above in the answer section, since it's more explicitly defined. But, what I get from my DNS provider is the CNAME defined for the wildcard.
I've raised this issue with them, and they say they are following the correct behaviour. This is the explanation they gave me:
Refer section 2.4 in RFC1912 about "Common DNS errors". http://www.rfc-editor.org/rfc/rfc1912.txt "A CNAME record is not allowed to coexist with any other data. In other words, if suzy.podunk.xx is an alias for sue.podunk.xx, you can't also have an MX record for suzy.podunk.edu, or an A record, or even a TXT record."
Basically, this means that if you add a CNAME record for *.example.com, it will always take priority over any other record; even if those records are added for a specific subdomain, they're still ignored. There is nothing we can do in this case. It's how DNS is supposed to work, according to the DNS standard.
Is this correct? Does the section in the referred RFC cover the case of a wildcard? Can anyone give me an authoritative answer and provide a link to the source?

The Wikipedia page on DNS wildcards is pretty clear, with examples (see the one about host1.example).
In short, a wildcard is only used if the "direct" full name is not found.
You can find all the explanations in section 4.3.2 of https://www.rfc-editor.org/rfc/rfc1034 and specifically point 3.a and point 3.c:
a. If the whole of QNAME is matched, we have found the
node.
If the data at the node is a CNAME, and QTYPE doesn't
match CNAME, copy the CNAME RR into the answer section
of the response, change QNAME to the canonical name in
the CNAME RR, and go back to step 1.
Otherwise, copy all RRs which match QTYPE into the
answer section and go to step 6.
[..]
c. If at some label, a match is impossible (i.e., the
corresponding label does not exist), look to see if a
the "*" label exists.
See how it specifically first searches for the full name, with an extra condition if it is a CNAME; but this is not your case if you query for a TXT.
In your case, if you query for the TXT record specifically, then that should be returned, irrespective of any wildcard.
In fact the TXT on foo.example.com will hide any other type: a CNAME request on it should not return the value in the wildcard but instead stop with NOERROR NODATA, meaning that the name exists, just not for this type.
This is exactly the host1.example case in the above Wikipedia page.
It is very easy to try in fact.
With this zonefile:
$TTL 1
@ IN SOA localhost. root.localhost. (1 604800 86400 419200 604800)
IN NS a.example.org.
IN NS b.example.org.
IN NS c.example.org.
*.example.com. IN CNAME foobar.example.net.
foobar.example.com. IN TXT "I am here."
(the beginning is just boilerplate to have bind really load the zone)
if you do dig @127.0.0.1 foobar.example.com TXT you get as expected:
;; ANSWER SECTION:
foobar.example.com. 1 IN TXT "I am here."
If you query for any other record type on the same name, including CNAME, you get NOERROR without any CNAME in the reply (the wildcard is hidden by the explicit name in the zonefile, and you get NOERROR but no data for any record type other than TXT on this name, as this is the only record type in the zonefile), and the wildcard works for any other name, e.g. dig @127.0.0.1 not-foobar.example.com TXT gives:
;; ANSWER SECTION:
not-foobar.example.com. 1 IN CNAME foobar.example.net.
The explanations you were given are not the correct ones and do not apply to your use case. The quote would only apply to this kind of (invalid) configuration:
*.example.com. CNAME <some name>
*.example.com. TXT <some text>
but this is not related to the wildcard, the same problem appears with the following configuration that will be rejected by any compliant nameserver:
foobar.example.com. CNAME <some name>
foobar.example.com. TXT <some text>
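As an added illustration (not code from the answer above), here is a small Python lookup that applies RFC 1034 section 4.3.2 steps 3.a and 3.c to the zone from the answer. The zone dictionary and the extra query names are constructed; it goes one step beyond the answer by also showing that the wildcard does not match below a name that exists (x.foobar.example.com).

```python
# Added example, not the original answer's code: a toy authoritative lookup that
# applies RFC 1034 section 4.3.2 steps 3.a and 3.c to a single zone.

# Constructed zone, mirroring the answer's zonefile: owner name -> [(type, rdata)].
ZONE = {
    "example.com.": [("SOA", "localhost. root.localhost."), ("NS", "a.example.org.")],
    "*.example.com.": [("CNAME", "foobar.example.net.")],
    "foobar.example.com.": [("TXT", '"I am here."')],
}

def _nodes(zone):
    """Every node that exists in the zone tree, including empty non-terminals."""
    nodes = set()
    for name in zone:
        labels = name.split(".")
        for i in range(len(labels)):
            nodes.add(".".join(labels[i:]))  # every suffix, down to the root ""
    return nodes

def _answer(owner, rrs, qtype):
    """Copy the RRs matching QTYPE; a CNAME is copied instead unless QTYPE is CNAME."""
    cname = [r for r in rrs if r[0] == "CNAME"]
    if cname and qtype != "CNAME":     # a real resolver would then chase the target
        return [(owner,) + cname[0]]
    return [(owner,) + r for r in rrs if r[0] == qtype]

def lookup(zone, qname, qtype):
    """Return (rcode, answers); NOERROR with an empty list is the NODATA case."""
    nodes = _nodes(zone)
    node = ""                           # the label walk starts at the root
    for label in reversed(qname.rstrip(".").split(".")):
        child = label + "." + node
        if child in nodes:              # this label exists: keep descending
            node = child
            continue
        # Step 3.c: the label does not exist, so only a "*" at this node can match,
        # and its RRs are returned with the owner rewritten to QNAME.
        wildcard = "*." + node
        if wildcard not in zone:
            return "NXDOMAIN", []
        return "NOERROR", _answer(qname, zone[wildcard], qtype)
    # Step 3.a: the whole QNAME matched an existing node; wildcards are not consulted.
    return "NOERROR", _answer(qname, zone.get(node, []), qtype)
```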


How to understand whether I need to put . sign or @ sign at the end of label in DNS SOA rname record?

Is there any convention I missed while parsing SOA record RNAME field?
For example amazon.com SOA rname is: root@amazon.com
But when a program parses it there is no @ symbol; it is treated like a regular domain label.
Question is, how would I understand whether I need to put a . sign or an @ sign at the end of the label?
For example amazon.com SOA rname is: root@amazon.com
No it is not:
$ dig SOA amazon.com +noall +ans
amazon.com. 14m50s IN SOA dns-external-master.amazon.com. root.amazon.com. (
2010155050 ; serial
180 ; refresh (3 minutes)
60 ; retry (1 minute)
3024000 ; expire (5 weeks)
60 ; minimum (1 minute)
)
The MNAME ("The <domain-name> of the name server that was the original or primary source of data for this zone.") is dns-external-master.amazon.com. and the RNAME ("A <domain-name> which specifies the mailbox of the person responsible for this zone.") is root.example.com (in quotes, definition from RFC 1035 which is canonical on this).
There can never be @ in the RNAME (and even less so in the MNAME, which should correspond to a hostname). This is because @ has a special meaning in DNS, and it predates the global use of email as we know it today.
You have the example in RFC 1035 explaining things:
@ IN SOA VENERA Action\.domains (
20 ; SERIAL
7200 ; REFRESH
600 ; RETRY
3600000; EXPIRE
60) ; MINIMUM
[..]
Note the use of the \ character in the SOA RR to specify the responsible
person mailbox "Action.domains@E.ISI.EDU".
It is further explained in §3.3 of RFC 1034:
For mailboxes, the mapping is slightly more complex. The usual mail
address <local-part>@<mail-domain> is mapped into a domain name by
converting <local-part> into a single label (regardles of dots it
contains), converting <mail-domain> into a domain name using the usual
text format for domain names (dots denote label breaks), and
concatenating the two to form a single domain name. Thus the mailbox
HOSTMASTER@SRI-NIC.ARPA is represented as a domain name by
HOSTMASTER.SRI-NIC.ARPA.
Note that if you do anything around DNS, and specifically any kind of client or server, you MUST absolutely read RFC 1034 and 1035, and multiple times. Yes, they are full of holes/ambiguities and things that have changed later.
But they must be gospel to your ears, otherwise you will have a lot of DNS problems.
After that, as a modern resource, RFC 8499 should be your bible, as it has everything related to DNS terminology and pointers to resources.
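As an added example (not code from the answer above), the RFC 1034 §3.3 mapping between a mailbox and the SOA RNAME in both directions, which is exactly what a parser of the RNAME field has to do: the first label is the whole local part, and a dot inside it is escaped as \. in master-file syntax. The sample mailboxes are the ones quoted from the RFCs plus constructed ones.

```python
# Added example, not the original answer's code: mailbox <-> RNAME mapping
# per RFC 1034 section 3.3 (escaping as in RFC 1035 master-file syntax).

def mailbox_to_rname(mailbox):
    """'Action.domains@E.ISI.EDU' -> 'Action\\.domains.E.ISI.EDU.'"""
    local, _, mail_domain = mailbox.partition("@")
    if not local or not mail_domain:
        raise ValueError("mailbox needs a local part and a mail domain")
    # The whole local part becomes ONE label, so dots inside it are escaped;
    # the mail domain keeps its usual labels (dots denote label breaks).
    return local.replace(".", "\\.") + "." + mail_domain.rstrip(".") + "."

def _split_labels(name):
    """Split a master-file name on unescaped dots; '\\.' is a literal dot in a label."""
    labels, current, i = [], "", 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):   # escaped character: take it literally
            current += name[i + 1]
            i += 2
            continue
        if ch == ".":
            labels.append(current)
            current = ""
        else:
            current += ch
        i += 1
    if current:                                # name without a trailing dot
        labels.append(current)
    return labels

def rname_to_mailbox(rname):
    """'root.amazon.com.' -> 'root@amazon.com': there is never an @ in the RNAME."""
    labels = _split_labels(rname)
    if len(labels) < 2:
        raise ValueError("RNAME must carry a local part and a mail domain")
    return labels[0] + "@" + ".".join(labels[1:])
```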

splitting DNS IN TXT records over multiple lines for DMARC et al

Over at dmarc.org, it's suggested that IN TXT records of DNS could be written in a special form within the zone file to make them not overflow the lines in your text editor.
The DMARC policy record might look like this when retrieved using a
common command-line tool:
% dig +short TXT _dmarc.example.com.
"v=DMARC1\; p=none\; rua=mailto:dmarc-feedback@example.com"
To publish such a record, the DNS administrator for the Domain Owner
creates an entry like the following in the appropriate zone file
(following the conventional zone file format):
; DMARC record for the domain example.com
_dmarc IN TXT ( "v=DMARC1; p=none; "
"rua=mailto:dmarc-feedback@example.com" )
I've tried following the example in my actual zone file with NSD; however, when I then query the domain, I actually get the results wrapped up on multiple lines, too.
% dig +short TXT _dmarc.example.su
"v=DMARC1\; " "p=reject\; " "rua=mailto:rua-dmarc@example.su"
Is this expected? Is this likely to break some software that's supposed to parse these TXT records to get the DMARC / SPF / DKIM / etc?
The individual components of a TXT record may only contain up to 255 characters each, since they're transmitted on the wire in <length><data ...> format.
Any code that's potentially expecting to take more than 255 characters SHOULD be able to coalesce multiple components into a single character array.
In master file format the braces surrounding the strings indicate that multiple components are to be included in a single TXT record - without them this would have created two separate TXT records, and the relative order of the two records would be undefined and subject to change.
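As an added illustration (not code from the answer above), a Python encoder/decoder for TXT RDATA in the wire <length><data> format, showing that the multi-string form from the question and the single-string form carry the same value once a reader coalesces the components, and that a value longer than 255 characters has no choice but to be split. The DMARC strings are constructed in the style of the question.

```python
# Added example, not the original answer's code: TXT RDATA as <length><data> components
# (RFC 1035 section 3.3.14) and the coalescing a DMARC/SPF/DKIM reader must perform.

def encode_txt_rdata(strings):
    """Build the RDATA of one TXT record from one or more character-strings."""
    out = bytearray()
    for s in strings:
        data = s.encode()
        if len(data) > 255:             # one length octet: a component cannot exceed 255
            raise ValueError("TXT component longer than 255 octets")
        out.append(len(data))
        out += data
    return bytes(out)

def decode_txt_rdata(rdata):
    """Return the components exactly as carried on the wire."""
    parts, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        parts.append(rdata[i + 1:i + 1 + n].decode())
        i += 1 + n
    if i != len(rdata):                 # a truncated last component is malformed
        raise ValueError("malformed TXT RDATA")
    return parts

def txt_value(rdata):
    """What a policy parser must do: concatenate the components with no separator."""
    return "".join(decode_txt_rdata(rdata))

def split_for_zonefile(value, width=255):
    """Chunks a master file can carry inside ( ... ) as one TXT record."""
    return [value[i:i + width] for i in range(0, len(value), width)]

# Constructed samples: the question's split form and the one-line form.
MULTI = encode_txt_rdata(["v=DMARC1; ", "p=reject; ", "rua=mailto:rua-dmarc@example.su"])
SINGLE = encode_txt_rdata(["v=DMARC1; p=reject; rua=mailto:rua-dmarc@example.su"])
```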
It's hard to tell, since it will depend on the final implementation of the DMARC checker. However, even as detailed in the DMARC document, a DMARC record is not so big that you could overflow your editor.
In my case, using the last opendmarc package on Ubuntu Trusty (14.04) along with Postfix, made the daemon crash when processing some weird/malformed DMARC DNS records (but not exactly the case you mention).
I would simply use the one-line approach and play it safe, not just because of a possible break of the checker software, but because even worse would be getting your mail rejected because the policy doesn't seem to be aligned when it actually is!
So I'd just add something like this:
_dmarc.example.su IN TXT "v=DMARC1; p=reject; rua=mailto:rua-dmarc@example.su"

How to add a TXT DNS record to configure OpenDKIM

I need to send e-mails from my virtual server; the problem is that e-mails containing links end up being considered junk! But I need to insert links in my e-mails.
So I have installed Postfix, configured it to send e-mails using my SMTP mailbox, and now I am trying to configure OpenDKIM to sign my e-mails. I have done all the steps correctly except one: adding the TXT DNS record!
I have read this guide: https://syslog.tv/2010/01/11/dkim-on-debian-with-postfix/.
We have to add these 2 TXT DNS records:
_domainkey.DOMAIN.TLD. IN TXT "t=y; o=-;"
SELECTOR._domainkey.DOMAIN.TLD. IN TXT "k=rsa; t=y; p=YOUR_PUBLIC_KEY_HERE"
But I don't understand HOW I can add these records... in my DNS control panel I must specify at least 3 fields for each new DNS record: the type is for sure TXT, ok, but what are the name of the record and the value of the record?
I have tried to add the first as follows:
Name: _domainkey.mydomain.example.
Type: TXT
Value: t=y; o=-;
But I receive an error message that tells me that it is not possible to add a subdomain? Then I have tried to reverse the fields/value:
Name: t=y; o=-;
Type: TXT
Value: _domainkey.mydomain.example.
But this time I will not see any type of message/error from my control panel, so I don't understand if there is a problem in it or something else?
Can someone help me please?
You can add the DNS record like this:
Name: selector._domainkey
Type: TXT
Value: k=rsa; t=y; p=YOUR_PUBLIC_KEY_HERE
NOTE: the selector means the selector you used when creating the OpenDKIM key.

What is the right way to get the list of DNS servers responsible for certain host?

I use the following steps:
Query A records for host, some servers return NS records in authority section, so I extract them from that section, if any.
Query NS records, extract them from answer section.
The problem is with "subdomains" (CNAME), for example:
> dig www.microsoft.com A
;; ANSWER SECTION:
www.microsoft.com. 696 IN CNAME toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 119 IN CNAME g.www.ms.akadns.net.
g.www.ms.akadns.net. 263 IN CNAME lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net. 31 IN A 65.55.12.249
> dig www.microsoft.com NS
;; ANSWER SECTION:
www.microsoft.com. 619 IN CNAME toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 42 IN CNAME g.www.ms.akadns.net.
g.www.ms.akadns.net. 186 IN CNAME lb1.www.ms.akadns.net.
;; AUTHORITY SECTION:
akadns.net. 174 IN SOA internal.akadns.net. hostmaster.akamai.com. 1304057105 90000 90000 90000 180
> dig lb1.www.ms.akadns.net A
;; ANSWER SECTION:
lb1.www.ms.akadns.net. 79 IN A 65.55.12.249
> dig lb1.www.ms.akadns.net NS
;; AUTHORITY SECTION:
akadns.net. 176 IN SOA internal.akadns.net. hostmaster.akamai.com. 1304057402 90000 90000 90000 180
As you can see, there are no NS records returned. How to overcome this problem?
Your algorithm is wrong. Here's the right one.
For each successively shorter superdomain S of the target domain name T, starting with T itself:
Perform an NS lookup on S. If the answer is not a non-empty resource record set, go to step 3. Otherwise you have a set of intermediate domain names D[].
Perform A and AAAA lookups on each name in D[]. This will give you a set of IP addresses. You have your answer. END.
Optionally perform a SOA lookup on S. If the answer is a non-empty resource record set, you are about to cross an administrative boundary having found no non-empty NS resource record set thus far. You may choose, according to exactly what you are trying to find out, to ABEND.
Remember that you have to make queries to your own resolving proxy DNS server, not to the external content DNS servers, so that you get a complete answer rather than a partial one. Also remember that you have to follow CNAME chains when inspecting responses. The response to your dig www.microsoft.com. NS query above, for example, is a CNAME chain leading to an empty NS resource record set for lb1.www.ms.akadns.net..
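As an added illustration (not code from the answer above), the three-step walk from the answer run in Python against a constructed stub of a resolving proxy server, so it runs offline. The stub holds only what the question's dig output shows (plus an NS for akadns.net. derived from its SOA MNAME, with made-up documentation-range addresses), so it has no delegation for microsoft.com. itself; it does show the CNAME chain being followed to an empty NS RRset, and the walk succeeding for lb1.www.ms.akadns.net.

```python
# Added example, not the original answer's code: the answer's three-step walk run
# against a constructed stub of a resolving proxy DNS server (no network access).
# The records mirror the question's dig output; the addresses of internal.akadns.net.
# are constructed documentation-range values (RFC 5737 / RFC 3849).

# Constructed resolver cache: (owner name, type) -> list of rdata strings.
CACHE = {
    ("www.microsoft.com.", "CNAME"): ["toggle.www.ms.akadns.net."],
    ("toggle.www.ms.akadns.net.", "CNAME"): ["g.www.ms.akadns.net."],
    ("g.www.ms.akadns.net.", "CNAME"): ["lb1.www.ms.akadns.net."],
    ("lb1.www.ms.akadns.net.", "A"): ["65.55.12.249"],
    ("akadns.net.", "NS"): ["internal.akadns.net."],
    ("akadns.net.", "SOA"): ["internal.akadns.net. hostmaster.akamai.com. 1304057105 90000 90000 90000 180"],
    ("internal.akadns.net.", "A"): ["192.0.2.10"],       # constructed
    ("internal.akadns.net.", "AAAA"): ["2001:db8::53"],  # constructed
}

def query(name, qtype, cache=CACHE, depth=0):
    """Resolve like a proxy server would: follow the CNAME chain when the name is an alias."""
    if (name, qtype) in cache:
        return cache[(name, qtype)]
    alias = cache.get((name, "CNAME"))
    if alias and depth < 8:                  # loop guard on the chain length
        return query(alias[0], qtype, cache, depth + 1)
    return []                                # empty RRset (NODATA and NXDOMAIN alike)

def superdomains(name):
    """T, then each successively shorter superdomain of T (root omitted)."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

def authoritative_servers(target, cache=CACHE, stop_at_soa=False):
    """Return (S, {nameserver: [addresses]}) for the first S with a non-empty NS RRset,
    or None if none is found (or, with stop_at_soa, an SOA boundary is crossed first)."""
    for s in superdomains(target):
        names = query(s, "NS", cache)                                  # step 1
        if names:                                                      # step 2
            return s, {n: query(n, "A", cache) + query(n, "AAAA", cache) for n in names}
        if stop_at_soa and query(s, "SOA", cache):                     # step 3: ABEND
            return None
    return None
```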

DNS Zone Name

In a DNS zone file, for the type 'A', what is the difference between the name '*' and the name '@'?
What does each do?
* A myIp
@ A myIp
Also if anyone knows a nice tutorial on editing and fine-tuning DNS zone file in general I'd appreciate it.
Thanks!
The @ symbol represents the current (fully qualified) zone name, as usually set with $ORIGIN.
The * symbol is the wildcard label: the DNS server will respond to queries for unknown labels with the data from here.
The @ symbol means that nothing comes before the domain name, and * means that anything can come before the domain name.
Refer: http://www.ipprimer.com/dns.cfm
