<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.5pt">So PDNS is reporting these CNAMEs as errors/being out of zone<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas">root@nspower:~# pdnsutil check-zone icfd3.org<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas">Dec 05 09:42:24 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas">[Error] Record 'enterpriseenrollment.icdf3.org IN CNAME enterpriseenrollment.manage.microsoft.com' in zone 'icfd3.org' is out-of-zone.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas">[Error] Record 'enterpriseregistration.icdf3.org IN CNAME enterpriseregistration.windows.net' in zone 'icfd3.org' is out-of-zone.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas">[Error] Record 'lyncdiscover.icdf3.org IN CNAME webdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas">[Error] Record 'selector1._domainkey.icdf3.org IN CNAME selector1-icfd3-org._domainkey.SouthWhidbeyFE.onmicrosoft.com' in zone 'icfd3.org' is out-of-zone.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas">[Error] Record 'selector2._domainkey.icdf3.org IN CNAME selector2-icfd3-org._domainkey.SouthWhidbeyFE.onmicrosoft.com' in zone 'icfd3.org' is out-of-zone.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas">[Error] Record 'sip.icdf3.org IN CNAME sipdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas">[Error] Record '_sip._tls.icdf3.org IN SRV 100 1 443 sipdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas">[Error] Record '_sipfederationtls._tcp.icdf3.org IN SRV 100 1 5061 sipfed.online.lync.com' in zone 'icfd3.org' is out-of-zone.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:Consolas">Checked 31 records of 'icfd3.org', 8 errors, 0 warnings.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt">So how do I tell PDNS to allow out-of-zone CNAME (and SRV) records?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span lang="DE" style="font-size:12.0pt;color:black">From:
</span></b><span lang="DE" style="font-size:12.0pt;color:black">Pdns-users <pdns-users-bounces@mailman.powerdns.com> on behalf of Markus Ehrlicher via Pdns-users <pdns-users@mailman.powerdns.com><br>
<b>Date: </b>Monday, December 5, 2022 at 3:36 AM<br>
<b>To: </b>'pdns-users@mailman.powerdns.com' <pdns-users@mailman.powerdns.com><br>
<b>Subject: </b>Re: [Pdns-users] CNAME Resoluion<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="DE" style="font-size:11.0pt;color:#1F497D">Hello,</span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE" style="font-size:11.0pt;color:#1F497D">what does „pdnsutil check-zone icfd3.org“ on the Master say?</span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE" style="font-size:11.0pt;color:#1F497D">best regards,</span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE" style="font-size:11.0pt;color:#1F497D">Markus</span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="DE" style="font-size:11.0pt;color:#1F497D"> </span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="DE" style="font-size:11.0pt">Von:</span></b><span lang="DE" style="font-size:11.0pt"> Pdns-users <pdns-users-bounces@mailman.powerdns.com>
<b>Im Auftrag von </b>Tony Annese via Pdns-users<br>
<b>Gesendet:</b> Montag, 5. Dezember 2022 12:20<br>
<b>An:</b> pdns-users@mailman.powerdns.com<br>
<b>Betreff:</b> Re: [Pdns-users] CNAME Resoluion<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="DE" style="font-size:11.0pt"> <o:p></o:p></span></p>
<table class="MsoNormalTable" border="1" cellpadding="0" width="100%" style="width:100.0%;border:solid #FFD966 2.25pt">
<tbody>
<tr>
<td width="125" style="width:93.75pt;border:solid white 2.25pt;background:#0095A6;padding:3.75pt 3.75pt 3.75pt 3.75pt">
<p class="MsoNormal"><b><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:white">Externe E-Mail</span></b><span style="font-size:11.0pt"><o:p></o:p></span></p>
</td>
<td style="border:solid white 2.25pt;background:white;padding:3.75pt 0in 3.75pt 0in;min-width: 300px">
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#006362">Vorsicht! Links und Anhänge können Schadcode enthalten oder nachladen. Auffällige E-Mails als Anhang bitte an
<a href="mailto:virencheck@komsa.de"><span style="color:#006362">virencheck@komsa.de</span></a> zur Prüfung weiterleiten.</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:12.0pt;font-family:"Times New Roman",serif"><br>
<br>
<br>
</span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt">Those were wildcard entries for the whole domain icfd3.org.
</span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt">I’ve removed those and get the same behavior. It also doesn’t explain why barracuda058130353572.icfd3.org does resolve.
</span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt"> </span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt">PDNS is my master server and ns.whidbey.net/ns.whidbey.com are my slaves. I just added testing.icfd3.org and it was pushed out to the 2 slaves but the CNAME for sip.icfd3.org isn’t even being pushed out to
the slaves.</span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Brian Candler <<a href="mailto:b.candler@pobox.com">b.candler@pobox.com</a>><br>
<b>Date: </b>Sunday, December 4, 2022 at 11:20 PM<br>
<b>To: </b>Tony Annese <<a href="mailto:tony.annese@whidbeytel.com">tony.annese@whidbeytel.com</a>>,
<a href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a> <<a href="mailto:pdns-users@mailman.powerdns.com">pdns-users@mailman.powerdns.com</a>><br>
<b>Subject: </b>Re: [Pdns-users] CNAME Resoluion</span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">On 05/12/2022 05:03, Tony Annese via Pdns-users wrote:</span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt;color:black">Here is the unobfuscated data.</span><span lang="DE" style="font-size:11.0pt"><o:p></o:p></span></p>
</blockquote>
<p>Thank you, because that now makes it possible to help you:<span lang="DE"><o:p></o:p></span></p>
<p>$ dig +norec @ns.whidbey.net. sip.icfd3.org. any<br>
...<br>
<br>
;; ANSWER SECTION:<br>
sip.icfd3.org. 3600 IN TXT "v=spf1 mx include:ess.barracudanetworks.com include:spf.protection.outlook.com ~all"<br>
sip.icfd3.org. 3600 IN MX 0 d227914a.ess.barracudanetworks.com.<br>
sip.icfd3.org. 3600 IN MX 10 d227914b.ess.barracudanetworks.com.<span lang="DE"><o:p></o:p></span></p>
<p>You cannot have other resource records alongside a CNAME. That's a requirement of the DNS, not of Powerdns specifically.<span lang="DE"><o:p></o:p></span></p>
<p>You should put A/AAAA records there. Or if you want to avoid the duplication of information, you can look into ALIAS records which do this for you.<span lang="DE"><o:p></o:p></span></p>
</div>
</body>
</html>