[Pdns-users] CNAME Resolution

Tony Annese tony.annese at whidbeytel.com
Mon Dec 5 17:58:38 UTC 2022


So PDNS is reporting these CNAMEs as errors/being out of zone

root@nspower:~# pdnsutil check-zone icfd3.org
Dec 05 09:42:24 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
[Error] Record 'enterpriseenrollment.icdf3.org IN CNAME enterpriseenrollment.manage.microsoft.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'enterpriseregistration.icdf3.org IN CNAME enterpriseregistration.windows.net' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'lyncdiscover.icdf3.org IN CNAME webdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'selector1._domainkey.icdf3.org IN CNAME selector1-icfd3-org._domainkey.SouthWhidbeyFE.onmicrosoft.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'selector2._domainkey.icdf3.org IN CNAME selector2-icfd3-org._domainkey.SouthWhidbeyFE.onmicrosoft.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record 'sip.icdf3.org IN CNAME sipdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record '_sip._tls.icdf3.org IN SRV 100 1 443 sipdir.online.lync.com' in zone 'icfd3.org' is out-of-zone.
[Error] Record '_sipfederationtls._tcp.icdf3.org IN SRV 100 1 5061 sipfed.online.lync.com' in zone 'icfd3.org' is out-of-zone.
Checked 31 records of 'icfd3.org', 8 errors, 0 warnings.

So how do I tell PDNS to allow out-of-zone CNAME (and SRV) records?


From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> on behalf of Markus Ehrlicher via Pdns-users <pdns-users at mailman.powerdns.com>
Date: Monday, December 5, 2022 at 3:36 AM
To: 'pdns-users at mailman.powerdns.com' <pdns-users at mailman.powerdns.com>
Subject: Re: [Pdns-users] CNAME Resolution
Hello,

What does "pdnsutil check-zone icfd3.org" on the Master say?

Best regards,
Markus

From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On Behalf Of Tony Annese via Pdns-users
Sent: Monday, 5 December 2022 12:20
To: pdns-users at mailman.powerdns.com
Subject: Re: [Pdns-users] CNAME Resolution

Those were wildcard entries for the whole domain icfd3.org.

I’ve removed those and get the same behavior. It also doesn’t explain why barracuda058130353572.icfd3.org does resolve.

PDNS is my master server and ns.whidbey.net/ns.whidbey.com are my slaves. I just added testing.icfd3.org and it was pushed out to the 2 slaves but the CNAME for sip.icfd3.org isn’t even being pushed out to the slaves.


From: Brian Candler <b.candler at pobox.com>
Date: Sunday, December 4, 2022 at 11:20 PM
To: Tony Annese <tony.annese at whidbeytel.com>, pdns-users at mailman.powerdns.com <pdns-users at mailman.powerdns.com>
Subject: Re: [Pdns-users] CNAME Resolution
On 05/12/2022 05:03, Tony Annese via Pdns-users wrote:
Here is the unobfuscated data.

Thank you, because that now makes it possible to help you:

$ dig +norec @ns.whidbey.net. sip.icfd3.org. any
...

;; ANSWER SECTION:
sip.icfd3.org.        3600    IN    TXT    "v=spf1 mx include:ess.barracudanetworks.com include:spf.protection.outlook.com ~all"
sip.icfd3.org.        3600    IN    MX    0 d227914a.ess.barracudanetworks.com.
sip.icfd3.org.        3600    IN    MX    10 d227914b.ess.barracudanetworks.com.

You cannot have other resource records alongside a CNAME.  That's a requirement of the DNS, not of Powerdns specifically.

You should put A/AAAA records there.  Or if you want to avoid the duplication of information, you can look into ALIAS records which do this for you.
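
The two rules that come up in this thread, as an added Python example (not part of the original messages and not pdnsutil's code): a record's owner name must sit inside the zone, and a CNAME may not share its owner name with other data. The records are constructed from names quoted above; note that the owner names in the check-zone output are spelled icdf3.org while the zone is icfd3.org. The function names are hypothetical.

```python
from collections import defaultdict

# Types allowed to share an owner name with a CNAME (DNSSEC metadata only).
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}

# Constructed sample records (owner, type, rdata), modelled on names in this thread.
SAMPLE = [
    ("icfd3.org.", "MX", "0 d227914a.ess.barracudanetworks.com."),
    # Owner spelled as printed in the check-zone output: icdf3, not icfd3.
    ("enterpriseregistration.icdf3.org.", "CNAME", "enterpriseregistration.windows.net."),
    # In-zone owner with an external target: acceptable.
    ("lyncdiscover.icfd3.org.", "CNAME", "webdir.online.lync.com."),
    # CNAME sharing its owner name with MX and TXT: not allowed.
    ("sip.icfd3.org.", "CNAME", "sipdir.online.lync.com."),
    ("sip.icfd3.org.", "MX", "0 d227914a.ess.barracudanetworks.com."),
    ("sip.icfd3.org.", "TXT", '"v=spf1 mx ~all"'),
]


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def in_zone(owner, zone):
    """True if owner is the zone apex or a name below it (label-aligned match)."""
    owner, zone = normalize(owner), normalize(zone)
    return owner == zone or owner.endswith("." + zone)


def lint_zone(zone, records):
    """Return (out_of_zone_owners, cname_conflict_owners), both sorted."""
    types_by_owner = defaultdict(set)
    out_of_zone = set()
    for owner, rtype, _rdata in records:
        name = normalize(owner)
        if in_zone(name, zone):
            types_by_owner[name].add(rtype.upper())
        else:
            out_of_zone.add(name)  # the CNAME/SRV target is never considered here
    conflicts = [name for name, types in types_by_owner.items()
                 if "CNAME" in types and types - ALLOWED_WITH_CNAME]
    return sorted(out_of_zone), sorted(conflicts)


if __name__ == "__main__":
    bad_owners, conflicts = lint_zone("icfd3.org", SAMPLE)
    print("out-of-zone owners:", bad_owners)
    print("CNAME with other data:", conflicts)
```
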