Category: DNS
Subdomain delegation

I use dyndns.org for free domain names. They now offer subdomain delegation. I was wondering if anyone (FreeBSD) can offer me some info on setting this up on my end using a BIND alternative.



Thanks,


Linux -The Unix defrag

>> I was wondering if anyone (FreeBSD) can offer me some info

You will need to provide more info about your authoritative DNS server before I can give you some info. At the very least, I need to know whether you want your slackdaddy.dyndns.org to be delegated to ns1.slackdaddy.dyndns.org or ns1.anotherdomain.com. For the second, it's so-called gluelessness, which is not recommended as mentioned by djb (qmail author).

>> setting this up on my end using a BIND alternative

Do you know enough BIND?

Anyway, please read http://cr.yp.to/djbdns/parents.html before you start. And if you run into any problems, feel free to ask here.

My domain is linuxpimp.ath.cx. My NS will be ns.linuxpimp.ath.cx. I also have another domain (trick.ath.cx) that I want to delegate to ns.linuxpimp.ath.cx.

I think I have a grasp on how to do it with djbdns.

I am a little concerned about the whole gluelessness deal; I don't see how I do it the way DJ recommends:

"I recommend that all DNS servers be in-bailiwick servers with glue. External DNS servers should be given internal names, with address records copied automatically (preferably by some secure mechanism) from the external names to the internal names."

Can you comment on that?

I know enough about BIND to know I don't want to use BIND.

>> My domain is linuxpimp.ath.cx

Do you really mean ath.cx?

>> I want to delegate to ns.linuxpimp.ath.cx

Currently your linuxpimp.ath.cx is highly misconfigured. Further, without sufficient static IPs, you just can't create ns.linuxpimp.ath.cx. How many static IPs do you have? Just 64.216.139.19-20?

>> Can you comment on that

If ath.cx is your domain, you host it yourself, not dyndns.org. You delegate its subdomain like linuxpimp.ath.cx to ns.linuxpimp.ath.cx.

Like I always said, all dynamic DNS services suck. dyndns.org alone already misconfigured their SOA, NS and MX. Their DNS knowledge should never be trusted in the first place.

1) At root servers (if you do a whois on dyndns.org):

Domain servers in listed order:

NS.DYNDNS.ORG 66.37.218.205
NS2.DYNDNS.ORG 216.7.11.147
NS3.DYNDNS.ORG 64.71.191.26
NS4.DYNDNS.ORG 212.100.224.171
NS5.DYNDNS.ORG 66.37.218.206


2) Their NS record for dyndns.org:

authority: dyndns.org 86400 NS ns1.dyndns.org
authority: dyndns.org 86400 NS ns2.dyndns.org
authority: dyndns.org 86400 NS ns3.dyndns.org
authority: dyndns.org 86400 NS ns4.dyndns.org
authority: dyndns.org 86400 NS ns5.dyndns.org

3) Check the ones in bold in (1) and (2), they DON'T MATCH. They configure one of their NSs to be ns1.dyndns.org; however, it CANNOT be traced from root servers. It's very bad as a popular dynamic DNS host when they misconfigured their DNS on their own domain. The fix for them is to change ns to ns1 or ns1 to ns for their NS record, so that the root servers agree with it. Currently there is a 1/6 chance you can't reach a xxx.dyndns.org site because of such misconfiguration.
Like I said, whoever runs BIND must not have a clue about DNS. They are running BIND 9.2.

4) Their MX:

50 mail2.dyndns.org
20 mail.dyndns.org

Both of their reverse DNS don't match.
mail.dyndns.org claims itself to be quartz.bos.dyndns.org while mail2.dyndns.org claims itself to be emerald.ith.dyndns.org. They should have used:

50 emerald.ith.dyndns.org
20 quartz.bos.dyndns.org

in the first place.

>> I know enough about BIND to know I don't want to use BIND

Great!! You've made the right choice. Before doing any delegation, I suggest you start running your own authoritative DNS server for ath.cx. Make sure it's properly configured, then move on to subdomain delegation. dyndns.org sucks, ditch them now.
BTW, you should switch ISPs to SpeakEasy.net if you really want to play with this DNS stuff; swbell.net sucks. You will never get a matching reverse DNS with swbell.net. Reverse DNS is not required for end-users. If you are planning to run authoritative DNS servers and host for others, you're urged to have a working reverse DNS.

AMEN BROTHER--dyndns.org is a joke. If you set up some dynamic hosts, make sure you do it with several companies at a time, so that when DYNDNS.ORG decides to CHANGE THE PROTOCOL out of the blue, you won't have your presence erased! I wonder how hardware guys that were dumb enough to offer dynamic domain name service clients at dyndns.org survived? The best thing I ever did was IMMEDIATELY write two more clients with dyns.net and another service that I cannot remember the name of as soon as dyndns.org screwed me over the first time. Now, those "backups" work FLAWLESSLY and dyndns.org is down again (or else I can't make a client work because they changed something again).
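
The parent/child NS comparison made by hand in the thread above, as an added example that is not part of any post: it parses the two listings exactly as quoted in the thread and reports which server names appear on only one side of the delegation. The function names are hypothetical, chosen for this illustration.

```python
import re

# Registry listing as quoted in the thread (whois on dyndns.org).
PARENT_WHOIS = """\
NS.DYNDNS.ORG 66.37.218.205
NS2.DYNDNS.ORG 216.7.11.147
NS3.DYNDNS.ORG 64.71.191.26
NS4.DYNDNS.ORG 212.100.224.171
NS5.DYNDNS.ORG 66.37.218.206
"""

# NS records served by the zone itself, as quoted in the thread.
CHILD_AUTHORITY = """\
authority: dyndns.org 86400 NS ns1.dyndns.org
authority: dyndns.org 86400 NS ns2.dyndns.org
authority: dyndns.org 86400 NS ns3.dyndns.org
authority: dyndns.org 86400 NS ns4.dyndns.org
authority: dyndns.org 86400 NS ns5.dyndns.org
"""

def normalize(name):
    """DNS names compare case-insensitively; drop any trailing root dot."""
    return name.strip().rstrip(".").lower()

def parent_ns(whois_text):
    """Map each server name in a 'NAME ADDRESS' listing to its glue address."""
    rows = (line.split() for line in whois_text.splitlines())
    return {normalize(r[0]): r[1] for r in rows if len(r) == 2}

def child_ns(authority_text, zone):
    """Collect NS targets for `zone` from 'authority: owner ttl NS target' lines."""
    pat = re.compile(r"authority:\s+(\S+)\s+\d+\s+NS\s+(\S+)", re.I)
    hits = (pat.match(line.strip()) for line in authority_text.splitlines())
    return {normalize(m.group(2)) for m in hits
            if m and normalize(m.group(1)) == normalize(zone)}

def compare_delegation(whois_text, authority_text, zone):
    """Report NS names present only at the parent or only in the zone."""
    parent = set(parent_ns(whois_text))
    child = child_ns(authority_text, zone)
    return {"parent_only": sorted(parent - child),
            "child_only": sorted(child - parent),
            "consistent": parent == child}

if __name__ == "__main__":
    print(compare_delegation(PARENT_WHOIS, CHILD_AUTHORITY, "dyndns.org"))
```
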









