CNAME restrictions

Leroy Tennison
I have a situation where, due to the system's location (IP subnet), its DNS name is <webserver>.<internal subdomain>.datavoiceint.com.  We have a certificate for *.datavoiceint.com which we prefer to use instead of having to acquire a certificate for <internal subdomain>.datavoiceint.com since this is a one-off internal-only web server.  Our (ISC) DNS servers (version 9.10.3-P4-Ubuntu that comes with Ubuntu 16.04) serve both domains.  I thought a solution would be to use a CNAME but, when I attempt this (via nsupdate with the update key which works for A and PTR adds and deletes) I get (on "send"):

 TSIG error with server: expected a TSIG or SIG(0)
update failed: NOTIMP

What I tried (on both <internal subdomain>.datavoiceint.com. and datavoiceint.com.) was:

update add <webserver>.datavoiceint.com. 86400 IN CNAME <webserver>.<internal subdomain>.datavoiceint.com.

Apparently I'm misunderstanding CNAME usage. If I actually can use a CNAME record, what should the format be (or do I need to configure bind differently to use it, since part of the reply is NOTIMP)?  If that's not possible due to CNAME restrictions, are there any alternatives?

Thanks for your help.

Harriscomputer

Leroy Tennison
Network Information/Cyber Security Specialist
E: [hidden email]
P:


2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: CNAME restrictions

Matus UHLAR - fantomas
On 04.08.20 17:29, Leroy Tennison wrote:
>I have a situation where, due to the system's location (IP subnet), its DNS
> name is <webserver>.<internal subdomain>.datavoiceint.com.  We have a
> certificate for *.datavoiceint.com which we prefer to use

A wildcard in certificates only covers one level of subdomains, so
*.datavoiceint.com will cover <internal subdomain>.datavoiceint.com but not
anything under it.

You will have to strip the <webserver> part or get another certificate.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Re: CNAME restrictions

Reindl Harald
On 04.08.20 at 19:34, Matus UHLAR - fantomas wrote:

> On 04.08.20 17:29, Leroy Tennison wrote:
>> I have a situation where, due to the system's location (IP subnet),
>> its DNS
>> name is <webserver>.<internal subdomain>.datavoiceint.com.  We have a
>> certificate for *.datavoiceint.com which we prefer to use
>
> wildcard in certificates only covers one level of subdomains, so
> *.datavoiceint.com will cover <internal subdomain>.datavoiceint.com but not
> anything under it.
>
> you will have to strip the  <webserver> part or get other certificate

Proper wildcard certificates look like this:

X509v3 Subject Alternative Name: DNS:*.buildserver.thelounge.net
DNS:*.thelounge.net
DNS:thelounge.net

In other words: you have "*.domain.tld" and "domain.tld" in your SAN.
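The two replies above turn on which names a wildcard SAN entry covers. The following Python is an added example, not code from either poster or from BIND: it applies the RFC 6125 name-matching rules that browsers use to the names in this thread (the SAN list is constructed in the layout Reindl shows). The name a client checks against the SAN list is the hostname in the URL it connected to, not the target of any CNAME the lookup went through.

```python
import re

# One hostname label: letters, digits, hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def san_matches(pattern, hostname):
    """True if the dNSName SAN entry `pattern` covers `hostname`.

    Follows the RFC 6125 section 6.4.3 rules browsers apply: '*' is honoured
    only as the entire leftmost label, it stands for exactly one label, and
    at least two labels must follow it ('*.com' is rejected).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if not all(LABEL_RE.match(label) for label in h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3 or "*" in p_labels[1:]:
            return False
        # Exactly one label: webserver.internal.example.com has one label too
        # many for *.example.com, and example.com itself has one too few.
        return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards such as w*.example.com are not honoured
    return p_labels == h_labels


def covering_sans(sans, hostname):
    """Return the SAN entries that cover the hostname the client connected to."""
    return [san for san in sans if san_matches(san, hostname)]


# Constructed SAN list for the domain in the thread, in the layout Reindl shows.
EXAMPLE_SANS = ["*.datavoiceint.com", "datavoiceint.com"]

if __name__ == "__main__":
    for host in ("internal.datavoiceint.com",
                 "webserver.internal.datavoiceint.com",
                 "webserver.datavoiceint.com",
                 "datavoiceint.com"):
        print(host, "->", covering_sans(EXAMPLE_SANS, host) or "NOT COVERED")
```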
Re: CNAME restrictions

Kevin Darcy
Offhand, it looks like the server side is configured to only allow authenticated updates, but you're sending an unauthenticated one.

A more nuanced issue might be if the ID you're running the nsupdate as, can't read the key files, so even though you may have intended the update to be signed, it actually wasn't.

Did you try adding a -d to the nsupdate command? If so, does the debug output give any clues?

                                                                         - Kevin
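Kevin's second point, that the update is only as signed as the key file the nsupdate process could actually read, can be pre-checked before running nsupdate. This Python is an added example, not from Kevin or from BIND; the key clause layout is the one tsig-keygen writes, and the helper that writes a sample file uses a constructed name and secret.

```python
import base64
import binascii
import os
import re
import stat
# Algorithms BIND accepts in a key clause (tsig-keygen defaults to hmac-sha256).
KNOWN_ALGORITHMS = {"hmac-md5", "hmac-sha1", "hmac-sha224", "hmac-sha256",
                    "hmac-sha384", "hmac-sha512"}
KEY_RE = re.compile(r'key\s+"?([^"\s{]+)"?\s*\{(.*?)\}\s*;', re.S)
ALG_RE = re.compile(r'algorithm\s+([A-Za-z0-9-]+)\s*;')
SECRET_RE = re.compile(r'secret\s+"([^"]*)"\s*;')


def check_tsig_key_file(path):
    """List problems with a BIND key file; empty means it looks usable.

    Readability is Kevin's case: if the uid running nsupdate cannot read the
    key, nothing gets signed. The rest catch an exposed or malformed secret.
    """
    if not os.path.exists(path):
        return ["%s: does not exist" % path]
    if not os.access(path, os.R_OK):
        return ["%s: not readable by uid %d, nsupdate cannot sign with it"
                % (path, os.getuid())]
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s: mode %04o exposes the secret to group/other" % (path, mode))
    with open(path) as fh:
        m = KEY_RE.search(fh.read())
    if not m:
        return problems + ["%s: no key clause found" % path]
    body = m.group(2)
    alg, secret = ALG_RE.search(body), SECRET_RE.search(body)
    if alg is None or alg.group(1).lower() not in KNOWN_ALGORITHMS:
        problems.append("%s: missing or unknown algorithm" % path)
    if secret is None:
        problems.append("%s: missing secret" % path)
    else:
        try:
            base64.b64decode(secret.group(1), validate=True)
        except (binascii.Error, ValueError):
            problems.append("%s: secret is not valid base64" % path)
    return problems


def write_key_file(path, secret, mode=0o600, name="update-key", alg="hmac-sha256"):
    # Constructed sample in tsig-keygen's layout; the secret is not a real key.
    with open(path, "w") as fh:
        fh.write('key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' % (name, alg, secret))
    os.chmod(path, mode)
```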
Re: CNAME restrictions

Leroy Tennison
Thank you, -d surfaced the issue - now to decide what to do about it...


From: bind-users <[hidden email]> on behalf of Kevin Darcy <[hidden email]>
Sent: Tuesday, August 4, 2020 3:28 PM
To: [hidden email] <[hidden email]>
Subject: [EXTERNAL] Re: CNAME restrictions