[Dnsmasq-discuss] mixing synth-domain and auth-domain does not appear to work for me.
David Beveridge
2014-04-02 10:46:55 UTC
So I have a few static hosts defined in /etc/hosts and I want to
serve authoritative records for them.
I also have some machines which get addresses via DHCP and SLAAC which I want
to publish using synth-domain.

Each option works alone, but when I mix the options,
e.g.
auth-zone=thekelleys.org.uk,192.168.0.0/24
synth-domain=thekelleys.org.uk,192.168.0.0/24,internal-

with synth-domain only
# dig internal-192-168-0-56.thekelleys.org.uk @223.27.66.79
;; ANSWER SECTION:
internal-192-168-0-56.thekelleys.org.uk. 0 IN A 192.168.0.56

with both defined, no answer is returned.
e.g.
***@ns1 /etc/dnsmasq.d # dig internal-192-168-0-56.thekelleys.org.uk @223.27.66.79

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> internal-192-168-0-56.thekelleys.org.uk @223.27.66.79
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 768
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;internal-192-168-0-56.thekelleys.org.uk. IN A

;; Query time: 0 msec
;; SERVER: 223.27.66.79#53(223.27.66.79)
;; WHEN: Wed Apr 2 21:30:13 2014
;; MSG SIZE rcvd: 57


The behaviour is the same for IPv6.

regards,
dave.

PS: any reason why synth-domain is limited to /64 for IPv6?
Simon Kelley
2014-04-02 20:24:25 UTC
Post by David Beveridge
So I have a few static hosts defined in /etc/hosts and I want to
serve authoritative records for them.
I also have some machines which get addresses via DHCP and SLAAC which I want
to publish using synth-domain.
Each option works alone, but when I mix the options,
e.g.
auth-zone=thekelleys.org.uk,192.168.0.0/24
synth-domain=thekelleys.org.uk,192.168.0.0/24,internal-
with synth-domain only
internal-192-168-0-56.thekelleys.org.uk. 0 IN A 192.168.0.56
with both defined, no answer is returned.
e.g.
223.27.66.79
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>>
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 768
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;internal-192-168-0-56.thekelleys.org.uk. IN A
;; Query time: 0 msec
;; SERVER: 223.27.66.79#53(223.27.66.79)
;; WHEN: Wed Apr 2 21:30:13 2014
;; MSG SIZE rcvd: 57
The behaviour is the same for IPv6.
This is, I think, just an oversight. synth-domain certainly generates
"Locally defined DNS records" which is what the auth-zone is specified
to contain.
Post by David Beveridge
regards,
dave.
PS: any reason why synth-domain is limited to /64 for IPv6?
Prefix length has to be greater than or equal to 64, is that what you
mean? It's about implementation convenience. C doesn't provide an
integer data type larger than 64 bits for doing masking of the
address-part.

Cheers,

Simon.
Post by David Beveridge
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Simon Kelley
2014-04-02 20:38:20 UTC
Post by Simon Kelley
This is, I think, just an oversight. synth-domain certainly generates
"Locally defined DNS records" which is what the auth-zone is specified
to contain.
Actually, there is a reason. It doesn't in general make sense to include
the records created by synth-domain in a zone transfer, since there are
likely to be a lot of them. They could be included in answers for the
auth-zone, at the expense of the additional complication that the zone
answered by dnsmasq becomes no longer exactly the zone that's transferred
to a secondary (since the synth-domain answers can't be included in the
transfer).


Simon.
David Beveridge
2014-04-03 07:35:32 UTC
Post by Simon Kelley
Post by Simon Kelley
This is, I think, just an oversight. synth-domain certainly generates
"Locally defined DNS records" which is what the auth-zone is specified
to contain.
Actually, there is a reason. It doesn't in general make sense to include
the records created by synth-domain in a zone transfer, since there are
likely to be a lot of them. They could be included in answers for the
auth-zone, at the expense of the additional complication that the zone
answered by dnsmasq becomes no longer exactly the zone that's transferred
to a secondary (since the synth-domain answers can't be included in the
transfer).
I agree, you definitely would not want to zone transfer the entire synth zone,
just the records from the auth zone. Actually, once you introduce synth
records to a zone, transferring it is not practical at all.

I think I have misunderstood what auth-zone does.
It seems it is not required in this situation.

I just tested and discovered that: if I remove the auth-zone statement from
the config file, the synth-zone will still serve records it finds in /etc/hosts.
In this way I can still have a mixed zone with manually created records and
synthesized records in the same zone.

The synth-domain kind of implies that the zone is authoritative,
so no need for the auth-zone statement as well.

dave
Simon Kelley
2014-04-03 20:40:54 UTC
Post by David Beveridge
Post by Simon Kelley
Post by Simon Kelley
This is, I think, just an oversight. synth-domain certainly generates
"Locally defined DNS records" which is what the auth-zone is specified
to contain.
Actually, there is a reason. It doesn't in general make sense to include
the records created by synth-domain in a zone transfer, since there are
likely to be a lot of them. They could be included in answers for the
auth-zone, at the expense of the additional complication that the zone
answered by dnsmasq becomes no longer exactly the zone that's transferred
to a secondary (since the synth-domain answers can't be included in the
transfer).
I agree, you definitely would not want to zone transfer the entire synth zone,
just the records from the auth zone. Actually, once you introduce synth
records to a zone, transferring it is not practical at all.
I think I have misunderstood what auth-zone does.
It seems it is not required in this situation.
I just tested and discovered that: if I remove the auth-zone statement from
the config file, the synth-zone will still serve records it finds in /etc/hosts.
In this way I can still have a mixed zone with manually created records and
synthesized records in the same zone.
The synth-domain kind of implies that the zone is authoritative,
so no need for the auth-zone statement as well.
OK. Happy ending :)


Cheers,

Simon.
Post by David Beveridge
dave
David Beveridge
2014-04-03 07:14:28 UTC
Post by Simon Kelley
Post by David Beveridge
So I have a few static hosts defined in /etc/hosts and I want to
serve authoritative records for them.
I also have some machines which get addresses via DHCP and SLAAC which I want
to publish using synth-domain.
Each option works alone, but when I mix the options,
e.g.
auth-zone=thekelleys.org.uk,192.168.0.0/24
synth-domain=thekelleys.org.uk,192.168.0.0/24,internal-
with synth-domain only
internal-192-168-0-56.thekelleys.org.uk. 0 IN A 192.168.0.56
with both defined, no answer is returned.
The behaviour is the same for IPv6.
This is, I think, just an oversight. synth-domain certainly generates
"Locally defined DNS records" which is what the auth-zone is specified
to contain.
So if the auth-domain exists and the lookup fails there, it does not try to
do a lookup in synth-domain. I'm not sure how commonly people
might want to do that.
Post by Simon Kelley
Post by David Beveridge
regards,
dave.
PS: any reason why synth-domain is limited to /64 for IPv6?
Prefix length has to be greater than or equal to 64, is that what you
mean? It's about implementation convenience. C doesn't provide an
integer data type larger than 64 bits for doing masking of the
address-part.
Fair enough. So I have a copy of dnsmasq running on my BIND DNS server
just to handle the synthetic reverse (which BIND can't do), so each /64
needs to be individually configured in dnsmasq. It's good to know why.

I can't just get lazy and synth a whole /48 or /32.
Probably out of scope for what dnsmasq is designed for anyway.

dave
Post by Simon Kelley
Cheers,
Simon.
Simon Kelley
2014-04-03 20:43:02 UTC
Post by David Beveridge
Post by Simon Kelley
Prefix length has to be greater than or equal to 64, is that what you
mean? It's about implementation convenience. C doesn't provide an
integer data type larger than 64 bits for doing masking of the
address-part.
Fair enough. So I have a copy of dnsmasq running on my BIND DNS server
just to handle the synthetic reverse (which BIND can't do), so each /64
needs to be individually configured in dnsmasq. It's good to know why.
I can't just get lazy and synth a whole /48 or /32.
Probably out of scope for what dnsmasq is designed for anyway.
That's what I told myself when I wrote the code: it's crazy to use
arbitrary-precision maths in a DNS daemon. Then a year later I
implemented DNSSEC which uses public-key crypto, based on
arbitrary-precision maths :-)

Cheers,

Simon.
Post by David Beveridge
dave
Post by Simon Kelley
Cheers,
Simon.
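To make the "prefix length must be >= 64" point above concrete, here is an added example (not dnsmasq's own code, and not from anyone in the thread) of the 64-bit masking approach Simon describes: the high 64 bits of an IPv6 address are compared directly and only the low 64 bits are masked, so a synth-domain prefix shorter than /64 would need a host part wider than any C integer and is rejected. The function names and the 2001:db8 sample addresses are constructed for this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Load 8 bytes in network byte order into a uint64_t. */
static uint64_t load64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}
/* Network bits that fall in the low 64 bits under /plen.  A shift by 64 is
 * undefined in C, so /64 (no network bits in this half) is special-cased. */
static uint64_t low_mask(int plen)
{
    return plen == 64 ? 0 : ~UINT64_C(0) << (128 - plen);
}

/* Is addr inside prefix/plen?  The high 64 bits must match exactly and only
 * the low 64 bits are masked, so a prefix shorter than /64 (host part wider
 * than 64 bits) is rejected.  Returns 1, 0, or -1 (bad address or plen). */
int synth6_in_range(const char *addr, const char *prefix, int plen)
{
    unsigned char a[16], p[16];
    if (plen < 64 || plen > 128)
        return -1;
    if (inet_pton(AF_INET6, addr, a) != 1 || inet_pton(AF_INET6, prefix, p) != 1)
        return -1;
    if (load64(a) != load64(p))
        return 0;
    return (load64(a + 8) & low_mask(plen)) == (load64(p + 8) & low_mask(plen));
}

/* Host part of addr under /plen (plen >= 64): the bits a synthesized name is
 * built from.  Returns 0 for an unparsable address or unsupported plen. */
uint64_t synth6_host_part(const char *addr, int plen)
{
    unsigned char a[16];
    if (plen < 64 || plen > 128 || inet_pton(AF_INET6, addr, a) != 1)
        return 0;
    return load64(a + 8) & ~low_mask(plen);
}

int main(void)
{   /* Constructed sample addresses: one /64 configured on its own. */
    printf("%d %d %llx\n", synth6_in_range("2001:db8:1:2::56", "2001:db8:1:2::", 64),
           synth6_in_range("2001:db8:1:2::56", "2001:db8::", 48),
           (unsigned long long)synth6_host_part("2001:db8:1:2::56", 64));
}
```

A /48 or /32 (the "lazy" case from the thread) is rejected outright, which is why each /64 has to be configured separately.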