stub versus forward
Von Alt, William
William.VonAlt at hq.doe.gov
Thu May 2 19:22:09 UTC 2002
Okay all... here is a situation that has been most perplexing today...
Here at DOE HQ, we have the "standard" split DNS config with two private
nameservers (master and slave) and two public nameservers (master and
slave). I have a remote field site that also has a split DNS setup.
We want our public nameservers left completely out of this picture... the
goal is for my internal nameserver (authoritative for doe.gov) domain to
delegate the em.doe.gov domain to his internal nameservers. So on my
internal primary server, I set up a stub zone for em.doe.gov and list the two
remote nameservers as masters. Here is the relevant excerpt from
named.conf:
options {
    directory "/etc/named";
    pid-file "/etc/named.pid";
    check-names master warn;
    auth-nxdomain no;
    query-source address 146.138.1.215 port 53;
    transfer-format many-answers;
    forwarders {
        205.254.144.110;
        205.254.143.110;
    };
    also-notify {
        146.138.198.215;
    };
};

zone "." {
    type hint;
    file "cache.named";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "127.0.0.db";
};

zone "em.doe.gov" {
    type stub;
    file "db.stub.em.doe.gov";
    masters {
        132.172.137.102;
        132.172.137.146;
    };
};
I also have the appropriate delegation and glue information in my doe.gov
zone as follows:
$TTL 3600
@               IN SOA  SUKHOI.DOE.GOV. root at sukhoi.doe.gov. (
                        19990550    ; serial
                        7200        ; refresh in seconds
                        3600        ; retry in seconds
                        604800      ; expire in seconds
                        43200 )     ; minimum in seconds
;NAMESERVERS
                IN NS   sukhoi.doe.gov.
                IN NS   fishbed.doe.gov.
em              IN NS   ns3.em.doe.gov.
                IN NS   ns7.em.doe.gov.
ns3.em.doe.gov. IN A    132.172.137.146
ns7.em.doe.gov. IN A    132.172.137.102
sukhoi          IN A    146.138.1.215
fishbed         IN A    146.138.198.215
After restarting the nameserver on my server, sukhoi, the file
db.stub.em.doe.gov is created and contains the following:
$ORIGIN .
$TTL 86400      ; 1 day
em.doe.gov      IN SOA  emsun3.em.doe.gov. David\\\.Carts.em.doe.gov. (
                        153        ; serial
                        10800      ; refresh (3 hours)
                        3600       ; retry (1 hour)
                        604800     ; expire (1 week)
                        86400      ; minimum (1 day)
                        )
                NS      ns3.em.doe.gov.
                NS      ns7.em.doe.gov.
                NS      emsun3.em.doe.gov.
$ORIGIN em.doe.gov.
emsun3          A       132.172.137.155
ns3             A       132.172.137.146
ns7             A       132.172.137.102
So you can see I clearly got the appropriate stub information (SOA and NS)
about EM's internal nameservers (ns3 and ns7) and stored it in my db file.
Now with my named.conf ready to go, my new stub information, and the
delegation records contained in the doe.gov zone, I'm good to go, correct?
Well... here is the output from a sample nslookup:
# nslookup
Default Server:  sukhoi.doe.gov
Address:  146.138.1.215

> set type=SOA
> em.doe.gov
Server:  sukhoi.doe.gov
Address:  146.138.1.215

Non-authoritative answer:
em.doe.gov
        origin = ns1.em.doe.gov
        mail addr = David.Carts.em.doe.gov
        serial = 119
        refresh = 10800 (3H)
        retry   = 3600 (1H)
        expire  = 604800 (1W)
        minimum ttl = 86400 (1D)

Authoritative answers can be found from:
em.doe.gov      nameserver = ns1.em.doe.gov
ns1.em.doe.gov  internet address = 205.254.144.179

> set type=NS
> em.doe.gov
Server:  sukhoi.doe.gov
Address:  146.138.1.215

Non-authoritative answer:
em.doe.gov      nameserver = ns1.em.doe.gov

Authoritative answers can be found from:
ns1.em.doe.gov  internet address = 205.254.144.179
It's as if the nameserver has completely ignored all of my configurations
and delegations, and worked its way down from the root servers looking for
information on EM, such that it found their external public nameserver, ns1!
What would cause this behavior?? If I remove the em.doe.gov zone from the
named.conf file completely, leaving only my delegation and glue statements
in the doe.gov zone, it shows the same behavior! The only way I have been
able to get the correct information (queries routed to the correct, private
name servers) is to make em.doe.gov a forward zone in named.conf, but I'd
rather not do this... I'd rather just delegate to them and have that be
that. Any reason why even with a stub zone that contains the correct
information about private name servers, I end up returning information about
their public nameserver that is not mentioned anywhere in my private
nameserver's zone files?
As always, any help and/or advice is appreciated!
-William Von Alt
Verizon/US Department of Energy
301.903.2710
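A small consistency check for the situation described in the post above, added here as an example (it is not part of the original message and not a BIND tool): in Python, it reads the doe.gov delegation excerpt and the stub file (sample records constructed from the post), and reports delegated nameservers without glue, NS names the child lists but the parent does not, and any nameserver in a client's answer (here ns1, as in the nslookup output) that appears in neither set, which is the tell-tale sign that the answer did not arrive via the configured delegation.

```python
# Added example (not from the post): compare the parent's delegation for em.doe.gov,
# the stub file's NS set, and the NS names a client got back. Data is constructed.
PARENT_ZONE = """\
em               IN NS ns3.em.doe.gov.
                 IN NS ns7.em.doe.gov.
ns3.em.doe.gov.  IN A  132.172.137.146
ns7.em.doe.gov.  IN A  132.172.137.102
"""
STUB_ZONE = """\
$ORIGIN .
em.doe.gov  IN SOA emsun3.em.doe.gov. David\\.Carts.em.doe.gov. (
            153 10800 3600 604800 86400 )
            NS ns3.em.doe.gov.
            NS ns7.em.doe.gov.
            NS emsun3.em.doe.gov.
$ORIGIN em.doe.gov.
emsun3  A 132.172.137.155
ns3     A 132.172.137.146
ns7     A 132.172.137.102
"""
def parse_records(text, origin):
    """Minimal zone-file reader: [(owner, type, rdata)] with absolute owner names."""
    records, owner, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()            # strip comments
        if depth:                                    # inside a ( ... ) continuation
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip() or line.startswith("$TTL"):
            continue
        fields = [f for f in line.split() if f != "IN"]   # class token is optional
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if not raw[0].isspace():                     # owner in column 1, else inherited
            name = fields.pop(0)
            owner = name if name.endswith(".") else name + "." + (origin if origin != "." else "")
        rtype, rdata = fields[0], " ".join(fields[1:])
        depth = rdata.count("(") - rdata.count(")")
        records.append((owner, rtype, rdata))
    return records
def check_delegation(parent_text, parent_origin, stub_text, child, answered):
    """Discrepancies between parent delegation, stub NS set and the names answered."""
    parent = parse_records(parent_text, parent_origin)
    delegated = {r for o, t, r in parent if o == child and t == "NS"}
    glue = {o for o, t, _ in parent if t == "A"}
    stub_ns = {r for o, t, r in parse_records(stub_text, ".") if o == child and t == "NS"}
    return {"missing_glue": sorted(delegated - glue),          # delegated NS with no A record
            "ns_only_in_stub": sorted(stub_ns - delegated),    # child lists NS parent omits
            "unexpected_in_answer": sorted(set(answered) - delegated - stub_ns)}
```

Run with `check_delegation(PARENT_ZONE, "doe.gov.", STUB_ZONE, "em.doe.gov.", ["ns1.em.doe.gov."])`; a non-empty `unexpected_in_answer` means the resolver obtained its NS set from somewhere other than the delegation or the stub masters.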