stub versus forward
Kevin Darcy
kcd at daimlerchrysler.com
Thu May 2 19:58:05 UTC 2002
It would appear that your global forwarders declaration is overriding your stub
information. To fix: put a "forwarders { }" statement into your
"doe.gov" master-zone definition (which you didn't show). Then you shouldn't
need a stub zone at all. BEWARE, however, that this will affect all
subzones/subdomains of doe.gov, so if you're relying on forwarding for any of
those, you'll have to make other arrangements...
- Kevin
"Von Alt, William" wrote:
> Okay all... here is a situation that has been most perplexing today...
>
> Here at DOE HQ, we have the "standard" split DNS config with two private
> nameservers (master and slave) and two public nameservers (master and
> slave). I have a remote field site that also has a split DNS setup.
>
> We want our public nameservers left completely out of this picture... the
> goal is for my internal nameserver (authoritative for doe.gov) domain to
> delegate the em.doe.gov domain to his internal nameservers. So on my
> internal primary server, I setup a stub zone for em.doe.gov and list the two
> remote nameservers as masters. Here is the relevant excerpt from
> named.conf:
>
> options {
>     directory "/etc/named";
>     pid-file "/etc/named.pid";
>     check-names master warn;
>     auth-nxdomain no;
>     query-source address 146.138.1.215 port 53;
>     transfer-format many-answers;
>     forwarders {
>         205.254.144.110;
>         205.254.143.110;
>     };
>     also-notify {
>         146.138.198.215;
>     };
> };
>
> zone "." {
>     type hint;
>     file "cache.named";
> };
>
> zone "0.0.127.in-addr.arpa" {
>     type master;
>     file "127.0.0.db";
> };
>
> zone "em.doe.gov" {
>     type stub;
>     file "db.stub.em.doe.gov";
>     masters {
>         132.172.137.102;
>         132.172.137.146;
>     };
> };
>
> I also have the appropriate delegation and glue information in my doe.gov
> zone as follows:
>
> $TTL 3600
> @               IN SOA SUKHOI.DOE.GOV. root@sukhoi.doe.gov. (
>                         19990550    ; serial
>                         7200        ; refresh in seconds
>                         3600        ; retry in seconds
>                         604800      ; expire in seconds
>                         43200 )     ; minimum in seconds
>
> ;NAMESERVERS
>                 IN NS   sukhoi.doe.gov.
>                 IN NS   fishbed.doe.gov.
> em              IN NS   ns3.em.doe.gov.
>                 IN NS   ns7.em.doe.gov.
> ns3.em.doe.gov. IN A    132.172.137.146
> ns7.em.doe.gov. IN A    132.172.137.102
> sukhoi          IN A    146.138.1.215
> fishbed         IN A    146.138.198.215
>
> After restarting the nameserver on my server, sukhoi, the file
> db.stub.em.doe.gov is created and contains the following:
>
> $ORIGIN .
> $TTL 86400      ; 1 day
> em.doe.gov      IN SOA  emsun3.em.doe.gov.
>                         David\\\.Carts.em.doe.gov. (
>                         153        ; serial
>                         10800      ; refresh (3 hours)
>                         3600       ; retry (1 hour)
>                         604800     ; expire (1 week)
>                         86400      ; minimum (1 day)
>                         )
>                 NS      ns3.em.doe.gov.
>                 NS      ns7.em.doe.gov.
>                 NS      emsun3.em.doe.gov.
> $ORIGIN em.doe.gov.
> emsun3          A       132.172.137.155
> ns3             A       132.172.137.146
> ns7             A       132.172.137.102
>
> So you can see I clearly got the appropriate stub information (SOA and NS)
> about EM's internal nameservers (ns3 and ns7) and stored it in my db file.
> Now with my named.conf ready to go, my new stub information, and the
> delegation records contained in the doe.gov zone, I'm good to go, correct?
> Well... here is the output from a sample nslookup:
>
> # nslookup
> Default Server: sukhoi.doe.gov
> Address: 146.138.1.215
>
> > set type=SOA
> > em.doe.gov
> Server: sukhoi.doe.gov
> Address: 146.138.1.215
>
> Non-authoritative answer:
> em.doe.gov
> origin = ns1.em.doe.gov
> mail addr = David.Carts.em.doe.gov
> serial = 119
> refresh = 10800 (3H)
> retry = 3600 (1H)
> expire = 604800 (1W)
> minimum ttl = 86400 (1D)
>
> Authoritative answers can be found from:
> em.doe.gov nameserver = ns1.em.doe.gov
> ns1.em.doe.gov internet address = 205.254.144.179
> > set type=NS
> > em.doe.gov
> Server: sukhoi.doe.gov
> Address: 146.138.1.215
>
> Non-authoritative answer:
> em.doe.gov nameserver = ns1.em.doe.gov
>
> Authoritative answers can be found from:
> ns1.em.doe.gov internet address = 205.254.144.179
>
> It's as if the nameserver has completely ignored all of my configurations
> and delegations, and worked its way down from the root servers looking for
> information on EM, such that it found their external public nameserver, ns1!
> What would cause this behavior?? If I remove the em.doe.gov zone from the
> named.conf file completely, leaving only my delegation and glue statements
> in the doe.gov zone, it shows the same behavior! The only way I have been
> able to get the correct information (queries routed to the correct, private
> name servers) is to make em.doe.gov a forward zone in named.conf, but I'd
> rather not do this... I'd rather just delegate to them and have that be
> that. Any reason why even with a stub zone that contains the correct
> information about private name servers, I end up returning information about
> their public nameserver that is not mentioned anywhere in my private
> nameserver's zone files?
>
> As always, any help and/or advice is appreciated!
>
> -William Von Alt
> Verizon/US Department of Energy
> 301.903.2710
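The fix Kevin describes, written out as an added named.conf example (not from the original post or from Kevin's reply): the global forwarders list stays in place for everything else, and the doe.gov master zone gets an empty "forwarders { }" that switches forwarding off for doe.gov and every name beneath it, so em.doe.gov queries follow the NS/glue records already in the doe.gov zone. The doe.gov zone file name "db.doe.gov" and the "other.doe.gov" subzone are assumptions for illustration; the post shows neither.

```conf
// Added example, not the poster's actual configuration.

options {
    directory "/etc/named";
    // Global forwarding. Without a zone-level override this also applies to
    // names under em.doe.gov, which is why the query ended up at the public
    // forwarders and came back with the public ns1 instead of ns3/ns7.
    forwarders {
        205.254.144.110;
        205.254.143.110;
    };
};

zone "." {
    type hint;
    file "cache.named";
};

zone "doe.gov" {
    type master;
    file "db.doe.gov";        // assumed file name; not shown in the post
    // Empty list: no forwarding for doe.gov or any subzone of it. The
    // em.doe.gov delegation (NS ns3/ns7 plus glue A records) in this zone
    // file is now what resolves em.doe.gov, so the stub zone is unnecessary.
    forwarders { };
};

// Kevin's caveat: forwarding is now off for every subdomain of doe.gov.
// A subzone that still needs forwarding has to get it explicitly, e.g. as a
// forward zone of its own (hypothetical name and addresses below).
zone "other.doe.gov" {
    type forward;
    forward only;
    forwarders {
        205.254.144.110;
        205.254.143.110;
    };
};
```

After reloading named on sukhoi, an NS query for em.doe.gov against 146.138.1.215 should list ns3.em.doe.gov and ns7.em.doe.gov rather than ns1.em.doe.gov; if ns1 still appears, a forwarders statement somewhere else is still winning.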