stub versus forward

Von Alt, William William.VonAlt at hq.doe.gov
Thu May 2 20:11:57 UTC 2002


I'm sorry ... I left out another piece of information from my testing:  I
initially thought the same thing so I commented out my global forwarders
statement and it had no effect on the ability to resolve the proper records
for the em.doe.gov domain.  I thought that was truly strange, and that's
what prompted me to write to y'all.  I suppose I shouldn't complain too
much... the configuration works by forwarding the em.doe.gov zone in the
named.conf, but I'd rather just delegate it from the doe.gov zone and not
have it in named.conf at all.  Oh well :)

-William Von Alt
 Verizon/US Department of Energy
 301.903.2710


-----Original Message-----
From: Kevin Darcy [mailto:kcd at daimlerchrysler.com] 
Sent: Thursday, May 02, 2002 3:58 PM
To: bind users
Subject: Re: stub versus forward


It would appear that your global forwarders declaration is overriding your
stub information. To fix: put a "forwarders { }" statement into your
"doe.gov" master-zone definition (which you didn't show). Then you shouldn't
need a stub zone at all. BEWARE, however, that this will affect all
subzones/subdomains of doe.gov, so if you're relying on forwarding for any
of those, you'll have to make other arrangements...


- Kevin

"Von Alt, William" wrote:

> Okay all... here is a situation that has been most perplexing today...
>
> Here at DOE HQ, we have the "standard" split DNS config with two private
> nameservers (master and slave) and two public nameservers (master and
> slave).  I have a remote field site that also has a split DNS setup.
>
> We want our public nameservers left completely out of this picture... the
> goal is for my internal nameserver (authoritative for the doe.gov domain)
> to delegate the em.doe.gov domain to his internal nameservers. So on my
> internal primary server, I set up a stub zone for em.doe.gov and list the
> two remote nameservers as masters.  Here is the relevant excerpt from
> named.conf:
>
> options {
>         directory "/etc/named";
>         pid-file "/etc/named.pid";
>         check-names master warn;
>         auth-nxdomain no;
>         query-source address 146.138.1.215 port 53;
>         transfer-format many-answers;
>         forwarders {
>                 205.254.144.110;
>                 205.254.143.110;
>         };
>         also-notify {
>                 146.138.198.215;
>         };
>
> };
>
> zone "." {
>         type hint;
>         file "cache.named";
> };
>
> zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "127.0.0.db";
> };
>
> zone "em.doe.gov" {
>         type stub;
>         file "db.stub.em.doe.gov";
>         masters {
>                 132.172.137.102;
>                 132.172.137.146;
>         };
> };
>
> I also have the appropriate delegation and glue information in my doe.gov
> zone as follows:
>
> $TTL  3600
> @          IN SOA SUKHOI.DOE.GOV. root at sukhoi.doe.gov. (
>            19990550       ; serial
>            7200           ; refresh in seconds
>            3600           ; retry in seconds
>            604800         ; expire in seconds
>            43200 )        ; minimum in seconds
>
> ;NAMESERVERS
>                 IN      NS      sukhoi.doe.gov.
>                 IN      NS      fishbed.doe.gov.
> em              IN      NS      ns3.em.doe.gov.
>                 IN      NS      ns7.em.doe.gov.
> ns3.em.doe.gov. IN      A       132.172.137.146
> ns7.em.doe.gov. IN      A       132.172.137.102
> sukhoi          IN      A       146.138.1.215
> fishbed         IN      A       146.138.198.215
>
> After restarting the nameserver on my server, sukhoi, the file
> db.stub.em.doe.gov is created and contains the following:
>
> $ORIGIN .
> $TTL 86400      ; 1 day
> em.doe.gov              IN SOA  emsun3.em.doe.gov. David\\\.Carts.em.doe.gov. (
>                                 153        ; serial
>                                 10800      ; refresh (3 hours)
>                                 3600       ; retry (1 hour)
>                                 604800     ; expire (1 week)
>                                 86400      ; minimum (1 day)
>                                 )
>                         NS      ns3.em.doe.gov.
>                         NS      ns7.em.doe.gov.
>                         NS      emsun3.em.doe.gov.
> $ORIGIN em.doe.gov.
> emsun3                  A       132.172.137.155
> ns3                     A       132.172.137.146
> ns7                     A       132.172.137.102
>
> So you can see I clearly got the appropriate stub information (SOA and NS)
> about EM's internal nameservers (ns3 and ns7) and stored it in my db file.
> Now with my named.conf ready to go, my new stub information, and the
> delegation records contained in the doe.gov zone, I'm good to go, correct?
> Well... here is the output from a sample nslookup:
>
> # nslookup
> Default Server:  sukhoi.doe.gov
> Address:  146.138.1.215
>
> > set type=SOA
> > em.doe.gov
> Server:  sukhoi.doe.gov
> Address:  146.138.1.215
>
> Non-authoritative answer:
> em.doe.gov
>         origin = ns1.em.doe.gov
>         mail addr = David.Carts.em.doe.gov
>         serial = 119
>         refresh = 10800 (3H)
>         retry   = 3600 (1H)
>         expire  = 604800 (1W)
>         minimum ttl = 86400 (1D)
>
> Authoritative answers can be found from:
> em.doe.gov      nameserver = ns1.em.doe.gov
> ns1.em.doe.gov  internet address = 205.254.144.179
> > set type=NS
> > em.doe.gov
> Server:  sukhoi.doe.gov
> Address:  146.138.1.215
>
> Non-authoritative answer:
> em.doe.gov      nameserver = ns1.em.doe.gov
>
> Authoritative answers can be found from:
> ns1.em.doe.gov  internet address = 205.254.144.179
>
> It's as if the nameserver has completely ignored all of my configurations
> and delegations, and worked its way down from the root servers looking for
> information on EM, such that it found their external public nameserver,
> ns1!  What would cause this behavior??  If I remove the em.doe.gov zone
> from the named.conf file completely, leaving only my delegation and glue
> statements in the doe.gov zone, it shows the same behavior!  The only way I
> have been able to get the correct information (queries routed to the
> correct, private name servers) is to make em.doe.gov a forward zone in
> named.conf, but I'd rather not do this... I'd rather just delegate to them
> and have that be that.  Any reason why even with a stub zone that contains
> the correct information about private name servers, I end up returning
> information about their public nameserver that is not mentioned anywhere in
> my private nameserver's zone files?
>
> As always, any help and/or advice is appreciated!
>
> -William Von Alt
>  Verizon/US Department of Energy
>  301.903.2710
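
The following check is an added example, not part of either poster's message: it scans a named.conf for zones that carry no `forwarders` statement of their own while `options` holds a non-empty global list, the condition Kevin's reply points at (a zone-level `forwarders` statement overrides the global list, and an empty one disables forwarding for that zone). The sample configuration is constructed from the one quoted above; its addresses are documentation ranges and the file name `db.doe.gov` is an assumption.

```python
import re

# Constructed sample modelled on the quoted named.conf (RFC 5737 addresses,
# hypothetical file name for the doe.gov zone, which the post did not show).
SAMPLE_CONF = '''
options {
        forwarders { 192.0.2.10; 192.0.2.11; };
};
zone "." { type hint; file "cache.named"; };
zone "doe.gov" {
        type master;
        file "db.doe.gov";
        forwarders { };   // empty list: no forwarding for this zone
};
zone "em.doe.gov" {
        type stub;
        masters { 198.51.100.2; 198.51.100.3; };
};
'''

def _block(text, start):
    """Return the text between the first '{' at/after start and its match."""
    open_at = text.index("{", start)
    depth = 0
    for i in range(open_at, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_at + 1:i]
    raise ValueError("unbalanced braces")

def _forwarders(body):
    """None if there is no forwarders statement, else its (possibly empty) list."""
    m = re.search(r"\bforwarders\s*\{([^}]*)\}", body)
    return None if m is None else [a for a in re.split(r"[;\s]+", m.group(1)) if a]

def zones_inheriting_forwarders(conf):
    """(zone, type) pairs with no forwarders statement under a global list."""
    conf = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)
    opts = re.search(r"\boptions\b", conf)
    if not opts or not _forwarders(_block(conf, opts.end())):
        return []          # no global forwarders, nothing to inherit
    hits = []
    for m in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        body = _block(conf, m.end())
        ztype = re.search(r"\btype\s+([\w-]+)", body).group(1)
        if ztype not in ("hint", "forward") and _forwarders(body) is None:
            hits.append((m.group(1), ztype))
    return hits
```

On the sample, only the stub zone is reported, because the `doe.gov` zone already carries the empty `forwarders { };` statement.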





