forwarding a subdomain
Edward Buck
ed at bashware_REMOVEME_.net
Tue Nov 16 02:56:36 UTC 2004
Barry Margolin wrote:
> Edward Buck <ed at bashware_REMOVEME_.net> wrote:
>>
>>I'm trying to setup a subdomain via forwarding and I'm seeing some
>>unexpected behavior (unexpected for me, not necessarily for bind or
>>you). Here's the scenario:
>>
>>I have a public nameserver, i.e. ns1.domain.com, which is authoritative
>>for domain.com. In the zone file for domain.com, I've delegated a
>>subdomain to another nameserver by doing:
>>
>>sub IN NS ns1-sub.domain.com.
>>ns1-sub IN A 80.80.80.80 ; public ip
>>
>>Now, on ns1-sub.domain.com, I've configured bind with the following zone:
>>
>>zone "sub.domain.com" {
>>    type forward;
>>    forward first;
>>    forwarders {
>>        10.5.5.1 port 10053; // private ip
>>    };
>>};
>>
>>The 10.5.5.1 host above is on a private network accessible to ns1-sub
>>but not to the general public.
>>
>>The goal is to have ns1-sub resolve all queries for the subdomain
>>sub.domain.com by forwarding each request to the internal server at
>>10.5.5.1.
>>
>>Now, here's what I don't understand. If I query ns1-sub directly for a
>>host in sub.domain.com (i.e. host.sub.domain.com), the forwarding works
>>as expected. If I query ns1-sub using a different nameserver (i.e. from
>>my ISP nameserver), the query works ONLY if ns1-sub has cached the data.
>>If it's not in the cache, there's no answer. This suggests that the
>>forwarding doesn't work for recursive queries.
>
> When a recursive server is processing a query, it uses iterative mode,
> so it doesn't set the "Recursion Desired" flag when it sends its
> queries. When it queries a server that isn't authoritative for the
> zone, it expects to receive a referral, and it will then ask one of
> those servers, repeating this process until it reaches the authoritative
> servers.
Okay. That makes sense. Thanks for clarifying.
> In general, a subdomain can only be delegated to an authoritative
> server, not a forwarding server.
So, is this a limitation by design? Is there a workaround for what I'm
trying to do?
If I delegate a subdomain to a nameserver, intuitively I would expect
that nameserver to be authoritative for that subdomain regardless of
whether the zone data is master, slave or a forward.
The use case I'm referring to is a private RBL on an internal lan
running rbldnsd. I was planning to run rbldnsd on an internal address
and front-end it with bind to take advantage of bind's ACL support. The
scenario would be something like:
    public rbl query
          |
          v
    rbl.domain.com nameserver (bind with ACLs)
          |
          v
    forward to internal server running rbldnsd
          |
          v
    answer back to original query
At the moment, this only works for cached data. Is there a way to force
recursion on a forwarded subdomain for which the server is authoritative?
Thanks.
Ed
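The mechanism Barry describes, and the three observations Ed reports (works when queried directly, fails via the ISP resolver when uncached, works via the ISP resolver once cached), can be modelled in a few lines. The following is an added illustration, not code from the thread or from BIND: the three hosts, the name host.sub.domain.com and the 127.0.0.2 answer are constructed, and the model reduces each server to "does it act on this query or not" rather than reproducing real DNS messages.

```python
"""Toy model of the delegation-to-a-forwarder problem from the thread.

Constructed example.  Three roles are modelled:

  * InternalAuth   - the rbldnsd host, authoritative for sub.domain.com,
                     reachable only from the forwarding host;
  * ForwardOnly    - ns1-sub, a 'type forward' zone plus a cache, with
                     no authoritative data of its own;
  * PublicResolver - the ISP's recursive server, which walks delegations
                     iteratively, i.e. with Recursion Desired (RD) clear.

A forward zone only does work for RD=1 queries, so an iterative resolver
that has been referred to ns1-sub gets an empty reply unless the name is
already in ns1-sub's cache.  (The exact rcode a real BIND sets in that
case is not modelled; the thread only reports "no answer".)
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    rcode: str                                   # "NOERROR" or "NXDOMAIN"
    answer: list = field(default_factory=list)   # (name, qtype, rdata) tuples


class InternalAuth:
    """Authoritative for the zone; private network only."""

    def __init__(self, records):
        self.records = records                   # {(name, qtype): rdata}

    def query(self, name, qtype, rd):
        rdata = self.records.get((name, qtype))
        if rdata is None:
            return Response("NXDOMAIN")
        return Response("NOERROR", [(name, qtype, rdata)])


class ForwardOnly:
    """ns1-sub: 'type forward' for one zone, with a cache."""

    def __init__(self, zone, forwarder):
        self.zone = zone
        self.forwarder = forwarder
        self.cache = {}

    def in_zone(self, name):
        return name == self.zone or name.endswith("." + self.zone)

    def query(self, name, qtype, rd):
        key = (name, qtype)
        if key in self.cache:
            # Cached data is handed out regardless of RD; this is why
            # the ISP resolver succeeds once the name is warm.
            return Response("NOERROR", [(name, qtype, self.cache[key])])
        if not self.in_zone(name) or not rd:
            # Not authoritative, and the client did not ask us to recurse:
            # the forwarders are never consulted, so there is nothing to say.
            return Response("NOERROR")
        resp = self.forwarder.query(name, qtype, rd=True)
        for n, t, r in resp.answer:
            self.cache[(n, t)] = r
        return resp


class PublicResolver:
    """The ISP's recursive server; follows the delegation with RD=0."""

    def __init__(self, delegations):
        self.delegations = delegations           # {zone: server}, stands in for NS+glue

    def resolve(self, name, qtype):
        # Most specific delegation covering the name wins.
        for zone, server in sorted(self.delegations.items(),
                                   key=lambda kv: -len(kv[0])):
            if name == zone or name.endswith("." + zone):
                return server.query(name, qtype, rd=False)
        return Response("NXDOMAIN")


def first_rdata(resp):
    """Return the answer's rdata, or None when the reply carried no answer."""
    return resp.answer[0][2] if resp.answer else None


def build_topology():
    internal = InternalAuth({("host.sub.domain.com", "A"): "127.0.0.2"})
    ns1_sub = ForwardOnly("sub.domain.com", internal)
    isp = PublicResolver({"sub.domain.com": ns1_sub})
    return internal, ns1_sub, isp


def scenario():
    """Reproduce the three observations: (via ISP cold, direct, via ISP warm)."""
    _, ns1_sub, isp = build_topology()
    name = "host.sub.domain.com"
    via_isp_cold = first_rdata(isp.resolve(name, "A"))       # RD=0, nothing cached
    direct = first_rdata(ns1_sub.query(name, "A", rd=True))  # RD=1, forwarded
    via_isp_warm = first_rdata(isp.resolve(name, "A"))       # RD=0, served from cache
    return via_isp_cold, direct, via_isp_warm


if __name__ == "__main__":
    cold, direct, warm = scenario()
    print("via ISP, cold cache :", cold)
    print("direct, RD=1        :", direct)
    print("via ISP, warm cache :", warm)
```

The model makes the asymmetry explicit: the cache check sits before the RD check, so the same RD=0 query from the public resolver fails cold and succeeds warm, which is exactly the intermittent behaviour that looks like "forwarding doesn't work for recursive queries" from the outside.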