forwarding a subdomain

Edward Buck ed at bashware_REMOVEME_.net
Tue Nov 16 02:56:36 UTC 2004


Barry Margolin wrote:
>  Edward Buck <ed at bashware_REMOVEME_.net> wrote:
>>
>>I'm trying to set up a subdomain via forwarding and I'm seeing some 
>>unexpected behavior (unexpected for me, not necessarily for bind or 
>>you).  Here's the scenario:
>>
>>I have a public nameserver, i.e. ns1.domain.com, which is authoritative 
>>for domain.com.  In the zone file for domain.com, I've delegated a 
>>subdomain to another nameserver by doing:
>>
>>sub      IN NS  ns1-sub.domain.com.
>>ns1-sub  IN A   80.80.80.80  ; public ip
>>
>>Now, on ns1-sub.domain.com, I've configured bind with the following zone:
>>
>>zone "sub.domain.com" {
>>         type forward;
>>         forward first;
>>         forwarders {
>>         10.5.5.1 port 10053; // private ip
>>         };
>>};
>>
>>The 10.5.5.1 host above is on a private network accessible to ns1-sub 
>>but not to the general public.
>>
>>The goal is to have ns1-sub resolve all queries for the subdomain 
>>sub.domain.com by forwarding each request to the internal server at 
>>10.5.5.1.
>>
>>Now, here's what I don't understand.  If I query ns1-sub directly for a 
>>host in sub.domain.com (i.e. host.sub.domain.com), the forwarding works 
>>as expected.  If I query ns1-sub using a different nameserver (i.e. from 
>>my ISP nameserver), the query works ONLY if ns1-sub has cached the data. 
>>If it's not in the cache, there's no answer.  This suggests that the 
>>forwarding doesn't work for recursive queries.
> 
> When a recursive server is processing a query, it uses iterative mode, 
> so it doesn't set the "Recursion Desired" flag when it sends its 
> queries.  When it queries a server that isn't authoritative for the 
> zone, it expects to receive a referral, and it will then ask one of 
> those servers, repeating this process until it reaches the authoritative 
> servers.

Okay.  That makes sense.  Thanks for clarifying.

> In general, a subdomain can only be delegated to an authoritative 
> server, not a forwarding server.

So, is this a limitation by design?  Is there a workaround for what I'm 
trying to do?

If I delegate a subdomain to a nameserver, intuitively I would expect 
that nameserver to be authoritative for that subdomain regardless of 
whether the zone data is master, slave or a forward.

The use case I'm referring to is a private RBL on an internal LAN 
running rbldnsd.  I was planning to run rbldnsd on an internal address 
and front-end it with bind to take advantage of bind's ACL support.  The 
scenario would be something like:

public rbl query
	|
	v
rbl.domain.com nameserver (bind with ACLs)
	|
	v
forward to internal server running rbldnsd
	|
	v
answer back to original query

At the moment, this only works for cached data.  Is there a way to force 
recursion on a forwarded subdomain for which the server is authoritative?

Thanks.
Ed
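Barry's explanation can be checked directly: a recursive resolver sends ns1-sub a query with RD=0, and what comes back (authoritative answer, cached answer, referral, or nothing) tells you which case the delegated server is in. The following is an added example, not code from the thread or from BIND; it builds a raw DNS query with the RD bit cleared, classifies the reply header, and ships with constructed sample headers so it runs offline. The hostname host.sub.domain.com is taken from the thread; `probe()` is a hypothetical helper for a live check against your own server.

```python
import socket
import struct

def build_query(name, qid=0x1234, rd=False, qtype=1):
    """Build a DNS/UDP query; rd=False reproduces the iterative (RD=0) query
    a recursive resolver sends to a delegated server."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS IN

def parse_header(packet):
    """Decode the flag bits and section counts needed to classify a reply."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def diagnose(response):
    """Classify what a delegated server did with an RD=0 query (heuristic)."""
    h = parse_header(response)
    if h["rcode"]:
        return "rcode=%d" % h["rcode"]   # SERVFAIL, REFUSED, NXDOMAIN, ...
    if h["aa"] and h["ancount"] > 0:
        return "authoritative"           # delegation works for any resolver
    if h["ancount"] > 0:
        return "cached"                  # answer without AA: only while cached
    if h["nscount"] > 0:
        return "referral"                # server points elsewhere via NS records
    return "empty"                       # forward-only zone, nothing served without RD

def probe(server, name, rd=False, port=53, timeout=3.0):
    """Hypothetical live check: send one UDP query to `server`, classify reply."""
    q = build_query(name, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    return diagnose(data)

# Constructed 12-byte reply headers (the header alone is enough for diagnose()).
SAMPLES = {
    "authoritative": struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0),  # QR+AA
    "cached":        struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0),  # QR+RA
    "referral":      struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 1, 0),  # NS only
    "empty":         struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 0, 0),  # nothing
}
```

Running `probe("<ns1-sub address>", "host.sub.domain.com")` with RD left clear, and again with `rd=True`, should show the asymmetry the thread describes: "empty" for the iterative query once the cache has expired, an answer for the direct recursive one.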


