forwarding a subdomain
Kevin Darcy
kcd at daimlerchrysler.com
Wed Nov 17 22:52:31 UTC 2004
Barry Margolin wrote:
>In article <cndfgm$gpa$1 at sf1.isc.org>,
> Edward Buck <ed at bashware_REMOVEME_.net> wrote:
>
>
>
>>So, is this a limitation by design? Is there a workaround for what I'm
>>trying to do?
>>
>>
>
>Configure your server as a slave, rather than a forwarder.
>
>
>
>>If I delegate a subdomain to a nameserver, intuitively I would expect
>>that nameserver to be authoritative for that subdomain regardless of
>>whether the zone data is master, slave or a forward.
>>
>>
>
>That's the point. Since the zone is delegated to the server, other
>servers expect that nameserver to be authoritative, so they don't ask it
>to recurse. But when you configure the zone as "type forward", the
>server is *not* authoritative.
>
>Being authoritative is a consequence of how the server is configured,
>*not* how the zone is delegated. Delegation specifies who *should* be
>authoritative, but it doesn't actually cause a server to be
>authoritative.
>
>
>
>>The use case I'm referring to is a private RBL on an internal lan
>>running rbldnsd. I was planning to run rbldnsd on an internal address
>>and front-end it with bind to take advantage of bind's ACL support. The
>>scenario would be something like:
>>
>>public rbl query
>> |
>> v
>>rbl.domain.com nameserver (bind with ACLs)
>> |
>> v
>>forward to internal server running rbldnsd
>> |
>> v
>>answer back to original query
>>
>>At the moment, this only works for cached data. Is there a way to force
>>recursion on a forwarded subdomain for which the server is authoritative?
>>
>>
>
>Servers only recurse when they're asked to. If the client says "don't
>recurse", BIND won't.
>
>The source code is available, so you could always patch your copy to
>ignore the setting of the RD bit, and act as if it's always set.
>
Of course, then your nameserver would violate Internet standards. RFC
1034, Section 4.3.1:

    Note that the name server should never perform recursive
    service unless asked via RD, since this interferes with trouble shooting
    of name servers and their databases.

- Kevin
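
The RD and AA header bits this thread turns on, as an added example that is not part of the original messages and is not BIND's code: it builds queries with RD set and clear, reads the flags back, and models the "type forward" behaviour described above. The query name, message ID and the forward_zone_action helper are constructed for illustration.

```python
import struct

# DNS header flag masks (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080


def build_query(name, qtype=1, rd=True, msg_id=0x1234):
    """Build a wire-format DNS query; rd sets the Recursion Desired bit."""
    header = struct.pack("!HHHHHH", msg_id, RD if rd else 0, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 octets: %r" % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_flags(message):
    """Return the header bits that matter in this thread."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _, flags = struct.unpack("!HH", message[:4])
    return {
        "qr": bool(flags & QR),  # 1 = response
        "aa": bool(flags & AA),  # set only by a server configured as authoritative
        "rd": bool(flags & RD),  # copied from the query into the response
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
    }


def forward_zone_action(query, in_cache):
    """Simplified model (assumption) of a "type forward" zone as described above.

    The server is not authoritative, so it can only answer from cache or by
    recursing to the forwarder, and it recurses only when the client sets RD.
    """
    if in_cache:
        return "answer-from-cache"
    if parse_flags(query)["rd"]:
        return "forward-to-backend"
    return "no-answer"  # exact response is not stated in the thread


if __name__ == "__main__":
    name = "2.0.0.127.rbl.domain.com"  # constructed RBL-style lookup name
    for rd in (True, False):  # stub resolver vs. iterative resolver following a delegation
        q = build_query(name, rd=rd)
        print("RD=%d" % rd, forward_zone_action(q, in_cache=False))
```

Against a live server the same check is whether responses for the delegated zone carry the aa flag when queried with RD clear, which is how resolvers following the delegation will ask.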