Sub-domain delegation for BIND 9.2.3
phn at icke-reklam.ipsec.nu
Mon Sep 6 21:36:46 UTC 2004
Apache Apache <apacheusr at hotmail.com> wrote:
> Appended are my files on the Primary DNS:
Look below for comments:
> //named.conf for Pri DNS for company.def.com & company.abc.com (ip is
> 130.1.2.3)
> // ACL for blocking RFC1918 space commonly used for DoS and spoofing
> attacks.
> acl noaccess-list { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24;
> 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
> acl slave { 130.1.2.4; };
> controls {
> inet 127.0.0.1 port 953
> allow { 127.0.0.1; } ;
> };
> options {
> version "DNS Server";
> directory "/usr/local/named/log";
> pid-file "/usr/local/named/named.pid";
> allow-query { any; };
> listen-on-v6 { none; };
> listen-on { 130.1.2.3; };
> notify yes;
> provide-ixfr yes;
> blackhole { noaccess-list; };
> };
> zone "." {
> type hint;
> file "root.hint";
> };
> // IPv4 localhost and localhost reverse.
> zone "localhost" {
> type master;
> file "db.localhost";
> };
> zone "0.0.127.in-addr.arpa" {
> type master;
> file "db.127.0.0";
> notify no;
> };
> zone "2.1.130.in-addr.arpa" {
> type master;
> file "db.130.1.2";
> notify yes;
> allow-transfer { slave; };
> };
> zone "company.def.com" {
> type master;
> file "db.company.def.com";
Where is this file??
> notify yes;
> allow-transfer { slave; };
> };
> zone "company.abc.com" {
> type master;
> file "db.company.abc.com";
> notify yes;
> forwarders { };
> allow-transfer { slave; };
> };
> //End of named.conf for Pri DNS
> ------------------------------------------------
> // root.hint
> . 3600000 IN NS A.ROOT-SERVERS.NET.
> A-ROOT-SERVERS.NET. 3600000 A 130.1.2.3
> //End of root.hint
Ok, you are running internal roots with a single server; this
might fail (you should need 3).
> -------------------------------------------------
> // db.localhost
> @ 4h IN SOA pridns.company.def.com. postmaster.company.def.com. (
> 2001051701 // Serial Number
> 28800 // Refresh (8 hrs.)
> 7200 // Retry (2 hrs.)
> 604800 // Expire (7 days)
> 86400) // Minimum (1 day)
> IN NS pridns.company.def.com.
> $TTL 1h
> IN A 127.0.0.1
> // End of db.localhost
> ------------------------------------------------
> // db.127.0.0
> @ 4h IN SOA pridns.company.def.com. postmaster.company.def.com. (
> 2001051700 // Serial number
> 28800 // Refresh (8 hrs.)
> 7200 // Retry (2 hrs.)
> 604800 // Expire (7 days)
> 86400) // Minimum (1 day)
> IN NS pridns.company.def.com.
> 1 IN PTR localhost.
> //End of db.127.0.0
> ------------------------------------------------
> // db.company.abc.com
> @ 4h IN SOA pridns.company.def.com. postmaster.company.def.com. (
> 200105171 // Serial number
> 28800 // Refresh (8 hrs.)
> 7200 // Retry (2 hrs.)
> 604800 // Expire (7 days)
> 86400) // Minimum (1 day)
> IN NS pridns.company.def.com.
> IN NS slavedns.company.def.com.
If this is the zonefile for "company.def.com." you cannot
say anything about "def.com." here. It should be done at the '.' or
'.com' level (probably in your root-server).
> pridns.company.def.com. IN A 130.1.2.3
> slavedns.company.def.com. IN A 130.1.2.4
> xyz.company.abc.com. IN NS pridns.xyz.company.abc.com.
> pridns.xyz.company.abc.com. IN A 172.7.8.9
> intranet.company.abc.com IN A 130.1.2.10
> // End of db.company.abc.com
> -------------------------------------------------
> // db.130.1.2
> @ 4h IN SOA pridns.company.def.com. postmaster.company.def.com. (
> 200105173 // Serial number
> 28800 // Refresh (8 hrs.)
> 7200 // Retry (2 hrs.)
> 604800 // Expire (7 days)
> 86400) // Minimum (1 day)
> IN NS pridns.company.def.com. // master nameserver
> IN NS slavednsdns.company.def.com. // slave nameserver
> 3 IN PTR pridns.company.def.com.
> 4 IN PTR slavedns.company.def.com.
> // End of db.130.1.2
> ------------------------------------------------
> //etc/resolv.conf
> domain company.def.com
> nameserver 130.1.2.3
> nameserver 130.1.2.4
> Pls advise what went wrong.
> ------------------------------------------------
>>From: phn at icke-reklam.ipsec.nu
>>To: comp-protocols-dns-bind at isc.org
>>Subject: Re: Sub-domain delegation for BIND 9.2.3
>>Date: Fri, 3 Sep 2004 17:53:16 +0000 (UTC)
>>
>>Apache Apache <apacheusr at hotmail.com> wrote:
>> > Hi,
>>
>> > Have done as advised but when I performed a nslookup, I can only get
>> > non-existent host/domain and not able to resolve
>>host.xyz.company.abc.com.
>> > Pls advise is there anything that I missed out. Thank you.
>>
>>
>> >>From: phn at icke-reklam.ipsec.nu
>> >>To: comp-protocols-dns-bind at isc.org
>> >>Subject: Re: Sub-domain delegation for BIND 9.2.3
>> >>Date: Thu, 2 Sep 2004 16:52:18 +0000 (UTC)
>> >>
>> >>Apache Apache <apacheusr at hotmail.com> wrote:
>> >> > I have a server (ie. serverA) running BIND 9.2.3 and is a master DNS for
>> >> > parent domain company.abc.com. Users are pointing to this server for name
>> >> > resolution.
>> >>
>> >> > I have another server (ie. serverB using F5 DNS) and I would like this
>> >> > server to serve the domain xyz.company.abc.com.
>> >>
>> >> > What are the changes required on my named.conf and db.company.abc.com for
>> >> > serverA in order for users to be able to resolve
>> >> > host.xyz.company.abc.com???
>> >>
>> >>A proper delegation. ( a couple of NS records in xyz.company.abc.com. )
>> >>
>> >> > Thank you.
>> >>
>> >>
>> >>
>> >>
>> >>--
>> >>Peter Håkanson
>> >> IPSec Sverige ( At Gothenburg Riverside )
>> >> Sorry about my e-mail address, but i'm trying to keep spam out,
>> >> remove "icke-reklam" if you feel for mailing me. Thanx.
>> >>
>>
>>
>>Proper delegation is to add 'NS' records where the LHS is the subdomain name
>>and the RHS is the FQDN of the nameserver(s) configured as servers for the
>>zone.
>>
>>nslookup is a tool that is broken in most hands. The symptoms you tell
>>about might be problems with nslookup.
>>
>>Why don't you publish the name of the zone, the contents (at least the
>>relevant parts) of the zonefile(s) and configfiles? That way we don't
>>have to guess.
>>
>>
>>--
>>Peter Håkanson
>> IPSec Sverige ( At Gothenburg Riverside )
>> Sorry about my e-mail address, but i'm trying to keep spam out,
>> remove "icke-reklam" if you feel for mailing me. Thanx.
>>
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
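Peter's advice boils down to NS records in the parent zone owned by the child name, plus glue A records for nameservers that live inside the delegated zone. As an added example (not from the thread or from BIND), the Python checker below reads a constructed parent zone modelled on the posted db.company.abc.com and reports the delegation for xyz.company.abc.com: the NS targets, any in-bailiwick target without glue, and any owner that silently had the origin appended because it lacks a trailing dot (as `intranet.company.abc.com` does in the posted file). Function names and the sample zone are my own.

```python
import re

# Constructed parent zone modelled on the posted db.company.abc.com (not the poster's
# file verbatim); comments use ';', the master-file comment character.
PARENT_ZONE = """\
$TTL 1h
@ 4h IN SOA pridns.company.def.com. postmaster.company.def.com. (
        200105171 28800 7200 604800 86400 )  ; serial refresh retry expire minimum
        IN NS pridns.company.def.com.
pridns.company.def.com.     IN A  130.1.2.3
xyz.company.abc.com.        IN NS pridns.xyz.company.abc.com.   ; delegation
pridns.xyz.company.abc.com. IN A  172.7.8.9                      ; glue
intranet.company.abc.com    IN A  130.1.2.10   ; no trailing dot: relative to origin
"""

def parse_records(zone_text, origin):
    """Return (owner, type, rdata) triples from master-file text rooted at `origin`."""
    records, owner, buf, has_owner = [], origin, "", True
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # strip ';' comments
        if not line.strip() or line.startswith("$"):
            continue                            # blank line or $TTL/$ORIGIN directive
        if not buf:
            has_owner = not line[0].isspace()   # leading blank = inherit previous owner
        buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue                            # inside a multi-line record (the SOA)
        tokens, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if has_owner:
            name = tokens.pop(0)                # '@' is the origin; no trailing dot = relative
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while tokens[0].upper() == "IN" or re.fullmatch(r"\d+[smhdw]?", tokens[0], re.I):
            tokens.pop(0)                       # skip optional class and TTL fields
        records.append((owner, tokens[0].upper(), " ".join(tokens[1:])))
    return records

def check_delegation(zone_text, origin, child):
    """Delegation of `child` as the parent publishes it: NS targets, missing glue, relative owners."""
    records = parse_records(zone_text, origin)
    a_owners = {o for o, t, _ in records if t == "A"}
    report = {"ns": [], "missing_glue": [], "relative_owner": []}
    for owner, rtype, rdata in records:
        if rtype == "NS" and owner == child:
            report["ns"].append(rdata)
            if rdata.endswith("." + child) and rdata not in a_owners:
                report["missing_glue"].append(rdata)  # resolvers could never reach it
    label = origin.rstrip(".")
    report["relative_owner"] = sorted({o for o, _, _ in records if o.count(label) > 1})
    return report
```

Run it on a real parent zone file after `named-checkzone` passes to confirm the delegation and glue are actually present rather than trusting nslookup output.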