Forwarding problem; Forward Last?
Mark Andrews
Mark_Andrews at isc.org
Fri Feb 8 11:58:26 UTC 2008
> Right again, damn.
> My second set of tests suffered a misconfiguration of my zonefile.
>
> I really don't see, however, what the subtle difference is between
> forwarding first and disabling forwarding altogether for that zone when
> it comes to subzone nameservers lookup.
> If I understand correctly, the query should forward first, receive no
> answers, then look up its own zone file for a matching NS record, then ask
> that server...
NXDOMAIN *is* an answer. It's a negative answer.
SERVFAIL/timeout is not an answer.
> And the answer is nowhere to be seen, but in the mouths of "those who
> know" it seems.
>
> bind-users-bounce at isc.org wrote on 08/02/2008 11:20:08:
>
> >
> > > You are right, I didn't apply it to the zone you specified;
> > > I first disabled forwarding in the ad.sub.company.com zone by setting
> > > forwarders to an empty list, which did not work.
> > >
> > > > I then did the same with the sub.company.com zone, as you specified. I
> > > > can't get it to work either...
> > > >
> > > > As for made up names, there are rather strong confidentiality issues with
> > > > my company. Let me put here a translation of my configuration files:
> > > >
> > > >
> > > > /* named.conf */
> > > >
> > > > forwarders { 10.0.0.1; 10.0.0.2; };
> > > >
> > > > zone sub.company.com {
> > > >     type master;
> > > >     forwarders { }; #because you asked it
> > > >     file "master/myzonefile";
> > > > };
> >
> > Which will work. Your testing methods must be flawed or there
> > is something else you are not telling us.
> >
> > Mark
> >
> > > > # note that the ad.sub.company.com isn't defined as such. I defined it to
> > > > put the empty forwarder list when I read your above mail.
> > >
> > > /* myzonefile */
> > > /* skipping SOA block */
> > >
> > > ad.sub.company.com. IN NS ns1.ad.sub.company.com.
> > > ns1.ad.sub.company.com. IN A 192.168.0.1
> > >
> > >
> > > > This setup seems, as far as literature goes, a state of the art setup for
> > > > delegation of a zone.
> > > > And btw yes I am probably "not applying [something] correctly". I have
> > > > read through many mailing lists, docs, books and couldn't find an answer,
> > > > hence why I am posting here.
> > >
> > > bind-users-bounce at isc.org wrote on 07/02/2008 23:03:01:
> > >
> > > >
> > > > > > I was pretty sure I tested that, but I double checked anyway.
> > > > > > It doesn't work; Or at least, it forces me to define the zone as a slave
> > > > > > (or forward only) zone in named.conf, which is not the solution I
> > > > > > envisioned.
> > > > > > I just want to define a NS record and the corresponding A record for
> > > > > > delegation, which works well as long as I can't forward to my main
> > > > > > forwarders.
> > > >
> > > > It does work. You are just not applying it correctly.
> > > > Please look at the example below and apply it to the
> > > > > corresponding zone in your hierarchy.
> > > >
> > > > This is a perfect example of why one should not hide zone
> > > > names etc. when asking for help. It makes it hard to
> > > > do the examples when one is using made up names.
> > > >
> > > > Mark
> > > >
> > > > > bind-users-bounce at isc.org wrote on 07/02/2008 14:09:38:
> > > > >
> > > > > >
> > > > > > > > Hi,
> > > > > > > > (needless to say I have been looking for the answer for days before
> > > > > > > > posting here).
> > > > > > > >
> > > > > > > > I am in the process of replacing Novell Netware's repackaged Bind by a
> > > > > > > > standard Linux Bind build.
> > > > > > > > My setup is quite simple :
> > > > > > > >
> > > > > > > > Bind is authoritative for sub.company.com. It uses 2 company.com
> > > > > > > > forwarders (which doesn't know anything about our zone and/or network
> > > > > > > > apart from a couple A records it holds for external sub.company.com
> > > > > > > > access. That's stupid but that's how they do.)
> > > > > > > > There is an active directory, which is named -you guessed it already-
> > > > > > > > ad.sub.company.com. Bind is not a slave for that zone, it just holds a NS
> > > > > > > > and its glue record, as follows
> > > > > > > > ad NS ns.ad.sub.company.com.
> > > > > > > > ns.ad.sub.company.com. A 192.168.0.1
> > > > > > > >
> > > > > > > > My problem is the following: when my forwarders are down or undefined and
> > > > > > > > I query Bind for a record in ad.company.com, it asks ns.ad.sub.company.com
> > > > > > > > and answer with the right answer. (read : if the forwarders are defined
> > > > > > > > but not reachable for some reasons, like FW blocking access, the cascading
> > > > > > > > works).
> > > > > > > > However when Bind can reach the forwarders, it just asks them for records
> > > > > > > > in ad domain; they answer with a no such domain and resolution stops
> > > > > > > > there.
> > > > > > > >
> > > > > > > > Reading Bind's documentation (and O'reilly's book, 5th edition) I am not
> > > > > > > > missing anything obvious about delegation. It might have to do with my
> > > > > > > > forwarder being unaware of my setup but I don't see quite how (and I can't
> > > > > > > > do anything about it).
> > > > > > > > I have not tried to make bind a slave for the AD zone. I would like the
> > > > > > > > above setup to work before trying other setups.
> > > > > > > >
> > > > > > > > Any help would be appreciated,
> > > > > >
> > > > > > turn forwarding off for the sub zone.
> > > > > >
> > > > > > > zone sub.company.com {
> > > > > > >     ....
> > > > > > >     forwarders { /* empty */ };
> > > > > > > };
> > > > > > >
> > > > > > >
> > > > > > --
> > > > > > Mark Andrews, ISC
> > > > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > > > > > PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > --
> > > > Mark Andrews, ISC
> > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > > PHONE: +61 2 9871 4742 INTERNET:
> Mark_Andrews at isc.org
> > > >
> > > >
> > >
> > > --=_alternative 0035C92DC12573E9_=
> > > Content-Type: text/html; charset="US-ASCII"
> > >
> > >
> > > <br><font size=2 face="sans-serif">You are right, I didn't apply it to
> > > the zone you specified;</font>
> > > <br><font size=2 face="sans-serif">I first disabled forwarding in
> > the ad.sub.
> > > company.com
> > > zone by setting forwarders to an empty list, which did not
> work.</font>
> > > <br>
> > > <br><font size=2 face="sans-serif">I then did the same with the
> > sub.company.c
> > > om
> > > zone, as you specified. I can't get it to work neither...</font>
> > > <br>
> > > <br><font size=2 face="sans-serif">As for made up names, there are
> rather
> > > strong confidentiality issues with my company. Let me put here a
> translation
> > > of my configurations files :</font>
> > > <br>
> > > <br>
> > > <br><font size=2 face="sans-serif">/* named.conf */</font>
> > > <br>
> > > <br><font size=2 face="sans-serif">forwarders { 10.0.0.1; 10.0.0.
> > 2; };</font>
> > > <br>
> > > <br><font size=2 face="sans-serif">zone sub.company.com {</font>
> > > <br><font size=2 face="sans-serif"> type
> > > master;</font>
> > > <br><font size=2 face="sans-serif">
> forwarders
> > > { }; #because you asked it</font>
> > > <br><font size=2 face="sans-serif"> file
> > > "master/myzonefile";</font>
> > > <br><font size=2 face="sans-serif">};</font>
> > > <br>
> > > <br><font size=2 face="sans-serif"># note that the ad.sub.company.com
> isn't
> > > defined as such. I defined it to put the empty forwarder list when I
> read
> > > your above mail.</font>
> > > <br>
> > > <br><font size=2 face="sans-serif">/* myzonefile */</font>
> > > <br><font size=2 face="sans-serif">/* skipping SOA block */</font>
> > > <br>
> > > <br><font size=2 face="sans-serif">ad.sub.company.com.
>
> > > IN NS ns1.ad.sub.company.com.</font>
> > > <br><font size=2 face="sans-serif">ns1.ad.sub.company.com.
>
> > > IN A 192.168.0.1</font>
> > > <br>
> > > <br>
> > > <br><font size=2 face="sans-serif">This setup seems, as far as
> literature
> > > goes, a state of the art setup for delegation of a zone.</font>
> > > <br><font size=2 face="sans-serif">And btw yes I am probably "not
> > > applying [something] correctly". I have read through many mailing
> > > list, docs, books and couldn't find an answer, hence why I am
> > posting her.</f
> > > ont>
> > > <br>
> > > <br><tt><font size=2>bind-users-bounce at isc.org wrote on
> 07/02/200823:03:01:<
> > > br>
> > <br>
> > > > <br>
> > > > > I was pretty sure I tested that, but I double checked
> anyway.<br>
> > > > > It doesn't work; Or at least, it forces me to define the
> zone
> > > as a slave <br>
> > > > > (or forward only) zone in named.conf, wich is not the
> solution
> > > I <br>
> > > > > envisioned.<br>
> > > > > I just want to define a NS record and the corresponding A
> record
> > > for <br>
> > > > > delegation, wich works well as long as I can't forward to my
> > > main <br>
> > > > > forwarders.<br>
> > > > <br>
> > > > It does work. You are just not applying
> itcorrectly.
> > > <br>
> > > > Please look at the example below and apply it to
> the<br>
> > > > corresponding zone in you heirachy.<br>
> > > > <br>
> > > > This is a perfect example of why one should not hide
> > > zone<br>
> > > > names etc. when asking for help. It makes it
> hard
> > > to<br>
> > > > do the examples when one is using made up names.<br>
> > > > <br>
> > > > Mark<br>
> > > > <br>
> > > > > bind-users-bounce at isc.org wrote on 07/02/2008 14:09:38:<br>
> > > > > <br>
> > > > > > <br>
> > > > > > > Hi,<br>
> > > > > > > (needless to say I have been looking for the
> answer
> > > for days before <br>
> > > > > > > posting here).<br>
> > > > > > > <br>
> > > > > > > I am in the process of replacing Novell
> > Netware's repacka
> > > ged
> > > Bind by a <br>
> > > > > <br>
> > > > > > > standard Linux Bind build.<br>
> > > > > > > My setup is quite simple :<br>
> > > > > > > <br>
> > > > > > > Bind is authoritative for sub.company.com. It uses
> > > 2 company.com <br>
> > > > > > > forwarders (which doesn't know anything about our
> zone
> > > and/or network <br>
> > > > > > > apart from a couple A records it holds for
> external
> > > sub.company.com <br>
> > > > > > > access. That's stupid but that's how they do.)<br>
> > > > > > > There is an active directory, which is named -
> > you guessed
> > > it allready- <br>
> > > > > <br>
> > > > > > > ad.sub.company.com. Bind is not a slave for that
> zone,
> > > it just holds a <br>
> > > > > NS <br>
> > > > > > > and it's glue record, as follow<br>
> > > > > > > ad NS
> > ns.ad.sub.c
> > > ompany.com.<br>
> > > > > > > ns.ad.sub.company.com. A
>
> > > 192.168.0.1<br>
> > > > > > > <br>
> > > > > > > My problem is the following: when my forwarders
> are
> > > down or undefined <br>
> > > > > and <br>
> > > > > > > I query Bind for a record in ad.company.com, it
> asks
> > > <br>
> > > > > ns.ad.sub.company.com <br>
> > > > > > > and answer with the right answer. (read : if
> > the forwarde
> > > rs
> > > are <br>
> > > > > defined <br>
> > > > > > > but not reachable for some reasons, like FW
> blocking
> > > access, the <br>
> > > > > cascading <br>
> > > > > > > works).<br>
> > > > > > > However when Bind can reach the forwarders, it
> just
> > > asks them for <br>
> > > > > records <br>
> > > > > > > in ad domain; they answer with a no such domain
> and
> > > resolution stops <br>
> > > > > > > there.<br>
> > > > > > > <br>
> > > > > > > Reading Bind's documentation (and O'reilly's book,
> > > 5th edition) I am <br>
> > > > > not <br>
> > > > > > > missing anything obvious about delegation. It
> might
> > > have to do with my <br>
> > > > > <br>
> > > > > > > forwarder being unaware of my setup but I don't
> see
> > > quite how (and I <br>
> > > > > can't <br>
> > > > > > > do anything about it).<br>
> > > > > > > I have not tried to make bind a slave for the AD
> zone.
> > > I would like <br>
> > > > > the <br>
> > > > > > > above setup to work before trying other
> setups.<br>
> > > > > > <br>
> > > > > > > Any help would be apreciated,<br>
> > > > > > <br>
> > > > > > turn forwarding off for the sub zone.<br>
> > > > > > <br>
> > > > > > zone sub.company.com {<br>
> > > > > > ....<br>
> > > > > > forwarders { /* empty */ };<br>
> > > > > > };<br>
> > > > > > > <br>
> > > > > > > <br>
> > > > > > -- <br>
> > > > > > Mark Andrews, ISC<br>
> > > > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
> > > > > > PHONE: +61 2 9871 4742
>
> > > INTERNET: Mark_Andrews at isc.org<br>
> > > > > > <br>
> > > > > > <br>
> > > > > <br>
> > > > > <br>
> > > > > <br>
> > > > -- <br>
> > > > Mark Andrews, ISC<br>
> > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
> > > > PHONE: +61 2 9871 4742
>
> > > INTERNET: Mark_Andrews at isc.org<br>
> > > > <br>
> > > > <br>
> > > </font></tt>
> > > --=_alternative 0035C92DC12573E9_=--
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
> >
> >
>
> --=_alternative 003AEE4DC12573E9_=
> Content-Type: text/html; charset="US-ASCII"
>
>
> <br><font size=2 face="sans-serif">Right again, damn.</font>
> <br><font size=2 face="sans-serif">My second set of test suffered a misconfiguration
> of my zonefile.</font>
> <br>
> <br><font size=2 face="sans-serif">I really don't see, however, what the
> subtle difference is between forwarding first and disabling forwarding
> alltogether for that zone when it comes to subzone nameservers lookup.</font>
> <br><font size=2 face="sans-serif">If I understand correctly, the query
> should forward first, recieve no answers, then lookup it's own zone file
> for a matching NS record, then ask that server...</font>
> <br>
> <br><font size=2 face="sans-serif">And the answer is nowhere to be seen,
> but in the mouths of "those who know" it seems.</font>
> <br>
> <br><tt><font size=2>bind-users-bounce at isc.org wrote on 08/02/2008 11:20:08:<br>
> <br>
> > <br>
> > > You are right, I didn't apply it to the zone you specified;<br>
> > > I first disabled forwarding in the ad.sub.company.com zone by
> setting <br>
> > > forwarders to an empty list, which did not work.<br>
> > > <br>
> > > I then did the same with the sub.company.com zone, as you specified.
> I <br>
> > > can't get it to work neither...<br>
> > > <br>
> > > As for made up names, there are rather strong confidentiality
> issues with <br>
> > > my company. Let me put here a translation of my configurations
> files :<br>
> > > <br>
> > > <br>
> > > /* named.conf */<br>
> > > <br>
> > > forwarders { 10.0.0.1; 10.0.0.2; };<br>
> > > <br>
> > > zone sub.company.com {<br>
> > > type master;<br>
> > > forwarders { }; #because you asked
> it<br>
> > > file "master/myzonefile";<br>
> > > };<br>
> > <br>
> > Which will work. Your testing methods must be flawed
> or there<br>
> > is something else you are not telling us.<br>
> > <br>
> > Mark<br>
> > <br>
> > > # note that the ad.sub.company.com isn't defined as such. I defined
> it to <br>
> > > put the empty forwarder list when I read your above mail.<br>
> > > <br>
> > > /* myzonefile */<br>
> > > /* skipping SOA block */<br>
> > > <br>
> > > ad.sub.company.com. IN NS ns1.ad.sub.company.com.<br>
> > > ns1.ad.sub.company.com. IN A 192.168.0.1<br>
> > > <br>
> > > <br>
> > > This setup seems, as far as literature goes, a state of the art
> setup for <br>
> > > delegation of a zone.<br>
> > > And btw yes I am probably "not applying [something] correctly".
> I have <br>
> > > read through many mailing list, docs, books and couldn't find
> an answer, <br>
> > > hence why I am posting her.<br>
> > > <br>
> > > bind-users-bounce at isc.org wrote on 07/02/2008 23:03:01:<br>
> > > <br>
> > > > <br>
> > > > > I was pretty sure I tested that, but I double checked
> anyway.<br>
> > > > > It doesn't work; Or at least, it forces me to define
> the zone as a <br>
> > > slave <br>
> > > > > (or forward only) zone in named.conf, wich is not the
> solution I <br>
> > > > > envisioned.<br>
> > > > > I just want to define a NS record and the corresponding
> A record for <br>
> > > > > delegation, wich works well as long as I can't forward
> to my main <br>
> > > > > forwarders.<br>
> > > > <br>
> > > > It does work. You are just not applying
> it correctly.<br>
> > > > Please look at the example below and apply
> it to the<br>
> > > > corresponding zone in you heirachy.<br>
> > > > <br>
> > > > This is a perfect example of why one should
> not hide zone<br>
> > > > names etc. when asking for help. It makes
> it hard to<br>
> > > > do the examples when one is using made up names.<br>
> > > > <br>
> > > > Mark<br>
> > > > <br>
> > > > > bind-users-bounce at isc.org wrote on 07/02/2008 14:09:38:<br>
> > > > > <br>
> > > > > > <br>
> > > > > > > Hi,<br>
> > > > > > > (needless to say I have been looking for
> the answer for days <br>
> > > before <br>
> > > > > > > posting here).<br>
> > > > > > > <br>
> > > > > > > I am in the process of replacing Novell Netware's
> repackaged Bind <br>
> > > by a <br>
> > > > > <br>
> > > > > > > standard Linux Bind build.<br>
> > > > > > > My setup is quite simple :<br>
> > > > > > > <br>
> > > > > > > Bind is authoritative for sub.company.com.
> It uses 2 company.com <br>
> > > > > > > forwarders (which doesn't know anything about
> our zone and/or <br>
> > > network <br>
> > > > > > > apart from a couple A records it holds for
> external <br>
> > > sub.company.com <br>
> > > > > > > access. That's stupid but that's how they
> do.)<br>
> > > > > > > There is an active directory, which is named
> -you guessed it <br>
> > > allready- <br>
> > > > > <br>
> > > > > > > ad.sub.company.com. Bind is not a slave for
> that zone, it just <br>
> > > holds a <br>
> > > > > NS <br>
> > > > > > > and it's glue record, as follow<br>
> > > > > > > ad NS ns.ad.sub.compan
> y.com.<br>
> > > > > > > ns.ad.sub.company.com. A
> 192.168.0.1<br>
> > > > > > > <br>
> > > > > > > My problem is the following: when my forwarders
> are down or <br>
> > > undefined <br>
> > > > > and <br>
> > > > > > > I query Bind for a record in ad.company.com,
> it asks <br>
> > > > > ns.ad.sub.company.com <br>
> > > > > > > and answer with the right answer. (read :
> if the forwarders are <br>
> > > > > defined <br>
> > > > > > > but not reachable for some reasons, like
> FW blocking access, the <br>
> > > > > cascading <br>
> > > > > > > works).<br>
> > > > > > > However when Bind can reach the forwarders,
> it just asks them for <br>
> > > > > records <br>
> > > > > > > in ad domain; they answer with a no such
> domain and resolution <br>
> > > stops <br>
> > > > > > > there.<br>
> > > > > > > <br>
> > > > > > > Reading Bind's documentation (and O'reilly's
> book, 5th edition) I <br>
> > > am <br>
> > > > > not <br>
> > > > > > > missing anything obvious about delegation.
> It might have to do <br>
> > > with my <br>
> > > > > <br>
> > > > > > > forwarder being unaware of my setup but I
> don't see quite how (and <br>
> > > I <br>
> > > > > can't <br>
> > > > > > > do anything about it).<br>
> > > > > > > I have not tried to make bind a slave for
> the AD zone. I would <br>
> > > like <br>
> > > > > the <br>
> > > > > > > above setup to work before trying other setups.<br>
> > > > > > > <br>
> > > > > > > Any help would be apreciated,<br>
> > > > > > <br>
> > > > > > turn forwarding off for the sub zone.<br>
> > > > > > <br>
> > > > > > zone sub.company.com {<br>
> > > > > > ....<br>
> > > > > > forwarders { /* empty */
> };<br>
> > > > > > };<br>
> > > > > > > <br>
> > > > > > > <br>
> > > > > > -- <br>
> > > > > > Mark Andrews, ISC<br>
> > > > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
> > > > > > PHONE: +61 2 9871 4742
> INTERNET: <br>
> > > Mark_Andrews at isc.org<br>
> > > > > > <br>
> > > > > > <br>
> > > > > <br>
> > > > > <br>
> > > > > <br>
> > > > -- <br>
> > > > Mark Andrews, ISC<br>
> > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
> > > > PHONE: +61 2 9871 4742
> INTERNET: Mark_Andrews at isc.org<br>
> > > > <br>
> > > > <br>
> > > <br>
> > > --=_alternative 0035C92DC12573E9_=<br>
> > > Content-Type: text/html; charset="US-ASCII"<br>
> > > <br>
> > > <br>
> > > <br><font size=2 face="sans-serif">You
> are right, I didn't apply it to<br>
> > > the zone you specified;</font><br>
> > > <br><font size=2 face="sans-serif">I first
> disabled forwarding in <br>
> > the ad.sub.<br>
> > > company.com<br>
> > > zone by setting forwarders to an empty list, which did not work.</font><br>
> > > <br><br>
> > > <br><font size=2 face="sans-serif">I then
> did the same with the <br>
> > sub.company.c<br>
> > > om<br>
> > > zone, as you specified. I can't get it to work neither...</font><br>
> > > <br><br>
> > > <br><font size=2 face="sans-serif">As for
> made up names, there are rather<br>
> > > strong confidentiality issues with my company. Let me put here
> a translation<br>
> > > of my configurations files :</font><br>
> > > <br><br>
> > > <br><br>
> > > <br><font size=2 face="sans-serif">/* named.conf
> */</font><br>
> > > <br><br>
> > > <br><font size=2 face="sans-serif">forwarders
> { 10.0.0.1; 10.0.0.<br>
> > 2; };</font><br>
> > > <br><br>
> > > <br><font size=2 face="sans-serif">zone
> sub.company.com {</font><br>
> > > <br><font size=2 face="sans-serif">
> type<br>
> > > master;</font><br>
> > > <br><font size=2 face="sans-serif">
> forwarders<br>
> > > { }; #because you asked it</font><br>
> > > <br><font size=2 face="sans-serif">
> file<br>
> > > "master/myzonefile";</font><br>
> > > <br><font size=2 face="sans-serif">};</font><br>
> > > <br><br>
> > > <br><font size=2 face="sans-serif"># note
> that the ad.sub.company.com isn't<br>
> > > defined as such. I defined it to put the empty forwarder list
> when I read<br>
> > > your above mail.</font><br>
> > > <br><br>
> > > <br><font size=2 face="sans-serif">/* myzonefile
> */</font><br>
> > > <br><font size=2 face="sans-serif">/* skipping
> SOA block */</font><br>
> > > <br><br>
> > > <br><font size=2 face="sans-serif">ad.sub.company.com.
> <br>
> > > IN NS ns1.ad.sub.company.com.
> </font><br>
> > > <br><font size=2 face="sans-serif">ns1.ad.sub.company.com.
> <br>
> > > IN A 192.168.0.1</font><br>
> > > <br><br>
> > > <br><br>
> > > <br><font size=2 face="sans-serif">This
> setup seems, as far as literature<br>
> > > goes, a state of the art setup for delegation of a zone.</font><br>
> > > <br><font size=2 face="sans-serif">And
> btw yes I am probably "not<br>
> > > applying [something] correctly". I have read through
> many mailing<br>
> > > list, docs, books and couldn't find an answer, hence why I am
> <br>
> > posting her.</f<br>
> > > ont><br>
> > > <br><br>
> > > <br><tt><font size=2>bind-users-bounce at isc.org
> wrote on 07/02/200823:03:01:<<br>
> > > br><br>
> > > <br><br>
> > > > <br><br>
> > > > > I was pretty sure I tested that, but I double
> checked anyway.<br><br>
> > > > > It doesn't work; Or at least, it forces me
> to define the zone<br>
> > > as a slave <br><br>
> > > > > (or forward only) zone in named.conf, wich
> is not the solution<br>
> > > I <br><br>
> > > > > envisioned.<br><br>
> > > > > I just want to define a NS record and the corresponding
> A record<br>
> > > for <br><br>
> > > > > delegation, wich works well as long as I can't
> forward to my<br>
> > > main <br><br>
> > > > > forwarders.<br><br>
> > > > <br><br>
> > > > It does work. You are
> just not applying itcorrectly.<br>
> > > <br><br>
> > > > Please look at the example below
> and apply it to the<br><br>
> > > > corresponding zone in you heirachy.<br><br>
> > > > <br><br>
> > > > This is a perfect example of why
> one should not hide<br>
> > > zone<br><br>
> > > > names etc. when asking for help.
> It makes it hard<br>
> > > to<br><br>
> > > > do the examples when one is using
> made up names.<br><br>
> > > > <br><br>
> > > > Mark<br><br>
> > > > <br><br>
> > > > > bind-users-bounce at isc.org wrote on 07/02/2008
> 14:09:38:<br><br>
> > > > > <br><br>
> > > > > > <br><br>
> > > > > > > Hi,<br><br>
> > > > > > > (needless to say I have been
> looking for the answer<br>
> > > for days before <br><br>
> > > > > > > posting here).<br><br>
> > > > > > > <br><br>
> > > > > > > I am in the process of replacing
> Novell <br>
> > Netware's repacka<br>
> > > ged<br>
> > > Bind by a <br><br>
> > > > > <br><br>
> > > > > > > standard Linux Bind build.<br><br>
> > > > > > > My setup is quite simple
> :<br><br>
> > > > > > > <br><br>
> > > > > > > Bind is authoritative for
> sub.company.com. It uses<br>
> > > 2 company.com <br><br>
> > > > > > > forwarders (which doesn't
> know anything about our zone<br>
> > > and/or network <br><br>
> > > > > > > apart from a couple A records
> it holds for external<br>
> > > sub.company.com <br><br>
> > > > > > > access. That's stupid but
> that's how they do.)<br><br>
> > > > > > > There is an active directory,
> which is named -<br>
> > you guessed<br>
> > > it allready- <br><br>
> > > > > <br><br>
> > > > > > > ad.sub.company.com. Bind
> is not a slave for that zone,<br>
> > > it just holds a <br><br>
> > > > > NS <br><br>
> > > > > > > and it's glue record, as
> follow<br><br>
> > > > > > > ad
> NS <br>
> > ns.ad.sub.c<br>
> > > ompany.com.<br><br>
> > > > > > > ns.ad.sub.company.com. A
> <br>
> > > 192.168.0.1<br><br>
> > > > > > > <br><br>
> > > > > > > My problem is the following:
> when my forwarders are<br>
> > > down or undefined <br><br>
> > > > > and <br><br>
> > > > > > > I query Bind for a record
> in ad.company.com, it asks<br>
> > > <br><br>
> > > > > ns.ad.sub.company.com <br><br>
> > > > > > > and answer with the right
> answer. (read : if <br>
> > the forwarde<br>
> > > rs<br>
> > > are <br><br>
> > > > > defined <br><br>
> > > > > > > but not reachable for some
> reasons, like FW blocking<br>
> > > access, the <br><br>
> > > > > cascading <br><br>
> > > > > > > works).<br><br>
> > > > > > > However when Bind can reach
> the forwarders, it just<br>
> > > asks them for <br><br>
> > > > > records <br><br>
> > > > > > > in ad domain; they answer
> with a no such domain and<br>
> > > resolution stops <br><br>
> > > > > > > there.<br><br>
> > > > > > > <br><br>
> > > > > > > Reading Bind's documentation
> (and O'reilly's book,<br>
> > > 5th edition) I am <br><br>
> > > > > not <br><br>
> > > > > > > missing anything obvious
> about delegation. It might<br>
> > > have to do with my <br><br>
> > > > > <br><br>
> > > > > > > forwarder being unaware of
> my setup but I don't see<br>
> > > quite how (and I <br><br>
> > > > > can't <br><br>
> > > > > > > do anything about it).<br><br>
> > > > > > > I have not tried to make
> bind a slave for the AD zone.<br>
> > > I would like <br><br>
> > > > > the <br><br>
> > > > > > > above setup to work before
> trying other setups.<br><br>
> > > > > > > <br><br>
> > > > > > > Any help would be apreciated,<br><br>
> > > > > > <br><br>
> > > > > > turn forwarding
> off for the sub zone.<br><br>
> > > > > > <br><br>
> > > > > > zone sub.company.com
> {<br><br>
> > > > > > ....<br><br>
> > > > > > forwarders
> { /* empty */ };<br><br>
> > > > > > };<br><br>
> > > > > > > <br><br>
> > > > > > > <br><br>
> > > > > > -- <br><br>
> > > > > > Mark Andrews, ISC<br><br>
> > > > > > 1 Seymour St., Dundas Valley, NSW
> 2117, Australia<br><br>
> > > > > > PHONE: +61 2 9871 4742
> <br>
> > > INTERNET: Mark_Andrews at isc.org<br><br>
> > > > > > <br><br>
> > > > > > <br><br>
> > > > > <br><br>
> > > > > <br><br>
> > > > > <br><br>
> > > > -- <br><br>
> > > > Mark Andrews, ISC<br><br>
> > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia<br><br>
> > > > PHONE: +61 2 9871 4742
> <br>
> > > INTERNET: Mark_Andrews at isc.org<br><br>
> > > > <br><br>
> > > > <br><br>
> > > </font></tt><br>
> > > --=_alternative 0035C92DC12573E9_=--<br>
> > -- <br>
> > Mark Andrews, ISC<br>
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
> > PHONE: +61 2 9871 4742
> INTERNET: Mark_Andrews at isc.org<br>
> > <br>
> > <br>
> </font></tt>
> --=_alternative 003AEE4DC12573E9_=--
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
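
Added example (not part of the original thread and not BIND source code): a simplified Python model of the decision discussed above, showing why an NXDOMAIN from a forwarder ends resolution under "forward first" while a SERVFAIL or timeout lets named fall back to the delegation, and why an empty `forwarders { };` in the parent zone bypasses the forwarders. The names `Config`, `effective_forwarders`, `resolve` and `scenarios` and the query name `host.ad.sub.company.com` are constructed for illustration, and selecting forwarders by closest enclosing zone is the model's assumption.

```python
"""Simplified model of the forwarding decision discussed in this thread.

Illustration only: this is not BIND source code.
"""
from dataclasses import dataclass, field

ANSWERS = {"NOERROR", "NXDOMAIN"}    # an answer (positive or negative): resolution stops
FAILURES = {"SERVFAIL", "TIMEOUT"}   # not an answer: "forward first" falls through


@dataclass
class Config:
    global_forwarders: list              # forwarders set in the options block
    forward_mode: str = "first"          # "first" or "only"
    # zone name -> forwarders list set inside that zone statement
    zone_forwarders: dict = field(default_factory=dict)


def effective_forwarders(cfg, qname):
    """Return the forwarder list that applies to qname.

    Assumption of this model: the closest enclosing zone that carries its own
    forwarders statement wins; otherwise the global list applies.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in cfg.zone_forwarders:
            return cfg.zone_forwarders[zone]
    return cfg.global_forwarders


def resolve(cfg, qname, forwarder_reply, delegated_ns_reply):
    """Return (rcode, path) where path is "forwarder" or "delegation".

    forwarder_reply is what the forwarders would say if asked;
    delegated_ns_reply is what the delegated name server would say.
    """
    if forwarder_reply not in ANSWERS | FAILURES:
        raise ValueError("unknown forwarder reply: %r" % forwarder_reply)
    if effective_forwarders(cfg, qname):
        if forwarder_reply in ANSWERS:
            # NXDOMAIN is a (negative) answer, so it is returned as-is.
            return forwarder_reply, "forwarder"
        if cfg.forward_mode == "only":
            # No fallback allowed: the failure is final.
            return "SERVFAIL", "forwarder"
    # Forwarding disabled for this name, or "forward first" got no answer:
    # follow the NS record and glue held in the parent zone.
    return delegated_ns_reply, "delegation"


def scenarios():
    """Run the cases from the thread against a constructed query name."""
    qname = "host.ad.sub.company.com."          # constructed sample name
    fwd = ["10.0.0.1", "10.0.0.2"]              # forwarders from the posted config
    original = Config(fwd)
    fixed = Config(fwd, zone_forwarders={"sub.company.com": []})
    only = Config(fwd, forward_mode="only")
    return {
        "first, forwarders say NXDOMAIN": resolve(original, qname, "NXDOMAIN", "NOERROR"),
        "first, forwarders unreachable": resolve(original, qname, "TIMEOUT", "NOERROR"),
        "first, forwarders SERVFAIL": resolve(original, qname, "SERVFAIL", "NOERROR"),
        "only, forwarders unreachable": resolve(only, qname, "TIMEOUT", "NOERROR"),
        "empty forwarders in sub.company.com": resolve(fixed, qname, "NXDOMAIN", "NOERROR"),
    }


if __name__ == "__main__":
    for name, (rcode, path) in scenarios().items():
        print("%-40s -> %-8s via %s" % (name, rcode, path))
```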