Subdomain delegation not working for external view
Kevin Darcy
kcd at chrysler.com
Tue Jul 15 22:59:26 UTC 2008
Tom Mikelson wrote:
> Problem: Delegations of subdomains do not work in the "external" view. They
> do work in the "internal" view. For example, the subdomain "bis.mydomain.edu"
> has been properly delegated to another DNS server in the publicly reachable IP
> address space of mydomain.edu.
> The "internal" clients receive the correct response to a query for
> "some-server.bis.mydomain.edu". The "external" clients receive
> "Can't find some-server.bis.mydomain.edu: No answer". If views are not
> implemented, all clients receive the correct response. I am
> trying to implement views in order to prevent recursion for clients that are
> not part of my domain.
> options
> {
>     version "";
>     notify no;
>     allow-query { any; };
>     listen-on { <public IP address>; };
>     directory "/var/named";
> };
>
> logging
> {
>     channel default_debug {
>         file "data/named.run";
>         severity dynamic;
>     };
> };
>
> view "internal" {
>     match-clients { <IP address range of internal clients>; localnets; };
>     recursion yes;
>     include "/etc/named.rfc1912.zones";
>
>     //
>     // ROOT SERVERS
>     //
>     zone "." IN {
>         type hint;
>         file "named.ca";
>     };
>
>     zone "mydomain.edu" {
>         type slave;
>         file "internal/mydomain.db";
>         masters { <internal DNS server>; };
>         allow-transfer { none; };
>     };
>
>     zone "<reverse zone for mydomain.edu>.in-addr.arpa" {
>         type slave;
>         file "internal/mydomain.rev";
>         masters { <internal DNS server>; };
>         allow-transfer { none; };
>     };
>
> };
>
> view "external" {
>     match-clients { any; };
>     recursion no;
>
>     zone "mydomain.edu" {
>         type slave;
>         file "internal/mydomain.db";
>         masters { <internal DNS server>; };
>         allow-transfer { none; };
>     };
>
>     zone "<reverse zone for mydomain.edu>.in-addr.arpa" {
>         type slave;
>         file "internal/mydomain.rev";
>         masters { <internal DNS server>; };
>         allow-transfer { none; };
>     };
> };
>
Your basic problem here is you're trying to serve stub resolvers from a
view that has recursion turned off -- they get referral responses and
don't know what to do with them (hence the "No answer" error you cite).
If your only requirement is "to prevent recursion for clients that are
not part of my domain", where "domain" is defined by address ranges, I
probably wouldn't use views at all, just use "allow-recursion". With a
sufficiently modern version of BIND, that will, by default, take care of
cache snooping as well, or you can exercise finer-grained control of
that with some combination of allow-recursion/allow-query/allow-query-cache.
- Kevin
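The view-less configuration Kevin describes, written out as an added example (this is not part of either message above and is not the poster's working file). It keeps the poster's placeholders in angle brackets, collapses the two views into one zone set, and replaces "recursion no" in the external view with address-based "allow-recursion"/"allow-query-cache" in options. The "allow-query-cache" statement and its defaulting to "allow-recursion" apply to BIND 9.4 and later; on older releases drop that line.

```conf
// Added example: one zone set, no views. Who may recurse (and read the
// cache) is decided by source address rather than by view.
// <...> placeholders stand for the poster's real addresses and paths.

acl "internal" {
    <IP address range of internal clients>;
    localnets;
};

options {
    version "";
    notify no;
    directory "/var/named";
    listen-on { <public IP address>; };

    // Anyone may query the authoritative zones below ...
    allow-query { any; };

    // ... but only the internal ranges get recursive service. In BIND 9.4+
    // allow-query-cache defaults to the allow-recursion list, which is what
    // closes off cache snooping; it is spelled out here so the intent is
    // visible in the file.
    allow-recursion { internal; };
    allow-query-cache { internal; };
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "mydomain.edu" {
    type slave;
    file "mydomain.db";
    masters { <internal DNS server>; };
    allow-transfer { none; };
};

zone "<reverse zone for mydomain.edu>.in-addr.arpa" {
    type slave;
    file "mydomain.rev";
    masters { <internal DNS server>; };
    allow-transfer { none; };
};
```

With this in place an external client that asks this server directly for "some-server.bis.mydomain.edu" still gets a referral (NS records for bis.mydomain.edu in the AUTHORITY section and no "ra" flag), which is the correct non-recursive behaviour for an authoritative server; any outside recursive resolver follows that referral to the delegated server on its own. A quick check from the outside is `dig +norecurse @<public IP address> some-server.bis.mydomain.edu` and confirming the referral, then `dig +recurse` from an external address and confirming that recursion is refused while the same query from an internal address is answered.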