Forwarding and sub-zones servers !

Kevin Darcy kcd at chrysler.com
Thu Jun 26 03:02:14 UTC 2008


Yes, the important piece of the puzzle here is that a forwarder must 
*always* honor recursion for the clients/queries that are desired to be 
forwarded. Otherwise a referral gets returned to the client, whenever 
the answer doesn't happen to be in cache, and that's basically a wasted 
query/response transaction. Recursion and forwarding go hand in hand; 
they're practically synonymous. So, if you have recursion turned off 
globally on your "root" servers (as would be typical for a "root" 
server), via "recursion no", to make this forwarding-to-root-servers 
work you're going to have to re-do your config somewhat to open 
recursion up selectively.

Having said all of that, though, please re-consider your architecture. 
Forwarding is a necessary evil in some circumstances: usually, to deal 
with connectivity issues. But *multi-level* forwarding is a whole other 
level of ugliness. More latency, worse scaling, potentially more points 
of potential failure. If you can continue with your distributed BIND 
instances querying the remote nameservers of your business partner 
*directly*, I would recommend sticking with that, unless you have other 
considerations (e.g. security/auditing, inter-company politics, 
bandwidth issues) which preclude it.

Depending on the structure of the sessions.rservices.com domain and your 
connectivity/bandwidth to the nameservers of any and/or all (sub)zones 
contained within it, you may also want to consider "slave" or "stub" as 
alternatives to forwarding.

                                                                         
                                          - Kevin

P.S. A conceptual note: the fact that your distributed BIND instances 
happen to also be authoritative for subdomains of your main domain 
(aa.toto.com etc.), really has nothing whatsoever to do with their 
function as *resolvers* of names in the session.rservices.com domain. 
It's usually best to separate these functions -- authoritative 
nameservice versus resolver -- mentally, since they often have different 
architectural considerations, even though the same functions may 
co-exist within the same BIND instance running on the same box.

Dawn Connelly wrote:
> So you want your other DNS servers to point to your ROOT servers for the
> sessions.rservices.com zone but not for all other zones? You can set a
> forwarder on them to your server...assuming your root server(s) will do
> recursive queries for your other servers. If it has recursion disabled, then
> they will just hand back a referral.
> section of named.conf on non-root boxes
> zone "session.rservices.com"    { type forward; forward only;
> forwarders { <IP_of_ROOT_1>; <IP_of_ROOT_2>; }; };
>
> On Tue, Jun 24, 2008 at 2:21 PM, Richard Migneron <richard at migneron.com>
> wrote:
>
>> Hi,
>>
>> We have internal DNS master servers of zone "toto.com" (example) which
>> are also ROOT servers, they don't see Internet.
>>
>> These servers also forward requests to external (suppliers) DNS servers.
>>
>> zone "session.rservices.com"    { type forward; forward only;
>> forwarders { 155.195.48.4; }; };
>>
>> Now, we also have sub-zone delegation for aa.toto.com (and
>> bb.toto.com, etc) to other DNS servers internally, that know of our
>> ROOT servers.  They have the same forward in their named.conf, of
>> course it works.
>>
>> How do I keep the forward only on the ROOT servers, and make the other
>> DNS servers forward the request to them for it ??
>>
>> We have servers with versions 9.2.4, 9.3.1, 9.4.1 and 9.4.2.  On the
>> masters we are in 9.4.1.
>>
>> Thanks,
>>
>> R.
>> _________________
>> Richard Migneron
>> iChat ID: rmigneron at mac.com
>> "It doesn't work, because the buttons & controls can't change !",
>> Steve Jobs, MacWorld 2007 Keynote
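The selective-recursion arrangement Kevin describes above, written out as an added example; this is not configuration from the original thread. The zone names and the supplier address 155.195.48.4 come from the thread; the ACL ranges, the root-server addresses, the zone file names and the directory are assumptions and have to be replaced with the real values. The first part is for the internal "root"/master servers, the second for the sub-zone servers (aa.toto.com, bb.toto.com, ...) that forward to them:

```conf
// ---- named.conf on the internal "root" servers (added example, assumed values) ----

// Query-source addresses of the internal sub-zone servers.  Assumed ranges:
// list the addresses those servers actually send queries from.
acl internal-resolvers {
    10.1.0.0/16;
    10.2.0.0/16;
    127.0.0.1;
};

options {
    directory "/var/named";          // assumed
    // A forward zone only works for clients named is willing to recurse for,
    // so recursion must be switched on...
    recursion yes;
    // ...but only for the internal servers that forward to us.  Every other
    // client is still limited to authoritative answers and referrals.
    allow-recursion { internal-resolvers; };
    allow-query { any; };
};

// Internal root zone: these servers never see the Internet.
zone "." {
    type master;
    file "db.root.internal";         // assumed file name
};

zone "toto.com" {
    type master;
    file "db.toto.com";              // assumed file name
};

// Partner zone, reachable only through the supplier's nameserver (from the thread).
// "forward only" means there is no fallback to iteration when 155.195.48.4 is
// unreachable: the query simply fails.
zone "session.rservices.com" {
    type forward;
    forward only;
    forwarders { 155.195.48.4; };
};

// Alternative Kevin mentions: a stub zone fetches only the NS records (and glue)
// from the partner and then queries the partner's nameservers directly, which
// needs direct connectivity to them.  Use instead of the forward zone above.
// zone "session.rservices.com" {
//     type stub;
//     masters { 155.195.48.4; };
//     file "stub.session.rservices.com";   // assumed file name
// };

// ---- named.conf on the internal sub-zone servers (e.g. the aa.toto.com master) ----

// Dawn's stanza: hand session.rservices.com queries to the root servers, which
// now recurse (and forward onward) for us.  Addresses are assumed placeholders
// for <IP_of_ROOT_1> and <IP_of_ROOT_2>; they must be inside the ACL above.
zone "session.rservices.com" {
    type forward;
    forward only;
    forwarders { 10.1.0.53; 10.2.0.53; };
};
```

Run named-checkconf on both files before reloading. To confirm the root servers really recurse for the sub-zone servers, query one of them from a sub-zone server with dig (e.g. `dig @10.1.0.53 session.rservices.com. SOA`): the response header should carry the ra flag and the answer or NXDOMAIN from the partner, not a bare referral in the AUTHORITY section. The same query from an address outside the ACL should come back without ra, which is the behaviour Kevin describes for a forwarder that is not allowed to recurse.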



More information about the bind-users mailing list