zone forwarding

Petr Menšík pemensik at redhat.com
Tue Jan 18 10:52:54 UTC 2022


Hi!

On 1/17/22 11:46, ONRUBIA AVILES Carlos (CCS/MST) wrote:
>
> Hello,
>
> Maybe someone can help me with the following problem:
>
> My name server is authoritative for the following domain "toto.be":
>
> zone "toto.be." {
>         type master;
>         file "/etc/masterdns.db";
>
> But I would like that a subdomain "titi.toto.be" is not searched in my
> masterdns.db file but via the normal process via the internet.
>
> I have tried 2 solutions but they do not work:
>
>  1. Adding a forward for this subdomain:
>
> zone "titi.toto.be." {
>         type forward;
>         forwarders {1.2.3.4; 5.6.7.8;};     (ip's from dns cache servers)
>         forward only;
> };
>
>   * Seems not to work.  Not possible to add a subdomain forwarding?
>
>
No, because an authoritative zone knows what is inside the zone and what is
not there. If titi.toto.be is not in the zone, it would respond NXDOMAIN
to any name under it, regardless of the forwarders specified. If the specified
forwarders are authoritative for the titi.toto.be zone, just direct any
server there. Note those cache servers would be contacted by any
recursive servers from the internet; they have to be reachable and allow
queries to that zone from anyone.

>  2. Using directly the cache servers as NS:
>
> Cache.proximus.be.      IN    A     1.2.3.4
> Cache.proximus.be.      IN    A     5.6.7.8
> Titi.toto.be.           IN    NS    cache.proximus.be.
>
>   * Not always working, as if "titi.toto.be" is not at this moment in
>     the cache, the cache will answer SERVFAIL and not do the
>     recursion. (I guess the query via this method is done with flag
>     "Recursion Desired" set to false)
>
> So my question is: Is it possible to configure what I am trying to do?
>
Recursive servers which query your authoritative server want to do the
recursion themselves. They send queries without the recursion ok bit,
meaning they want to speak to an authoritative server only. cache.proximus.be
would have to be authoritative for the titi.toto.be zone and answer everyone
from the internet. It cannot be hidden behind your authoritative server.

The output of "dig @cache.proximus.be +norec titi.toto.be" should contain the aa
flag. If that cache does not know how to be authoritative, it has to
serve a zone not under the primary or secondary zones of your server. dnsmasq
knows --auth-zone for similar queries, for example.

>
> Thanks in advance for your feedback,
>
> Carlos,
>
> *Carlos Onrubia Aviles*
> Solution Engineer | WIFI @ INTERNET TECHNOLOGIES
>
> Proximus <http://www.proximus.be>
>
> Discover a world of possibilities on Thinkpossible.be
> <http://www.thinkpossible.be>
>
Cheers,
Petr

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
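Added example, not part of the thread: it illustrates the point in the reply above that a recursive server queries the delegated name server with the RD bit clear (what "dig +norec" does) and judges the answer by the aa flag and rcode in the response header. Names, flag values and the responses are constructed here for illustration; nothing is sent over the network.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_MASK = 0x000F

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, rd=False, txid=0x1234):
    """Build a minimal query. rd=False mirrors what a recursive resolver
    (or dig +norec) sends to a server it expects to be authoritative."""
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the 12-byte header into the fields that matter here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & RCODE_MASK, "ancount": an, "nscount": ns}

def make_response(query, flags, ancount=0):
    """Constructed response: same id and question as the query, chosen flags."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, flags | QR, 1, ancount, 0, 0)
    return header + query[12:]

def classify(resp):
    """What the querying resolver learns from the header alone."""
    h = parse_header(resp)
    if not h["qr"]:
        return "not a response"
    if h["rcode"] == 2:
        return "SERVFAIL"        # what a cache returns for a name it does not hold
    if h["rcode"] == 3:
        return "NXDOMAIN"        # authoritative "name does not exist"
    if h["aa"]:
        return "authoritative"   # the aa flag that dig +norec should show
    return "non-authoritative"   # a cache that merely recursed; unusable as NS target

if __name__ == "__main__":
    q = build_query("titi.toto.be")
    print(parse_header(q)["rd"])                      # False
    print(classify(make_response(q, AA, ancount=1)))  # authoritative
    print(classify(make_response(q, RA | 2)))         # SERVFAIL
```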