Problem with subdomain delegation - NS RR ignored?

Petr Menšík pemensik at redhat.com
Tue May 23 10:50:01 UTC 2023


What is the status of your dnssec-validation? .hub does not exist in the public 
DNS tree, and DNSSEC has a proof that it does not exist. Any validating 
resolver will therefore turn the response into NXDOMAIN. You should use 
your own existing domain with a proper delegation instead, or just use the 
home.arpa domain, which is reserved for local use in networks. If you 
want to keep .hub, you will have to set an exception to not validate this 
domain on every validating resolver in your network.

# to allow this domain permanently, add to the named.conf options {} block
# (each list element is terminated by a semicolon):
validate-except { "hub"; };

Cheers,
Petr

On 10. 05. 23 6:07, binduser at thegeezer.net wrote:
> Howdy
>
> I'm struggling with subdomain creation; for some reason the delegation 
> glue records are being ignored, and I was wondering if someone could 
> help me identify what I've done wrong, please.  I know I need to set up 
> another server for the subdomain, but I've been trying to get this 
> going at work and getting the same issue, so I thought to try on my test 
> bed.  I can't even get the NS record returned for the subdomain.
>
> Given the domain ".hub", I can verify the domain-level NS:
> # host -t NS hub localhost
> > hub name server localhost.
>
> I can create an A record for "salmon.hub." and this resolves as 
> expected:
> # host -t a salmon.hub localhost
> > salmon.hub has address 8.8.8.8
>
> I want to delegate the subdomain "fish.hub" to a different domain server 
> and have created glue records as below in the config 
> snippet, but I get NXDOMAIN for both the A record and the NS record:
> # host -t a ns1.fish.hub localhost
> > Host ns1.fish.hub not found: 3(NXDOMAIN)
>
> # host -t NS fish.hub localhost
> > Host fish.hub not found: 3(NXDOMAIN)
>
> Any suggestions gratefully received.  Pertinent parts of named.conf 
> and the zone file are shown below; if you need more info, please don't 
> hesitate to ask.
>
> thanks in advance!
>
> TG
>
> /etc/bind/named.conf
> acl "trusted" {
>         10.0.0.0/8;
>         192.168.0.0/16;
>         127.0.0.0/8;
>         ::1/128;
> };
> allow-recursion {
>         trusted;
> };
> forwarders {
>         208.67.220.220;
>         208.67.222.222;
> };
> zone "hub" IN {
>         type master;
>         file "pri/hub.zone";
>         notify no;
> };
>
> /etc/bind/pri/hub.zone
> $TTL 1W
> @       IN      SOA     hub. root.hub.  (
>                                       2008122601 ; Serial
>                                       28800      ; Refresh
>                                       14400      ; Retry
>                                       604800     ; Expire - 1 week
>                                       86400 )    ; Minimum
> @               IN      NS      localhost.
> @               IN      A       127.0.0.1
>
> @               IN      AAAA    ::1
>
> salmon.hub.     IN      A       8.8.8.8
> fish.hub.       IN      NS      ns1.fish.hub.
> ns1.fish.hub.   IN      A       4.4.4.4
>
>
>
-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
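To make the two halves of the reply concrete, here is an added example (written for this page, not BIND code and not part of the thread) that models the lookup the authoritative server performs for the poster's hub.zone, following RFC 1034 section 4.3.2, and the resolver-side effect the reply describes: a validator that holds the root's proof that "hub." does not exist returns NXDOMAIN for every name under it unless the domain is excepted with validate-except. The zone records are the poster's; ROOT_ZONE_TLDS is a constructed stand-in for the signed root zone, and validating_resolve() is a deliberately simplified model of that behaviour, not an implementation of DNSSEC denial-of-existence checking.

```python
"""Model of how an authoritative server answers names under a delegation
(RFC 1034 section 4.3.2) and how DNSSEC validation affects a private TLD.

Added example written for this thread; it is not BIND code. The zone data
is the poster's hub.zone. ROOT_ZONE_TLDS is a constructed stand-in for the
signed root zone, and validating_resolve() is a simplified model of the
behaviour described in the reply: a real validator checks the root's NSEC
proof of nonexistence rather than a set lookup.
"""

ZONE_ORIGIN = "hub."

# (owner, type, rdata) records from the poster's hub.zone.
ZONE_RECORDS = [
    ("hub.", "SOA", "hub. root.hub. 2008122601 28800 14400 604800 86400"),
    ("hub.", "NS", "localhost."),
    ("hub.", "A", "127.0.0.1"),
    ("hub.", "AAAA", "::1"),
    ("salmon.hub.", "A", "8.8.8.8"),
    ("fish.hub.", "NS", "ns1.fish.hub."),   # delegation: a zone cut
    ("ns1.fish.hub.", "A", "4.4.4.4"),       # glue for the delegated NS
]

# Constructed subset of TLDs delegated from the root; "hub" is absent.
ROOT_ZONE_TLDS = {"com", "net", "org", "arpa", "cz"}


def canonical(name):
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def rrset(owner, rtype, records=ZONE_RECORDS):
    """All records of one type at one owner name."""
    return [r for r in records if r[0] == owner and r[1] == rtype]


def name_exists(owner, records=ZONE_RECORDS):
    """True if any record sits at the name or below it (empty non-terminal)."""
    return any(r[0] == owner or r[0].endswith("." + owner) for r in records)


def authoritative_lookup(qname, qtype, origin=ZONE_ORIGIN, records=ZONE_RECORDS):
    """Answer as the authoritative server for `origin` does (RFC 1034 4.3.2).

    Returns a dict with rcode and the answer/authority/additional sections.
    A name below a delegation gets a referral (NS in authority, glue in
    additional), never NXDOMAIN: only the delegated server can say whether
    ns1.fish.hub exists.
    """
    qname, origin = canonical(qname), canonical(origin)
    reply = {"rcode": "NOERROR", "answer": [], "authority": [], "additional": []}
    if qname != origin and not qname.endswith("." + origin):
        reply["rcode"] = "REFUSED"          # not our zone
        return reply

    # Walk down from the origin one label at a time and stop at the first
    # zone cut: an NS rrset at a name other than the apex.
    below = qname[:-len(origin)].rstrip(".").split(".") if qname != origin else []
    node = origin
    for label in reversed(below):
        node = label + "." + node
        cut = rrset(node, "NS", records)
        if cut:
            reply["authority"] = cut
            for _, _, nsname in cut:
                if nsname.endswith("." + node):   # in-bailiwick NS: add glue
                    reply["additional"] += rrset(nsname, "A", records)
                    reply["additional"] += rrset(nsname, "AAAA", records)
            return reply

    matched = rrset(qname, qtype, records)
    if matched:
        reply["answer"] = matched
    elif not name_exists(qname, records):
        reply["rcode"] = "NXDOMAIN"
    # otherwise NODATA: the name exists, no records of that type, rcode NOERROR
    return reply


def validating_resolve(qname, qtype, dnssec_validation=True,
                       validate_except=(), tlds=ROOT_ZONE_TLDS):
    """Resolver side: a validator holding the root's proof that a TLD does
    not exist answers NXDOMAIN for every name under it, unless that domain
    is listed in validate-except (the named.conf option from the reply)."""
    qname = canonical(qname)
    tld = qname.rstrip(".").split(".")[-1]
    excepted = {canonical(e).rstrip(".") for e in validate_except}
    if dnssec_validation and tld not in tlds and tld not in excepted:
        return {"rcode": "NXDOMAIN", "answer": [], "authority": [],
                "additional": [], "reason": "root zone proves %s. does not exist" % tld}
    return authoritative_lookup(qname, qtype)


if __name__ == "__main__":
    for q in (("salmon.hub", "A"), ("ns1.fish.hub", "A"), ("fish.hub", "NS")):
        print(q, "authoritative:", authoritative_lookup(*q))
        print(q, "validating:", validating_resolve(*q)["rcode"],
              "| with validate-except hub:",
              validating_resolve(*q, validate_except=["hub"])["rcode"])
```

Running it shows the distinction the thread turns on: the zone data alone never yields NXDOMAIN for ns1.fish.hub or fish.hub (it yields a referral with the NS record in the authority section and the 4.4.4.4 glue in additional), while the modelled validator answers NXDOMAIN for anything under "hub." until that name is excepted. The model also reproduces the usual authoritative cases for comparison: a direct answer for salmon.hub, NODATA (NOERROR with an empty answer) for a type the name lacks, and NXDOMAIN only for a name that truly has nothing at or below it.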