subdomain forwarders problem

Kevin Darcy kcd at daimlerchrysler.com
Wed Nov 24 01:27:49 UTC 1999


Dave wrote:

> I seem to have hit an issue with subdomains and the way BIND handles them as
> forward zones.  I'm running 8.2.2_P5 everywhere.  Basically we have
> authoritative servers for each of several subdomains in our network, for
> instance:
>
> ns00.devel.name.dom     is authoritative for devel.name.dom
> ns00.test.name.dom      is authoritative for test.name.dom
> ns00.sv.name.dom        is authoritative for sv.name.dom
>
> We also have the two name servers listed as authoritative for name.dom and
> they are publicly addressed.  They hold secondary zones for everything
> in the test, sv, and devel subdomains.  The idea here is that all
> hosts in devel.name.dom will resolve DNS from their respective subdomain
> server, and if that server doesn't know the answer it is set globally to
> "forward only;" to the two public name servers.
>
> This idea works great except for one of the servers.  We don't want to have
> the authoritative information for our second level domain (name.dom) held
> on the publicly addressed server for security reasons.  We'd rather have it
> stored on, say, ns00.test.name.dom, and then secondaried to the public
> servers.  But, as soon as I put in a master zone statement in named.conf for
> "name.dom", the server apparently thinks that the name.dom zone file should
> contain authoritative information for all the subdomains denver, test, and
> sv, and it will immediately stop forwarding requests for any of those hosts
> to the outside DNS servers.  It starts returning NXDOMAIN errors.

I can't reproduce this. If I define global forwarding and then a master zone,
anything I query in a subzone of that master zone is forwarded. What are you
seeing in your debug logs? At debug level 3, I see a call to ns_forw(), several
invocations of find_zone(), up the levels of the domain hierarchy all the way
to root, all of them indicating "unknown zone" except for the level I have
defined as a master zone, a call to evSetTimer() and then "forw: forw ->" to my
global forwarder's address. Are you seeing something different from that? Is
there something perhaps wrong with your forwarder? Have you tried just bouncing
regular recursive queries of the same names off that forwarder using, say,
nslookup or dig?

> I've also tried putting separate statements such as:
>
> zone "devel.name.dom" {
>         type forward;
>         forward only;
> };
>
> in named.conf to no avail.

Shouldn't be necessary. But, just for the hell of it, I tried that as well and
it worked fine for me.


- Kevin
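For reference, this is what the layout Dave describes looks like as a BIND named.conf on the internal subdomain server that is to hold the name.dom master. It is an added illustration, not configuration from either poster; the 192.0.2.x addresses and file names are placeholders. Note that the per-subdomain forward zone carries its own forwarders list: as I recall the BIND documentation, a zone-level forward statement with no forwarders list turns forwarding off for that name instead of inheriting the global list.

```conf
// named.conf on ns00.test.name.dom (hidden master for name.dom).
// Addresses are placeholders (192.0.2.0/24 is documentation space).
options {
    directory "/var/named";
    forward only;                                 // never recurse to the Internet directly
    forwarders { 192.0.2.10; 192.0.2.11; };       // the two public name.dom servers
    allow-transfer { 192.0.2.10; 192.0.2.11; };   // only the public secondaries may AXFR
};

// This server's own subdomain.
zone "test.name.dom" {
    type master;
    file "db.test.name.dom";
};

// name.dom is mastered here, not on the public servers; they slave it from us.
// db.name.dom must carry NS (plus glue) records delegating devel, test and sv,
// so that names under those labels belong to the subdomain zones rather than
// to the authoritative name.dom data.
zone "name.dom" {
    type master;
    file "db.name.dom";
    also-notify { 192.0.2.10; 192.0.2.11; };
};

// Optional explicit per-subdomain forwarding. Without the forwarders list
// this statement would cancel forwarding for devel.name.dom entirely.
zone "devel.name.dom" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};
```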