forwarding to a child zone is different!!

Badbanchi, Hossein HBadbanchi at Webasto.de
Tue Apr 24 04:06:39 UTC 2001 

I should tell that the whole reason this came up was NOT a
confoguration error.
I am testing bind 9.1.1, and want to see how does it behave.
I agree with Kevin that the behaviour of bind here is incosistant.

If I have:
named.conf:
zone "child.stub.myomain.com" {
	type forward;
	forward only;
	forwarders { some_other_ip_addr; };
};
zone "stub.mydomain.com" {
	type stub;
	file "db.stub.mydomain.com";
};

db.mydomain.com:
$ORIGIN mydomain.com.
@	IN SOA  mydomain.com. ...
@...
stub	IN NS  stub.mydomain.com.
ns.stub	IN 	A	some_ip_addr
host.stub	IN	A	ip_addr1
host.child.stub	IN	A	ip_adrr2

db.stub.mydomain.com on the stub machine:
$ORIGIN stub.mydomain.com.
@	IN SOA  stub.mydomain.com. ...
@...
host	IN	A	ip_addr3
host.child	IN	A	ip_adrr4

db.child.stub.mydomain.com on child.stub machine:
$ORIGIN child.stub.mydomain.com.
@	IN SOA  child.stub.mydomain.com. ...
@...
host.child.stub	IN	A	ip_adrr5

Now if I ask for "host.stub.mydomain.com." and
"host.child.stub.mydomain.com.",
for the first one I will get ip_addr3 (from stub zone).
and for the second one I get ip_addr5 (from the forwarded zone).
I do NOT get ip_addr4 for host.child (from the stub zone).

I want to say that eventhough bind knows that child.stub is in the stub zone
and has all the information to try to resolve it from it's original place,
but it follows the forwarding directive, but for a similar query where
he himself has the data it doesn't follow the directive.
And worse even if he doesn't happen to have the data, it does not try
the forward directive, but simply return not found!

Hossein.


-----Original Message-----
From: Brian Wellington [mailto:Brian.Wellington at nominum.com]
Sent: Tuesday, April 24, 2001 05:12
To: Kevin Darcy
Cc: 'bind-users at isc.org'; 'bind9-users at isc.org'
Subject: Re: forwarding to a child zone is different!!



On Mon, 23 Apr 2001, Kevin Darcy wrote:

> I disagree with the design decision that ISC has apparently made here. The
> ability to forward queries for a particular domain to some particular set
of
> nameservers should not IMO depend on whether that domain happens to be
delegated,
> or, worse yet, on whether the forwarding nameserver *knows* whether the
domain is
> delegated or not because of pure happenstance it is also authoritative for
an
> ancestor zone. Two machines sit side by side, each with a defined zone of
type
> "forward" for foo.example.com, an undelegated domain; this forwarding
works for
> one nameserver but not the other, because one of them happens to also be
> authoritative for some *other* zone (example.com). To me, this violates
the
> Principle of Least Surprise. Forwarding is an *explicit* directive from
the
> administrator, and often zones of "type forward" are created specifically
> *because* the zones are undelegated and that is the only way names in the
domain
> can be resolved. The presence or absence of delegations for a domain, in
turn,
> are often driven by local policy (e.g. security policy) which I don't
think
> should be dictated by a DNS implementation.

This makes perfect sense, and follows the resolver algorithm specified in
RFC 1034.  Relevant parts quoted and annotated:

   2. Search the available zones for the zone which is the nearest
      ancestor to QNAME.  If such a zone is found, go to step 3,
      otherwise step 4.

If a child zone is not delegated properly, records under the child are in
the parent zone.  No amount of configuration changes the concept of
delegation, which is a property of the data.

   3. Start matching down, label by label, in the zone.  The
      matching process can terminate several ways:

         a. If the whole of QNAME is matched, we have found the
            node.

This doesn't happen, since the name doesn't exist.

         b. If a match would take us out of the authoritative data,
            we have a referral.  This happens when we encounter a
            node with NS RRs marking cuts along the bottom of a
            zone.

This would happen with a correctly configured delegation.

         c. If at some label, a match is impossible (i.e., the
            corresponding label does not exist), look to see if a
            the "*" label exists.

            If the "*" label does not exist, check whether the name
            we are looking for is the original QNAME in the query
            or a name we have followed due to a CNAME.  If the name
            is original, set an authoritative name error in the
            response and exit.  Otherwise just exit.

This is what happens.

> I also find it architecturally inconsistent to impose a new
> requirement that zones of type "forward" be delegated, if the same
> requirement is not imposed on zones of type "stub". The two mechanisms
> are logically similar, inasmuch as they are both ways to direct
> queries matching certain criteria to a specific set of nameservers,
> instead of following the normal delegation chain. That one works in
> the absence of zone delegation and the other does not is, as I said,
> inconsistent.

DNS doesn't have the concept of forward zones.  Forward zones are an
abomination of bind 8.  The point of them is domain-specific forwarding in
cases when the normal resolver algorithm is insufficient or will not work.
When delegation records are omitted and the data is part of an
authoritative zone, the resolver is never used.

> At the very least, since forwarding of undelegated domains/zones is
> something that worked in BIND 8 and by design (apparently) no longer
> works, this should be clearly documented in doc/misc/migration; the
> specific impact on forwarding is not something that can be clearly
> inferred from "No Information Leakage between Zones".

Maybe.  But don't forget that the whole reason this came up was a
configuration error.

Brian

More information about the bind-users mailing list