Real tricky setup Q: different name servers for 3rd level domain: possible? how??

Kevin Darcy kcd at daimlerchrysler.com
Thu Jan 2 20:07:56 UTC 2003


" ! Looney Scripter !" wrote:

> "Mathias" <mathias at berufsleben.de> wrote in message
> news:atqi4p$cf4d$1 at isrv4.isc.org...
> <snip>
>
> > test1           IN      NS      NS3.NAMESERVER.DE.
> >                 IN      NS      NS4.NAMESERVER.DE.
> >
> >                 IN      MX      10 MAILSERVER3.DE.
> >                 IN      MX      20 MAILSERVER4.DE.
>
> Isn't this your second-level name server giving the complete answer?  I do
> not want this.
> I want the request to have to be looked up using my different name server.

No, the original answer was incorrect: it is not legal to both delegate a child
zone (the NS records) and to have non-glue records (the MX records) with the
same name. Ignore the MX records. You just need a pure delegation.

> This setup (in my 2nd level DNS) *almost* fixed my problem:-
>
>      [root at localhost etc]# cat named.conf
>      # named.conf by Chris.
>
>      options {recursion yes;};
>
>      zone "rn.securitymarked.com" {
>              type forward;
>                      forwarders {  20.14.126.5; 19.11.233.33; };
>               };
>
>      [root at localhost etc]#
>
> except that I don't want MY name server to supply the answer (because I can't use
> an access control list on my 3rd level DNS - the IP address is always set to the IP
> address of my 2nd level DNS...): I want the request to come directly from the person
> wanting the answer (or at least their ISP's DNS anyhow).
>
> I also do NOT want "options {recursion yes;};" turned on for everything, and "named"
> is too pathetically stupid: with "recursion no" it simply ignores the "type forward" zones.
> What moron dreamed up that dumb idea I'll never know...

It's not a "dumb idea"; it's just the way DNS works and the way the terms are
defined. Recursion enabled basically means "I'll fetch the answer for you if
you want". If you turn off recursion, you don't fetch answers for clients, via
forwarding or any other mechanism; you only give answers that you already know
(i.e. from authoritative data, or from your cache). So turning off recursion is
mutually exclusive with fetching answers via forwarding. For that matter, it's
also mutually exclusive with fetching answers via iterative resolution...


- Kevin
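
A zone-file lint for the rule stated in the reply above (a delegated name carries only the delegation, plus glue where needed), as an added example that is not part of the original post or of BIND. The origin `example.de.`, the `test2`, `ns.test2` and `www` records, and the function names are assumptions made for illustration; allowing DS at the cut goes slightly beyond what the post mentions.

```python
# Added example (not from the thread): flag non-glue records at or below a delegation.
ORIGIN = "example.de."  # hypothetical parent zone
# Constructed sample: the test1 records from the post plus assumed extras.
ZONE = """\
test1           IN      NS      NS3.NAMESERVER.DE.
                IN      NS      NS4.NAMESERVER.DE.
                IN      MX      10 MAILSERVER3.DE.
                IN      MX      20 MAILSERVER4.DE.
test2           IN      NS      ns.test2
ns.test2        IN      A       192.0.2.53
www             IN      A       192.0.2.80
"""

def fqdn(name, origin=ORIGIN):
    """Lower-case a name and qualify it against the origin if it is relative."""
    name = origin if name == "@" else name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse(zone_text, origin=ORIGIN):
    """Yield (owner, rtype, rdata); a blank owner field inherits the previous owner."""
    owner = origin
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]          # drop zone-file comments
        if not line.strip():
            continue
        fields = line.split()
        if not line[0].isspace():             # owner name present on this line
            owner = fqdn(fields.pop(0), origin)
        while fields and (fields[0].upper() == "IN" or fields[0].isdigit()):
            fields.pop(0)                     # skip optional TTL and class
        if fields:
            yield owner, fields[0].upper(), fields[1:]

def occluded_records(zone_text, origin=ORIGIN):
    """Return records at or below a zone cut that are neither NS, DS nor glue."""
    records = list(parse(zone_text, origin))
    cuts = {o for o, t, _ in records if t == "NS" and o != origin}
    ns_targets = {fqdn(r[0], origin) for o, t, r in records if t == "NS" and o in cuts}
    bad = []
    for owner, rtype, rdata in records:
        under = any(owner == c or owner.endswith("." + c) for c in cuts)
        glue = rtype in ("A", "AAAA") and owner in ns_targets
        at_cut_ok = owner in cuts and rtype in ("NS", "DS")
        if under and not glue and not at_cut_ok:
            bad.append((owner, rtype, " ".join(rdata)))
    return bad

if __name__ == "__main__":
    print(occluded_records(ZONE))
```

The two MX records are the only ones reported; in a pure delegation they belong in the `test1` child zone served by the delegated name servers.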



