forwarding a subdomain

Kevin Darcy kcd at daimlerchrysler.com
Wed Nov 17 22:52:31 UTC 2004


Barry Margolin wrote:

>In article <cndfgm$gpa$1 at sf1.isc.org>,
> Edward Buck <ed at bashware_REMOVEME_.net> wrote:
>
>>So, is this a limitation by design?  Is there a workaround for what I'm 
>>trying to do?
>
>Configure your server as a slave, rather than a forwarder.
>
>>If I delegate a subdomain to a nameserver, intuitively I would expect 
>>that nameserver to be authoritative for that subdomain regardless of 
>>whether the zone data is master, slave or a forward.
>
>That's the point.  Since the zone is delegated to the server, other 
>servers expect that nameserver to be authoritative, so they don't ask it 
>to recurse.  But when you configure the zone as "type forward", the 
>server is *not* authoritative.
>
>Being authoritative is a consequence of how the server is configured, 
>*not* how the zone is delegated.  Delegation specifies who *should* be 
>authoritative, but it doesn't actually cause a server to be 
>authoritative.
>
>>The use case I'm referring to is a private RBL on an internal lan 
>>running rbldnsd.  I was planning to run rbldnsd on an internal address 
>>and front-end it with bind to take advantage of bind's ACL support.  The 
>>scenario would be something like:
>>
>>public rbl query
>>	|
>>	v
>>rbl.domain.com nameserver (bind with ACLs)
>>	|
>>	v
>>forward to internal server running rbldnsd
>>	|
>>	v
>>answer back to original query
>>
>>At the moment, this only works for cached data.  Is there a way to force 
>>recursion on a forwarded subdomain for which the server is authoritative?
>
>Servers only recurse when they're asked to.  If the client says "don't 
>recurse", BIND won't.
>
>The source code is available, so you could always patch your copy to 
>ignore the setting of the RD bit, and act as if it's always set.
>
Of course, then your nameserver would violate Internet standards. RFC 
1034, Section 4.3.1:

    Note that the name server should never perform recursive service
    unless asked via RD, since this interferes with trouble shooting
    of name servers and their databases.

                           - Kevin
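
Added example, not part of the original message or of BIND: a Python sketch that encodes a query with the RD bit clear, as a resolver following a delegation sends it, and reads the AA/RD/RA header bits (RFC 1035, section 4.1.1) of a response to tell an authoritative answer from a cache-only one. The lookup name and the three responses are constructed samples modelled on the behaviour described in the thread; `fake_response` and `classify` are hypothetical helpers.

```python
import struct

# Header flag masks from RFC 1035, section 4.1.1.
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def build_query(name, rd, qtype=1, qid=0x1234):
    """Encode a query. rd=False is what a resolver following a delegation sends."""
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def parse_flags(msg):
    """Decode the header bits this thread is about."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return {"qr": bool(flags & QR), "aa": bool(flags & AA), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0x000F, "ancount": ancount}

def fake_response(query, flags, ancount):
    """Constructed sample: rewrite only the header of a query (no real records)."""
    qid, qflags = struct.unpack("!HH", query[:4])
    return struct.pack("!HHHHHH", qid, QR | (qflags & RD) | flags, 1, ancount, 0, 0) + query[12:]

def classify(response):
    """Say how the server treated the query, judging by the header alone."""
    f = parse_flags(response)
    if not f["qr"]:
        return "not a response"
    if f["aa"]:
        return "authoritative"
    if f["ancount"] == 0:
        return "no answer (referral or error, rcode=%d)" % f["rcode"]
    return "non-authoritative, RD set" if f["rd"] else "non-authoritative, cache only"

if __name__ == "__main__":
    # Constructed lookup name under the rbl.domain.com zone from the thread.
    q = build_query("2.0.0.127.rbl.domain.com", rd=False)
    for label, resp in [("slave zone", fake_response(q, AA, 1)),
                        ("forward zone, cold cache", fake_response(q, 0, 0)),
                        ("forward zone, warm cache", fake_response(q, 0, 1))]:
        print(label, "->", classify(resp))
```
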



