FW: forwarding a subdomain

[Agency Staff (Infosec)]

-----Original Message-----
From: Kevin Darcy [mailto:kcd at daimlerchrysler.com]
Sent: 17 November 2004 01:10
To: comp-protocols-dns-bind at isc.org
Subject: Re: forwarding a subdomain


Edward Buck wrote:

>Hi there,
>
>I'm trying to setup a subdomain via forwarding and I'm seeing some 
>unexpected behavior (unexpected for me, not necessarily for bind or 
>you).  Here's the scenario:
>
>I have a public nameserver, i.e. ns1.domain.com, which is authoritative 
>for domain.com.  In the zone file for domain.com, I've delegated a 
>subdomain to another nameserver by doing:
>
>sub      IN NS  ns1-sub.domain.com.
>ns1-sub  IN A   80.80.80.80  ; public ip
>
>Now, on ns1-sub.domain.com, I've configured bind with the following zone:
>
>zone "sub.domain.com" {
>         type forward;
>         forward first;
>         forwarders {
>         10.5.5.1 port 10053; // private ip
>         };
>};
>
>The 10.5.5.1 host above is on a private network accessible to ns1-sub 
>but not to the general public.
>
>The goal is to have ns1-sub resolve all queries for the subdomain 
>sub.domain.com by forwarding each request to the internal server at 
>10.5.5.1.
>
>Now, here's what I don't understand.  If I query ns1-sub directly for a 
>host in sub.domain.com (i.e. host.sub.domain.com), the forwarding works 
>as expected.  If I query ns1-sub using a different nameserver (i.e. from 
>my ISP nameserver), the query works ONLY If ns1-sub has cached the data. 
>  If it's not in the cache, there's no answer.  This suggests that the 
>forwarding doesn't work for recursive queries.
>
>Can anyone explain to me if this is normal behavior?  I'm guessing that 
>it has something to do with authoritative/non-authoritative answers and 
>possibly subdomain delegation issues but I'm stumped.  
>
No, it's more likely that you have recursion turned off globally -- a 
standard configuration for an authoritative-only nameserver. Forwarding 
is a form of recursive resolution, so recursion needs to be enabled in 
order for it work. You can re-enable recursion on a per-zone basis using 
"allow-recursion".

By the way, does this nameserver have any way to retrieve data for 
sub.domain.com names other than by forwarding? If not, then you 
shouldn't specify "forward first". "Forward first" is an opportunistic 
form of forwarding which will fall back to iterative resolution if the 
forwarder is unavailable. It should only be used as a performance 
optimization (which is rarely effective), not in situations like yours, 
presumably, where the answer is *only* available through forwarding.

- Kevin




********************
This e-mail contains information intended for the addressee only.
It may be confidential and may be the subject of legal and/or professional privilege. 
If you are not the addressee you are not authorised to disseminate, distribute, copy or use this e-mail or any attachment to it
The content may be personal or contain personal opinions and unless specifically stated or followed up in writing, the content cannot be taken to form a contract or to be an expression of the County Council's position.
LCC reserves the right to monitor all incoming and outgoing email
LCC has taken reasonable steps to ensure that outgoing communications do not contain  malicious software and it is your responsibility to carry out any checks on this email before accepting the email and opening attachments.
********************