authoritative server lame for subdomain delegation?

googlenews at claireandjoe.com
Wed Apr 20 21:56:20 UTC 2005


Hi all,

I'm doing DNS for a local government with a .us domain name, and we're
experiencing what is probably a misconfiguration error that I don't
know how to pinpoint.  Our authoritative nameservers fail on queries
for NS delegations for a subdomain of a domain we are authoritative
for, and the only way to make it work is to make ourselves
authoritative for the subdomain, placing NS records into its zonefile!

Here's just one scenario of at least two occurrences that I can see:

We are authoritative for foo.state.us and are delegating
city.foo.state.us to an ISP's nameservers as follows:

Inside the zonefile for the parent zone (foo.state.us) is a delegation:

city    IN  NS ns1-auth.sprintlink.net.
        IN  NS ns2-auth.sprintlink.net.
        IN  NS ns3-auth.sprintlink.net.

our named.conf has:

zone "foo.state.us" {
        type master;
        file "named/primary/db.foo.state.us";
        allow-transfer { <our network>; <our ISP's secondary>; };
};



If I were to query our ISP's secondary nameserver:

     dig @ourISP city.foo.state.us ns

They return the list of nameservers just as they should.  But when we
query our own server, we get:

     dig @localhost city.foo.state.us ns

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1507
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0


Making our server master for that subdomain, and putting NS records
into that, seems to be the only way to make our server give out any
answer at all, but that is pretty weak.  :)  It was my understanding
that no recursion would be necessary since the parent zone is local.
Could someone please point me in the right direction?

Thanks,
Joe
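
An added example, not part of the original post: a small Python parser for the dig header lines quoted above. It classifies a response as a referral, an authoritative answer, or a SERVFAIL returned to a query sent with recursion desired. The referral sample and the category names are constructed for illustration.

```python
import re

# Header lines exactly as quoted in the post (dig @localhost city.foo.state.us ns).
POST_HEADER = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1507
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

# Constructed sample (not from the post): the shape of a referral, i.e. no
# "aa" flag, an empty answer section and the child's NS set in AUTHORITY.
CONSTRUCTED_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0
"""

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(
    r"flags:([^;]*);\s*QUERY:\s*(\d+),\s*ANSWER:\s*(\d+),"
    r"\s*AUTHORITY:\s*(\d+),\s*ADDITIONAL:\s*(\d+)"
)

def parse_dig_header(text):
    """Extract rcode, flag set and section counts from dig output."""
    status, flags = STATUS_RE.search(text), FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found in input")
    return {
        "status": status.group(1),
        "flags": set(flags.group(1).split()),
        "answer": int(flags.group(3)),
        "authority": int(flags.group(4)),
    }

def classify(h):
    """Map a parsed header to one of the hypothetical category names below."""
    if h["status"] == "SERVFAIL":
        # rd + ra: recursion was requested and is offered by the server.
        return "servfail-recursive" if {"rd", "ra"} <= h["flags"] else "servfail"
    if h["status"] != "NOERROR":
        return "error:" + h["status"]
    if "aa" in h["flags"]:
        return "authoritative-answer" if h["answer"] else "authoritative-nodata"
    if h["answer"] == 0 and h["authority"] > 0:
        return "referral"
    return "non-authoritative-answer" if h["answer"] else "empty"

if __name__ == "__main__":
    for name, text in (("post", POST_HEADER), ("referral", CONSTRUCTED_REFERRAL)):
        print(name, "->", classify(parse_dig_header(text)))
```

dig's `+norecurse` option clears the rd bit, so a header captured that way shows what the server returns without being asked to recurse.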



More information about the bind-users mailing list