Delegation (to Active Directory DNS) woes

Biscottino muccacucu*IVESTITI* at gmail.com
Tue Oct 11 16:17:03 UTC 2005 

Joost De Cock <Joost.DeCock at astrid.be> wrote:
> I'm setting up a hybrid DNS in which all ip to name resolving is done
> in BIND on linux, and the specific Active Directory stuff is
> delegated to our domain controllers. What I'm trying to do is a
> simple delegation of the microsoft specific subdomains (for example
> _tcp) to another machine.
>
> I've got a BIND server (linda) who's auth. for:
> company.be
> site1.company.be
> site2.company.be
>
> I want to delegate _tcp.company.be to another server (willow) who is
> in the comapny.be namespace.
>
> Here's part of the zone file on linda for the company.be zone:
>
> $TTL 3D
> @                       IN              SOA
> linda.company.be. hostmaster.company.be. (
>                        1126260125      ;
>                        8H              ;
>                        1H              ;
>                        4W              ;
>                        1D )            ;
> ;
>        NS      linda.company.be.  ;
> MX      10 mx.company.be.        ;
> ;
> localhost A               127.0.0.1
> ;
> willow               A               10.10.1.220
> linda                A               10.10.1.221
> hostmaster     CNAME           linda
> frank                A               10.10.1.24
> _tcp.company.be                  NS              willow.company.be.
>
>
> This doesn't work. I've added the following in the named.conf file
> since that was suggested in some earlier posts about delegation.:
>
> zone "company.be" {
>        type master;
>        notify no;
>        file "db.company";
>        forwarders { /* empty */ };
> };
> zone "_tcp.company.be" {
> type forward;
> forwarders { 10.1001.220; };
> };
>
>
> But when if do `dig -t ns _tcp.company.be` it doesn't find an answer
> and the delegation is not working.
> I just can't see why it doesn't. Maybe someone else does?

I hope to have understood fine your problem I have had more or less the same 
problem when my DNS named 9.3.X to be done SLAVE for an active diretory 
zone.

So I have an AD DNS and M$ tree registration use _ for the name, I have 
place on the internal view thi command

check-names slave ignore;

view "internal" {
  match-clients { any; };
  match-destinations { [blah blah] };
  recursion yes;
  check-names slave ignore;

zone "ad.lcl" { type slave; masters { [blah blah] }; };

In my bind version is a default to check the compiance on the name to RFC 
952, and _ in not permitted.

I hope to help you,

See soon

Nice job

More information about the bind-users mailing list