Delegation (to Active Directory DNS) woes
Biscottino
muccacucu*IVESTITI* at gmail.com
Tue Oct 11 16:17:03 UTC 2005
Joost De Cock <Joost.DeCock at astrid.be> wrote:
> I'm setting up a hybrid DNS in which all ip to name resolving is done
> in BIND on linux, and the specific Active Directory stuff is
> delegated to our domain controllers. What I'm trying to do is a
> simple delegation of the microsoft specific subdomains (for example
> _tcp) to another machine.
>
> I've got a BIND server (linda) that's auth. for:
> company.be
> site1.company.be
> site2.company.be
>
> I want to delegate _tcp.company.be to another server (willow) which is
> in the company.be namespace.
>
> Here's part of the zone file on linda for the company.be zone:
>
> $TTL 3D
> @ IN SOA
> linda.company.be. hostmaster.company.be. (
> 1126260125 ;
> 8H ;
> 1H ;
> 4W ;
> 1D ) ;
> ;
> NS linda.company.be. ;
> MX 10 mx.company.be. ;
> ;
> localhost A 127.0.0.1
> ;
> willow A 10.10.1.220
> linda A 10.10.1.221
> hostmaster CNAME linda
> frank A 10.10.1.24
> _tcp.company.be NS willow.company.be.
>
>
> This doesn't work. I've added the following to the named.conf file
> since that was suggested in some earlier posts about delegation:
>
> zone "company.be" {
> type master;
> notify no;
> file "db.company";
> forwarders { /* empty */ };
> };
> zone "_tcp.company.be" {
> type forward;
> forwarders { 10.1001.220; };
> };
>
>
> But when I do `dig -t ns _tcp.company.be` it doesn't find an answer
> and the delegation is not working.
> I just can't see why it doesn't. Maybe someone else does?
I hope I have understood your problem correctly. I have had more or less the same
problem when my DNS (named 9.3.X) had to be a SLAVE for an Active Directory
zone.
So I have an AD DNS, and the M$ tree registration uses _ in the name. I have
placed this command in the internal view:
check-names slave ignore;
view "internal" {
match-clients { any; };
match-destinations { [blah blah] };
recursion yes;
check-names slave ignore;
zone "ad.lcl" { type slave; masters { [blah blah] }; };
In my BIND version it is the default to check the compliance of names with RFC
952, and _ is not permitted.
I hope to help you,
See soon
Nice job
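As an added example (written for this archive page, not code from either poster), here is a small Python lint for BIND master files that applies two rules that matter in this thread: under master-file syntax an owner name without a trailing dot is relative to $ORIGIN, so `_tcp.company.be` inside the company.be zone is read as `_tcp.company.be.company.be.`; and a label such as `_tcp` is a legal DNS name but not an RFC 952/1123 hostname, which is the syntax a strict `check-names` setting rejects. The sample zone is constructed and modelled on the thread; the function and variable names are my own.

```python
import re

# RFC 952 / RFC 1123 hostname label: letters, digits and hyphens only,
# no leading or trailing hyphen, at most 63 characters. Underscore fails.
HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed sample zone (modelled on the thread, not copied from it).
# The second-to-last record deliberately lacks the trailing dot on its owner.
SAMPLE_ZONE = """\
$ORIGIN company.be.
$TTL 3D
@      IN SOA linda.company.be. hostmaster.company.be. ( 1 8H 1H 4W 1D )
       IN NS  linda.company.be.
willow IN A   10.10.1.220
linda  IN A   10.10.1.221
_tcp.company.be   IN NS willow.company.be.   ; relative: becomes _tcp.company.be.company.be.
_tcp.company.be.  IN NS willow.company.be.   ; absolute: the intended delegation
"""


def qualify(name, origin):
    """Resolve a zone-file owner name to an absolute name (master-file rules)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin=None):
    """Minimal master-file parser: returns (owner_fqdn, type, rdata) tuples."""
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                   # $TTL and other directives
            continue
        fields = line.split()
        if line[0].isspace():                      # blank owner = previous owner
            owner = last_owner
        else:
            owner = qualify(fields.pop(0), origin)
        # skip optional TTL and class tokens that may precede the type
        while fields and (fields[0].upper() == "IN"
                          or re.fullmatch(r"\d+[SMHDWsmhdw]?", fields[0])):
            fields.pop(0)
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records


def doubled_origin_owners(records, origin):
    """Owner names whose FQDN repeats the zone apex: the signature of a name
    that was meant to be absolute but was written without its trailing dot."""
    zone = origin.rstrip(".")
    return sorted({o for o, _, _ in records if o.endswith(f".{zone}.{zone}.")})


def non_hostname_owners(records):
    """Owner names containing a label that is not an RFC 952/1123 hostname
    label (e.g. an underscore label), i.e. what strict check-names rejects."""
    bad = set()
    for owner, _, _ in records:
        if any(not HOST_LABEL.match(label) for label in owner.rstrip(".").split(".")):
            bad.add(owner)
    return sorted(bad)


def lint(text, origin="company.be."):
    """Run both checks over a zone text and return the findings by rule."""
    recs = parse_zone(text, origin)
    return {
        "doubled_origin": doubled_origin_owners(recs, origin),
        "non_hostname": non_hostname_owners(recs),
    }


if __name__ == "__main__":
    for rule, names in lint(SAMPLE_ZONE).items():
        print(rule, names)
```

Running it on the sample reports the doubled-origin name for the undotted owner and lists both `_tcp` owners as non-hostnames; the doubled-origin rule is the one that explains a delegation that never answers, since the NS record ends up at a name nobody queries.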