hint zone or forward ?

Kevin Darcy kcd at daimlerchrysler.com
Fri Jul 7 23:04:38 UTC 2006 

cmic wrote:
> Hello.
> I am using Bind 9.3.1 under Linux for a private zone "dom.prv"
> in which clients cannot resolve anything but "dom.prv"
> But now I want the clients to be able resolve another private
> zone named "iq". I solved the problem by inserting this
> in my named.conf (i think the rest of named.conf is of no use
> for the matter...)
> ...
> zone "." {
>         type hint;
>         file "interne/db.root";
> };
> ...
>
> And the db.root file is :
>
> @       0       SOA     iq admin\server.iq (
>                 2006090201 ; serial
>                 1H ; refresh
>                 2H ; retry
>                 4W ; expire
>                 1D ) ; minimum
> ;
>                 IN      NS      ns.iq.
> ns.iq		IN      A       172.21.16.254
>
>
> It works as expected:  The commands 'host abc.dom.prv' and
> 'host macine.sub.iq' both yieds correct answers, but I wonder if
> the hint zone is the correct (elegant?) way to solve this problem.
> I thought forward & forwarders would have been a better
> solution, but i can't make it work.
>
> Any advice ?
>   
Instead of defining ns.iq as the one-and-only root nameserver (as you 
have done), you should define *yourself* as the one-and-only root 
nameserver (because you might want to set up a caching-only nameserver 
some day and it should see the proper root-zone information), and then 
delegate the "iq" subzone to ns.iq. While you're at it, delegate dom.prv 
from that root zone too.

The hints file is only used for the nameserver to find root-zone 
information at startup, and as such, should only contain root NS records 
and associated glue A records. You can't put arbitrary stuff in there, 
e.g. "iq" or "ns.iq" stuff, and expect it to work. If you're master for 
the root zone, you wouldn't be defining a hints zone anyway, since your 
nameserver obviously already knows everything it needs to know about the 
root zone.

Forwarding could probably be made to work once you're delegated "iq" 
from your root zone, but at that point, you probably don't need 
forwarding anyway, since "iq" names should be resolvable anyway through 
"iterative resolution", i.e. following the delegation chain down from 
the root zone. The only exception would be if "iq" has descendant zones 
delegated to nameservers that your nameserver cannot reach. In that 
case, you might need to define "iq" or some branch of it as a "type 
forward" zone, just to get around the connectivity obstacle.

                                                                         
                           - Kevin

More information about the bind-users mailing list