Can't create & delegate subdomains on internal view
Mark Andrews
Mark_Andrews at isc.org
Tue Nov 14 20:26:33 UTC 2006
> Hello,
>
> I have been trying to track down a problem I've been having while trying
> to delegate authority for a subdomain to another server. I created the
> appropriate NS record and glue record for the machine hosting the
> subdomain (incremented the serial too). However, when I try to query the
> parent server for the NS of the subdomain I get a SERVFAIL or NXDOMAIN
> response from dig. I tracked this down for two hours, wondering if I had
> gone crazy. Out of frustration I then created the subdomain in my public
> zone and it works perfectly. I am using a view statement to maintain
> separate internal and external zone information. Here are the relevant
> pieces of my configuration files.
>
> From named.conf...
>
> // Define our internal networks, they should use the internal (private) zone
> // information
> acl "internal" {
> 127/8; 192.168.0/24; 10.8.0.0/16;
> };
>
> // Zones that internal clients have access to
> view "internal" {
> match-clients { internal; };
> recursion yes;
>
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> // blissfulidiot.com Internal domain
> zone "blissfulidiot.com" {
> type master;
> notify no;
> file "/etc/bind/db.internal.blissfulidiot.com";
> };
> };
>
> view "external" {
> // Match Internet queries
> match-clients {any;};
> // Do not do recursive lookups for non-authoritative queries
> recursion no;
>
> zone "blissfulidiot.com" {
> type master;
> notify no;
> file "/etc/bind/db.blissfulidiot.com";
> };
> };
>
>
>
> And from the actual zone files for blissfulidiot.com, I used the identical
> records in both the internal and external views, works fine on the
> external, but not the internal.....
>
> sub 30 IN NS ns.sub.blissfulidiot.com.
> ns.sub 30 IN A 1.2.3.4
>
>
>
> I also turned on query logging to see if there was something strange going
> on, it looks to me like bind is trying to resolve the subdomain from my
> ISP DNS servers, though when I do lookups for other hosts on the internal
> zone they get returned fine....
>
> Nov 13 13:59:17 yura named[26025]: client 127.0.0.1#33853: view internal:
> query: sub.blissfulidiot.com IN NS +
> Nov 13 13:59:17 yura named[26025]: client 209.98.98.98#1618: view
> external: query: sub.blissfulidiot.com IN NS -E
> Nov 13 13:59:18 yura named[26025]: unexpected RCODE (SERVFAIL) resolving
> 'sub.blissfulidiot.com/NS/IN': 209.98.98.98#53
> Nov 13 13:59:18 yura named[26025]: client 208.42.42.42#2020: view
> external: query: sub.blissfulidiot.com IN NS -E
> Nov 13 13:59:18 yura named[26025]: unexpected RCODE (SERVFAIL) resolving
> 'sub.blissfulidiot.com/NS/IN': 208.42.42.42#53
> Nov 13 13:59:20 yura named[26025]: unexpected RCODE (SERVFAIL) resolving
> 'ns.sub.blissfulidiot.com/AAAA/IN': 208.42.42.42#53
> Nov 13 13:59:22 yura named[26025]: client 127.0.0.1#33853: view internal:
> query: sub.blissfulidiot.com IN NS +
> Nov 13 13:59:27 yura named[26025]: client 127.0.0.1#33853: view internal:
> query: sub.blissfulidiot.com IN NS +
> Nov 13 13:59:31 yura named[26025]: client 211.202.2.3#34091: view
> external: query: blissfulidiot.com IN MX -E
> Nov 13 13:59:37 yura named[26025]: client 127.0.0.1#33853: view internal:
> query: sub.blissfulidiot.com IN NS +
> Nov 13 13:59:42 yura named[26025]: client 127.0.0.1#33853: view internal:
> query: sub.blissfulidiot.com IN NS +
> Nov 13 13:59:44 yura named[26025]: unexpected RCODE (SERVFAIL) resolving
> 'ns.sub.blissfulidiot.com/AAAA/IN': 209.98.98.98#53
>
> I really appreciate any help you folks can give me.
>
> Regards,
>
> Tom Johnson
If you want to see the delegation, make a non-recursive query.
Note: it is good practice to have the sub-zone established
*before* you make the delegation.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
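
The non-recursive query suggested in the reply, as an added example that is not part of the original thread: it builds an NS query with the RD bit clear (what `dig +norecurse` sends) and tells a referral apart from an answer or an error in the response. The function names are hypothetical, and the sample response is constructed from the NS and glue records quoted in the post.

```python
import struct

NS, A = 2, 1  # RR type codes

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=NS, recurse=False, qid=0x1234):
    """Build a query; recurse=False clears RD, like dig +norecurse."""
    flags = 0x0100 if recurse else 0
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", qtype, 1)

def skip_name(msg, pos):
    """Return the offset just past the (possibly compressed) name at pos."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:   # a compression pointer ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def classify(msg):
    """Return 'referral', 'answer', 'nodata' or the error rcode name."""
    _, flags, qd, an, ns, _ = struct.unpack("!6H", msg[:12])
    rcode = flags & 0xF
    if rcode:
        return {2: "servfail", 3: "nxdomain"}.get(rcode, "rcode%d" % rcode)
    if an:
        return "answer"
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4           # skip QTYPE and QCLASS
    for _ in range(ns):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == NS and not flags & 0x0400:  # NS in authority, AA clear
            return "referral"
        pos += 10 + rdlen
    return "nodata"

def sample_referral():
    """Constructed response carrying the delegation records from the post."""
    question = build_query("sub.blissfulidiot.com")[12:]
    header = struct.pack("!6H", 0x1234, 0x8000, 1, 0, 1, 1)  # QR=1, AA=0
    target = encode_name("ns.sub.blissfulidiot.com")
    auth = encode_name("sub.blissfulidiot.com") + struct.pack("!HHIH", NS, 1, 30, len(target)) + target
    glue = target + struct.pack("!HHIH", A, 1, 30, 4) + bytes([1, 2, 3, 4])
    return header + question + auth + glue
```

With RD set, a server that has recursion enabled follows the delegation itself, so the client sees whatever the child servers return (here SERVFAIL) rather than the parent's NS records.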