authoritative-only and NS delegation conflict?
cytroic at moog.netaxs.com
Fri Oct 20 12:58:21 UTC 2006
Thank you for your answer, Kevin. From what I understand from your
explanation, how I am testing the test name server with the new
configuration (recursion off) is where my problem is.
Does anyone have any ideas of how I can accurately test this new
configuration without hurting our current name server, outside of
registering a new domain for testing, using the test name server as an
authoritative nameserver, and setting up the domain to test on there?
On Thu, 19 Oct 2006, Kevin Darcy wrote:
> Shouldn't be a problem. Any iterative resolver on the Internet, upon
> receiving the referral from your nameservers, will follow that referral
> and query the load-balancers directly. This is really no different than
> following a referral from the root zone to a TLD such as .com, and then
> from .com to your domain, such as example.com. It's all part of the
> iterative-resolution algorithm. No special configuration required.
>
> - Kevin
>
> cytroic at moog.netaxs.com wrote:
> > I think I've become a little rusty with my DNS administration over the
> > last few years. I've run into a problem and can't figure out a solution.
> > My research in the Bind9 manual and other online resources hasn't come
> > up with anything solid yet. I'm sure there are other people out there who
> > have run into this problem and have found solutions.
> >
> > Our authoritative nameservers currently allow caching and we want to turn
> > recursion off, thus only handling authoritative requests from the internet.
> > We are testing this on a test name server before making the change to our
> > live name servers.
> >
> > Testing so far has shown problems caused by our current network
> > architecture. Our websites are redundant across multiple sites, and we use
> > networking devices which provide load balancing. The networking devices
> > load balance at each site, but also work together to provide load
> > balancing between sites. One of these methods is determining which site the
> > customer can get to quicker, and directs the customer to the appropriate
> > site by sending their local resolver the IP of the website at that site.
> >
> > As a result, the DNS records of these websites are NS records pointing to
> > these network devices. Since our authoritative name servers don't hold the A
> > record for these websites, queries for these will not work if recursion is
> > turned off.
> >
> > I read about the fetch-glue option, but that is obsolete in Bind9, and so
> > not a solution in this case, let alone the fact that it would be pointless
> > since it seems just as insecure as recursion. I thought of splitting out
> > the network devices to subdomains, and setting up forwarder rules for
> > these subdomains. I haven't read whether this will work with recursion
> > off or not, and it would require a lot of changes on the network devices
> > as well as on the name servers, and I want to use that as a last resort for
> > now.
> >
> > Has anyone encountered this before? If so, were you able to find a safe way
> > around it? I am thinking in the back of my mind that there is an easy
> > solution to this and I'm going to slap myself on the forehead once I find a
> > solution.
> >
> > Thanks!
> >
> >
> > Examples of some digs are shown below to help explain the problem I am
> > trying to get around. I have changed the IPs and hostnames for personal
> > reasons. 111.222.333/24 and 444.555.666/24 are two of our sites. .101 are
> > our authoritative name servers, .103 is the test name server, .111 is the
> > website, and .104 are the network devices.
> >
> > Querying the new NS server. Recursion is off, and no answer is given; the
> > network device addresses are returned.
> > bash-2.05b$ dig www.mydomain.com @111.222.333.103
> >
> > ; <<>> DiG 9.2.3 <<>> www.mydomain.com @111.222.333.103
> > ;; global options: printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55578
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
> >
> > ;; QUESTION SECTION:
> > ;www.mydomain.com. IN A
> >
> > ;; AUTHORITY SECTION:
> > www.mydomain.com. 900 IN NS netdev1.mydomain.com.
> > www.mydomain.com. 900 IN NS netdev2.mydomain.com.
> >
> > ;; ADDITIONAL SECTION:
> > netdev1.mydomain.com. 900 IN A 111.222.333.104
> > netdev2.mydomain.com. 900 IN A 444.555.666.104
> >
> > ;; Query time: 92 msec
> > ;; SERVER: 111.222.333.103#53(111.222.333.103)
> > ;; WHEN: Tue Oct 17 15:25:52 2006
> > ;; MSG SIZE rcvd: 111
> >
> >
> > Here I am querying our domain against our live servers via a trace.
> > Recursion is on. Notice how the final answer is given by the network devices.
> > dig +trace www.mydomain.com @ns1.netaxs.com | more
> >
> >
> > ; <<>> DiG 9.2.3 <<>> +trace www.mydomain.com @ns1.netaxs.com
> > ;; global options: printcmd
> > . 425605 IN NS D.ROOT-SERVERS.NET.
> > . 425605 IN NS E.ROOT-SERVERS.NET.
> > . 425605 IN NS F.ROOT-SERVERS.NET.
> > . 425605 IN NS G.ROOT-SERVERS.NET.
> > . 425605 IN NS H.ROOT-SERVERS.NET.
> > . 425605 IN NS I.ROOT-SERVERS.NET.
> > . 425605 IN NS J.ROOT-SERVERS.NET.
> > . 425605 IN NS K.ROOT-SERVERS.NET.
> > . 425605 IN NS L.ROOT-SERVERS.NET.
> > . 425605 IN NS M.ROOT-SERVERS.NET.
> > . 425605 IN NS A.ROOT-SERVERS.NET.
> > . 425605 IN NS B.ROOT-SERVERS.NET.
> > . 425605 IN NS C.ROOT-SERVERS.NET.
> > ;; Received 436 bytes from 207.106.1.2#53(ns1.netaxs.com) in 244 ms
> >
> > com. 172800 IN NS A.GTLD-SERVERS.NET.
> > com. 172800 IN NS G.GTLD-SERVERS.NET.
> > com. 172800 IN NS H.GTLD-SERVERS.NET.
> > com. 172800 IN NS C.GTLD-SERVERS.NET.
> > com. 172800 IN NS I.GTLD-SERVERS.NET.
> > com. 172800 IN NS B.GTLD-SERVERS.NET.
> > com. 172800 IN NS D.GTLD-SERVERS.NET.
> > com. 172800 IN NS L.GTLD-SERVERS.NET.
> > com. 172800 IN NS F.GTLD-SERVERS.NET.
> > com. 172800 IN NS J.GTLD-SERVERS.NET.
> > com. 172800 IN NS K.GTLD-SERVERS.NET.
> > com. 172800 IN NS E.GTLD-SERVERS.NET.
> > com. 172800 IN NS M.GTLD-SERVERS.NET.
> > ;; Received 497 bytes from 128.8.10.90#53(D.ROOT-SERVERS.NET) in 130 ms
> >
> > mydomain.com. 172800 IN NS ns1.mydomain.com.
> > mydomain.com. 172800 IN NS ns2.mydomain.com.
> > ;; Received 105 bytes from 192.42.93.30#53(G.GTLD-SERVERS.NET) in 125 ms
> >
> > www.mydomain.com. 900 IN NS netdev1.mydomain.com.
> > www.mydomain.com. 900 IN NS netdev2.mydomain.com.
> > ;; Received 111 bytes from 111.222.333.101#53(ns1.mydomain.com) in 72 ms
> >
> > www.mydomain.com. 60 IN A 111.222.333.111
> > ;; Received 53 bytes from 111.222.333.104#53(netdev1.mydomain.com) in 198 ms
> >
> > Here I am querying the domain against one of our live servers again.
> > Recursion is on. Notice how the final answer is given by the network devices.
> > dig www.mydomain.com @111.222.333.101
> >
> > ; <<>> DiG 9.2.3 <<>> www.mydomain.com @111.222.333.101
> > ;; global options: printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32222
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> >
> > ;; QUESTION SECTION:
> > ;www.mydomain.com. IN A
> >
> > ;; ANSWER SECTION:
> > www.mydomain.com. 60 IN A 111.222.333.111
> >
> > ;; AUTHORITY SECTION:
> > www.mydomain.com. 900 IN NS netdev1.mydomain.com.
> > www.mydomain.com. 900 IN NS netdev2.mydomain.com.
> >
> > ;; ADDITIONAL SECTION:
> > netdev1.mydomain.com. 900 IN A 111.222.333.104
> > netdev2.mydomain.com. 900 IN A 444.555.666.104
> >
> > ;; Query time: 586 msec
> > ;; SERVER: 111.222.333.101#53(111.222.333.101)
> > ;; WHEN: Tue Oct 17 15:31:46 2006
> > ;; MSG SIZE rcvd: 127
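The referral-following that Kevin describes is what makes the recursion-off test server usable: the `.103` response above is a referral (no ANSWER, NS records in AUTHORITY, glue in ADDITIONAL), and any iterative resolver walks it to the network device. The following Python script is an added example for this thread, not code from either poster. It parses dig-style responses, classifies a response as referral or answer, checks the RA flag (which is what tells a client whether a server still offers recursion), and follows the delegation the way an iterative resolver would. The server responses are a constructed table copied from the dig output quoted above; the `111.222.333.x` / `444.555.666.x` addresses are the poster's redacted placeholders and the network device's own response (flags and TTL) is assumed.

```python
import re
from collections import namedtuple

RR = namedtuple("RR", "name ttl rclass rtype rdata")

# Constructed responses keyed by the server queried, in dig's presentation
# format.  .103 is the test server with recursion off (taken from the thread);
# .104 is a network device, whose response is assumed to be a plain
# authoritative answer carrying the same A record the +trace output showed.
RESPONSES = {
    "111.222.333.103": """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.mydomain.com. IN A
;; AUTHORITY SECTION:
www.mydomain.com. 900 IN NS netdev1.mydomain.com.
www.mydomain.com. 900 IN NS netdev2.mydomain.com.
;; ADDITIONAL SECTION:
netdev1.mydomain.com. 900 IN A 111.222.333.104
netdev2.mydomain.com. 900 IN A 444.555.666.104
""",
    "111.222.333.104": """\
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.mydomain.com. IN A
;; ANSWER SECTION:
www.mydomain.com. 60 IN A 111.222.333.111
""",
}

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")


def parse_response(text):
    """Split a dig-style response into its header flags and RR sections."""
    resp = {"flags": set(), "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLAGS_RE.match(line)
        if m:
            resp["flags"] = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith(";"):  # question line or other dig comment
            continue
        parts = line.split(None, 4)
        if section in resp and len(parts) == 5:
            name, ttl, rclass, rtype, rdata = parts
            resp[section].append(RR(name.lower(), int(ttl), rclass, rtype, rdata.lower()))
    return resp


def offers_recursion(resp):
    """RA set means the server will recurse for clients; a recursion-off
    authoritative server answers with 'qr rd' only, as .103 does above."""
    return "ra" in resp["flags"]


def is_referral(resp, qname):
    """No answer, but NS records for the query name or an ancestor of it."""
    if resp["ANSWER"]:
        return False
    qname = qname.lower()
    return any(rr.rtype == "NS" and (rr.name == "." or qname == rr.name
                                      or qname.endswith("." + rr.name))
               for rr in resp["AUTHORITY"])


def glue_addresses(resp):
    """Map each delegated NS name to the A addresses supplied as glue."""
    ns_names = {rr.rdata for rr in resp["AUTHORITY"] if rr.rtype == "NS"}
    glue = {}
    for rr in resp["ADDITIONAL"]:
        if rr.rtype == "A" and rr.name in ns_names:
            glue.setdefault(rr.name, []).append(rr.rdata)
    return glue


def resolve(qname, start_server, responses, max_hops=8):
    """Follow referrals like an iterative resolver.  `responses` stands in for
    the network; returns (A addresses, servers consulted in order)."""
    server, path = start_server, []
    for _ in range(max_hops):
        path.append(server)
        resp = parse_response(responses[server])
        answers = [rr.rdata for rr in resp["ANSWER"]
                   if rr.rtype == "A" and rr.name == qname.lower()]
        if answers:
            return answers, path
        if not is_referral(resp, qname):
            raise LookupError(f"{server}: neither answer nor referral for {qname}")
        glue = glue_addresses(resp)
        if not glue:
            # A real resolver would now look up the NS names separately;
            # for in-zone NS names (as here) that only works with glue.
            raise LookupError(f"{server}: referral without glue")
        nxt = next(iter(glue.values()))[0]  # first glued server; real resolvers pick by RTT
        if nxt in path:
            raise LookupError("referral loop")
        server = nxt
    raise LookupError("too many referrals")


if __name__ == "__main__":
    first = parse_response(RESPONSES["111.222.333.103"])
    print("test server offers recursion:", offers_recursion(first))
    print("resolved:", resolve("www.mydomain.com.", "111.222.333.103", RESPONSES))
```

Running it against the constructed table yields `111.222.333.111` after consulting `.103` and then `.104`, which is exactly the path the `+trace` output shows the live server taking; the difference with recursion off is only that `.103` stops at the referral instead of chasing it itself. Replacing `RESPONSES` with a function that sends a real query (for instance `dig +norecurse` output captured per server) turns the same logic into a check you can run against the test server without touching the live ones.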