Forwarding problem; Forward Last?

Gabriel.Quennesson at fr.michelin.com Gabriel.Quennesson at fr.michelin.com
Fri Feb 8 12:34:58 UTC 2008


That is indeed subtle. Thanks for helping me figure this out.

bind-users-bounce at isc.org wrote on 08/02/2008 12:58:26:

> 
> > Right again, damn.
> > My second set of tests suffered a misconfiguration of my zonefile.
> > 
> > I really don't see, however, what the subtle difference is between
> > forwarding first and disabling forwarding altogether for that zone when
> > it comes to subzone nameservers lookup.
> > If I understand correctly, the query should forward first, receive no
> > answers, then look up its own zone file for a matching NS record, then ask
> > that server...
> 
>    NXDOMAIN *is* an answer.  It's a negative answer.
> 
>    SERVFAIL/timeout is not an answer.
> 
> > And the answer is nowhere to be seen, but in the mouths of "those who 
> > know" it seems.
> > 
> > bind-users-bounce at isc.org wrote on 08/02/2008 11:20:08:
> > 
> > > 
> > > > You are right, I didn't apply it to the zone you specified;
> > > > I first disabled forwarding in the ad.sub.company.com zone by setting
> > > > forwarders to an empty list, which did not work.
> > > > 
> > > > I then did the same with the sub.company.com zone, as you specified. I
> > > > can't get it to work either...
> > > > 
> > > > As for made up names, there are rather strong confidentiality issues with
> > > > my company. Let me put here a translation of my configuration files:
> > > > 
> > > > 
> > > > /* named.conf */
> > > > 
> > > > forwarders { 10.0.0.1; 10.0.0.2; };
> > > > 
> > > > zone sub.company.com {
> > > >         type master;
> > > >         forwarders { }; #because you asked it
> > > >         file "master/myzonefile";
> > > > };
> > > 
> > >    Which will work.  Your testing methods must be flawed or there
> > >    is something else you are not telling us.
> > > 
> > >    Mark
> > > 
> > > > # note that the ad.sub.company.com isn't defined as such. I defined it to
> > > > put the empty forwarder list when I read your above mail.
> > > > 
> > > > /* myzonefile */
> > > > /* skipping SOA block */
> > > > 
> > > > ad.sub.company.com.     IN NS   ns1.ad.sub.company.com.
> > > > ns1.ad.sub.company.com. IN A 192.168.0.1
> > > > 
> > > > 
> > > > This setup seems, as far as literature goes, a state of the art setup for
> > > > delegation of a zone.
> > > > And btw yes I am probably "not applying [something] correctly". I have
> > > > read through many mailing lists, docs, books and couldn't find an answer,
> > > > hence why I am posting here.
> > > > 
> > > > bind-users-bounce at isc.org wrote on 07/02/2008 23:03:01:
> > > > 
> > > > > 
> > > > > > I was pretty sure I tested that, but I double checked anyway.
> > > > > > It doesn't work; Or at least, it forces me to define the zone as a slave
> > > > > > (or forward only) zone in named.conf, which is not the solution I
> > > > > > envisioned.
> > > > > > I just want to define a NS record and the corresponding A record for
> > > > > > delegation, which works well as long as I can't forward to my main
> > > > > > forwarders.
> > > > > 
> > > > >    It does work.  You are just not applying it correctly.
> > > > >    Please look at the example below and apply it to the
> > > > > >    corresponding zone in your hierarchy.
> > > > > 
> > > > >    This is a perfect example of why one should not hide zone
> > > > >    names etc. when asking for help.  It makes it hard to
> > > > >    do the examples when one is using made up names.
> > > > > 
> > > > >    Mark
> > > > > 
> > > > > > bind-users-bounce at isc.org wrote on 07/02/2008 14:09:38:
> > > > > > 
> > > > > > > 
> > > > > > > > Hi,
> > > > > > > > (needless to say I have been looking for the answer for days before
> > > > > > > > posting here).
> > > > > > > > 
> > > > > > > > I am in the process of replacing Novell Netware's repackaged Bind by a
> > > > > > > > standard Linux Bind build.
> > > > > > > > My setup is quite simple :
> > > > > > > > 
> > > > > > > > Bind is authoritative for sub.company.com. It uses 2 company.com
> > > > > > > > forwarders (which doesn't know anything about our zone and/or network
> > > > > > > > apart from a couple A records it holds for external sub.company.com
> > > > > > > > access. That's stupid but that's how they do.)
> > > > > > > > There is an active directory, which is named -you guessed it already-
> > > > > > > > ad.sub.company.com. Bind is not a slave for that zone, it just holds a NS
> > > > > > > > and its glue record, as follows
> > > > > > > > ad      NS      ns.ad.sub.company.com.
> > > > > > > > ns.ad.sub.company.com.  A       192.168.0.1
> > > > > > > > 
> > > > > > > > My problem is the following: when my forwarders are down or undefined and
> > > > > > > > I query Bind for a record in ad.company.com, it asks ns.ad.sub.company.com
> > > > > > > > and answers with the right answer. (read : if the forwarders are defined
> > > > > > > > but not reachable for some reasons, like FW blocking access, the cascading
> > > > > > > > works).
> > > > > > > > However when Bind can reach the forwarders, it just asks them for records
> > > > > > > > in ad domain; they answer with a no such domain and resolution stops
> > > > > > > > there.
> > > > > > > > 
> > > > > > > > Reading Bind's documentation (and O'reilly's book, 5th edition) I am not
> > > > > > > > missing anything obvious about delegation. It might have to do with my
> > > > > > > > forwarder being unaware of my setup but I don't see quite how (and I can't
> > > > > > > > do anything about it).
> > > > > > > > I have not tried to make bind a slave for the AD zone. I would like the
> > > > > > > > above setup to work before trying other setups.
> > > > > > > > 
> > > > > > > > Any help would be appreciated,
> > > > > > > 
> > > > > > >    turn forwarding off for the sub zone.
> > > > > > > 
> > > > > > >    zone sub.company.com {
> > > > > > >       ....
> > > > > > >       forwarders { /* empty */ };
> > > > > > >    };
> > > > > > > > 
> > > > > > > > 
> > > > > > > -- 
> > > > > > > Mark Andrews, ISC
> > > > > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > > > > > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> > > > > > > 
> > > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > -- 
> > > > > Mark Andrews, ISC
> > > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > > > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> > > > > 
> > > > > 
> > > > 
> > > -- 
> > > Mark Andrews, ISC
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> > > 
> > > 
> > 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> 
> 
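
A simplified model of the decision Mark describes in this thread (an NXDOMAIN from a forwarder ends resolution, a SERVFAIL or timeout does not, and an empty `forwarders` list on the parent zone skips forwarding), added here as an illustration; it is not BIND code and was not posted by anyone in the thread. Zone names and addresses are the ones used in the messages above; the query name `dc1.ad.sub.company.com` and the simulated replies are constructed.

```python
"""Toy model of forward-first vs. empty forwarders for a delegated subzone.
Not BIND source; a sketch of the behaviour described in the thread."""
from dataclasses import dataclass, field
from typing import Optional

# Both of these end resolution: NXDOMAIN is a (negative) answer.
ANSWERS = ("NOERROR", "NXDOMAIN")
# Anything else (SERVFAIL, TIMEOUT) is a failure, not an answer.


def is_subdomain(name: str, parent: str) -> bool:
    name, parent = name.rstrip(".").lower(), parent.rstrip(".").lower()
    return name == parent or name.endswith("." + parent)


@dataclass
class Zone:
    name: str
    delegations: dict                      # child zone -> glue address of its NS
    forwarders: Optional[list] = None      # None = inherit global, [] = forwarding off
    forward: str = "first"                 # "first" or "only"
    records: set = field(default_factory=set)  # names held in the zone itself


@dataclass
class Server:
    global_forwarders: list
    zones: list

    def enclosing_zone(self, qname: str) -> Optional[Zone]:
        matches = [z for z in self.zones if is_subdomain(qname, z.name)]
        return max(matches, key=lambda z: len(z.name), default=None)


def resolve(server: Server, qname: str, forwarder_reply: dict, ns_reply: dict):
    """Return (rcode, source).

    forwarder_reply: forwarder IP -> rcode, or missing for a timeout.
    ns_reply: delegated name-server IP -> rcode, or missing for a timeout.
    """
    zone = server.enclosing_zone(qname)
    if zone is None:
        raise ValueError("model only covers names under a locally served zone")

    child = next((c for c in zone.delegations if is_subdomain(qname, c)), None)
    if child is None:
        # Name is in the zone proper: answered from the zone file, no forwarding.
        rcode = "NOERROR" if qname.rstrip(".").lower() in zone.records else "NXDOMAIN"
        return (rcode, "zone " + zone.name)

    # Name is below a delegation: the zone's forwarders setting applies here.
    forwarders = (zone.forwarders if zone.forwarders is not None
                  else server.global_forwarders)
    for ip in forwarders:
        rcode = forwarder_reply.get(ip, "TIMEOUT")
        if rcode in ANSWERS:
            return (rcode, "forwarder " + ip)   # resolution stops here

    if forwarders and zone.forward == "only":
        return ("SERVFAIL", "no forwarder answered (forward only)")

    # No forwarders configured, or none gave an answer: follow the delegation.
    ns_ip = zone.delegations[child]
    return (ns_reply.get(ns_ip, "SERVFAIL"), "delegated server " + ns_ip)


def build(zone_forwarders=None, mode="first") -> Server:
    """Server from the thread: global forwarders plus a master zone with one delegation."""
    zone = Zone(name="sub.company.com",
                delegations={"ad.sub.company.com": "192.168.0.1"},
                forwarders=zone_forwarders, forward=mode)
    return Server(global_forwarders=["10.0.0.1", "10.0.0.2"], zones=[zone])


QNAME = "dc1.ad.sub.company.com"                 # constructed query name
AD_UP = {"192.168.0.1": "NOERROR"}               # constructed: AD server knows the name
FWD_NXDOMAIN = {"10.0.0.1": "NXDOMAIN", "10.0.0.2": "NXDOMAIN"}
FWD_DOWN = {}                                     # every forwarder times out

if __name__ == "__main__":
    cases = [
        ("forward first, forwarders reachable", build(), FWD_NXDOMAIN),
        ("forward first, forwarders unreachable", build(), FWD_DOWN),
        ("forwarders { } on sub.company.com", build(zone_forwarders=[]), FWD_NXDOMAIN),
        ("forward only, forwarders unreachable", build(mode="only"), FWD_DOWN),
    ]
    for label, server, fwd in cases:
        print(f"{label:42} -> {resolve(server, QNAME, fwd, AD_UP)}")
```
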



