Name resolution follows forwarders instead of delegations on master server

Taylor, Gord gord.taylor at rbc.com
Tue Jan 26 15:07:06 UTC 2010


I've noticed that if I have default forwarders set up in the options
section of my named.conf, then BIND (9.4.1-P1) will forward to these
servers rather than following the delegations for zones where it's
authoritative (verified via sniffer trace). Is this true of all BIND
versions?

In my case, the forwarders in the options section are in my primary data
centre, which is authoritative for all of our internal zones, and the
config below exists in one of our geographical data centres (overseas),
which is master for only a subset of the zones. Since the delegation is to a
local F5 GTM in that same geographical data centre, I really don't want
everything coming back across the WAN, only to be delegated back across
the WAN again (lots of inefficiencies). I've found that putting an empty
forwarders statement in the zone config (e.g. forwarders { };) prevents
following the default forwarders, so I have a workaround for now.

This behavior seems a little counter-intuitive to me and never caused me
any problems until recently. So I wanted to know if this behavior was
consistent across all BIND versions, or if it only happened recently due
to our BIND version upgrade last year (9.4.1-P1). I'm looking at another
code upgrade shortly, so I want to ensure no surprises...

Any help/clarification is appreciated.

Here's a simplified config of what I'm running. In this case, queries to
this DNS server (172.16.1.1) will be forwarded to 10.1.1.1 & 10.2.2.2
first, then if no reply it will try the NS servers for appx listed in
the zone file (delegated to a global load balancer):

NAMED.CONF
~~~~~~~~~~~
options {
    directory "/var/named";
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
    // global forwarders: inherited by every zone that does not override them
    forwarders { 10.1.1.1; 10.2.2.2; };
};

zone "internal.corp.sample" in {
   type master;
   file "db.internal.corp.sample";
   allow-update { none; };
   allow-transfer { internal-acl-list; };
};


Db.internal.corp.sample
~~~~~~~~~~~~~~~~~~~~~~~
@ IN SOA ;(...the usual stuff)

  IN NS 172.16.1.1
  IN NS 172.16.2.2
  IN NS 10.1.1.1
  IN NS 10.2.2.2

appx IN NS 172.16.3.3
appx IN NS 172.16.4.4



Gord Taylor (CISSP, GCIH, GEEK) | Senior Network Analyst, Internet
Technologies | Royal Bank of Canada
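The behaviour described in the post (a zone with global forwarders in effect sends queries for its delegated children to the forwarders, and with the default "forward first" only falls back to the NS records when the forwarders do not answer) is easy to miss in a large named.conf. The following audit script is an added example, not part of the original post and not BIND code. It uses a small brace-matching parser that handles only the named.conf syntax shown above (not the full grammar), reads the sample configuration embedded in it (a constructed fragment modelled on the post's config, with hypothetical extra zones), and reports every zone whose effective forwarders list is non-empty, i.e. every zone that still needs an explicit `forwarders { };` before its delegations will be followed directly.

```python
import re

# Constructed named.conf fragment modelled on the post's config.
# "fixed.corp.sample" and "regional.corp.sample" are hypothetical zones
# added to show the zone-level override cases.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    forwarders { 10.1.1.1; 10.2.2.2; };   // global forwarders
};

zone "internal.corp.sample" in {
    type master;
    file "db.internal.corp.sample";
};

zone "fixed.corp.sample" in {
    type master;
    file "db.fixed.corp.sample";
    forwarders { };                      /* override: follow delegations */
};

zone "regional.corp.sample" in {
    type master;
    file "db.regional.corp.sample";
    forward only;
    forwarders { 10.9.9.9; };            # zone-specific forwarder
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_blocks(conf):
    """Yield (header, body) for each depth-0 `header { body };` statement.

    A character-level brace counter is used because blocks nest
    (e.g. forwarders { ... } inside options { ... }), which a single
    regular expression cannot match correctly.
    """
    blocks, depth, header, body, header_text = [], 0, [], [], ""
    for ch in conf:
        if ch == "{":
            if depth == 0:
                # drop the ';' that terminated the previous statement
                header_text = "".join(header).strip().lstrip(";").strip()
            else:
                body.append(ch)
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append((header_text, "".join(body)))
                header, body = [], []
            else:
                body.append(ch)
        elif depth == 0:
            header.append(ch)
        else:
            body.append(ch)
    return blocks


def parse_forwarders(body):
    """Return the forwarders list, [] for `forwarders { };`, or None if absent."""
    m = re.search(r"forwarders\s*\{([^}]*)\}", body)
    if m is None:
        return None
    return [addr for addr in re.split(r"[;\s]+", m.group(1)) if addr]


def zone_forwarding_audit(conf):
    """Compute the effective forwarders for every zone in the config."""
    conf = strip_comments(conf)
    global_fwd, zones = [], {}
    for header, body in top_level_blocks(conf):
        parts = header.split()
        if parts and parts[0] == "options":
            global_fwd = parse_forwarders(body) or []
        elif parts and parts[0] == "zone":
            zones[parts[1].strip('"')] = body

    findings = []
    for name, body in zones.items():
        ztype = re.search(r"\btype\s+(\w+)\s*;", body)
        mode = re.search(r"\bforward\s+(first|only)\s*;", body)
        own = parse_forwarders(body)
        effective = global_fwd if own is None else own
        findings.append({
            "zone": name,
            "type": ztype.group(1) if ztype else "unknown",
            "forward_mode": mode.group(1) if mode else "first",  # BIND default
            "forwarders": effective,
            "source": "inherited from options" if own is None else "zone-level",
            # non-empty effective list: queries for delegated children go to
            # the forwarders instead of the NS records in the zone file
            "needs_empty_forwarders": bool(effective),
        })
    return findings


def flagged_zones(conf):
    """Names of zones whose delegations will be sent to forwarders."""
    return sorted(f["zone"] for f in zone_forwarding_audit(conf)
                  if f["needs_empty_forwarders"])


if __name__ == "__main__":
    for f in zone_forwarding_audit(SAMPLE_NAMED_CONF):
        flag = "CHECK" if f["needs_empty_forwarders"] else "ok   "
        print(f"{flag} {f['zone']:<24} type={f['type']:<7} "
              f"forward={f['forward_mode']:<5} forwarders={f['forwarders']} ({f['source']})")
```

Run against a real file with `zone_forwarding_audit(open("/etc/named.conf").read())`; zones marked CHECK are the ones where the post's workaround (`forwarders { };`) is missing, and those with `forward only` will never fall back to the delegation at all.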

