Stub zone vs forward zone
Marc Haber
mh+bind-users at zugschlus.de
Fri Mar 18 09:15:25 UTC 2011
Hi,
On Mon, Mar 14, 2011 at 09:16:13PM -0400, Kevin Darcy wrote:
> Stub zones: only available as a single level beyond one's "authoritative
> core", i.e. the stub server must be able to talk directly to one or more
> authoritative servers for the zone.
> Forward zones: can be daisy-chained an arbitrary number of levels from
> the authoritative core (but this is not recommended due to
> manageability, performance and reliability concerns).
>
> Stub zones: will use whatever is in the NS records of the zone (or
> descendants of the zone, if not otherwise defined) to resolve queries
> which are below a zone cut.
> Forward zones: will always use the configured forwarders, which must
> support recursion, even for names which are known to be deeper in the
> delegation hierarchy and whose delegated/authoritative nameservers might
> respond more quickly than the forwarders, if asked.
Thanks for the clarification, I appreciate that.
> As a general rule, use "type forward" zones only if you have some
> connectivity issue you need to work around, e.g. trying to resolve
> Internet names from behind a restrictive firewall.
So, a "type forward" zone is the right thing to do for the reverse DNS
zones of RFC1918 networks that are reachable via a VPN link. However,
my setup using a "type forward" zone doesn't work, and bind does not
even try querying the forwarders listed in the type forward zone
statement when I try to obtain a PTR record for an IP on these nets.
> Use slave zones if you want a full copy of the zone available at all
> times (unless it expires of course), thus maximizing fault-tolerance
> and client-to-resolver performance, but subject to the replication
> overhead, storage space and willingness of the zone owner to allow
> zone transfers. And use stub zones if you want a more lightweight
> alternative to slaving, at the expense of some fault-tolerance and
> client-to-resolver performance.
In my case, my slave could only intermittendly reach the master
servers for the zones, so I'd need to reload these zones quite
frequently to "catch" a time when the VPN tunnel is built. Does a stub
zone use the same mechanism, or will it immediately query for the
stub's NS records when a query comes in and the NS records are no
longer cached?
> To answer your specific question, the non-intuitive[1] "forwarders { };"
> is needed to inhibit forwarding which has presumably been defined at a
> higher level (semantically) in your config, either at the
> 1.10.in-addr.arpa level, or somewhere above that, explicitly, or
> so-called "global forwarding" defined in the "options" clause.
Global forwarders. So they would take precedence over the locally
available delegations for the stub zone?
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
More information about the bind-users
mailing list