Static-stub zones and forwarding

Mark Picone mark.picone at deakin.edu.au
Fri Aug 24 05:45:22 UTC 2012


Hi All,

I am in the process of migrating all of our client facing resolver hosts back to BIND (from unbound) and have hit a roadblock.
I wanted to confirm if I have missed something in my BIND configuration or I have hit some sort of limitation in BIND.

It appears as if BIND is ignoring the static-stub zone and just forwarding all queries to the specified forwarders.

The reason that I require a static-stub and not a forward zone is that our internal name servers have delegated zones (to Cisco GSS/F5 devices) which return site-specific answers; if I allow the client facing resolvers to recursively query the internal name servers I will get back the site-specific answer for the internal name server instead of the client facing resolver.
Using a static-stub zone forces the client facing resolver to use iterative queries which will eventually lead it to query the Cisco GSS/F5 device for itself.

Environment info:
- I have obscured hostnames & IP addresses.

Public facing name servers (host the 'external' view of our primary zone & also perform recursive lookups for our internal servers):
- 111.111.111.111
- 222.222.222.222

Internal facing name servers (host the 'internal' view of our primary zone, will perform recursive queries for client facing resolvers):
- 10.0.0.1
- 10.0.0.2
- 10.0.0.3

BIND/Unbound, (client facing resolver) details:

user at host:~ %cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.2 (Santiago)

user at host:~ %rpm -qa | grep ^bind
bind-9.8.2-0.10.rc1.el6_3.2.x86_64
bind-utils-9.8.2-0.10.rc1.el6_3.2.x86_64
bind-libs-9.8.2-0.10.rc1.el6_3.2.x86_64

user at host:~ %rpm -qa | grep unbound
unbound-1.4.14-1.el6.x86_64
unbound-libs-1.4.14-1.el6.x86_64


Unbound config (working):
- http://pastebin.com/MDFwZRLq
- Unbound sends iterative queries to the name servers specified in the stub zone.

BIND config #1 (static-stub zone ignored, all queries are forwarded to 111.111.111.111/222.222.222.222):
- http://pastebin.com/3rcZdxbQ

BIND config #2 (static-stub zone ignored, all queries are forwarded to 111.111.111.111/222.222.222.222):
- http://pastebin.com/cgbxSYph

Note: I have also tried setting 'forwarders {};' in the static-stub zone but BIND returns with the error:
- "option 'forwarders' is not allowed in 'static-stub' zone 'obscured.edu.au'"


Regards,

Mark Picone
Unix Administrator
Deakin eSolutions

Deakin University
Geelong Waterfront Campus
1 Gheringhap Street, Geelong, VIC 3220
Phone: +61 3 52278602
Deakin University CRICOS Provider Code 00113B
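
Added example, not part of the original post or of the poster's configuration: a check, run over queries captured on the client-facing resolver, of whether in-zone lookups are being forwarded (RD bit set, sent to a forwarder) or sent non-recursively to the static-stub servers (RD bit clear). It assumes the static-stub servers are the internal 10.0.0.x hosts and the forwarders are 111.111.111.111/222.222.222.222; the function names and the sample queries are constructed for illustration.

```python
import struct

def build_query(qname, rd, qid=0x1234):
    """Build a minimal DNS A/IN query; used only to construct sample input."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 0x0100 of the flags word
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))

def parse_query(msg):
    """Return (qname, rd) for a raw DNS query, rejecting malformed input."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        n = msg[pos]
        if n == 0:
            break
        if n & 0xC0 or pos + 1 + n > len(msg):
            raise ValueError("bad label")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    return ".".join(labels) + ".", bool(flags & 0x0100)

def classify(captured, zone, stub_servers, forwarders):
    """Label each in-zone query by how the resolver sent it upstream."""
    zone = zone.rstrip(".").lower() + "."
    out = []
    for dst, raw in captured:
        qname, rd = parse_query(raw)
        if qname != zone and not qname.endswith("." + zone):
            continue                           # outside the static-stub zone
        if rd and dst in forwarders:
            out.append((qname, dst, "forwarded"))
        elif not rd and dst in stub_servers:
            out.append((qname, dst, "static-stub"))
        else:
            out.append((qname, dst, "other"))
    return out

# Constructed sample: addresses are the obscured ones from the post.
SAMPLE = [("111.111.111.111", build_query("www.obscured.edu.au", rd=True)),
          ("10.0.0.1", build_query("www.obscured.edu.au", rd=False)),
          ("222.222.222.222", build_query("example.org", rd=True))]
```

Any "forwarded" verdict for a name under the static-stub zone matches the behaviour reported in the post.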







More information about the bind-users mailing list