Delegation questions

Bob McDonald bmcdonaldjr at gmail.com
Thu Aug 11 17:14:23 UTC 2016


Let me be a bit more clear...

This is strictly internal. There are no external clients or servers
involved. All three of the servers have recursion turned ON.

Server A has a domain (example.com.)
example.com. has an NS record that points to server B and delegates
child.example.com. (yes, there are really two; this is just an example)

Server B is at another company. (probably connected via some sort of IPSEC
tunnel)

Server C has a slave copy of example.com. from server A (and the associated
NS record delegating child.example.com. to server B)
Server C is at another site at the same company as server A

Currently, clients sending queries for domain child.example.com. to server
A get good results.
However, clients sending queries for domain child.example.com. to server C
get SERVFAIL because server C has no access to server B. (I'm guessing
there is a firewall issue)

The question is if I get rid of the delegation and put in a stub zone on
server A pointing to child.example.com. on server B, can I use forwarders
for child.example.com. on server C to point at server A for resolution of
child.example.com.? (Will server A get answers directly from server B or
will server A simply refer me to server B?)

Hope that's clearer.

Bob


On Thu, Aug 11, 2016 at 11:52 AM, Matthew Pounsett <matt at conundrum.com>
wrote:

>
> On 11 August 2016 at 09:13, Bob McDonald <bmcdonaldjr at gmail.com> wrote:
>
>> I have a child domain that is delegated to a second site. Pretty
>> straightforward situation. In the parent zone I have NS records that point
>> to the DNS servers at the second site.
>>
>> The issue comes up when a slaved copy of the parent domain is running at
>> a third site and that third site doesn't have a rule in their firewall
>> allowing DNS access to the second site (where the child domain is
>> delegated).
>>
>> The question is this: can I use stub zones to reference the child domain
>> on the master server (instead of delegation) and then use forwarding at the
>> third site to direct queries for the child domain through the master
>> server?
>>
>> I hope the picture I've tried to describe is somewhat clear.
>>
>
> If the setup is exactly as you describe, then there's probably no reason
> for a name server authoritative for the parent zone to ever need to contact
> a server authoritative for the child zone.  Delegation from A to B doesn't
> imply direct communication between A and B.
>
> That said, you never know where on the Internet queries for a zone will
> arrive from.  If you want the Internet at large to be able to resolve names
> in your zone, then you can't firewall yourself off from parts of the
> Internet.
>
> If any of the servers in this scenario are also acting as recursive
> servers, then you have the same problem;  you never know where on the
> Internet an authoritative server you need to speak to is going to be, so
> you can't firewall your recursive server off from speaking to parts of the
> Internet and expect it to work reliably.
>
>>
>> Regards,
>>
>> Bob
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
>
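To make the setup asked about in the thread concrete, here is an added named.conf sketch (not from the thread or from ISC; the addresses and file names are placeholders, and the two servers' configurations are shown one after the other). Server A is primary for example.com and holds a stub zone for child.example.com fetched from server B; server C is secondary for example.com and forwards child.example.com to A. Because a forwarded query carries RD=1 and A has recursion on, A resolves the name via B and returns the answer itself; a stub zone only fetches the child's SOA/NS records, so A still has to reach B for the actual data.

```conf
// ---- Server A (primary for example.com, recursion on) ----
// Addresses are placeholders, not values from the thread.
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; };    // assumed internal client range
};

zone "example.com" {
    type master;
    file "example.com.zone";            // carries the NS records for child.example.com
};

// A stub zone holds only the child's SOA/NS (and glue) pulled from B;
// A still recurses to B for every other name in child.example.com.
zone "child.example.com" {
    type stub;
    masters { 192.0.2.53; };            // server B (placeholder)
    file "child.example.com.stub";
};

// ---- Server C (secondary for example.com, no path to server B) ----
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; };    // assumed internal client range
};

zone "example.com" {
    type slave;
    masters { 10.0.0.1; };              // server A (placeholder)
    file "example.com.slave";
};

// The most specific configured zone wins, so this forward zone overrides
// the delegation found in the slaved parent. Forwarded queries are sent
// with RD=1, so A answers them itself instead of handing back a referral.
zone "child.example.com" {
    type forward;
    forward only;                       // never fall back to iterative resolution via B
    forwarders { 10.0.0.1; };           // server A (placeholder)
};
```

A quick check on A: dig +norecurse against A for a name under child.example.com returns a referral (NS records in the authority section), while the same query with recursion (dig's default) returns the answer; C's forwarded queries are of the latter kind.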