Forwarding zone, setup

Gregory Sloop gregs at sloop.net
Tue Mar 1 18:13:27 UTC 2022


This got held up in moderation. Let me repost it, from my regular mail client...
 
 
> You didn’t share much of your configuration except the one forwarded zone, not a lot to go on.
 
Fair enough. (I guess I thought you could just infer all the needed information! <grin> Oops!)

Let me try Ondrej's static-stub and see if that makes a difference.

As for more detail.
Yeah, it's a recursive resolver, used internally only.
It's also authoritative for the somedomain.local zone.
I simply want(ed) to pass queries for *.ad.somedomain.local to another server(s), so thought the forwarder setup was the right way to do that.

Sorry for being so lame in not providing enough detail - I think I just figured I must be doing something terribly wrong and the forwarder setup must be wrong in some obvious detail I wasn't seeing. 
That doesn't appear to be the case, so we'll look again, try static-stub and then re-group if it doesn't work.

Thanks all!
 
> But one thing to check, you do have recursion enabled on the server?
> On Mon, Feb 28, 2022 at 6:34 PM Gregory Sloop <gregs at sloop.net> wrote:

>> Wow. I hate to be the guy who looks the gift horse in the mouth - but that just seems "wrong." :) 
>> (Not the answer, but that that would be the way BIND wants it done.)
>>  
>> So, now I've got two sets of NS and glue records? 
>> Please tell me that's not the way BIND insists you do this!
>>  
>> I guess I should try it, but dang.
>> Does anyone know for sure?
>>  
>>   

>>> Add Delegating NS records:

>>> ab.somedomain.local 3600 NS server1.ab.somedomain.local
>>> .
>>> .
>>> .


>>> And glue records

>>> server1.ab.somedomain.local 3600 A 10.0.0.1
>>> .
>>> .


>>> And see if it works. It’s got something to do with the way the record is matched (or not) before the forward statement is hit.

>>> J
>>>> On Feb 28, 2022, at 3:47 PM, Gregory Sloop <gregs at sloop.net> wrote:

>>>> So, I want to forward all queries for 
>>>> *.ab.somedomain.local to some other internal DNS servers.
>>>> (Records in *.ab.somedomain.local actually are our active domain servers)
>>>>  
>>>> (Yes, I know .local is reserved now, but we've been using it a long time and changing would be rather painful. Unless there's some horrible consequences, I think we'll just continue for now. We won't ever use mDNS.)
>>>>  
>>>> zone "ab.somedomain.local" {
>>>>     type forward;
>>>>     forward only;
>>>>     forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
>>>> };

>>>> But this doesn't appear to do what I want.
>>>>  
>>>> If I add the above to my regular BIND server's configuration, it doesn't return results like it's forwarding them. (I get NXDOMAIN for abc.ab.somedomain.local.)
>>>>  
>>>> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I get a proper result. (force dig to use the AD name servers directly, instead of relying on the forward.)
>>>>  
>>>> (And yes the resolv.conf file has the ip addresses of the main internal BIND servers in it, and those only.)
>>>> I've looked and while I think I'm doing it right, I'm not entirely sure.
>>>> I figured before I beat my head against the wall for too long, I'd ask the real experts! :)
>>>>  -- 

-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x121
EMail: gregs at sloop.net
http://www.sloop.net
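
An added example (not part of the original message and not BIND's own tooling): a Python check for the situation in this thread, a `type forward` zone that sits under a zone the same server is authoritative for while the parent zone data holds no delegating NS records for it. The sample `named.conf` and zone text are constructed from the names used in the thread; the parsing assumes one record per line with an explicit owner name, and that `type` comes before any nested block in each zone statement.

```python
import re

# Constructed sample data modelled on the thread; not the poster's real files.
NAMED_CONF = '''
zone "somedomain.local" { type master; file "db.somedomain.local"; };
zone "ab.somedomain.local" {
    type forward;
    forward only;
    forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
};
'''
PARENT_ZONE = '''
$ORIGIN somedomain.local.
@    3600 IN NS ns1.somedomain.local.
ns1  3600 IN A  10.0.0.53
'''
DELEGATION = '''
ab          3600 IN NS server1.ab.somedomain.local.
server1.ab  3600 IN A  10.0.0.1
'''
AUTHORITATIVE = {'master', 'primary', 'slave', 'secondary'}

def zone_types(conf):
    """Map zone name -> type; assumes 'type' precedes any nested block."""
    pattern = r'zone\s+"([^"]+)"\s*\{[^}]*?type\s+([\w-]+)\s*;'
    return {n.rstrip('.').lower(): t.lower() for n, t in re.findall(pattern, conf)}

def ns_owners(zone_text, origin):
    """Absolute owner names holding NS records (owner must start each line)."""
    owners = set()
    for line in zone_text.splitlines():
        fields = line.split(';')[0].split()   # drop zone-file comments
        if not fields:
            continue
        if fields[0].upper() == '$ORIGIN':
            origin = fields[1].rstrip('.').lower()
        elif 'NS' in (f.upper() for f in fields[1:-1]):
            name = fields[0].lower()
            owners.add(origin if name == '@' else
                       name.rstrip('.') if name.endswith('.') else f'{name}.{origin}')
    return owners

def undelegated_forward_zones(conf, zone_texts):
    """(forward zone, parent) pairs where the local parent has no NS cut."""
    zones = zone_types(conf)
    return [(fwd, parent)
            for fwd, ftype in zones.items() if ftype == 'forward'
            for parent, ptype in zones.items()
            if ptype in AUTHORITATIVE and fwd.endswith('.' + parent)
            and fwd not in ns_owners(zone_texts[parent], parent)]
```

Calling `undelegated_forward_zones(NAMED_CONF, {'somedomain.local': PARENT_ZONE})` reports the forward zone from the thread; appending `DELEGATION` to the parent zone text clears the finding.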