Does global forwarding take precedence over selective forwarding?
Bob Vance
bobvance at alumni.caltech.edu
Tue Sep 5 21:09:52 UTC 2000
>Does global forwarding take precedence over selective forwarding?
No ...
and they do work together :)
I had a very similar setup and problem and "wasted" a half day trying to
get the selective forwarding to work with "global" forwarding.
After dumping named's zone data, I discovered that the delegation of the
sub-domain was broken -- I had a typo.
So the server thought that it was still auth for the sub-domain and
returned NXDOMAIN for everything rather than forwarding.
After fixing that, it worked like a charm.
Notice that your 'dig' showed no NS for the sub-domain and that
"nameserver1.principal.com" was SOA for it.
So, double-check your zone data.
-----------------------------------------------
Tks | BVance at sbm.com
BV | BobVance at alumni.caltech.edu
Sr. Tech. Consultant, SBM
Vox 770-623-3430 11455 Lakefield Dr.
Fax 770-623-3429 Duluth, GA 30097-1511
===============================================
-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf Of Treptow, Craig
Sent: Thursday, August 31, 2000 9:13 PM
To: BIND List (E-mail)
Subject: Does global forwarding take precedence over selective forwarding?
Hi. This is BIND 8.2.2-p5 on AIX 4.3. This is an internal DNS server that
forwards requests to two firewalls and onto the Internet for things it's not
authoritative for. This works fine. To this we wanted to add
prodplex.principal.com on the internal side and have that served by another
DNS server. Delegating this child domain won't work, because the forwarding
takes precedence over the delegation...or so I've learned from this list.
So I've been trying in vain to get selective forwarding to work for this
child domain. By everything I've read what I've shown below should work.
When I go "ndc trace", I don't get a named.run.
So is the forwarding to our firewalls somehow stopping the selective
forwarding? If not, does anybody have some other tips to help me debug
this?
Here are my dig sessions followed by snippets of my named.conf:
nameserver1.principal.com # dig @162.131.250.150 wlmftp.prodplex.principal.com
; <<>> DiG 8.2 <<>> @162.131.250.150 wlmftp.prodplex.principal.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;; wlmftp.prodplex.principal.com, type = A, class = IN
;; ANSWER SECTION:
wlmftp.prodplex.principal.com. 1S IN A 162.131.250.150
;; AUTHORITY SECTION:
prodplex.principal.com. 1D IN NS mvst.prodplex.principal.com.
prodplex.principal.com. 1D IN NS mvse.prodplex.principal.com.
;; ADDITIONAL SECTION:
mvst.prodplex.principal.com. 1D IN A 162.131.250.150
mvse.prodplex.principal.com. 1D IN A 162.131.250.105
;; Total query time: 22 msec
;; FROM: nameserver1.principal.com to SERVER: 162.131.250.150
;; WHEN: Thu Aug 31 19:54:27 2000
;; MSG SIZE sent: 47 rcvd: 155
nameserver1.principal.com # dig wlmftp.prodplex.principal.com
; <<>> DiG 8.2 <<>> wlmftp.prodplex.principal.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; wlmftp.prodplex.principal.com, type = A, class = IN
;; AUTHORITY SECTION:
principal.com. 6H IN SOA nameserver1.principal.com.
kratochvil.k(
2000083102 ; serial
3H ; refresh
1H ; retry
1W ; expiry
6H ) ; minimum
;; Total query time: 5 msec
;; FROM: nameserver1.principal.com to SERVER: default -- 0.0.0.0
;; WHEN: Thu Aug 31 19:55:41 2000
;; MSG SIZE sent: 47 rcvd: 125
options {
        directory "/usr/local/named";
        pid-file "/etc/named.pid";
        named-xfer "/usr/local/bin/bind/named-xfer";
        notify yes;
        check-names master ignore; /* default. */
        check-names slave ignore;
        listen-on port 53 { any; };
        forward only;
        forwarders { 204.167.169.129; 204.167.169.131; };
        allow-query { any; };
        allow-transfer { dns-secondary-servers; };
        transfer-format many-answers;
};
...
zone "prodplex.principal.com" {
        type forward;
        forward only;
        forwarders { 162.131.250.150; 162.131.250.105; };
};
zone "principal.com" IN {
        type master;
        file "db.principal.com";
        allow-update { none; };
        allow-transfer { dns-secondary-servers; unix-servers; };
};
Thanks!
Craig Treptow
Principal Financial Group
I/S Network Administration
(515) 247-6207
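
Added example (not part of either message above): a Python check for the failure mode the reply describes, where a forward zone sits under a master zone whose data has no working NS delegation for it, so the parent answers NXDOMAIN authoritatively instead of forwarding. The named.conf text condenses the zone statements from the post; the zone data and its "prodplx" typo are constructed, and the parser assumes single-line records with the type after an optional TTL and class.

```python
import re

# named.conf excerpt: zone names and forwarders as in the post, layout condensed.
NAMED_CONF = '''
zone "prodplex.principal.com" { type forward; forward only;
    forwarders { 162.131.250.150; 162.131.250.105; }; };
zone "principal.com" IN { type master; file "db.principal.com"; };
'''
# Constructed parent-zone data (not from the post); the "prodplx" typo is hypothetical.
ZONE_DATA = '''
$ORIGIN principal.com.
@        IN NS  nameserver1.principal.com.
prodplx  IN NS  mvst.prodplex.principal.com.
prodplx  IN NS  mvse.prodplex.principal.com.
'''

def zones_by_type(conf):
    """Map zone name -> zone type from named.conf zone statements."""
    pat = re.compile(r'zone\s+"([^"]+)"[^{]*\{[^}]*?\btype\s+(\w+)\s*;', re.I)
    return {n.lower().rstrip('.'): t.lower() for n, t in pat.findall(conf)}

def ns_owners(zone_text, origin):
    """Fully qualified (no trailing dot) owner names that carry NS records."""
    owners, last = set(), origin
    for line in zone_text.splitlines():
        line = line.split(';', 1)[0]          # drop comments
        tok = line.split()
        if not tok:
            continue
        if tok[0].startswith('$'):            # $ORIGIN / $TTL directives
            if tok[0].upper() == '$ORIGIN':
                origin = tok[1].rstrip('.').lower()
            continue
        if not line[0].isspace():             # a new owner name starts the line
            o = tok[0].lower()
            last = origin if o == '@' else (o.rstrip('.') if o.endswith('.') else f'{o}.{origin}')
            tok = tok[1:]
        # the record type is the first token that is neither a TTL nor a class
        rtype = next((t.upper() for t in tok
                      if t.upper() not in ('IN', 'CH', 'HS') and not t[0].isdigit()), '')
        if rtype == 'NS':
            owners.add(last)
    return owners

def missing_delegations(conf, zone_files):
    """(child, parent) pairs: forward zones with no NS delegation in the master parent."""
    zones = zones_by_type(conf)
    return [(c, p) for c, ct in zones.items() if ct == 'forward'
            for p, pt in zones.items()
            if pt == 'master' and c.endswith('.' + p)
            and c not in ns_owners(zone_files[p], p)]

if __name__ == '__main__':
    print(missing_delegations(NAMED_CONF, {'principal.com': ZONE_DATA}))
```

Run it against the zone file named in each master zone's "file" statement; an empty list means every forward zone under a master zone is delegated in the parent.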