Does global forwarding take precedence over selective forwarding?

Bob Vance bobvance at alumni.caltech.edu
Tue Sep 5 21:09:52 UTC 2000


>Does global forwarding take precedence over selective forwarding?
No ...
and they do work together :)

I had a very similar setup and problem and "wasted" a half day trying to
get the selective forwarding to work with "global" forwarding.

After dumping named's zone data, I discovered that the delegation of the
sub-domain was broken -- I had a typo.
So the server thought that it was still auth for the sub-domain and
returned NXDOMAIN for everything rather than forwarding.
After fixing that, it worked like a charm.

Notice that your 'dig' showed no NS for the sub-domain and that
"nameserver1.principal.com" was SOA for it.

So, double-check your zone data.


-----------------------------------------------
Tks          |  BVance at sbm.com
BV           |  BobVance at alumni.caltech.edu
Sr. Tech. Consultant,    SBM
Vox 770-623-3430         11455 Lakefield Dr.
Fax 770-623-3429         Duluth, GA 30097-1511
===============================================

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
Behalf Of Treptow, Craig
Sent: Thursday, August 31, 2000 9:13 PM
To: BIND List (E-mail)
Subject: Does global forwarding take precedence over selective
forwarding?



Hi.  This is BIND 8.2.2-p5 on AIX 4.3.  This is an internal DNS server that
forwards requests to two firewalls and onto the Internet for things it's not
authoritative for.  This works fine.  To this we wanted to add
prodplex.principal.com on the internal side and have that served by another
DNS server.  Delegating this child domain won't work, because the forwarding
takes precedence over the delegation...or so I've learned from this list.

So I've been trying in vain to get selective forwarding to work for this child
domain.  By everything I've read what I've shown below should work.

When I go "ndc trace", I don't get a named.run.

So is the forwarding to our firewalls somehow stopping the selective
forwarding?  If not, does anybody have some other tips to help me debug this?

Here are my dig sessions followed by snippets of my named.conf:

nameserver1.principal.com # dig @162.131.250.150 wlmftp.prodplex.principal.com

; <<>> DiG 8.2 <<>> @162.131.250.150 wlmftp.prodplex.principal.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      wlmftp.prodplex.principal.com, type = A, class = IN

;; ANSWER SECTION:
wlmftp.prodplex.principal.com.  1S IN A  162.131.250.150

;; AUTHORITY SECTION:
prodplex.principal.com.  1D IN NS  mvst.prodplex.principal.com.
prodplex.principal.com.  1D IN NS  mvse.prodplex.principal.com.

;; ADDITIONAL SECTION:
mvst.prodplex.principal.com.  1D IN A  162.131.250.150
mvse.prodplex.principal.com.  1D IN A  162.131.250.105

;; Total query time: 22 msec
;; FROM: nameserver1.principal.com to SERVER: 162.131.250.150
;; WHEN: Thu Aug 31 19:54:27 2000
;; MSG SIZE  sent: 47  rcvd: 155

nameserver1.principal.com # dig wlmftp.prodplex.principal.com

; <<>> DiG 8.2 <<>> wlmftp.prodplex.principal.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      wlmftp.prodplex.principal.com, type = A, class = IN

;; AUTHORITY SECTION:
principal.com.          6H IN SOA       nameserver1.principal.com.
kratochvil.k(
                                        2000083102      ; serial
                                        3H              ; refresh
                                        1H              ; retry
                                        1W              ; expiry
                                        6H )            ; minimum


;; Total query time: 5 msec
;; FROM: nameserver1.principal.com to SERVER: default -- 0.0.0.0
;; WHEN: Thu Aug 31 19:55:41 2000
;; MSG SIZE  sent: 47  rcvd: 125



options {
        directory "/usr/local/named";
        pid-file "/etc/named.pid";
        named-xfer "/usr/local/bin/bind/named-xfer";
        notify yes;
        check-names master ignore;              /* default. */
        check-names slave  ignore;
        listen-on port 53 { any; };
        forward only;
        forwarders {204.167.169.129;204.167.169.131;};
        allow-query { any; };
        allow-transfer { dns-secondary-servers; };
        transfer-format many-answers;
};
...
zone "prodplex.principal.com" {
        type forward;
        forward only;
        forwarders {162.131.250.150; 162.131.250.105;};
};

zone "principal.com" IN {
        type master;
        file "db.principal.com";
        allow-update { none; };
        allow-transfer { dns-secondary-servers; unix-servers; };
};

Thanks!

Craig Treptow
Principal Financial Group
I/S Network Administration
(515) 247-6207
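
Added example, not part of either message: a small Python check for the symptom described in the reply, an authoritative NXDOMAIN carrying the parent zone's SOA for a name that should fall under a forward zone. The function names and result strings are hypothetical; the sample text is trimmed from the dig output quoted in the post.

```python
import re

# Trimmed from the two dig sessions in the post above.
VIA_LOCAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
principal.com.          6H IN SOA       nameserver1.principal.com.
;; Total query time: 5 msec
"""
VIA_CHILD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; AUTHORITY SECTION:
prodplex.principal.com.  1D IN NS  mvst.prodplex.principal.com.
prodplex.principal.com.  1D IN NS  mvse.prodplex.principal.com.
;; ADDITIONAL SECTION:
"""

def norm(name):
    return name.rstrip(".").lower()

def is_under(name, zone):
    return norm(name) == norm(zone) or norm(name).endswith("." + norm(zone))

def parse_dig(text):
    """Return status, header flags and AUTHORITY-section (owner, type) pairs."""
    status = re.search(r"status:\s*(\w+)", text).group(1)
    flags = re.search(r"flags:\s*([a-z ]+);", text).group(1).split()
    authority, in_auth = [], False
    for line in text.splitlines():
        if line.startswith(";; AUTHORITY SECTION"):
            in_auth = True
        elif in_auth and line.startswith(";;"):
            break  # next section or footer
        elif in_auth:
            m = re.match(r"(\S+)\s+\S+\s+IN\s+(NS|SOA)\b", line)
            if m:
                authority.append((norm(m.group(1)), m.group(2)))
    return status, flags, authority

def diagnose(text, qname, forward_zone):
    """Flag an authoritative NXDOMAIN whose SOA belongs to an ancestor of forward_zone."""
    status, flags, authority = parse_dig(text)
    if status == "NXDOMAIN" and "aa" in flags and is_under(qname, forward_zone):
        for owner, rtype in authority:
            if rtype == "SOA" and owner != norm(forward_zone) and is_under(forward_zone, owner):
                return "answered-from-parent:" + owner
    return "resolved" if status == "NOERROR" else "other"
```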






