Creating forward only zones...

Jim Reid jim at rfc1035.com
Wed May 16 10:55:17 UTC 2001


>>>>> "Cihan" == Cihan Subasi (Garanti Teknoloji) <CihanS at garanti.com.tr> writes:

    Cihan> 	I am trying to create forward only zones on 8.2.3, and
    Cihan> having some difficulties...I have checked DNS and Bind 3rd
    Cihan> edition and only found globally setting the name server as
    Cihan> forward only...But what I am trying to do is setting some
    Cihan> of the zones to forward only...I tried to do as type slave
    Cihan> (did not work) and type master (did not work either)...When
    Cihan> I configure the zone as type slave it requires the masters
    Cihan> directive and get the zone info from masters if you
    Cihan> configure as masters it requires file directive and does
    Cihan> not resolve anything because the file is there....Can
    Cihan> anybody send me an example of forward only zone conf?

A zone{} statement can only be of one type. Either it's master or
slave or forward. (Or hint for the root zone.) Stub zones are just a
special case of slave: the zone is slaved but everything apart from
the zone's records is discarded. If a server is master or slave for
some zone, it answers for it directly. By definition it doesn't
forward because it already knows the answer for all the names in that
zone.

The use of forwarders and forward clauses in slave/master zones is
for baroque configurations that are truly disgusting. For example,
overriding any global forwarding policy: "forward everything to foo or
bar, except for names in foobar which the server should resolve for
itself".

My advice to you -- and everyone else -- is to avoid forwarding at all
costs. It's ugly, messy and horrible. It's an unnecessary complication
that has no real benefits and creates lots of problems that are hard
to troubleshoot and fix. [Consult the list archives for reasons why.
The topic has been explained in depth before.] There are a small
number of cases where forwarding is mandatory: stupid network setups
mainly. But using forwarding as a general policy is foolish.

If you *really* must use zone-specific forwarding, try something like:

	zone "example.com" {
		type forward;
		forward only;
		forwarders {
			127.0.0.1;
			10.9.8.7;
		};
	};

i.e. queries for names in example.com get sent to 127.0.0.1, or to
10.9.8.7 if 127.0.0.1 fails to answer.

Be sure to keep any forwarding configurations simple and well
documented. Think of the people who look after your organisation's
DNS when you're not there or who will take over that job.
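
An added example, not part of the original post: a small Python check over a named.conf fragment that flags the forwarding arrangements discussed above (forward clauses inside master/slave zones, forward zones with no forwarders or without "forward only"). The sample configuration, the zone names other than example.com, and the function names are constructed for illustration; comments inside the config are assumed absent.

```python
import re

# Constructed sample named.conf fragment (not from the original post).
SAMPLE = '''
options { forwarders { 192.0.2.1; }; };
zone "example.com" { type forward; forward only; forwarders { 127.0.0.1; 10.9.8.7; }; };
zone "corp.example" { type master; file "corp.db"; forwarders { }; };
zone "partner.example" { type forward; forwarders { 10.9.8.7; }; };
'''

def zone_blocks(conf):
    """Yield (name, body) for each zone statement, matching nested braces."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit(conf):
    """Return {zone: [findings]} for forwarding settings worth documenting."""
    report = {}
    for name, body in zone_blocks(conf):
        ztype = re.search(r'\btype\s+(\w+)\s*;', body)
        ztype = ztype.group(1) if ztype else None
        mode = re.search(r'\bforward\s+(only|first)\s*;', body)
        fwd = re.search(r'\bforwarders\s*\{([^}]*)\}', body)
        addrs = re.findall(r'[0-9A-Fa-f:.]+', fwd.group(1)) if fwd else None
        notes = []
        # A zone the server is authoritative for should not normally forward.
        if ztype in ('master', 'slave', 'stub') and (mode or fwd is not None):
            notes.append('forward clause in %s zone: overrides global policy' % ztype)
        if ztype == 'forward' and not addrs:
            notes.append('forward zone with no forwarders')
        # Without "forward only" the server may fall back to resolving itself.
        if ztype == 'forward' and addrs and not mode:
            notes.append('no "forward only": inherits mode (default first)')
        report[name] = notes
    return report

if __name__ == '__main__':
    for zone, notes in audit(SAMPLE).items():
        print(zone, notes or 'ok')
```
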

