Delegation problems

Kevin Darcy kcd at daimlerchrysler.com
Thu Sep 5 01:17:01 UTC 2002


Darren Birkett wrote:

> I've got a couple of DNS servers that are authoritative for two zones,
> abc.cheese.com and xyz.cheese.com.
> I've just been told that there is another subdomain to the
> xyz.cheese.com that is called sub.xyz.cheese.com. This is
> where all the Win2k servers and hosts sit, and this domain itself is
> served by two Win2k active directory DNS servers.  I am trying to
> delegate authority for this zone in my zone file for xyz.cheese.com by
> adding the following lines:
>
> --------------------------------------------------------------------------
> ;Delegation records for sub.xyz.cheese.com
> sub.xyz.cheese.com.  IN      NS            ad01.sub.xyz.cheese.com.
> sub.xyz.cheese.com.  IN      NS            ad02.sub.xyz.cheese.com.
>
> ;Glue records for nameservers in sub.xyz.cheese.com
> ad01.sub.xyz.cheese.com.   IN      A       42.149.30.46
> ad02.sub.xyz.cheese.com.   IN      A       42.149.30.47
> ----------------------------------------------------------------------------
>
> The DNS servers in the sub sub-domain are quite happily forwarding
> requests on up to my DNS servers, but delegation isn't working.  When
> I do an nslookup for a host in the crmwin subdomain from my DNS
> servers, I get the following:
>
> ----------------------------------------------------------------------------
> [c06u1dns01:root:/etc/nameserver:] nslookup
> Default Server:  localhost
> Address:  127.0.0.1
>
> > c06p1doc01
> Server:  localhost
> Address:  127.0.0.1
>
> *** localhost can't find c06p1doc01:Non-existent host/domain
> ----------------------------------------------------------------------------
>
> The same is true if I use the FQDN.  I'm just wondering if there is
> anything I am missing to allow delegation to work?  I have looked at
> the named.run file after doing the above nslookup and there appears to
> be no attempt to contact the sub DNS servers at all.
> Any ideas here?

Do you have "global" forwarding enabled, i.e. defined in your "options" clause,
as opposed to in a zone definition? If so, then what's probably happening is
that these queries, being outside of your authoritative zones, are being
forwarded instead of sent to the delegated nameservers. Global forwarding
applies to *all* queries outside your authoritative zones, regardless of
whether the containing zone is "above", "below" or at the same level as an
authoritative zone. You can disable forwarding for a whole branch of the
namespace by specifying "forwarders { }" in the corresponding zone definition,
even if it's a master, slave or stub zone (sometimes folks set up a stub zone
solely for the purposes of "hanging" a "forwarders { }" statement from it and
thus inhibiting forwarding for that part of the namespace). So, in your case,
maybe you want "forwarders { }" in the xyz.cheese.com zone definition, to
prevent sub.xyz.cheese.com queries being forwarded.

Alternatively, you could "fix" this the old-fashioned way: just make yourself a
slave for the sub.xyz.cheese.com zone. Of course, if any subzones of
sub.xyz.cheese.com were created, you'd have to deal with those too. The
old-fashioned way doesn't exactly scale well...


- Kevin
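
Added example, not part of the original post: a named.conf sketch of the two "forwarders { }" arrangements described in the reply above. The forwarder address 192.0.2.53 and both file names are constructed placeholders; the zone names and the ad01/ad02 addresses are the ones quoted in the thread.

```conf
options {
    // Global forwarding: every query outside the zones this server is
    // authoritative for goes to the forwarder, including names below a
    // delegation point such as sub.xyz.cheese.com.
    forwarders { 192.0.2.53; };        // constructed placeholder address
};

// Arrangement 1: empty forwarders list in the parent zone definition.
// Forwarding is disabled for this whole branch of the namespace, so
// queries for sub.xyz.cheese.com follow the NS and glue records in the
// zone file instead of being sent to the global forwarder.
zone "xyz.cheese.com" {
    type master;
    file "db.xyz.cheese.com";          // hypothetical file name
    forwarders { };
};

// Arrangement 2 (alternative): a stub zone that exists only to carry
// the empty forwarders list for the delegated part of the namespace.
zone "sub.xyz.cheese.com" {
    type stub;
    masters { 42.149.30.46; 42.149.30.47; };   // ad01 and ad02 from the thread
    file "stub.sub.xyz.cheese.com";    // hypothetical file name
    forwarders { };
};
```

After named is reloaded with either arrangement, repeating the lookup and checking named.run should show queries going to the ad01/ad02 addresses rather than to the forwarder.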



