Delegation of Authority

Barry Margolin barmar at alum.mit.edu
Wed Jun 2 15:15:42 UTC 2004


In article <c9kkic$2972$1 at sf1.isc.org>, Joel <jc517 at wmi.com> wrote:

> Stephane Bortzmeyer wrote:
> > 
> > On Wed, Jun 02, 2004 at 01:08:01PM +0000,
> >  Joel <jc517 at wmi.com> wrote
> >  a message of 27 lines which said:
> > 
> > > I'm authoritative for wmi.com but not lpx.wmi.com. I want to
> > > delegate that to another machine. I could not get it to work until I
> > > added the empty forwarders declaration.
> > 
> > Strange. The delegation was probably broken in some way and the
> > forwarder was unable to reach the name servers of the delegated
> > zone. RFC 1918 addresses? IP filtering?
> 
> RFC1918 - yes.
> IP filtering - no.
> 
> > > I was snooping packets and anytime I'd look up something in the
> > > lpx.wmi.com subdomain it was sent to the forwarder.
> 
> > Which seems perfectly sensible. Any request for which your name server
> > is not authoritative is sent to the forwarder.
> 
> But I told it where to go to look up lpx.wmi.com. I guess this gets back
> to the broken delegation.

But "forwarders" tells it *not* to follow NS records, but to query 
those servers instead.

Remember, the root servers are just NS records, no different from 
delegation records as far as the resolution process is concerned.

This should only be an issue for clients that use your server as a 
resolver, since they request recursion from your server.  Other 
resolvers should get the delegation records from your server and query 
the subdomain server on their own.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
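
The behaviour discussed in this message, as an added named.conf sketch that is not part of the original thread: with global forwarders set, recursive lookups under lpx.wmi.com go to the forwarder unless the parent zone carries an empty forwarders list. The addresses, the zone file name and the name-server host name are constructed placeholders.

```conf
// named.conf on the server authoritative for wmi.com (added example)

options {
    recursion yes;

    // Global forwarders: any recursive query this server cannot answer
    // from its own authoritative data is sent here instead of being
    // resolved by following NS records. That includes names under a
    // delegated subdomain such as lpx.wmi.com.
    forwarders { 192.0.2.53; };      // constructed address
};

zone "wmi.com" {
    type master;
    file "db.wmi.com";               // hypothetical file name

    // Empty list: turn forwarding off for names at or below wmi.com.
    // Recursive queries for lpx.wmi.com then follow the delegation
    // NS records in this zone instead of going to 192.0.2.53.
    forwarders { };
};

/*
 * Matching delegation records in db.wmi.com (zone-file syntax,
 * shown in a comment so this stays one file):
 *
 *   lpx      IN NS   ns.lpx.wmi.com.
 *   ns.lpx   IN A    10.0.0.53        ; glue, constructed RFC 1918 address
 *
 * A forwarder outside the private network cannot reach an RFC 1918
 * name server, so with the global forwarders in effect and no
 * per-zone override, lookups under lpx.wmi.com fail for clients that
 * use this server as their resolver.
 */
```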

