Question regarding configuring a forward zone

Barry Finkel b19141 at achilles.ctd.anl.gov
Mon Mar 15 15:11:59 UTC 2004


"Bell, William  IT" <WBell at mvphealthcare.com> wrote:

>I've been reading the DNS & BIND book, and I've done a search online, but I
>can't seem to find an answer to my specific question...
>
>We currently have a mix of two DNS environments on our LAN: Windows DNS &
>BIND (on Unix).  Unfortunately, this is due to the fact that we're migrating
>our internal DNS to Windows because of our new AD implementation (our
>internet DNS will remain on BIND however!)
>
>To facilitate this migration, we're putting/migrating all the "new" DNS
>entries into a subdomain of our new company name (hq.company.com) that is
>served by Windows AD/DNS.  Note that our external (internet) DNS also has
>the same "root" domain (company.com) as our new internal subdomain
>(hq.company.com).
>
>The old internal domain (oldcompany.com), and a very small part of the
>internet domain (for internal access to servers in our DMZ), is still served
>by BIND.  This includes everything that has not been migrated, including all
>the Unix servers and network switches/routers/firewalls.
>
>When we're done with this migration, all internal hosts will be in the new
>subdomain (hq.company.com) and the old internal domain (oldcompany.com) will
>be turned off.
>
>We thought that in order to keep the DNS/hosts in the subdomain visible to
>the hosts served by BIND during the migration, we would just put a forward
>zone in the named.conf file to forward any queries for the new subdomain to
>the WinDNS servers.  However, when I tried doing this, the queries failed.
>Not sure what I'm doing wrong here...
>
>Here's the pertinent part of my named.conf file:
>----------------------------------------------------------------------
>acl "trusted" {
>        10.0.0.0/8;
>        localhost;
>};
>
>include "/etc/rndc.key";
>
>server 10.14.5.111 {
>       keys { ns1-ns2 ;};
>};
>
>options {
>        directory "/var/named";
>        pid-file "/var/run/named.pid";
>        statistics-file "/var/run/named.stats";
>        dump-file "/var/run/named.dump";
>
>        version "Off with your head!";
>        query-source address * port 53;
>
>        allow-query { trusted; };
>        allow-recursion { trusted; };
>
>        // IP addresses of Internet nameservers authoritative for
>        // our internet namespace; these are our forwarders.
>        forwarders {
>                218.52.204.86;
>                218.16.33.182;
>                64.132.95.50;
>                136.92.94.12;
>        };
>        forward only;
>
>        notify yes;
>        interface-interval 0;
>        transfer-format many-answers;
>        max-transfer-time-in 60;
>        max-transfer-time-out 60;
>};
>
>controls {
>        inet * allow { localhost; 10.14.5.111; } keys { rndc-key; ns1-ns2; };
>};
>
>zone "oldcompany.com" {
>        type master;
>        file "db.oldcompany";
>        allow-transfer { key ns1-ns2; };
>        also-notify { 10.14.5.111; };
>};
>
>zone "10.in-addr.arpa" {
>        type master;
>        file "db.10";
>        allow-transfer { key ns1-ns2; };
>        also-notify { 10.14.5.111; };
>};
>
>zone "hq.company.com" {
>        type forward;
>        forwarders {10.14.6.7; 10.14.5.202; 10.14.6.5; };
>};
>
>zone "company.com" {
>        type master;
>        file "db.company";
>        allow-transfer { key ns1-ns2; };
>        also-notify { 10.14.5.111; };
>};
>
>...
>----------------------------------------------------------------------
>
>Any advice would be greatly appreciated.

1) Look at the archives of this group and of its sister group

         bind9-users at isc.org

2) What is wrong with having the AD zones mastered on the MS W2k DNS
   Server and having those zones slaved on your BIND servers?  That is
   what I do, and check the archives for caveats.

----------------------------------------------------------------------
Barry S. Finkel
Computing and Instrumentation Solutions Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
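Barry's second suggestion, written out as a named.conf fragment. This is an added example, not configuration from the original post, from Barry or from ISC; it reuses the three Windows DNS addresses and the ns1-ns2 key name from William's posted config, and it assumes the Windows DNS servers have been set to permit zone transfers to the BIND servers' source addresses (the transfer-source address shown is a placeholder).

```conf
// Added example (not from the original post): instead of a "type forward"
// stanza for the AD-served sub-domain, slave the zone from the Windows DNS
// servers.  The masters are the addresses William listed in his forward zone.
// The Windows side must allow zone transfers (AXFR/IXFR) to this server's
// source address, otherwise every transfer attempt is refused.

options {
        // ... existing options as posted ...

        // Optional: pin the address transfers are sourced from, so it can be
        // listed in the Windows zone's "allow zone transfers" settings.
        // 10.14.5.110 is a placeholder, not an address from the post.
        // transfer-source 10.14.5.110;
};

// Replaces:  zone "hq.company.com" { type forward; forwarders { ... }; };
// As a real zone in the zone table, "hq.company.com" is the closest match for
// names under it and is consulted ahead of the "company.com" master zone.
zone "hq.company.com" {
        type slave;
        file "db.hq.company";                   // must be writable by named
        masters { 10.14.6.7; 10.14.5.202; 10.14.6.5; };
        // Keep the same transfer policy as the other zones: only the second
        // BIND server (authenticated with the ns1-ns2 TSIG key) may AXFR it.
        allow-transfer { key ns1-ns2; };
        also-notify { 10.14.5.111; };
};
```

Before reloading, confirm from the BIND host that a transfer is actually permitted, e.g. `dig @10.14.6.7 hq.company.com AXFR`; a `Transfer failed.` response means the Windows side is still refusing the source address. After `rndc reload`, look for "transfer of 'hq.company.com/IN' ... end of transfer" in the named log, and use `rndc retransfer hq.company.com` to force a fresh copy if the first attempt was refused. Because the slave is read-only, AD's dynamic updates keep going to the Windows masters, and the BIND copy follows them on refresh or NOTIFY.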