FW: forwarding a subdomain

Agency Staff (Infosec) security.manager2 at its.lancscc.gov.uk
Tue Nov 30 09:17:05 UTC 2004

-----Original Message-----
From: Barry Margolin [mailto:barmar at alum.mit.edu]
Sent: 17 November 2004 04:26
To: comp-protocols-dns-bind at isc.org
Subject: Re: forwarding a subdomain

In article <cndfgm$gpa$1 at sf1.isc.org>,
 Edward Buck <ed at bashware_REMOVEME_.net> wrote:

> So, is this a limitation by design?  Is there a workaround for what I'm 
> trying to do?

Configure your server as a slave, rather than a forwarder.

> If I delegate a subdomain to a nameserver, intuitively I would expect 
> that nameserver to be authoritative for that subdomain regardless of 
> whether the zone data is master, slave or a forward.

That's the point.  Since the zone is delegated to the server, other 
servers expect that nameserver to be authoritative, so they don't ask it 
to recurse.  But when you configure the zone as "type forward", the 
server is *not* authoritative.

Being authoritative is a consequence of how the server is configured, 
*not* how the zone is delegated.  Delegation specifies who *should* be 
authoritative, but it doesn't actually cause a server to be 

> The use case I'm referring to is a private RBL on an internal lan 
> running rbldnsd.  I was planning to run rbldnsd on an internal address 
> and front-end it with bind to take advantage of bind's ACL support.  The 
> scenario would be something like:
> public rbl query
> 	|
> 	v
> rbl.domain.com nameserver (bind with ACLs)
> 	|
> 	v
> forward to internal server running rbldnsd
> 	|
> 	v
> answer back to original query
> At the moment, this only works for cached data.  Is there a way to force 
> recursion on a forwarded subdomain for which the server is authoritative?

Servers only recurse when they're asked to.  If the client says "don't 
recurse", BIND won't.

The source code is available, so you could always patch your copy to 
ignore the setting of the RD bit, and act as if it's always set.

Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
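
A way to see the point Barry makes about the RD bit for yourself, as an added example that is not code from the original post, from BIND or from rbldnsd: the script below builds a raw DNS query with the RD (recursion desired) bit either clear, as a recursive resolver sends it to a server it reached by following the delegation, or set, as a stub client sends it, and decodes the flags of the reply so you can tell an authoritative answer from a cache hit or a refusal. The server address and the query name used as defaults are placeholders (assumptions) to be replaced with your own front-end server and delegated subdomain.

```python
"""Probe a delegated name server the way a resolver following the delegation
would: with the RD (recursion desired) bit clear.

Added example for this thread, not code from the original post, BIND or rbldnsd.
The default server address and query name are placeholders (assumptions).
"""
import socket
import struct
import sys

# Header flag bits, RFC 1035 section 4.1.1.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, rd=False, qtype=1, txid=0x1234):
    """Build a one-question DNS query (qtype 1 = A, class 1 = IN).

    rd=False is what a recursive resolver sends to a server it reached by
    following a delegation; rd=True is what a stub client sends to its resolver.
    """
    flags = RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header of a DNS message into its flags and counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": RCODES.get(flags & 0x0F, str(flags & 0x0F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def verdict(hdr):
    """What a resolver that followed the delegation makes of this reply."""
    if hdr["rcode"] == "NOERROR" and hdr["ancount"] > 0:
        if hdr["aa"]:
            return "authoritative answer"
        return "non-authoritative answer (served from cache only)"
    return "no usable answer to a non-recursive query"


def probe(server, name, rd=False, timeout=2.0):
    """Send one UDP query to server:53 and return the parsed header of the reply."""
    query = build_query(name, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    hdr = parse_header(reply)
    if hdr["id"] != 0x1234:
        raise ValueError("reply ID does not match the query ID")
    return hdr


if __name__ == "__main__":
    # Placeholders (assumptions): the BIND front-end and a name under the
    # delegated subdomain, here the conventional 127.0.0.2 RBL test entry.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    name = sys.argv[2] if len(sys.argv) > 2 else "2.0.0.127.rbl.domain.com"
    for rd in (False, True):
        hdr = probe(server, name, rd=rd)
        print("RD=%d -> rcode=%s aa=%s ra=%s answers=%d : %s"
              % (rd, hdr["rcode"], hdr["aa"], hdr["ra"], hdr["ancount"],
                 verdict(hdr)))
```

Run it from a host the BIND ACL permits. If the RD=0 query comes back without an answer while the RD=1 query succeeds, the front-end is behaving exactly as described above: it forwards only when asked to recurse, and resolvers that followed the delegation never ask. A plain `dig +norecurse @server name` shows the same thing in its flags line (look for "aa" and the answer count). Note that the slave alternative Barry suggests means BIND holds its own copy of the zone, pulled from the backend by zone transfer, so the backend must be able to serve AXFR before that switch will work.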

