Sub-domain delegation for BIND 9.2.3

phn at icke-reklam.ipsec.nu phn at icke-reklam.ipsec.nu
Mon Sep 6 21:36:46 UTC 2004


Apache Apache <apacheusr at hotmail.com> wrote:
> Appened are my files on the Primary DNS:

Look below for comments:

> //named.conf for Pri DNS for company.def.com & company.abc.com (ip is 
> 130.1.2.3)
> // ACL for blocking RFC1918 space commonly used for DoS and spoofing 
> attacks.
> acl noaccess-list { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 
> 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

> acl slave { 130.1.2.4; };

> controls {
>         inet 127.0.0.1 port 953
>         allow { 127.0.0.1; } ;
> };

> options {
>         version "DNS Server";
>         directory "/usr/local/named/log";
>         pid-file "/usr/local/named/named.pid";
>         allow-query { any; };
>         listen-on-v6 { none; };
>         listen-on { 130.1.2.3; };
>         notify yes;
>         provide-ixfr yes;
>         blackhole { noaccess-list; };
> };

> zone "." {
>         type hint;
>         file "root.hint";
> };

> // IPv4 localhost and localhost reverse.
> zone "localhost" {
>         type master;
>         file "db.localhost";
> };

> zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "db.127.0.0";
>         notify no;
> };

> zone "2.1.130.in-addr.arpa" {
>         type master;
>         file "db.130.1.2";
>         notify yes;
>         allow-transfer { slave; };
> };


> zone "company.def.com" {
>         type master;
>         file "db.company.def.com";

Where is this file ??

>         notify yes;
>         allow-transfer { slave; };
> };

> zone "company.abc.com" {
>         type master;
>         file "db.company.abc.com";
>         notify yes;
>         forwarders { };
>         allow-transfer { slave; };
> };

> //End of named.conf for Pri DNS
> ------------------------------------------------

> // root.hint

> .	3600000	IN	NS	A.ROOT-SERVERS.NET.
> A-ROOT-SERVERS.NET.	3600000	A	130.1.2.3

> //End of root.hint

Ok, you are running internal roots with a single server; this
might fail (you should have 3).

> -------------------------------------------------
> // db.localhost
> @	4h	IN	SOA	pridns.company.def.com.	postmaster.company.def.com.	(
> 				2001051701	// Serial Number
> 				28800		// Refresh (8 hrs.)
> 				7200		// Retry (2 hrs.)
> 				604800		// Expire (7 days)
> 				86400)		// Minimum (1 day)
> 	IN	NS	pridns.company.def.com.
> $TTL 1h
> 	IN	A	127.0.0.1

> // End of db.localhost

> ------------------------------------------------
> // db.127.0.0
> @	4h	IN	SOA	pridns.company.def.com.		postmaster.company.def.com.	(
> 	2001051700	// Serial number
> 	28800		// Refresh (8 hrs.)
> 	7200		// Retry (2 hrs.)
> 	604800		// Expire (7 days)
> 	86400)		// Minimum (1 day)

> 	IN	NS	pridns.company.def.com.
> 1	IN	PTR	localhost.

> //End of db.127.0.0

> ------------------------------------------------
> // db.company.abc.com
> @	4h	IN	SOA	pridns.company.def.com.		postmaster.company.def.com.	(
> 	200105171	// Serial number
> 	28800		// Refresh (8 hrs.)
> 	7200		// Retry (2 hrs.)
> 	604800		// Expire (7 days)
> 	86400)		// Minimum (1 day)

> 	IN	NS	pridns.company.def.com.
> 	IN	NS	slavedns.company.def.com.

If this is the zonefile for "company.def.com." you cannot
say anything about "def.com." here. It should be done at the '.' or
'.com' level (probably in your root server).


> pridns.company.def.com.		IN	A	130.1.2.3
> slavedns.company.def.com.	IN	A	130.1.2.4

> xyz.company.abc.com.	IN	NS	pridns.xyz.company.abc.com.
> pridns.xyz.company.abc.com.	IN	A	172.7.8.9


> intranet.company.abc.com	IN	A	130.1.2.10


> // End of db.company.abc.com

> -------------------------------------------------
> // db.130.1.2
> @	4h	IN	SOA	pridns.company.def.com.		postmaster.company.def.com.	(
> 		200105173	// Serial number
> 		28800		// Refresh (8 hrs.)
> 		7200		// Retry (2 hrs.)
> 		604800		// Expire (7 days)
> 		86400)		// Minimum (1 day)

> 	IN	NS	pridns.company.def.com.	// master nameserver
> 	IN	NS	slavednsdns.company.def.com.	// slave nameserver

> 3	IN	PTR	pridns.company.def.com.
> 4	IN	PTR	slavedns.company.def.com.

> // End of db.130.1.2
> ------------------------------------------------

> //etc/resolv.conf
> domain	company.def.com
> nameserver	130.1.2.3
> nameserver	130.1.2.4

> Pls advise what went wrong.
> ------------------------------------------------



>>From: phn at icke-reklam.ipsec.nu
>>To: comp-protocols-dns-bind at isc.org
>>Subject: Re: Sub-domain delegation for BIND 9.2.3
>>Date: Fri, 3 Sep 2004 17:53:16 +0000 (UTC)
>>
>>Apache Apache <apacheusr at hotmail.com> wrote:
>> > Hi,
>>
>> > Have done as advised but when I performed a nslookup, I can only get
>> > non-existent host/domain and not able to resolve host.xyz.company.abc.com.
>> > Pls advise is there anything that I missed out. Thank you.
>>
>>
>> >>From: phn at icke-reklam.ipsec.nu
>> >>To: comp-protocols-dns-bind at isc.org
>> >>Subject: Re: Sub-domain delegation for BIND 9.2.3
>> >>Date: Thu, 2 Sep 2004 16:52:18 +0000 (UTC)
>> >>
>> >>Apache Apache <apacheusr at hotmail.com> wrote:
>> >> > I have a server (ie. serverA) running BIND 9.2.3 and is a master DNS for
>> >> > parent domain company.abc.com. Users are pointing to this server for name
>> >> > resolution.
>> >>
>> >> > I have another server (ie. serverB using F5 DNS) and I would like this
>> >> > server to serve the domain xyz.company.abc.com.
>> >>
>> >> > What are the changes required on my named.conf and db.company.abc.com for
>> >> > serverA in order for users to be able to resolve host.xyz.company.abc.com???
>> >>
>> >>A proper delegation. ( a couple of NS records in xyz.company.abc.com. )
>> >>
>> >> > Thank you.
>>
>>
>>Proper delegation is to add 'NS' records where the LHS is the subdomain name
>>and the RHS is the FQDN of the nameserver(s) configured as servers for the
>>zone.
>>
>>nslookup is a tool that is broken in most hands. The symptoms you tell
>>about might be problems with nslookup.
>>
>>Why don't you publish the name of the zone, the contents (at least the
>>relevant parts) of the zonefile(s) and configfiles? That way we don't
>>have to guess.
>>
>>




-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out,
	   remove "icke-reklam" if you feel for mailing me. Thanx.
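Peter's advice in the thread reduces to two rules: the NS records delegating the child belong in the parent zone, with a glue A record when the name server lies inside the delegated child, and an A record for a name outside the zone (such as pridns.company.def.com. inside company.abc.com) is not authoritative glue. The following Python checker is an added example, not code from the thread or from BIND; it applies those rules to a constructed, flattened copy of the posted db.company.abc.com records (SOA omitted) and also goes one step beyond the thread by flagging the missing trailing dot on the intranet record, which makes BIND append the origin a second time.

```python
ZONE_APEX = "company.abc.com."
# Constructed from the db.company.abc.com records posted in the thread,
# flattened to one "owner IN TYPE rdata" record per line (SOA omitted).
ZONE_FRAGMENT = """
@                           IN NS pridns.company.def.com.
@                           IN NS slavedns.company.def.com.
pridns.company.def.com.     IN A  130.1.2.3
slavedns.company.def.com.   IN A  130.1.2.4
xyz.company.abc.com.        IN NS pridns.xyz.company.abc.com.
pridns.xyz.company.abc.com. IN A  172.7.8.9
intranet.company.abc.com    IN A  130.1.2.10
"""

def qualify(name, apex):
    """Expand '@'; append the apex to a name that lacks the trailing dot."""
    if name == "@":
        return apex
    return name if name.endswith(".") else f"{name}.{apex}"

def is_subdomain(name, parent):  # containment on an exact label boundary
    return name == parent or name.endswith("." + parent)

def parse_records(text, apex):
    """Return (owner, type, rdata) tuples; only NS targets are name-qualified."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        owner, rtype, rdata = qualify(fields[0], apex), fields[2], fields[3]
        records.append((owner, rtype, qualify(rdata, apex) if rtype == "NS" else rdata))
    return records

def check_zone(text, apex):
    """Return findings: unqualified owners, out-of-zone NS targets, glue status."""
    records = parse_records(text, apex)
    a_owners = {o for o, t, _ in records if t == "A"}
    doubled = apex.rstrip(".") + "." + apex  # what a missing trailing dot produces
    findings = []
    for owner, rtype, rdata in records:
        if owner.endswith(doubled):
            findings.append(f"{owner}: owner lacks trailing dot, apex appended twice")
        if rtype != "NS":
            continue
        if not is_subdomain(rdata, apex):
            # The target's address is served by the zone that owns it; an A record here is not glue.
            findings.append(f"{owner} NS {rdata}: out-of-zone target, no glue from this zone")
        elif owner != apex and is_subdomain(rdata, owner):
            # In-bailiwick delegation: this zone must carry the glue A record.
            status = "glue present" if rdata in a_owners else "MISSING glue"
            findings.append(f"{owner} NS {rdata}: {status}")
    return findings
```

Running `check_zone(ZONE_FRAGMENT, ZONE_APEX)` reports the two apex NS targets as out-of-zone, the xyz delegation as having glue, and the intranet owner as doubled.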

