Delegation (to Active Directory DNS) woes

Joost De Cock Joost.DeCock at astrid.be
Tue Oct 11 15:08:29 UTC 2005


On Tuesday 11 October 2005 16:50, Mark Andrews hurled the following on the wire:
> > I'm setting up a hybrid DNS in which all ip to name resolving is done in
> > BIND
> >
> > on linux, and the specific Active Directory stuff is delegated to our
> > domain controllers. What I'm trying to do is a simple delegation of the
> > microsoft specific subdomains (for example _tcp) to another machine.
> >
> > I've got a BIND server (linda) who's auth. for:
> > company.be
> > site1.company.be
> > site2.company.be
> >
> > I want to delegate _tcp.company.be to another server (willow) who is in
> > the company.be namespace.
> >
> > Here's part of the zone file on linda for the company.be zone:
> >
> > $TTL 3D
> > @                       IN              SOA             linda.company.be. hostmaster.company.be. (
> >                         1126260125      ;
> >                         8H              ;
> >                         1H              ;
> >                         4W              ;
> >                         1D )            ;
> > ;
> >         NS      linda.company.be.  ;
> > 	MX      10 mx.company.be.        ;
> > ;
> > localhost		A               127.0.0.1
> > ;
> > willow               A               10.10.1.220
> > linda                A               10.10.1.221
> > hostmaster     CNAME           linda
> > frank                A               10.10.1.24
> > _tcp.company.be                  NS              willow.company.be.
> >
> >
> > This doesn't work. I've added the following in the named.conf file since that
> > was suggested in some earlier posts about delegation:
> >
> > zone "company.be" {
> >         type master;
> >         notify no;
> >         file "db.company";
> >         forwarders { /* empty */ };
> > };
> > zone "_tcp.company.be" {
> >         type forward;
> >         forwarders { 10.10.1.220; };
> > };
> >
> >
> > But when I do `dig -t ns _tcp.company.be` it doesn't find an answer and
> > the delegation is not working.
> > I just can't see why it doesn't. Maybe someone else does?
> >
> > Kind regards,
> >
> > Joost
>
> 	You are testing the complete system with the query above.
> 	You need to break things down and test each part.
>
> 	First thing make sure the server for the delegated zone
> 	is properly configured. Use
> 	"dig -t ns _tcp.company.be @10.10.1.220 +norec" to test.

That does work as expected. The server answers that he is the man for the _tcp subdomain.

> 	Next remove the zone declaration for _tcp.company.be
> 	as it is not needed.
ok
> 	Then test the delegation information with
> 	"dig -t ns _tcp.company.be +norec".
Nope, doesn't work. As if the delegation line isn't even there.

> 	Then test that you can follow the delegation with
> 	"dig -t ns _tcp.company.be".
I assume that that would work if I could get to the delegation info.

Any idea why it doesn't come up with the delegation info? (I did change the serial, and the zone file is loaded.)
Note that in the zonefile I pasted above, I believe a '.' is missing on the last line (after _tcp.company.be), but I fixed that, yet no change.

Thanks anyway for the info, it does make more sense to take it step by step :)
Now if only I could fix step 3.

joost
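A small zone-file sanity check, added here as example code (it is not from the thread and not part of BIND): it qualifies owner names against $ORIGIN the way named does, reports NS owners that appear to be missing their trailing dot (so `_tcp.company.be` in the company.be zone really delegates `_tcp.company.be.company.be.`), and reports in-zone NS targets that have no A record in the file. The sample zone is constructed from the one quoted above.

```python
# Added example (not from the thread): check a BIND zone file's NS delegations.
def qualify(name, origin):
    """Absolute form of an owner or target name under the given origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_records(zone_text, origin):
    """Minimal parser -> (raw_owner, owner, type, rdata); not a full zone parser."""
    records, last, depth = [], ("@", origin), 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if depth:                                  # still inside SOA ( ... )
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip() or line.startswith("$"):
            continue
        depth += line.count("(") - line.count(")")
        fields = line.split()
        if not raw[0].isspace():                   # a new owner name starts the line
            raw_owner = fields.pop(0)
            last = (raw_owner, qualify(raw_owner, origin))
        if fields and fields[0] == "IN":           # optional class
            fields.pop(0)
        records.append((*last, fields[0], fields[1:]))
    return records

def check_delegations(zone_text, origin):
    """Return human-readable problems with the zone's NS delegations."""
    recs = parse_records(zone_text, origin)
    addrs = {owner for _, owner, rtype, _ in recs if rtype == "A"}
    issues = []
    for raw_owner, owner, rtype, rdata in recs:
        if rtype != "NS" or owner == origin:       # apex NS is not a delegation
            continue
        if not raw_owner.endswith(".") and origin.rstrip(".") in raw_owner:
            issues.append(f"{raw_owner}: missing trailing dot, delegates {owner}")
        target = qualify(rdata[0], origin)
        if target.endswith("." + origin) and target not in addrs:
            issues.append(f"{owner}: NS target {target} has no A record in this zone")
    return issues

# Constructed sample modelled on the zone file posted above (SOA trimmed).
SAMPLE_ZONE = """$TTL 3D
@   IN  SOA  linda.company.be. hostmaster.company.be. ( 1126260125
             8H 1H 4W 1D )
    NS   linda.company.be.
willow  A    10.10.1.220
_tcp.company.be   NS   willow.company.be.
"""
```

Running `check_delegations(SAMPLE_ZONE, "company.be.")` flags the `_tcp.company.be` line; writing the owner as `_tcp` or `_tcp.company.be.` clears it.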



More information about the bind-users mailing list