Delegation (to Active Directory DNS) woes

Mark Andrews Mark_Andrews at isc.org
Tue Oct 11 20:57:23 UTC 2005


> On Tuesday 11 October 2005 16:50, Mark Andrews hurled the following on the wire:
> > > I'm setting up a hybrid DNS in which all ip to name resolving is done in
> > > BIND
> > >
> > > on linux, and the specific Active Directory stuff is delegated to our
> > > domain controllers. What I'm trying to do is a simple delegation of the
> > > microsoft specific subdomains (for example _tcp) to another machine.
> > >
> > > I've got a BIND server (linda) who's auth. for:
> > > company.be
> > > site1.company.be
> > > site2.company.be
> > >
> > > I want to delegate _tcp.company.be to another server (willow) who is in
> > > the company.be namespace.
> > >
> > > Here's part of the zone file on linda for the company.be zone:
> > >
> > > $TTL 3D
> > > @               IN      SOA     linda.company.be. hostmaster.company.be. (
> > >                         1126260125      ; serial
> > >                         8H              ; refresh
> > >                         1H              ; retry
> > >                         4W              ; expire
> > >                         1D )            ; minimum
> > > ;
> > >                 NS      linda.company.be.
> > >                 MX      10 mx.company.be.
> > > ;
> > > localhost       A       127.0.0.1
> > > ;
> > > willow          A       10.10.1.220
> > > linda           A       10.10.1.221
> > > hostmaster      CNAME   linda
> > > frank           A       10.10.1.24
> > > _tcp.company.be NS      willow.company.be.
> > >
> > >
> > > This doesn't work. I've added the following in the named.conf file since
> > > that was suggested in some earlier posts about delegation:
> > >
> > > zone "company.be" {
> > >         type master;
> > >         notify no;
> > >         file "db.company";
> > >         forwarders { /* empty */ };
> > > };
> > > zone "_tcp.company.be" {
> > >         type forward;
> > >         forwarders { 10.10.1.220; };
> > > };
> > >
> > >
> > > But when I do `dig -t ns _tcp.company.be` it doesn't find an answer and
> > > the delegation is not working.
> > > I just can't see why it doesn't. Maybe someone else does?
> > >
> > > Kind regards,
> > >
> > > Joost
> >
> > 	You are testing the complete system with the query above.
> > 	You need to break things down and test each part.
> >
> > 	First thing make sure the server for the delegated zone
> > 	is properly configured. Use
> > 	"dig -t ns _tcp.company.be @10.10.1.220 +norec" to test.
> 
> That does work as expected. The server answers that he is the man for the _tcp
> subdomain.
> 
> > 	Next remove the zone declaration for _tcp.company.be
> > 	as it is not needed.
> ok
> > 	Then test the delegation information with
> > 	"dig -t ns _tcp.company.be +norec".
> Nope, doesn't work. As if the delegation line isn't even there.

	Be consistent with fully qualified and unqualified domain names.

	 _tcp.company.be                  NS              willow.company.be.

	is 

	_tcp.company.be.company.be.	NS	willow.company.be.

	You need

		_tcp.company.be.	NS	willow.company.be.

	or

		_tcp			NS	willow.company.be.

	
> > 	Then test that you can follow the delegation with
> > 	"dig -t ns _tcp.company.be".
> I assume that that would work if I could get to the delegation info.
> 
> Any idea why it doesn't come up with the delegation info? (I did change the 
> serial, and the zone file is loaded)
> Note that in the zonefile I pasted above, I believe a '.' is missing on the 
> last line (after _tcp.company.be) but I fixed that, yet no change.
> 
> Thanks anyway for the info, it does make more sense to take it step by step :)
> No if only I could fix step 3
> 
> joost
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
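The owner-name rule Mark gives above (a name without a trailing dot is relative to $ORIGIN, so `_tcp.company.be` becomes `_tcp.company.be.company.be.`), worked through in code. This is an added example for the thread, not BIND's own parser and not code from either poster: ZONE_BROKEN is a constructed reproduction of the posted company.be zone, ZONE_FIXED is the same zone with the `_tcp` relative form Mark suggests, and `parse_zone` is a deliberately small master-file reader (no quoted-string or $INCLUDE handling). The real tool for this check is BIND's own `named-checkzone`, which loads the file the way named would.

```python
"""Resolve owner names in a BIND master file the way named does, to show why
'_tcp.company.be' without a trailing dot lands at _tcp.company.be.company.be.
Added example for this thread, not BIND code; ZONE_BROKEN is a constructed
copy of the posted company.be zone (SOA numbers kept as posted)."""

# Constructed reproduction of the posted zone, with the unqualified NS owner.
ZONE_BROKEN = """\
$TTL 3D
@       IN  SOA linda.company.be. hostmaster.company.be. (
            1126260125 8H 1H 4W 1D )
        NS      linda.company.be.
        MX      10 mx.company.be.
localhost   A   127.0.0.1
willow      A   10.10.1.220
linda       A   10.10.1.221
_tcp.company.be     NS  willow.company.be.   ; owner is relative to $ORIGIN
"""

# Same zone using the relative form Mark suggests ('_tcp' under $ORIGIN).
ZONE_FIXED = ZONE_BROKEN.replace("_tcp.company.be ", "_tcp ")

RR_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "TXT", "SRV", "PTR"}


def qualify(name, origin):
    """RFC 1035 master-file rule: '@' is the origin, a name ending in '.' is
    already absolute, anything else gets the current origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples with every owner fully qualified.
    Handles $ORIGIN, '@', blank-owner continuation lines and parenthesised
    multi-line records; ';' inside quoted strings is not handled (simplified)."""
    if not origin.endswith("."):
        origin += "."
    records, last_owner = [], origin
    buf, buf_indented = "", False
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()
        if not line.strip():
            continue
        if not buf:
            buf_indented = line[0].isspace()  # blank owner field?
        buf += " " + line.strip()
        if buf.count("(") > buf.count(")"):
            continue  # record continues on the next line
        fields = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if fields[0] == "$ORIGIN":
            origin = qualify(fields[1], origin)
            continue
        if fields[0].startswith("$"):
            continue  # $TTL and friends are irrelevant here
        if buf_indented:
            owner = last_owner
        else:
            owner = qualify(fields.pop(0), origin)
            last_owner = owner
        while fields and fields[0].upper() not in RR_TYPES:
            fields.pop(0)  # optional TTL and class tokens
        if not fields:
            continue  # unknown type: skip rather than guess
        records.append((owner, fields[0].upper(), fields[1:]))
    return records


def delegations(records, origin):
    """Map each delegated child name to its NS targets (apex NS excluded)."""
    if not origin.endswith("."):
        origin += "."
    out = {}
    for owner, rtype, rdata in records:
        if rtype == "NS" and owner != origin:
            out.setdefault(owner, []).append(rdata[0])
    return out


def check_delegations(records, origin):
    """Warn about delegation owners that contain the zone name twice, the
    fingerprint of an unqualified owner that already included the zone."""
    if not origin.endswith("."):
        origin += "."
    warnings = []
    for owner in delegations(records, origin):
        if not owner.endswith("." + origin):
            continue
        relative = owner[: -len(origin) - 1]
        if relative == origin[:-1] or relative.endswith("." + origin[:-1]):
            warnings.append(f"{owner}: zone name repeated; write '{relative}.' "
                            f"or drop the '.{origin[:-1]}' suffix")
    return warnings


if __name__ == "__main__":
    for label, zone in (("as posted", ZONE_BROKEN), ("fixed", ZONE_FIXED)):
        recs = parse_zone(zone, "company.be")
        print(label, delegations(recs, "company.be"),
              check_delegations(recs, "company.be"))
```

Run as posted, the zone delegates `_tcp.company.be.company.be.` and the checker reports the repeated zone name; with the `_tcp` owner (or `_tcp.company.be.` with its trailing dot) the delegation lands at `_tcp.company.be.`, which is the name `dig -t ns _tcp.company.be +norec` asks linda about.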
