Delegation doesn't seem to be working
Kevin Darcy
kcd at daimlerchrysler.com
Fri May 26 00:28:01 UTC 2006
Curt Shaffer wrote:
>I am trying to delegate a sub domain abc.domain.com so the admin at
>that site can have responsibility. I would also like the domain.com NS
>server to be a slave for the sub domain abc.domain.com and the sub
>domain NS server be a slave for the root domain.
>
>Here are my configs:
>
>domain.com
>################
>master/domain.com
>################
>$TTL 86400
>domain.com. IN SOA NS1.domain.com. root.domain.com. (
> 2006052302 ; Serial
> 10800 ; Refresh
> 3600 ; Retry
> 1209600 ; Expire
> 86400 ) ; Minimum TTL
>
>
>;DNS Servers
> IN NS NS1.domain.com.
> IN NS NS2.domain.com.
>abc IN NS NS3.abc.domain.com.
>abc IN NS NS1.domain.com.
>
>#################
>named.conf on domain.com
>##################
>zone "domain.com"{
> type master;
> file "master/domain.com";
> allow-transfer {IP of sub NS server;};
> };
>zone "abc.domain.com"{
> type slave;
> file "slave/slave.abc.domain.com";
> masters {IP of sub NS server;};
> };
>
>
>#######################
>master/abc.domain.com on abc.domain.com
>#######################
>$TTL 86400
>abc.domain.com. IN SOA NS3.abc.domain.com. root.abc.domain.com. (
> 2006052301 ; serial
> 10800 ; refresh
> 3600 ; retry
> 1209600 ; expire
> 86400 ; minimum
> )
> NS NS3.abc.domain.com.
> NS NS1.domain.com.
>########################
>named.conf on abc.domain.com
>########################
>zone "abc.domain.com"{
> type master;
> file "master/abc.domain.com";
> allow-transfer {IP of root NS server;};
> };
>zone "domain.com"{
> type slave;
> file "slave/slave.domain.com";
> masters {IP of root NS server;};
> };
>
>When I do an nslookup for a www record in the abc.domain.com domain I
>get the following error:
>
>** server can't find www.abc.domain.com: NXDOMAIN
>
My guess would be that this is a classic case of nslookup misreporting
an error. My speculation would be that the initial www.abc.domain.com
query is getting a SERVFAIL response, so nslookup proceeds through its
searchlist, e.g. appending the local domain example.com, querying
www.abc.domain.com.example.com, getting an NXDOMAIN response (since
obviously no such name exists), and then reporting that as the error
instead of the original SERVFAIL.
You can turn on the debug mode of nslookup to verify if my speculation
is correct.
Or, just save yourself a lot of grief, stop using nslookup (which
sucks), and use a real DNS lookup tool like "dig".
>
>After I reload the domain on domain.com I get the following in my
>/var/log/messages:
>
> client IP.OF.ROOT.NS#53884: received notify for zone 'abc.domain.com': not authoritative
>
This is why I think you're actually getting a SERVFAIL for the
www.abc.domain.com query. The slave for abc.domain.com doesn't seem to
be loading and/or serving the zone properly. A slave for a given zone
should always be authoritative for the zone as long as the master is
authoritative and replication is occurring between them (or at least
serial-number checking, if the zone isn't changing). But the log message
above indicates that the slave is *not* authoritative for the zone,
implying either that the master has stopped being authoritative for the
zone (which seems unlikely since it's still sending out NOTIFYs), or
that there is a lack of master/slave connectivity, at least with respect
to serial-number checks or zone transfers. My money would be on the zone
transfers failing. You need to find out why. Could be a file-permissions
problem on the slave, network problems, possibly an errant
allow-transfer on the master. There are a number of possible causes.
Looking more closely at the logs on both servers might be instructive.
>If I do the lookups on the local server (the NS of the sub domain)
>everything seems to work fine, but it does not seem to work top down.
>
That's expected. When you query the master nameserver for a zone, then
assuming the zone is loading properly, it can answer your query without
needing to rely on any other nameserver, since it's just answering from
its own authoritative data.
- Kevin
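As an added example (not from the thread), a small POSIX shell helper that does what Kevin recommends: query each listed nameserver with dig for the zone's SOA and read the status and the aa flag, rather than trusting the NXDOMAIN that nslookup reports after walking its searchlist. The dig output inside demo_constructed is a constructed sample, not captured from the poster's servers.

```shell
#!/bin/sh
# Added example, not from the thread: classify each nameserver's SOA answer for a
# zone from dig's output, so a slave that is not authoritative stands out.

# Classify the text printed by `dig +norecurse +noall +comments +answer SOA <zone> @<server>`.
# Output: "AUTHORITATIVE <serial>", "NOT-AUTHORITATIVE", "NO-RESPONSE", or the rcode itself.
classify_soa_reply() {
    reply=$1
    status=$(printf '%s\n' "$reply" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$reply" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    # Field 7 of an SOA answer line (name ttl class SOA mname rname serial ...) is the serial.
    serial=$(printf '%s\n' "$reply" | awk '$4 == "SOA" { print $7; exit }')
    case "$status" in
        "") echo "NO-RESPONSE" ;;
        NOERROR)
            case " $flags " in
                *" aa "*) echo "AUTHORITATIVE ${serial:-unknown}" ;;
                *)        echo "NOT-AUTHORITATIVE" ;;   # e.g. a slave that never loaded the zone
            esac ;;
        *) echo "$status" ;;   # SERVFAIL, REFUSED, NXDOMAIN, ...
    esac
}

# Live check (needs dig and network): one line per listed server. A master answering
# "AUTHORITATIVE 2006052301" beside a slave answering SERVFAIL or NOT-AUTHORITATIVE
# points straight at a failing zone transfer between them.
check_zone() {
    zone=$1; shift
    for ns in "$@"; do
        reply=$(dig +norecurse +noall +comments +answer SOA "$zone" "@$ns")
        printf '%s %s\n' "$ns" "$(classify_soa_reply "$reply")"
    done
}

# Offline demonstration on constructed dig output (not captured from real servers).
demo_constructed() {
    master=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
abc.domain.com. 86400 IN SOA NS3.abc.domain.com. root.abc.domain.com. 2006052301 10800 3600 1209600 86400'
    slave=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
    printf 'NS3.abc.domain.com %s\n' "$(classify_soa_reply "$master")"
    printf 'NS1.domain.com %s\n' "$(classify_soa_reply "$slave")"
}

demo_constructed
```

Run `check_zone abc.domain.com NS3.abc.domain.com NS1.domain.com` against live servers to compare the master and the slave directly.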