Can't create & delegate subdomains on internal view

Mark Andrews Mark_Andrews at isc.org
Tue Nov 14 20:26:33 UTC 2006


> Hello,
> 
> I have been trying to track down a problem I've been having while trying
> to delegate authority for a subdomain to another server. I created the
> appropriate NS record and glue record for the machine hosting the
> subdomain (incremented the serial too). However, when I try to query the
> parent server for the NS of the subdomain I get a SERVFAIL or NXDOMAIN
> response from dig. I tracked this down for two hours, wondering if I had
> gone crazy. Out of frustration I then created the subdomain in my public
> zone and it works perfectly. I am using a view statement to maintain
> separate internal and external zone information. Here are the relevant
> pieces of my configuration files.
> 
> From named.conf...
> 
> // Define our internal networks, they should use the internal (private) zone
> // information
> acl "internal" {
>         127/8; 192.168.0/24; 10.8.0.0/16;
> };
> 
> // Zones that internal clients have access to
> view "internal" {
>         match-clients { internal; };
>         recursion yes;
> 
>         // prime the server with knowledge of the root servers
>         zone "." {
>                 type hint;
>                 file "/etc/bind/db.root";
>         };
> 
>         // be authoritative for the localhost forward and reverse zones, and for
>         // broadcast zones as per RFC 1912
> 
>         zone "localhost" {
>                 type master;
>                 file "/etc/bind/db.local";
>         };
> 
>         zone "127.in-addr.arpa" {
>                 type master;
>                 file "/etc/bind/db.127";
>         };
> 
>         zone "0.in-addr.arpa" {
>                 type master;
>                 file "/etc/bind/db.0";
>         };
> 
>         zone "255.in-addr.arpa" {
>                 type master;
>                 file "/etc/bind/db.255";
>         };
> 
>         // blissfulidiot.com Internal domain
>         zone "blissfulidiot.com" {
>                 type master;
>                 notify no;
>                 file "/etc/bind/db.internal.blissfulidiot.com";
>         };
> };
> 
> view "external" {
>         // Match Internet queries
>         match-clients {any;};
>         // Do not do recursive lookups for non-authoritative queries
> recursion no;
> 
>         zone "blissfulidiot.com" {
>                 type master;
>                 notify no;
>                 file "/etc/bind/db.blissfulidiot.com";
>         };
> };
> 
> 
> 
> And from the actual zone files for blissfulidiot.com, I used the identical
> records in both the internal and external views, works fine on the
> external, but not the internal.....
> 
> sub     30      IN      NS      ns.sub.blissfulidiot.com.
> ns.sub  30      IN      A       1.2.3.4
> 
> 
> 
> I also turned on query logging to see if there was something strange going
> on, it looks to me like bind is trying to resolve the subdomain from my
> ISP DNS servers, though when I do lookups for other hosts on the internal
> zone they get returned fine....
> 
> Nov 13 13:59:17 yura named[26025]: client 127.0.0.1#33853: view internal: query: sub.blissfulidiot.com IN NS +
> Nov 13 13:59:17 yura named[26025]: client 209.98.98.98#1618: view external: query: sub.blissfulidiot.com IN NS -E
> Nov 13 13:59:18 yura named[26025]: unexpected RCODE (SERVFAIL) resolving 'sub.blissfulidiot.com/NS/IN': 209.98.98.98#53
> Nov 13 13:59:18 yura named[26025]: client 208.42.42.42#2020: view external: query: sub.blissfulidiot.com IN NS -E
> Nov 13 13:59:18 yura named[26025]: unexpected RCODE (SERVFAIL) resolving 'sub.blissfulidiot.com/NS/IN': 208.42.42.42#53
> Nov 13 13:59:20 yura named[26025]: unexpected RCODE (SERVFAIL) resolving 'ns.sub.blissfulidiot.com/AAAA/IN': 208.42.42.42#53
> Nov 13 13:59:22 yura named[26025]: client 127.0.0.1#33853: view internal: query: sub.blissfulidiot.com IN NS +
> Nov 13 13:59:27 yura named[26025]: client 127.0.0.1#33853: view internal: query: sub.blissfulidiot.com IN NS +
> Nov 13 13:59:31 yura named[26025]: client 211.202.2.3#34091: view external: query: blissfulidiot.com IN MX -E
> Nov 13 13:59:37 yura named[26025]: client 127.0.0.1#33853: view internal: query: sub.blissfulidiot.com IN NS +
> Nov 13 13:59:42 yura named[26025]: client 127.0.0.1#33853: view internal: query: sub.blissfulidiot.com IN NS +
> Nov 13 13:59:44 yura named[26025]: unexpected RCODE (SERVFAIL) resolving 'ns.sub.blissfulidiot.com/AAAA/IN': 209.98.98.98#53
> 
> I really appreciate any help you folks can give me.
> 
> Regards,
> 
> Tom Johnson

	If you want to see the delegation, make a non-recursive query.

	Note: it is good practice to have the sub-zone established
	*before* you make the delegation.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
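
The non-recursive query suggested in the reply above, as an added example that is not part of the original thread: it builds the query with the RD bit clear (the "+" in the quoted query log marks RD set) and classifies the reply header, so a referral from the parent zone can be told apart from the SERVFAIL a recursive lookup yields while the child server is not answering. The function names and the two sample headers are constructed for illustration.

```python
import socket
import struct

# Constructed 12-byte response headers (sample data, not captured traffic):
# QR=1, AA=0, NOERROR, 0 answers, 1 authority NS record, 1 additional (glue).
SAMPLE_REFERRAL = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 1, 1)
# QR=1, RD=1, RA=1, RCODE=2: a SERVFAIL such as the original post reports.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=2, recurse=False, qid=0x1234):
    """Build a query (qtype 2 = NS); recurse=False clears the RD bit."""
    flags = 0x0100 if recurse else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def classify(msg):
    """Classify a response by its header flags and section counts."""
    _qid, flags, _qd, answers, authority, _extra = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    authoritative = bool(flags & 0x0400)
    if rcode != 0:
        return {2: "SERVFAIL", 3: "NXDOMAIN"}.get(rcode, "rcode %d" % rcode)
    # A delegation is served as a referral: no answer records, NS records in
    # the authority section, and AA clear because the parent is not
    # authoritative below the zone cut.
    if answers == 0 and authority > 0 and not authoritative:
        return "referral"
    return "authoritative answer" if authoritative else "non-authoritative answer"

def ask(server, name, recurse=False, timeout=3.0):
    """Send the query over UDP and classify the reply (needs a live server)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, recurse=recurse), (server, 53))
        return classify(sock.recv(4096))

if __name__ == "__main__":
    print(classify(SAMPLE_REFERRAL))   # reply shape for a non-recursive query
    print(classify(SAMPLE_SERVFAIL))   # reply shape when recursion fails
```

Against a running server, `ask("127.0.0.1", "sub.blissfulidiot.com")` sends the same kind of query as `dig +norecurse`.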


