Forwarding problem; Forward Last?

Gabriel.Quennesson at fr.michelin.com
Fri Feb 8 10:44:40 UTC 2008


Right again, damn.
My second set of tests suffered a misconfiguration of my zonefile.
I really don't see, however, what the subtle difference is between 
forwarding first and disabling forwarding altogether for that zone when 
it comes to subzone nameservers lookup.
If I understand correctly, the query should forward first, receive no 
answers, then look up its own zone file for a matching NS record, then ask 
that server...

And the answer is nowhere to be seen, but in the mouths of "those who 
know" it seems.

bind-users-bounce at isc.org wrote on 08/02/2008 11:20:08:

> 
> > You are right, I didn't apply it to the zone you specified;
> > I first disabled forwarding in the ad.sub.company.com zone by setting 
> > forwarders to an empty list, which did not work.
> > 
> > I then did the same with the sub.company.com zone, as you specified. I
> > can't get it to work either...
> > 
> > As for made up names, there are rather strong confidentiality issues with
> > my company. Let me put here a translation of my configuration files :
> > 
> > 
> > /* named.conf */
> > 
> > forwarders { 10.0.0.1; 10.0.0.2; };
> > 
> > zone sub.company.com {
> >         type master;
> >         forwarders { }; #because you asked it
> >         file "master/myzonefile";
> > };
> 
>    Which will work.  Your testing methods must be flawed or there
>    is something else you are not telling us.
> 
>    Mark
> 
> > # note that the ad.sub.company.com isn't defined as such. I defined it to
> > put the empty forwarder list when I read your above mail.
> > 
> > /* myzonefile */
> > /* skipping SOA block */
> > 
> > ad.sub.company.com.     IN NS   ns1.ad.sub.company.com.
> > ns1.ad.sub.company.com. IN A 192.168.0.1
> > 
> > 
> > This setup seems, as far as literature goes, a state of the art setup for
> > delegation of a zone.
> > And btw yes I am probably "not applying [something] correctly". I have
> > read through many mailing lists, docs, books and couldn't find an answer,
> > hence why I am posting here.
> > 
> > bind-users-bounce at isc.org wrote on 07/02/2008 23:03:01:
> > 
> > > 
> > > > I was pretty sure I tested that, but I double checked anyway.
> > > > It doesn't work; Or at least, it forces me to define the zone as a slave
> > > > (or forward only) zone in named.conf, which is not the solution I
> > > > envisioned.
> > > > I just want to define a NS record and the corresponding A record for
> > > > delegation, which works well as long as I can't forward to my main
> > > > forwarders.
> > > 
> > >    It does work.  You are just not applying it correctly.
> > >    Please look at the example below and apply it to the
> > >    corresponding zone in your hierarchy.
> > > 
> > >    This is a perfect example of why one should not hide zone
> > >    names etc. when asking for help.  It makes it hard to
> > >    do the examples when one is using made up names.
> > > 
> > >    Mark
> > > 
> > > > bind-users-bounce at isc.org wrote on 07/02/2008 14:09:38:
> > > > 
> > > > > 
> > > > > > Hi,
> > > > > > > (needless to say I have been looking for the answer for days before
> > > > > > > posting here).
> > > > > > > 
> > > > > > > I am in the process of replacing Novell Netware's repackaged Bind by a
> > > > > > > standard Linux Bind build.
> > > > > > > My setup is quite simple :
> > > > > > > 
> > > > > > > Bind is authoritative for sub.company.com. It uses 2 company.com
> > > > > > > forwarders (which don't know anything about our zone and/or network
> > > > > > > apart from a couple A records they hold for external sub.company.com
> > > > > > > access. That's stupid but that's how they do.)
> > > > > > > There is an active directory, which is named -you guessed it already-
> > > > > > > ad.sub.company.com. Bind is not a slave for that zone, it just holds a NS
> > > > > > > and its glue record, as follows
> > > > > > > ad      NS      ns.ad.sub.company.com.
> > > > > > > ns.ad.sub.company.com.  A       192.168.0.1
> > > > > > > 
> > > > > > > My problem is the following: when my forwarders are down or undefined and
> > > > > > > I query Bind for a record in ad.company.com, it asks ns.ad.sub.company.com
> > > > > > > and answers with the right answer. (read : if the forwarders are defined
> > > > > > > but not reachable for some reasons, like FW blocking access, the cascading
> > > > > > > works).
> > > > > > > However when Bind can reach the forwarders, it just asks them for records
> > > > > > > in ad domain; they answer with a no such domain and resolution stops
> > > > > > > there.
> > > > > > > 
> > > > > > > Reading Bind's documentation (and O'Reilly's book, 5th edition) I am not
> > > > > > > missing anything obvious about delegation. It might have to do with my
> > > > > > > forwarder being unaware of my setup but I don't see quite how (and I can't
> > > > > > > do anything about it).
> > > > > > > I have not tried to make bind a slave for the AD zone. I would like the
> > > > > > > above setup to work before trying other setups.
> > > > > > > 
> > > > > > > Any help would be appreciated,
> > > > > 
> > > > >    turn forwarding off for the sub zone.
> > > > > 
> > > > >    zone sub.company.com {
> > > > >       ....
> > > > >       forwarders { /* empty */ };
> > > > >    };
> > > > > > 
> > > > > > 
> > > > > -- 
> > > > > Mark Andrews, ISC
> > > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > > > > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> > > > > 
> > > > > 
> > > > 
> > > > 
> > > > 
> > > -- 
> > > Mark Andrews, ISC
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > > PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> > > 
> > > 
> > 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> 
> 
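
Added example, not part of the original thread and not BIND's own code: a simplified Python model of the behaviour the thread converges on. Under the default "forward first" policy a reachable forwarder's NXDOMAIN is accepted as the answer, while an empty forwarders list on the parent zone lets the delegation be followed. The host name dc1 and all function names are assumptions; zone names and addresses are the made-up ones from the thread.

```python
# Simplified model of forwarder selection for a recursive lookup.
# Illustration only: not BIND source code, and it ignores caching and TTLs.

GLOBAL_FORWARDERS = ["10.0.0.1", "10.0.0.2"]           # from the quoted named.conf
DELEGATIONS = {"ad.sub.company.com.": "192.168.0.1"}   # NS + glue in the master zone


def is_subdomain(name, zone):
    return name == zone or name.endswith("." + zone)


def forwarders_for(qname, zone_forwarders):
    """The closest enclosing zone with its own 'forwarders' statement wins.
    An empty list turns forwarding off for that zone and the names below it."""
    matches = [z for z in zone_forwarders if is_subdomain(qname, z)]
    if matches:
        return zone_forwarders[max(matches, key=len)]
    return GLOBAL_FORWARDERS


def delegation_for(qname):
    matches = [z for z in DELEGATIONS if is_subdomain(qname, z)]
    return DELEGATIONS[max(matches, key=len)] if matches else None


def resolve(qname, zone_forwarders, forwarders_reachable=True):
    """Return (server asked, outcome) under the 'forward first' policy."""
    fwd = forwarders_for(qname, zone_forwarders)
    if fwd and forwarders_reachable:
        # The forwarders know nothing about ad.sub.company.com. Their NXDOMAIN
        # is a valid answer, so the server never falls back to the delegation.
        return fwd[0], "NXDOMAIN"
    ns = delegation_for(qname)
    if ns:
        # No usable forwarder: follow the NS/glue records held in our own zone.
        return ns, "ANSWER"
    # No delegation in our zones: ordinary iteration from the roots (not modelled).
    return None, "ITERATE"


if __name__ == "__main__":
    q = "dc1.ad.sub.company.com."  # constructed query name
    print(resolve(q, {}))                                   # global forwarders used
    print(resolve(q, {}, forwarders_reachable=False))       # firewall blocks them
    print(resolve(q, {"sub.company.com.": []}))             # forwarders { };
```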



