Subdomain delegation not working for external view

Kevin Darcy kcd at chrysler.com
Tue Jul 15 22:59:26 UTC 2008


Tom Mikelson wrote:
> Problem: Delegations of subdomains do not work in the "external" view.  They
> do work in the "internal" view.  For example
> the subdomain "bis.mydomain.edu" has been properly delegated to another DNS
> in the publicly reachable IP address space of mydomain.edu.
> The "internal" clients receive the correct response to a query for
> "some-server.bis.mydomain.edu".  The "external" clients receive
> "Can't find some-server.bis.mydomain.edu: No answer".  If views are not
> implemented all clients receive the correct response.  I am
> trying to implement views in order to prevent recursion for clients that are
> not part of my domain.
> options
> {
>         version "";
>         notify no;
>         allow-query { any; };
>         listen-on { <public IP address>; };
>         directory "/var/named";
> };
>
> logging
> {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
>
> view "internal" {
>         match-clients { <IP address range of internal clients>; localnets; };
>         recursion yes;
>         include "/etc/named.rfc1912.zones";
>
>         //
>         // ROOT SERVERS
>         //
>         zone "." IN {
>                 type hint;
>                 file "named.ca";
>         };
>
>         zone "mydomain.edu" {
>                 type slave;
>                 file "internal/mydomain.db";
>                 masters { <internal DNS server>; };
>                 allow-transfer { none; };
>         };
>
>         zone "<reverse zone for mydomain.edu>.in-addr.arpa" {
>                 type slave;
>                 file "internal/mydomain.rev";
>                 masters { <internal DNS server>; };
>                 allow-transfer { none; };
>         };
>
> };
>
> view "external" {
>         match-clients { any; };
>         recursion no;
>
>         zone "mydomain.edu" {
>                 type slave;
>                 file "internal/mydomain.db";
>                 masters { <internal DNS server>; };
>                 allow-transfer { none; };
>         };
>
>         zone "<reverse zone for mydomain.edu>.in-addr.arpa" {
>                 type slave;
>                 file "internal/mydomain.rev";
>                 masters { <internal DNS server>; };
>                 allow-transfer { none; };
>         };
> };
Your basic problem here is you're trying to serve stub resolvers from a 
view that has recursion turned off -- they get referral responses and 
don't know what to do with them (hence the "No answer" error you cite).

If your only requirement is "to prevent recursion for clients that are 
not part of my domain", where "domain" is defined by address ranges, I 
probably wouldn't use views at all, just use "allow-recursion". With a 
sufficiently-modern version of BIND, that will, by default, take care of 
cache snooping as well, or you can exercise finer-grained control of 
that with some combination of allow-recursion/allow-query/allow-query-cache.

         - Kevin
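The single-view, allow-recursion layout Kevin describes, sketched as an added named.conf example (not from the thread). It assumes BIND 9.4 or later (where allow-query-cache defaults to the allow-recursion ACL), keeps the original post's angle-bracket placeholders, and uses 10.0.0.0/8 as a constructed stand-in for the internal client range. External hosts still get referrals for bis.mydomain.edu, which is what a recursive resolver on the outside expects; only internal stub resolvers are served recursively.

```conf
// Added example, not the poster's configuration.
// Internal clients: constructed range plus the local networks/host.
acl "internal-clients" {
        10.0.0.0/8;       // placeholder for <IP address range of internal clients>
        localnets;
        localhost;
};

options {
        directory "/var/named";
        version "";
        notify no;
        listen-on { <public IP address>; };
        // Anyone may ask for authoritative data (mydomain.edu and the reverse zone).
        allow-query { any; };
        // Only internal clients may use this server as a recursive resolver.
        allow-recursion { "internal-clients"; };
        // Explicit cache-snooping control. In BIND 9.4+ this already
        // defaults to the allow-recursion ACL; stating it keeps intent visible.
        allow-query-cache { "internal-clients"; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

include "/etc/named.rfc1912.zones";

zone "." IN {
        type hint;
        file "named.ca";
};

zone "mydomain.edu" {
        type slave;
        file "mydomain.db";
        masters { <internal DNS server>; };
        allow-transfer { none; };
};

zone "<reverse zone for mydomain.edu>.in-addr.arpa" {
        type slave;
        file "mydomain.rev";
        masters { <internal DNS server>; };
        allow-transfer { none; };
};
```

With this in place a query for a name under the delegated bis.mydomain.edu from an internal host is resolved for the client, while the same query from outside returns the delegation's NS records with recursion refused.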
