Delegation question

Torinthiel torinthiel at data.pl
Fri Feb 4 13:42:13 UTC 2011


On 2011-02-04 23:16 Jean-Yves Avenard wrote:

>Hi
>
>On 4 February 2011 22:54, Eivind Olsen <eivind at aminor.no> wrote:
>
>> Unless I'm misunderstanding something, it should work. Here's an extract
>> from the BIND 9.7 ARM, section 6.2.16.2:
>>
>> "Forwarding occurs only on those queries for which the server is not
>> authoritative and does not have the answer in its cache."
>>
>> How exactly had you configured forwarding in your named.conf file?
>
>I use the bind that comes with Mac OS 10.6 Server (9.6.0-APPLE-P2);
>
>named.conf at the beginning includes a file options.conf.apple like so:
>options  {
>        include "/etc/dns/options.conf.apple";
>};
>
>options.conf.apple contains:
>directory "/var/named";
>
>forwarders { 203.59.24.3; 203.0.178.191; 203.134.24.70; };
>
>allow-transfer { none; };
>
>in named.conf I then have:
>include "/etc/dns/privateView.conf";
>
>which contains:
>view "intranet_view" {
>
>        match-clients { 127.0.0.0/8; 192.168.0.0/23; };
>
>        allow-recursion { "internal"; };
>
>        zone "." {
>                type hint;
>                file "named.ca";
>        };
>
>        zone "domain.com" {
>                type master;
>                file "internal/db.domain.com";
>                check-names ignore;
>                notify TRUE;
>                allow-update { key "rndc-key"; };
>                // Cancel the forwarding for this authoritative domain.
>                forwarders {
>                };
>        };
>
>On the other hand, is the server authoritative for the sub-domain
>mel.domain.com, provided I added the delegation?
>dig shows something like:
>;; AUTHORITY SECTION:
>mel.domain.com.		7200	IN	NS	ad.domain.com.

This answer is not stating that it's authoritative, but only that the authorities
are below.
My wild guess on what's happening, and why disabling forwarders fixes this:
without the NS, m.domain.com is authoritative for mel.domain.com, so it answers for
A mel.domain.com without issues.
Now, with the NS, it's not authoritative, as you've just set up a delegation. So,
when it receives the question it forwards it to one of the three forwarding
servers. And they probably don't know how to access ad.domain.com (as it has a
private IP address, and these are public - that's one part of the guess), so they
end up not resolving the name.

Can you verify that 203.59.24.3, 203.0.178.191 and 203.134.24.70 can reach
192.168.0.3 at that address?

Also, keep in mind that normally you should not use only one NS per
delegation, but a minimum of two. Here, in a testing environment (I guess)
it'll work, but don't do it in a production environment.

Torinthiel
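The mechanism Torinthiel is guessing at can be walked through in a few lines. The following is an added illustration, not BIND source and not anything posted in this thread: it models the rule the BIND ARM documents for forwarding, namely that a recursive query uses the closest enclosing forwarders entry, and that an empty zone-level list (`forwarders { };`) cancels forwarding for that zone and the names delegated beneath it. The zone names and forwarder addresses are the ones quoted above; that ad.domain.com lives at 192.168.0.3 is an assumption taken from the question about that address.

```python
"""Model of when a delegated subdomain is forwarded vs. followed by delegation.

Added illustration for the thread above, not BIND code. It applies the
forwarding-table rule described in the BIND ARM (closest enclosing entry wins,
an empty zone-level list cancels forwarding) to the configuration quoted in
the thread. Assumption: ad.domain.com has the private address 192.168.0.3.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Config:
    # forwarding table: zone name -> forwarder addresses. "." stands for the
    # options-level list; [] models "forwarders { };" inside a zone statement.
    forwarders: dict
    # delegations present in the authoritative data: owner -> (NS name, glue address)
    delegations: dict


def ancestors(qname):
    """Names to try for qname, most specific first, ending with the root "."."""
    parts = qname.rstrip(".").lower().split(".")
    return [".".join(parts[i:]) for i in range(len(parts))] + ["."]


def forwarders_for(cfg, qname):
    """Closest enclosing forwarders entry for qname (the forwarding-table rule)."""
    for name in ancestors(qname):
        if name in cfg.forwarders:
            return name, list(cfg.forwarders[name])
    return ".", []


def plan(cfg, qname):
    """Decide how a recursive query for qname would be pursued."""
    scope, fwd = forwarders_for(cfg, qname)
    if fwd:
        return {"action": "forward", "scope": scope, "targets": fwd}
    # No forwarders in scope: iterate, i.e. follow the closest delegation we hold.
    for name in ancestors(qname):
        if name in cfg.delegations:
            ns, addr = cfg.delegations[name]
            return {"action": "iterate", "scope": name, "ns": ns, "targets": [addr]}
    return {"action": "iterate", "scope": ".", "ns": None, "targets": []}


def diagnose(cfg, qname):
    """Flag the failure mode from the thread: public forwarders are asked to
    resolve a name whose delegated NS has only a private (RFC 1918) address."""
    p = plan(cfg, qname)
    if p["action"] != "forward":
        return "ok"
    public_fwd = [t for t in p["targets"] if not ipaddress.ip_address(t).is_private]
    for name in ancestors(qname):
        if name in cfg.delegations:
            ns, addr = cfg.delegations[name]
            if public_fwd and ipaddress.ip_address(addr).is_private:
                return (f"unresolvable: {qname} forwarded to {', '.join(public_fwd)}, "
                        f"but the delegated NS {ns} ({addr}) is private")
            break
    return "ok"


# Values quoted in the thread; the 192.168.0.3 glue address is an assumption.
DELEGATIONS = {"mel.domain.com": ("ad.domain.com", "192.168.0.3")}
PUBLIC_FWD = ["203.59.24.3", "203.0.178.191", "203.134.24.70"]

# Before: only the options-level forwarders from options.conf.apple are in effect.
BEFORE = Config(forwarders={".": PUBLIC_FWD}, delegations=DELEGATIONS)
# After: the empty forwarders list in the "domain.com" zone statement cancels
# forwarding for domain.com and for everything delegated beneath it.
AFTER = Config(forwarders={".": PUBLIC_FWD, "domain.com": []}, delegations=DELEGATIONS)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, plan(cfg, "mel.domain.com"))
        print(label, diagnose(cfg, "mel.domain.com"))
```

Run as-is, the "before" configuration forwards mel.domain.com to the three public servers and the diagnosis reports the private NS, while the "after" configuration follows the delegation to 192.168.0.3 directly; a name outside domain.com (say, something under .org) is still forwarded in both cases, which is what the zone-level cancel is meant to achieve.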
