subdomain delegation question

Kevin Oberman oberman at es.net
Sun May 22 21:44:41 UTC 2011


> Date: Sun, 22 May 2011 13:36:43 -0700
> From: dalton stickney <daltons.stickney at gmail.com>
> Sender: bind-users-bounces+oberman=es.net at lists.isc.org
> 
> Hello all,
> I have what may be an easy question here, but it's been a while since I did
> much with Bind, so I'm not entirely sure if I'm doing something wrong here.
> 
> What I'm trying to do should be relatively simple I think, but for some
> reason I cannot get it to work. I'm trying to delegate a subdomain to a
> separate nameserver.
> 
> My zone file looks like this:
> 
> $TTL 86400
> 
> ; Start of Authority
> stor.company.com.            86400      IN SOA   ns1.company.com. hostmaster.company.com. (
>                                                   2011052000 ; Serial
>                                                   3600       ; Refresh
>                                                   900        ; Retry
>                                                   864000     ; Expire
>                                                   86400      ; Min TTL
>                                                   )
> 
> ; Host
> sip.stor.company.com.                    IN A 10.10.10.10
> 
> ; Nameserver
> subdomain.stor.company.com.                IN NS sip.stor.company.com.
> stor.company.com.                        IN NS ns2.company.com.
> stor.company.com.                        IN NS ns1.company.com.
> 
> I have the appropriate entry for stor.company.com in named.conf.
> 
> I can resolve the nameserver for the subdomain: sip.stor.company.com.
> 
> But I cannot dig for NS for subdomain.stor.company.com; it times out.
> 
> Am I missing something obvious in my config?

Several questions come to mind:
1. Do you have a glue record for sip.stor.company.com? If not, you will get
   timeouts.

2. You wrote "I have the appropriate entry for stor.company.com in
   named.conf.", but you don't give us an idea of what you mean by
   appropriate.

I think the first item is the real problem. Glue records often confuse
people.

Also, the SOA has a Min TTL of 1 day. This is seriously long, but people
often don't understand what this value means in modern DNS servers. It
does not mean the minimum TTL for a record in the zone. It is really the
TTL for negative cache entries and is usually a few minutes, not hours
or days.

If you get an NXDOMAIN for a domain that is not QUITE online, you will
continue to get that answer for a full day before it will actually be
checked again. This is a fail-safe mechanism to control load on servers,
but checking every 10 or 15 minutes is not a serious load.

Fortunately, BIND has a sanity check that limits min TTL to 3 hours, so
yours is not as bad as it seems, but I'd really suggest changing it. (See
the ARM Chapter 6,
"Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them".)
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
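An added sanity check, written for this page and not part of the thread, that applies the two points raised in the reply to the zone quoted above: for each delegation, whether the NS target sits under the delegated name (the only case where the parent must carry glue) and whether the parent holds an address record for it at all, and whether the SOA MINIMUM exceeds BIND's default 3-hour negative-cache cap. The zone text is a constructed copy of the one posted; the 10800-second cap assumes BIND's default max-ncache-ttl.

```python
# Constructed copy of the zone quoted in the thread (SOA joined onto one record).
ZONE = """\
$TTL 86400
stor.company.com. 86400 IN SOA ns1.company.com. hostmaster.company.com. (
        2011052000 3600 900 864000 86400 )
sip.stor.company.com.       IN A  10.10.10.10
subdomain.stor.company.com. IN NS sip.stor.company.com.
stor.company.com.           IN NS ns2.company.com.
stor.company.com.           IN NS ns1.company.com.
"""

MAX_NCACHE_TTL = 10800  # assumed: BIND default max-ncache-ttl, the 3-hour cap the reply mentions

def norm(name):
    return name.lower().rstrip(".")

def parse_zone(text):
    """Parse an FQDN-only zone text into (soa_minimum, [(owner, type, rdata)])."""
    records, buf, depth, soa_minimum = [], [], 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]            # drop comments before counting parens
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:                          # still inside a ( ... ) continuation
            continue
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if not tokens or tokens[0].startswith("$"):
            continue                           # skip blank lines and $ directives
        cls = tokens.index("IN")               # class marks the end of owner/TTL
        owner, rtype, rdata = tokens[0], tokens[cls + 1], tokens[cls + 2:]
        if rtype == "SOA":
            soa_minimum = int(rdata[6])        # MINIMUM = negative-cache TTL (RFC 2308)
        records.append((owner, rtype, rdata))
    return soa_minimum, records

def is_subdomain(name, parent):
    return norm(name) == norm(parent) or norm(name).endswith("." + norm(parent))

def check_delegations(apex, records):
    """Return [(delegated_name, ns_target, needs_glue, parent_has_address)] for NS records below the apex."""
    addrs = {norm(o) for o, t, _ in records if t in ("A", "AAAA")}
    out = []
    for owner, rtype, rdata in records:
        if rtype == "NS" and norm(owner) != norm(apex):
            target = rdata[0]                  # glue is mandatory only when target is under owner
            out.append((owner, target, is_subdomain(target, owner), norm(target) in addrs))
    return out

def negative_ttl_ok(soa_minimum, cap=MAX_NCACHE_TTL):
    """True if the SOA MINIMUM is within the negative-cache cap."""
    return soa_minimum <= cap
```

For the posted zone the delegation target is in the parent zone itself, so its A record is an ordinary authoritative record rather than glue, while the SOA MINIMUM of 86400 fails the cap check.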