"Short" domains...

Kevin Darcy kcd at chrysler.com
Tue Dec 18 17:32:51 UTC 2012


On 12/17/2012 11:04 AM, Ray Van Dolson wrote:
> I'm not sure quite how to properly describe this, and as a result my
> searches aren't turning up much....
>
> To support a legacy app, I need to have a domain defined called
> "selfservice" so I can support resolution of "www.selfservice".  Yes,
> no trailing .com, .net, etc.... ugly, but I need it for now.
>
> This domain actually lives on our AD servers,
Why? Is there anything inherently "AD-ish" about the zone? If not, why 
not just take it over and maintain it in the central DNS infrastructure?

> so I thought I'd do the
> following:
>
> zone "selfservice" {
>      type forward;
>      forwarders { adserver....; };
> };
As a general rule, I prefer the use of "type stub" over "type forward" 
in such situations: it optimizes/scales better and is more resilient 
when there are descendant zones being served by geographically- and/or 
topologically-diverse nameservers.
> However, this doesn't work.  Queries just return the TLD servers for .
> as the SOA.
Is the "Recursion Available" (RA) flag set in the response?

> Querying the AD servers directly works fine.
>
> However, if I actually define a master zone:
>
> zone "selfservice" {
>      type master;
>      file "selfservice.zone";
>      notify yes;
>      allow-transfer { secondary; };
> };
>
> And explicitly define the A record I need, then queries for
> www.selfservice respond correctly.
>
> It's almost as if BIND prefers the less specific hint zone for "." over
> my forward zone definition for "selfservice" -- but not if I make it a
> master zone...
Authoritative data always takes precedence over data obtained indirectly 
from some other authoritative source, so it shouldn't surprise you that 
defining the zone as "master" forces it to work. But you probably don't 
want to have to sync that data manually with the authoritative source 
every time it changes, so I'd go with a "type stub", or, define it as 
"type slave", if you want the added redundancy and performance of having 
the zone data local at all times, at the expense of some extra overhead 
and the potential hassle of convincing some Windows admins to open up 
zone transfers to you (which they tend to be skittish about since 
Microsoft preaches to them that the only "safe" zone-transfer partners 
are the ones that happen to be published for the zone). Note that "type 
slave" or "type master" are your only real options if -- as I speculate 
above -- your nameserver has recursion disabled, and assuming you want 
to keep it that way. A non-recursive nameserver only serves data from 
its authoritative zones and gives a mostly-useless "upwards" or 
root-zone referral for everything else (the symptom you describe above).

If you're up for somewhat of a configuration challenge, you could even 
set up GSS-TSIG such that your communication with the MS-DNS servers is 
cryptographically secure. That will require very close co-ordination with 
the AD folks though, at least for the initial setup.

                                                         - Kevin
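The stub and slave options discussed above, written out as named.conf fragments. This is an added illustration, not configuration from the original thread; 192.0.2.10 is a placeholder for the AD server that is authoritative for "selfservice".

```conf
// Added example (not from the original thread): named.conf fragments for the
// two approaches recommended above. 192.0.2.10 is a placeholder for the AD
// server authoritative for "selfservice"; substitute the real address.

options {
    // A stub (or forward) zone only works if this server may recurse on
    // behalf of the client. With recursion off, queries for names outside
    // the authoritative zones get the root referral described in the thread.
    recursion yes;
    allow-recursion { localnets; };   // limit recursion to your own clients
};

// Option 1: stub zone. BIND keeps only the SOA/NS (and glue) records for
// "selfservice" learned from the AD server and recurses to those nameservers
// for the actual answers, so no zone transfer has to be opened on the AD side.
zone "selfservice" {
    type stub;
    masters { 192.0.2.10; };
    file "stub.selfservice";          // persisted NS/SOA data, optional
};

// Option 2: slave (secondary) zone. The whole zone is transferred and served
// locally, which also works on a non-recursive server, but the AD admins must
// allow zone transfers (AXFR/IXFR) to this server's address.
//
// zone "selfservice" {
//     type slave;
//     masters { 192.0.2.10; };
//     file "slave.selfservice";
// };
```

After reloading, `dig @<this server> www.selfservice A` should return the A record held on the AD server; if the `flags:` line of the response lacks `ra`, recursion is disabled for that client and only the slave or master options will work.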
