BIND 9.8.2: forward zone not working

Mark Andrews marka at isc.org
Wed Mar 20 01:42:39 UTC 2013


In message <514911CF.5060400 at verizon.net>, Gerry Reno writes:
> On 03/19/2013 09:26 PM, btb at bitrate.net wrote:
> > On Mar 19, 2013, at 20.30, Gerry Reno <greno at verizon.net> wrote:
> >
> >> On 03/19/2013 08:10 PM, btb at bitrate.net wrote:
> >>> On Mar 18, 2013, at 23.04, Gerry Reno <greno at verizon.net> wrote:
> >>>
> >>>> On 03/18/2013 10:25 PM, btb at bitrate.net wrote:
> >>>>> On Mar 18, 2013, at 20.27, Gerry Reno <greno at verizon.net> wrote:
> >>>>>
> >>>>>> Using BIND 9.8.2
> >>>>>>
> >>>>>> When you setup Samba 4 AD DC using BIND9_DLZ and your domain has external servers (eg: www,mail) at external providers
> >>>>>> this means that the ISP and the internal network nameservers will both have SOA record for the domain.
> >>>>> it's not really anything particularly related to samba or dlz.  it's just two different computers serving the same zone.  you're just "hijacking" or overloading that particular label.  in addition to declaring the zone in your config, you'll need to delegate that new zone from the parent.
> >>>>>
> >>>>> it's worth noting that this scales poorly.  having to add delegations and zone declarations for every label for which this is desired becomes quickly prohibitive.  instead, i'd suggest using a subdomain for samba - e.g. something like ad.example.com.  there are a number of other solutions as well which would likely be more sensible than hijacking labels.
> >>>>>
> >>>>> -ben
> >>>>>
> >>>> If it was more than just a few labels I would do it another way.
> >>>>
> >>>> But this will suffice, if I can only get bind to actually get the forward zone working.
> >>>>
> >>>> I don't need any delegation.  I'm not looking to slave the zone.
> >>> as i said, you'll need to delegate that new zone from the parent.  i'm not sure what slave zones would have to do with that.
> >>>
> >>> -ben
> >>>
> >> As I said, if I was going to do this for a bunch of labels I would add an external view and just slave it from the ISP
> >> which holds the SOA for the external answers.
> > i don't know what the point of that would be.  you'd still have to overload your other zone.
> >
> > all i can do at this point is suggest you simply try what has been suggested [by multiple people].
> >
> > -ben
> >
> >
> It's called Split-DNS.
> 
> And delegation was implemented yesterday.
> 
> Still no answer about what is the use case for this forward zone.   And why many people have posted that they have not been able to get it to work for years.

Forward zones affect where recursive queries are sent.

They have 2 purposes:
1. work around firewalls blocking direct access to the authoritative servers
	 (forward only).
2. allow access to central caches (forward first).

They do not and never have instantiated delegations.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
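The two purposes Mark lists, written out as named.conf statements. This is an added illustration, not configuration from the thread or from ISC; the zone name, the forwarder addresses and the firewall/cache scenario are assumptions.

```conf
// Purpose 1: "forward only".
// Assumed scenario: the authoritative servers for corp.example sit behind a
// firewall that blocks this resolver, so every recursive query for names in
// that zone is handed to an internal forwarder and nothing else is tried.
// Addresses are placeholders from the RFC 5737 documentation range.
zone "corp.example" {
    type forward;
    forward only;                // no fallback to iterative resolution;
                                 // if the forwarder is down, lookups fail
    forwarders { 192.0.2.53; };
};

// Purpose 2: "forward first".
// Assumed scenario: a central shared cache should be asked before this
// server resolves on its own; if the cache does not answer, normal
// iterative resolution from the root hints takes over.
options {
    forward first;               // BIND's default when forwarders are set
    forwarders { 198.51.100.53; };
};

// Neither statement adds NS records anywhere: a forward zone only changes
// where this server sends recursive queries. If a name under a zone you are
// authoritative for is to be answered elsewhere, the delegation must exist
// in the parent zone's data, as discussed in the thread.
```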