Delegation questions

Bob McDonald bmcdonaldjr at
Thu Aug 11 17:14:23 UTC 2016

Let me be a bit more clear...

This is strictly internal. There are no external clients or servers
involved. All three of the servers have recursion turned ON.

Server A has a domain ( has an NS record that points to server B and delegate (yes there's really two, this is just an example)

Server B is at another company. (probably connected via some sort of IPSEC)

Server C has a slave copy of from server A (and the associated
NS record delegating to server B)
Server C is at another site at the same company as server A

Currently, clients sending queries for domain to server
A get good results.
However, clients sending queries for domain to server C
get SERVFAIL because server C has no access to server B. (I'm guessing
there is a firewall issue)

The question is if I get rid of the delegation and put in a stub zone on
server A pointing to on server B, can I use forwarders
for on server C to point at server A for resolution of (Will server A get answers directly from server B or
will server A simply refer me to server B?)

Hope that's clearer.


On Thu, Aug 11, 2016 at 11:52 AM, Matthew Pounsett <matt at>

> On 11 August 2016 at 09:13, Bob McDonald <bmcdonaldjr at> wrote:
>> I have a child domain that is delegated to a second site. Pretty
>> straightforward situation. In the parent zone I have NS records that point
>> to the DNS servers at the second site.
>> The issue comes up when a slaved copy of the parent domain is running at
>> a third site and that third site doesn't have a rule in their firewall
>> allowing DNS access to the second site (where the child domain is
>> delegated).
>> The question is this; can I use stub zones to reference the child domain
>> on the master server (instead of delegation) and then use forwarding at the
>> third site to direct queries for the child domain through the master
>> server?
>> I hope the picture I've tried to describe is somewhat clear.
> If the setup is exactly as you describe, then there's probably no reason
> for a name server authoritative for the parent zone to ever need to contact
> a server authoritative for the child zone.  Delegation from A to B doesn't
> imply direct communication between A and B.
> That said, you never know where on the Internet queries for a zone will
> arrive from.  If you want the Internet at large to be able to resolve names
> in your zone, then you can't firewall yourself off from parts of the
> Internet.
> If any of the servers in this scenario are also acting as recursive
> servers, then you have the same problem;  you never know where on the
> Internet an authoritative server you need to speak to is going to be, so
> you can't firewall your recursive server off from speaking to parts of the
> Internet and expect it to work reliably.
>> Regards,
>> Bob
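The stub-plus-forwarding arrangement asked about above, written out as BIND named.conf fragments for servers A and C; this is an added illustration, not configuration from the poster or the list, and the zone names, file names and addresses are placeholders standing in for the ones the post elides.

```conf
// ---- Server A: authoritative for the parent, recursive, holds the stub ----
// All names and addresses below are assumed placeholders.
options {
    recursion yes;
    // Server C must be permitted to send recursive queries to A,
    // because a "forward only" zone on C sends queries with RD set.
    allow-recursion { 192.0.2.0/24; 198.51.100.0/24; };
};

zone "parent.example" {
    type master;
    file "db.parent.example";
};

// A stub zone transfers only the child's NS records (with SOA and glue)
// from server B. Because A is recursive, it uses those NS records to
// chase queries for the child to B itself and returns complete answers,
// rather than handing back a referral.
zone "child.parent.example" {
    type stub;
    masters { 203.0.113.53; };        // server B (assumed address)
    file "stub.child.parent.example";
};

// ---- Server C: slave of the parent, forwards the child to A ----
zone "parent.example" {
    type slave;
    masters { 192.0.2.1; };           // server A (assumed address)
    file "db.parent.example";
};

// BIND matches the most specific configured zone, so this forward zone
// takes precedence over the delegation in the slaved parent copy.
// "forward only" means C never tries B on its own; if A is unreachable
// the query fails instead of falling back to iteration through the firewall.
zone "child.parent.example" {
    type forward;
    forward only;
    forwarders { 192.0.2.1; };        // server A (assumed address)
};
```

The two points to verify after loading this are that A's `allow-recursion` actually covers C's address, and that A can still reach B on port 53, since the stub zone refresh and the recursive lookups both depend on it.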