Can we provide recursion for forward zones in response to iterative queries?
bind-lists at iano.org
Fri Apr 3 16:06:25 UTC 2020
In summary, my question is whether there is a way to configure a bind caching server to provide recursion in response to iterative queries for records in a forward type zone.
The background is that we have:
- AD domain controllers that are authoritative for all of 10.in-addr.arpa. in our data centers - most clients point to these for DNS resolution.
- Linux bind caching resolvers in our data centers - domain controllers forward to these for anything they don’t own.
- Some AWS VPCs which have been allocated subdomains of 10.in-addr.arpa. and are routable from our data centers. These have Route53 inbound endpoints which answer queries for those subdomains.
- The bind caching resolvers have forwarding rules for those subdomains to the AWS inbound endpoints.
The subdomains in our AWS VPCs have NS records, but the servers those point to refuse queries for records in the subdomains. The zone resolution is taken care of by the Route53 resolver service. The Route53 inbound endpoints successfully resolve queries from our data centers for those subdomains as long as the recursion desired flag is set to 1 in the query. If recursion desired is set to 0 they do not send any reply at all.
We want to be able to resolve PTR records in the subdomains in the AWS VPCs from our data centers where, as I said above, the clients point to the domain controllers for DNS resolution.
Because the AD domain controllers already own 10.in-addr.arpa, they refuse to allow us to configure conditional forwarding for its subdomains. So we delegated the subdomains to the inbound endpoints. Because they are delegations, the domain controllers set the recursion desired flag to 0 on the queries they send to the endpoints, and we are not getting replies from the endpoints.
As a workaround, we tried delegating to our Linux bind caching resolvers, but we ran into the same issue: the domain controllers set recursion desired to 0. As a result, when our Linux caching servers have the result in cache, the lookup is successful, but when it would require a fresh lookup it gets a reply with no answers. Hence my question: is there a way to tell our bind caching resolvers to ignore the recursion desired flag and provide recursion anyway?
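As an added illustration (not from the original post, nor code from ISC's BIND), the following Python probe builds a raw PTR query with the RD bit either set or cleared and decodes the response header, so the RD=0 versus RD=1 behaviour described above can be checked against a caching resolver or an inbound endpoint. The name 10.1.2.3 and the server address are assumed placeholders.

```python
import socket
import struct

# Constructed example PTR name for 10.1.2.3 (not a host from the post).
EXAMPLE_NAME = "3.2.1.10.in-addr.arpa"
TYPE_PTR = 12
CLASS_IN = 1

def build_ptr_query(name, txn_id=0x1234, rd=True):
    """Build a raw DNS PTR query. rd=False reproduces what a domain
    controller sends to a delegated server (RD bit cleared)."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_PTR, CLASS_IN)

def parse_header(msg):
    """Return the header fields that matter when diagnosing recursion:
    QR, RD echoed back, RA (server offers recursion), RCODE, answer count."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txn_id,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "answers": an,
    }

def probe(server, name, rd, timeout=2.0):
    """Send the query over UDP and return the parsed header, or None when
    no reply arrives (the case the post reports for RD=0 at the endpoints)."""
    query = build_ptr_query(name, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_header(data)

# Constructed sample response header: QR=1, RD=1, RA=1, NOERROR, one answer.
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    # Placeholder server address; compare the two probes side by side.
    for rd in (True, False):
        print("RD=%d ->" % rd, probe("192.0.2.53", EXAMPLE_NAME, rd))
```

A reply with RA=0 and zero answers to an RD=0 query is the cache-only behaviour the post describes for the bind resolvers; no reply at all within the timeout matches what it describes for the inbound endpoints.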