<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
On 5/6/2011 6:40 AM, <a class="moz-txt-link-abbreviated" href="mailto:iharrathi.ext@orange-ftgroup.com">iharrathi.ext@orange-ftgroup.com</a> wrote:
<blockquote
cite="mid:6490_1304678418_4DC3D012_6490_258141_1_4FA354E0A9360042BED13414F9559F7108DDB30148@PUEXCB1B.nanterre.francetelecom.fr"
type="cite">
<div dir="ltr" align="left"><span class="338120809-06052011"><font
color="#0000ff" face="Arial" size="2">Thanks for the answer
but:</font></span></div>
<ul dir="ltr">
<li>
<div align="left"><span class="338120809-06052011"><font
color="#0000ff" face="Arial" size="2">In the example I
posted yesterday: on my server1 the recursion is enabled
(recursion yes), but the server1 can't recurse because I
stop it on the firewall and it can't contact the outside.</font></span></div>
</li>
<li>
<div align="left"><span class="338120809-06052011"><font
color="#0000ff" face="Arial" size="2">You say "<font
color="#000000" face="Times New Roman" size="3">Don't
use forwarding from a recursive server to a
non-recursive server</font>" but when my server1 is
recursive (and the firewall allow it to contact the
outside), and server2 don't recurse because in it's conf
recursion is set to no, when i ask my server1 about <a
moz-do-not-send="true" href="ftp://ftp.example.com">ftp.example.com</a> (dig
@0 <a moz-do-not-send="true"
href="ftp://ftp.example.com">ftp.example.com</a>) ,
server1 forward the query to server2 which answer by the
CNAME <a moz-do-not-send="true"
href="http://www.abc.com">www.abc.com</a> and then
server1 recurse to find the IP of <a
moz-do-not-send="true" href="http://www.abc.com">www.abc.com</a>.
and everything works fine. <br>
</font></span></div>
</li>
</ul>
</blockquote>
<blockquote
cite="mid:6490_1304678418_4DC3D012_6490_258141_1_4FA354E0A9360042BED13414F9559F7108DDB30148@PUEXCB1B.nanterre.francetelecom.fr"
type="cite">
<ul dir="ltr">
<li>
<div align="left"><span class="338120809-06052011"><font
color="#0000ff" face="Arial" size="2">you say "<font
color="#000000" face="Times New Roman" size="3">If
server 2 is auth-only or otherwise can't resolve the
address of </font><a moz-do-not-send="true"
href="http://www.abc.com/"><font face="Times New
Roman" size="3">www.abc.com</font></a><font
color="#000000" face="Times New Roman" size="3">, then
forwarding a query to it is not going to work.</font>"
No as i say when server1 really recurse ( recursion yes,
and the firewall allow the server1 to contact outside)
and server2 don't recurse (recursion no) all is ok:
server1 forward the query to server2 which answer by the
CNAME <a moz-do-not-send="true"
href="http://www.abc.com/">www.abc.com</a> and then
server1 recurse to find the IP of <a
moz-do-not-send="true" href="http://www.abc.com/">www.abc.com</a>.
and everything works fine. </font></span></div>
</li>
<li>
<div align="left"><span class="338120809-06052011"><font
color="#0000ff" face="Arial" size="2">You say "<font
color="#000000" face="Times New Roman" size="3">then
using a stub zone for </font><a
moz-do-not-send="true" href="http://example.com/"><font
face="Times New Roman" size="3">example.com</font></a><font
color="#000000" face="Times New Roman" size="3"> will
work</font>", why i will use a stub zone since a
forward do the same thing expected.</font></span></div>
</li>
</ul>
<div dir="ltr" align="left"><span class="338120809-06052011"><font
color="#0000ff" face="Arial" size="2">And my question is
always this:</font></span></div>
<div dir="ltr" align="left"><span class="338120809-06052011"><font
color="#0000ff" face="Arial" size="2">forward only; as I
read, means a recursive query, in other terms a query with the
RD bit enabled. Which means that when my server1 (which
has recursion yes but can't recurse because the firewall
doesn't allow it to contact the outside, which finally
means server1 can't recurse) asks server2 about <a
moz-do-not-send="true" href="ftp://ftp.example.com">ftp.example.com</a>,
server2 will normally do all the work, meaning it reads
its zone, then finds the CNAME, then makes a recursion to
resolve the CNAME and finally sends the IP to server1.</font></span></div>
<div dir="ltr" align="left"><span class="338120809-06052011"><font
color="#0000ff" face="Arial" size="2">Why doesn't server2
recurse to find the IP of <a class="moz-txt-link-abbreviated" href="http://www.abc.com">www.abc.com</a>?</font></span></div>
</blockquote>
According to your own words: "server2 don't [sic] recurse because in
it's [sic] conf recursion is set to no". There's your answer.<br>
<br>
Why are you dealing with such screwy configs anyway? If you need to
resolve things from the Internet, then you need to have a resolution
path to the Internet (either directly talking to Internet
nameservers, or some forwarding chain -- hopefully as short as
possible, preferably 0-length -- to something that can query
Internet nameservers directly). If, on the other hand, you need to
resolve something internal, then you only need to have an
authoritative source of that information internally. Why are you
complicating things more than they need to be? Setting recursion and
then blocking it via a firewall? What purpose does that serve?<br>
<br>
- Kevin<br>
<blockquote
cite="mid:6490_1304678418_4DC3D012_6490_258141_1_4FA354E0A9360042BED13414F9559F7108DDB30148@PUEXCB1B.nanterre.francetelecom.fr"
type="cite">
<div dir="ltr" align="left"><span class="338120809-06052011"></span> </div>
<div dir="ltr" align="left"><span class="338120809-06052011"><font
color="#0000ff" face="Arial" size="2">thanks for your help.</font></span></div>
<div dir="ltr" align="left"><span class="338120809-06052011"></span> </div>
<br>
<blockquote style="margin-right: 0px;">
<div class="OutlookMessageHeader" dir="ltr" align="left"
lang="fr">
<hr tabindex="-1"> <font face="Tahoma" size="2"><b>From:</b>
Chris Buxton [<a class="moz-txt-link-freetext" href="mailto:chris.p.buxton@gmail.com">mailto:chris.p.buxton@gmail.com</a>] <br>
<b>Sent:</b> Thursday, May 5, 2011 19:47<br>
<b>To:</b> HARRATHI Issam Ext OLNC/DPS<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<b>Subject:</b> Re: forward first: iterative or recursive
query<br>
</font><br>
</div>
<div>If recursion is disabled, forwarding doesn't happen. I
think you've confused some terms and configurations.</div>
<div><br>
</div>
<div>Don't use forwarding from a recursive server to a
non-recursive server. Use a stub zone instead, if you can't
rely on the recursion process to find the correct server to
query.</div>
<div><br>
</div>
<div>If server 2 is auth-only or otherwise can't resolve the
address of <a moz-do-not-send="true"
href="http://www.abc.com">www.abc.com</a>, then forwarding a
query to it is not going to work. However, if server 1 is a
caching server and is able to resolve <a
moz-do-not-send="true" href="http://www.abc.com">www.abc.com</a>,
then using a stub zone for <a moz-do-not-send="true"
href="http://example.com">example.com</a> will work; server
2 will send the CNAME record to server 1, and then server 1
will resolve the final address record on its own.</div>
<div><br>
</div>
<div>Chris Buxton</div>
<div>BlueCat Networks</div>
<br>
<div>
<div>On May 5, 2011, at 2:15 AM, &lt;<a moz-do-not-send="true"
href="mailto:iharrathi.ext@orange-ftgroup.com">iharrathi.ext@orange-ftgroup.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div style="word-wrap: break-word;">
<div dir="ltr" align="left"><span
class="144575708-05052011"><font color="#0000ff"
face="Arial" size="2">Hi,</font></span></div>
<div dir="ltr" align="left"><span
class="144575708-05052011"><font color="#0000ff"
face="Arial" size="2">i have a server called
server1 that is acting as a cache server( recursion
none). And i forward the zone <a
moz-do-not-send="true" href="http://example.com">example.com</a>
to server2 which has recursion enabled and master on
some zone like <a moz-do-not-send="true"
href="http://example.com">example.com</a>.</font></span></div>
<div dir="ltr" align="left"><span
class="144575708-05052011"> <font color="#0000ff"
face="Arial" size="2">this is the forwarding zone on
server1:</font></span></div>
<div dir="ltr" align="left"><span
class="144575708-05052011"><font color="#0000ff"
face="Arial" size="2">zone "example.com"
{<br>
type forward;<br>
forward only;<br>
forwarders { IP_of server2; };<br>
};<br>
</font></span></div>
<div><span class="144575708-05052011"><font
color="#0000ff" face="Arial" size="2">and server2 is
master of the zone <a moz-do-not-send="true"
href="http://example.com">example.com</a>:</font></span></div>
<div><span class="144575708-05052011"><font
color="#0000ff" face="Arial" size="2"><br>
zone "example.com" {<br>
type master;<br>
file "master/db.example.com";<br>
};</font></span></div>
<div> </div>
<div> </div>
<div><span class="144575708-05052011"><font
color="#0000ff" face="Arial" size="2">BUT the
problem is here:</font></span></div>
<div><span class="144575708-05052011"><font
color="#0000ff" face="Arial" size="2">db.example.com:</font></span></div>
<div><span class="144575708-05052011"><font
color="#0000ff" face="Arial" size="2">....</font></span></div>
<div><span class="144575708-05052011"><font
color="#0000ff" face="Arial" size="2">$ORIGIN example.com.</font></span></div>
<div><span class="144575708-05052011"><font
color="#0000ff" face="Arial" size="2">www
A 1.2.3.4</font></span></div>
<div><span class="144575708-05052011"><font
color="#0000ff" face="Arial" size="2">ftp
CNAME www.abc.com</font></span></div>
<div><span class="144575708-05052011"></span> </div>
<div><span class="144575708-05052011"></span> </div>
<div><span class="144575708-05052011"></span> </div>
<div><span class="144575708-05052011"><font
color="#0000ff" face="Arial" size="2">server1 can
resolve <a moz-do-not-send="true"
href="http://www.example.com/">www.example.com</a>,
but can't resolve <a moz-do-not-send="true"
href="ftp://ftp.example.com">ftp.example.com</a>
since the server2 sends the answer which is <a
moz-do-not-send="true" href="http://www.abc.com/">www.abc.com</a>
and not the IP, and my server1 can't make recursion
to resolve <a moz-do-not-send="true"
href="http://www.abc.com/">www.abc.com</a>.</font></span></div>
<div><span class="144575708-05052011"></span> </div>
<div><span class="144575708-05052011"><font
color="#0000ff" face="Arial" size="2">why?</font></span></div>
<div><span class="144575708-05052011"><font
color="#0000ff" face="Arial" size="2">from server1
when i dig on server2: dig @IP-server2 <a
moz-do-not-send="true"
href="http://www.example.com/">www.example.com</a>
it sends to me the IP, all is OK!!! but with a
forwarding statement it sends only the CNAME</font></span></div>
<div><span class="144575708-05052011"></span> </div>
<div><font color="#0000ff" face="Arial" size="2"><span
class="144575708-05052011">server1 is
bind9.6-ESV-R4 and server2 bind-9.4.2</span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span
class="144575708-05052011"></span></font> </div>
<div><font color="#0000ff" face="Arial" size="2"><span
class="144575708-05052011">Thanks.</span></font></div>
<div><font color="#0000ff" face="Arial" size="2"><span
class="144575708-05052011">Issam HARRATHI</span></font></div>
<div><br>
</div>
<blockquote style="margin-right: 0px;">
<div class="OutlookMessageHeader" dir="ltr" align="left"
lang="fr">
<hr tabindex="-1"> <font face="Tahoma" size="2"><b>From:</b>
Chris Buxton [<a class="moz-txt-link-freetext" href="mailto:chris.p.buxton@gmail.com">mailto:chris.p.buxton@gmail.com</a>] <br>
<b>Sent:</b> Wednesday, May 4, 2011 08:49<br>
<b>To:</b> HARRATHI Issam Ext OLNC/DPS<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<b>Subject:</b> Re: forward first: iterative or
recursive query<br>
</font><br>
</div>
<div>With a static-stub zone, you would get an iterative
query. Forwarding always results in a recursive query.</div>
<div><br>
</div>
<div>How are you determining that your server is sending
an iterative query?</div>
<div><br>
</div>
<div>Can we (the list) see your named.conf?</div>
<div><br>
</div>
<div>Regards,</div>
<div>Chris Buxton</div>
<div>BlueCat Networks</div>
<br>
<div>
<div>On May 3, 2011, at 5:21 AM, &lt;<a
moz-do-not-send="true"
href="mailto:iharrathi.ext@orange-ftgroup.com">iharrathi.ext@orange-ftgroup.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div>
<div><font face="Arial" size="2"><span
class="410301012-03052011">Hi</span></font></div>
<div><font face="Arial" size="2"><span
class="410301012-03052011">from the book DNS
and Bind 5th edition [french] (o'reilly)</span></font></div>
<div><font face="Arial" size="2"><span
class="410301012-03052011">I read that
the forward with the mode first sends a
recursive query to the servers on the
forwarders list, but as i see it only sends
an iterative query. Also with forward only
it sends an iterative query.</span></font></div>
<div><font face="Arial" size="2"><span
class="410301012-03052011">So forward first
sends an iterative or recursive query?</span></font></div>
<div><font face="Arial" size="2"><span
class="410301012-03052011"></span></font> </div>
<div><font face="Arial" size="2"><span
class="410301012-03052011">And how i can
send a recursive query with the statement
forward ( without using static-stub)</span></font></div>
<div><font face="Arial" size="2"><span
class="410301012-03052011">I'm using
bind-9.6-ESV-R4</span></font></div>
<div><font face="Arial" size="2"><span
class="410301012-03052011"></span></font> </div>
<div><font face="Arial" size="2"><span
class="410301012-03052011">Thanks.</span></font></div>
<div><font face="Arial" size="2"><span
class="410301012-03052011">Issam HARRATHI.</span></font></div>
<pre>********************************************************************************
IMPORTANT.Les informations contenues dans ce message electronique y compris les fichiers attaches sont strictement confidentielles
et peuvent etre protegees par la loi.
Ce message electronique est destine exclusivement au(x) destinataire(s) mentionne(s) ci-dessus.
Si vous avez recu ce message par erreur ou s il ne vous est pas destine, veuillez immediatement le signaler a l expediteur et effacer ce message
et tous les fichiers eventuellement attaches.
Toute lecture, exploitation ou transmission des informations contenues dans ce message est interdite.
Tout message electronique est susceptible d alteration.
A ce titre, le Groupe France Telecom decline toute responsabilite notamment s il a ete altere, deforme ou falsifie.
De meme, il appartient au destinataire de s assurer de l absence de tout virus.
IMPORTANT.This e-mail message and any attachments are strictly confidential and may be protected by law. This message is
intended only for the named recipient(s) above.
If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message.
Any unauthorized view, usage or disclosure ofthis message is prohibited.
Since e-mail messages may not be reliable, France Telecom Group shall not be liable for any message if modified, changed or falsified.
Additionally the recipient should ensure they are actually virus free.
********************************************************************************
</pre>
</div>
_______________________________________________<br>
bind-users mailing list<br>
<a moz-do-not-send="true"
href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a moz-do-not-send="true"
href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a></blockquote>
</div>
<br>
</blockquote>
</div>
</blockquote>
</div>
<br>
</blockquote>
</blockquote>
<br>
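<p>Added example (not written by any poster in this thread): a small Python decoder for the header bits the thread turns on, RD in the query and AA/RA in the reply, applied to a constructed reply of the kind an authoritative-only server2 would give for ftp.example.com. The message ID, TTL and all function names are assumptions made for the illustration.</p>

```python
import struct

A, CNAME = 1, 5  # RR type codes (RFC 1035)

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(qname, rd, msg_id=0x1234):
    """A/IN query; rd=True is what a forwarder sends, rd=False an iterative query."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", A, 1)

def read_name(msg, off):
    """Return (name, offset after the name), following compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:            # compression pointer
            hops += 1
            if hops > 16:                 # guard against pointer loops
                raise ValueError("compression loop")
            if end is None:
                end = off + 2
            off = (n & 0x3F) * 256 + msg[off + 1]
        elif n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def inspect(msg):
    """Decode the header flags and answer section of a DNS message."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "answers": []}
    off = 12
    for _ in range(qd):                   # skip question: name + type + class
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == CNAME:
            data = read_name(msg, off)[0]
        else:                             # A records print as a dotted quad
            data = ".".join(str(b) for b in msg[off:off + rdlen])
        info["answers"].append((owner, rtype, data))
        off += rdlen
    return info

def dangling_cname(info):
    """Reply stops at a CNAME and the responder does not offer recursion (RA=0)."""
    types = [t for _, t, _ in info["answers"]]
    return info["qr"] and not info["ra"] and CNAME in types and A not in types

def sample_reply():
    """Constructed reply: authoritative-only server answering for ftp.example.com."""
    target = encode_name("www.abc.com")
    header = struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0)  # QR|AA|RD, RA clear
    rr = b"\xc0\x0c" + struct.pack("!HHIH", CNAME, 1, 3600, len(target)) + target
    return header + build_query("ftp.example.com", True)[12:] + rr
```

<p>When dangling_cname() is true for the reply, the querying server has to chase the CNAME target itself, which it can only do if it has a working resolution path of its own.</p>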
</body>
</html>