<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi!<br>
</p>
<div class="moz-cite-prefix">On 1/17/22 11:46, ONRUBIA AVILES Carlos
(CCS/MST) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:AM8PR08MB65321D4A1E07ECB374AD735FCA579@AM8PR08MB6532.eurprd08.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">Hello,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Maybe someone can help me with the
following problem:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">My name server is authoritative for the
following domain “toto.be”:</p>
<p class="MsoNormal">zone "toto.be." {</p>
<p class="MsoNormal"> type master;</p>
<p class="MsoNormal"> file "/etc/masterdns.db";</p>
<p class="MsoNormal">};</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">But I would like the subdomain
“titi.toto.be” to be resolved not from my masterdns.db file but
through the normal process via the internet.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I have tried 2 solutions but they do not
work:</p>
<p class="MsoNormal"> </p>
<ol type="1" start="1">
<li class="MsoListParagraph">Adding a forward for this
subdomain:</li>
</ol>
<p class="MsoNormal"> </p>
<p class="MsoNormal">zone "titi.toto.be." {</p>
<p class="MsoNormal">type forward;</p>
<p class="MsoNormal">forwarders {1.2.3.4; 5.6.7.8;}; // IPs
of the DNS cache servers</p>
<p class="MsoNormal">forward only;</p>
<p class="MsoNormal">};</p>
<p class="MsoNormal"> </p>
<ul type="disc">
<li class="MsoListParagraph">This does not seem to work. Is it
not possible to add subdomain forwarding?</li>
</ul>
</div>
</blockquote>
<p>No, because an authoritative zone knows what is inside the zone
and what is not. If titi.toto.be is not in the zone, it would
respond NXDOMAIN to any name under it, regardless of the forwarders
specified. If the specified forwarders are authoritative for the
titi.toto.be zone, just direct any server there. Note that those
cache servers would be contacted by any recursive server on the
internet; they have to be reachable and allow queries for that zone
from anyone.</p>
<br>
<blockquote type="cite"
cite="mid:AM8PR08MB65321D4A1E07ECB374AD735FCA579@AM8PR08MB6532.eurprd08.prod.outlook.com">
<div class="WordSection1"> <br>
<ol type="1" start="2">
<li class="MsoListParagraph">Using the cache servers directly
as NS:</li>
</ol>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Cache.proximus.be. IN A 1.2.3.4
</p>
<p class="MsoNormal">Cache.proximus.be. IN A 5.6.7.8
</p>
<p class="MsoNormal">Titi.toto.be. IN
NS cache.proximus.be.</p>
<p class="MsoNormal"> </p>
<ul type="disc">
<li class="MsoListParagraph">This does not always work: if
“titi.toto.be” is not in the cache at that moment, the cache
will answer SERVFAIL and not do the recursion. (I guess the
query via this method is sent with the “Recursion Desired”
flag set to false.)</li>
</ul>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">So my question is: Is it possible to
configure what I am trying to do?</p>
</div>
</blockquote>
<p>Recursive servers which query your authoritative server want to
do the recursion themselves. They send queries without the recursion
ok bit, meaning they want to speak to an authoritative server only.
cache.proximus.be would have to be authoritative for the titi.toto.be
zone and answer everyone from the internet. It cannot be hidden
behind your authoritative server.</p>
<p>The output of the "dig @cache.proximus.be +norec titi.toto.be"
command should contain the aa flag. If that cache does not know how
to be authoritative, it has to serve a zone not under the primary or
secondary zones of your server. dnsmasq knows --auth-zone for similar
queries, for example.<br>
</p>
<blockquote type="cite"
cite="mid:AM8PR08MB65321D4A1E07ECB374AD735FCA579@AM8PR08MB6532.eurprd08.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal">Thanks in advance for your feedback,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Carlos,</p>
<p class="MsoNormal"><b><span>Carlos Onrubia Aviles</span></b><span><br>
Solution Engineer | </span><span>WIFI @ INTERNET
TECHNOLOGIES</span></p>
<br>
</div>
</blockquote>
Cheers,<br>
Petr<br>
<pre class="moz-signature" cols="72">--
Petr Menšík
Software Engineer
Red Hat, <a class="moz-txt-link-freetext" href="http://www.redhat.com/">http://www.redhat.com/</a>
email: <a class="moz-txt-link-abbreviated" href="mailto:pemensik@redhat.com">pemensik@redhat.com</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
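<p>The check described in the reply above (send a query with Recursion
Desired cleared, as dig +norec does, and look for the aa flag), as an
added example that is not part of the original messages. The sample
replies are constructed header-only messages, not captured traffic,
and all function names are illustrative.</p>
<pre>
```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, qid=0x1234, rd=False):
    """Encode a DNS query. rd=False clears Recursion Desired, like dig +norec."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg[:12]) != 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "ancount": an, "nscount": ns}

def delegation_check(msg):
    """Return (usable_as_ns, rcode_name) for a reply to a non-recursive query."""
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("message is a query, not a response")
    rcode = RCODES.get(h["rcode"], "RCODE%d" % h["rcode"])
    # Only a reply with AA set shows that the server holds the zone itself.
    return (h["aa"] and h["rcode"] in (0, 3), rcode)

def ask(server, name, timeout=3.0):
    """Live check over UDP (needs network access); server is an IP address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return delegation_check(s.recvfrom(4096)[0])

# Constructed sample replies (header only), not captured traffic.
def sample_reply(flags, ancount=0):
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

SAMPLE_AUTHORITATIVE = sample_reply(0x8400, 1)  # QR + AA, one answer
SAMPLE_CACHE_MISS = sample_reply(0x8082)        # QR + RA, rcode SERVFAIL
SAMPLE_CACHE_HIT = sample_reply(0x8080, 1)      # QR + RA, cached answer, no AA

if __name__ == "__main__":
    for label in ("SAMPLE_AUTHORITATIVE", "SAMPLE_CACHE_MISS", "SAMPLE_CACHE_HIT"):
        print(label, delegation_check(globals()[label]))
```
</pre>
<p>A cache that happens to hold the name still fails the check, because
its answer carries no aa flag.</p>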
</body>
</html>