Re: Single Zone Forwarding Dilemma

2009-06-05 Thread Ben Croswell
If you want to force forwarding you will probably want to add the "forward
only;" directive.
By default your server will try to follow NS delegations and then forward if
it can't follow them.
"forward only;" tells it to not even bother trying to follow NS delegations.


-- 
-Ben Croswell


On Fri, Jun 5, 2009 at 11:00 PM, Mark S. Turczan wrote:

> Folks,
>
> I'm trying to understand the behavior of a single zone that I'm forwarding
> queries for.
>
> Essentially, when I do a dig fwd.zone.net SOA the request seems to be
> properly forwarded to the nameservers in the forward statement. I've
> verified this with tcpdump running on my primary nameserver.
>
> But when I attempt to resolve a host record in fwd.zone.net it doesn't
> seem to be forwarded to the proper nameservers and instead goes out to the
> Internet.
>
> I've verified that the host record exists on the remote nameservers to
> which I am forwarding by looking up the record directly from the remote
> nameserver.
>
> This is what the forwarded zone's configuration looks like:
>
> // zone: fwd.zone.net
> zone "fwd.zone.net"
> {
>type forward;
>forwarders { ; ; };
> };
>
> Am I correct in understanding that each and every query for any record in
> the forwarded zone should be forwarded to the specified nameservers and not
> go out to the Internet? BTW, I'm running BIND 9.3.5-P1.
>
> Regards,
>
> Mark
>
>
>
>
> ___
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
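
Ben's advice as a config audit, added here as an example (it is not code from
the thread): it scans a named.conf, reports every "type forward" zone with its
effective mode, and flags the ones still on BIND's default "forward first",
the mode in which named will go and follow NS delegations on its own when the
forwarders do not answer. The embedded configuration is constructed for the
example; the forwarder addresses are RFC 5737 documentation addresses standing
in for the ones stripped from Mark's post, and the parser only understands
top-level "options" and "zone" blocks (zones inside "view" blocks are not seen).

```python
"""Audit the `type forward` zones in a named.conf for their effective
forward mode.  Added example for the thread above, not code from the post.

Assumed: comments are // # or /* */; only top-level `options` and
`zone "name" [class] { ... };` blocks are examined (zones inside `view`
blocks are not seen); a zone-level `forward` statement overrides the one
in `options`, and `first` is the default when neither says anything.
"""
import re

FORWARD_RE = re.compile(r"\bforward\s+(only|first)\s*;")
TYPE_RE = re.compile(r"\btype\s+(\w+)\s*;")
FORWARDERS_RE = re.compile(r"\bforwarders\s*\{([^}]*)\}")
ZONE_RE = re.compile(r'^zone\s+"([^"]+)"')


def strip_comments(text):
    """Remove /* */, // and # comments before parsing."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)


def top_level_blocks(text):
    """Return (statement, body) for every depth-0 `statement { body };`."""
    blocks, i = [], 0
    while True:
        start = text.find("{", i)
        if start < 0:
            return blocks
        # the statement is whatever follows the previous ';' before this brace
        stmt = text[i:start].split(";")[-1].strip()
        depth, k = 1, start + 1
        while k < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[k], 0)
            k += 1
        blocks.append((stmt, text[start + 1:k - 1]))
        i = k


def audit_forward_zones(conf_text):
    """One dict per forward zone: name, effective mode, forwarder list."""
    blocks = top_level_blocks(strip_comments(conf_text))
    global_mode = "first"  # BIND's default when `options` is silent
    for stmt, body in blocks:
        if stmt == "options" and FORWARD_RE.search(body):
            global_mode = FORWARD_RE.search(body).group(1)
    findings = []
    for stmt, body in blocks:
        zone, ztype = ZONE_RE.match(stmt), TYPE_RE.search(body)
        if not zone or not ztype or ztype.group(1) != "forward":
            continue
        local = FORWARD_RE.search(body)
        fwd = FORWARDERS_RE.search(body)
        servers = (fwd.group(1) if fwd else "").split(";")
        findings.append({
            "zone": zone.group(1),
            "mode": local.group(1) if local else global_mode,
            "forwarders": [s.strip() for s in servers if s.strip()],
        })
    return findings


def report(conf_text):
    """Readable verdicts.  `first` is the case from the thread: when the
    forwarders do not answer, named walks the NS delegations itself."""
    lines = []
    for f in audit_forward_zones(conf_text):
        if not f["forwarders"]:
            verdict = "no forwarders listed: resolved by ordinary recursion"
        elif f["mode"] == "first":
            verdict = "forward first: recurses on its own if forwarders fail"
        else:
            verdict = "forward only: never recurses; fails if forwarders are down"
        lines.append("%s -> %s [%s]" % (f["zone"], verdict, ", ".join(f["forwarders"])))
    return lines


# Constructed config: the zone from the post with RFC 5737 documentation
# addresses in place of the forwarders that were stripped from it.
SAMPLE_CONF = """
options {
    directory "/var/named";   // comment syntax 1
    forward first;            # comment syntax 2
};
zone "fwd.zone.net" {
    type forward;
    forwarders { 192.0.2.1; 192.0.2.2; };   /* inherits `forward first` */
};
zone "corp.example" IN {
    type forward;
    forward only;
    forwarders { 198.51.100.1 port 5353; };
};
zone "example.com" { type master; file "example.com.zone"; };
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)))
```

To audit a real server, pass the contents of its named.conf to
audit_forward_zones(). A forward zone whose forwarders are internal-only
servers should come back as "forward only"; on "forward first", any outage of
those forwarders quietly turns the zone's queries into Internet recursion,
which is the behaviour Mark saw with tcpdump.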

Single Zone Forwarding Dilemma

2009-06-05 Thread Mark S. Turczan

Folks,

I'm trying to understand the behavior of a single zone that I'm  
forwarding queries for.


Essentially, when I do a dig fwd.zone.net SOA the request seems to be  
properly forwarded to the nameservers in the forward statement. I've  
verified this with tcpdump running on my primary nameserver.


But when I attempt to resolve a host record in fwd.zone.net it doesn't  
seem to be forwarded to the proper nameservers and instead goes out to  
the Internet.


I've verified that the host record exists on the remote nameservers to  
which I am forwarding by looking up the record directly from the  
remote nameserver.


This is what the forwarded zone's configuration looks like:

// zone: fwd.zone.net
zone "fwd.zone.net"
{
type forward;
forwarders { ; ; };
};

Am I correct in understanding that each and every query for any record  
in the forwarded zone should be forwarded to the specified nameservers  
and not go out to the Internet? BTW, I'm running BIND 9.3.5-P1.


Regards,

Mark






Re: publish bind9 server

2009-06-05 Thread Matus UHLAR - fantomas
Hello,

On 05.06.09 14:07, Javier Martinez wrote:
> In my current project, we are using a bind9 server to assign web requests
> to different amazon ec2 computers. When a request is incoming, bind server
> (A) resolves the computer that has the specified subdomain and redirects
> the request to that computer (B).

please configure your mailer to wrap lines below 80 characters per line.
72 to 75 is usually OK.

Thank you.

> For example, we have a computer that hosts the domain "test.midomain.com".
> The bind server is where the "midomain.com" goes. So, the service must
> redirect the request "test.midomain.com" to another computer.

> Now I don't know what I have to do to publish this server to work outside.
> If I try to go in my local browser to "test.midomain.com" I don't get
> response.

There's nothing like "publish a server". You must delegate
test.midomain.com to your server in midomain.com, which means that the
midomain.com maintainer must put NS records for "test.midomain.com"
there, pointing to your server.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
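
The delegation Matus describes, checked from the parent's side (added example;
not code from the thread): given the midomain.com zone text, it looks for NS
records for test.midomain.com and, because the nameserver's own name lies
under the delegated name, for the glue A record the parent must also carry, a
detail the reply does not spell out. The zone text is constructed, with
203.0.113.0/24 documentation addresses; a real check would use the zone file
the midomain.com maintainer actually serves.

```python
"""Check that a parent zone really delegates a child the way the reply
describes: NS records for the child must exist in the parent, and any
nameserver whose own name sits under the child needs glue (A/AAAA) in the
parent or resolvers cannot find it.  Added example, not code from the thread.

Assumed: an explicit $ORIGIN, one record per line (no ( ) folds, no
$INCLUDE), and RFC 5737 addresses in the constructed zone below.
"""


def qualify(name, origin):
    """Absolute, lower-case form of a zone-file name."""
    name = name.lower()
    if name == "@":
        return origin.lower()
    return name if name.endswith(".") else name + "." + origin.lower()


def parse_zone(text, origin=None):
    """Return (owner, type, rdata) triples; NS targets are made absolute."""
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):  # $TTL and friends do not matter here
            continue
        tok = line.split()
        # leading whitespace means "same owner as the previous record"
        owner = last_owner if raw[:1].isspace() else qualify(tok.pop(0), origin)
        last_owner = owner
        while tok and (tok[0].isdigit() or tok[0].upper() in ("IN", "CH", "HS")):
            tok.pop(0)  # optional TTL and class
        rtype, rdata = tok[0].upper(), " ".join(tok[1:])
        if rtype == "NS":
            rdata = qualify(rdata, origin)
        records.append((owner, rtype, rdata))
    return records


def check_delegation(parent_zone_text, child, origin=None):
    """Problems with the delegation of `child`; an empty list means the
    parent has NS records and glue wherever glue is required."""
    child = child.lower().rstrip(".") + "."
    recs = parse_zone(parent_zone_text, origin)
    servers = [rd for o, t, rd in recs if o == child and t == "NS"]
    if not servers:
        return ["no NS records for %s in the parent zone" % child]
    problems = []
    for ns in servers:
        in_bailiwick = ns == child or ns.endswith("." + child)
        glue = [rd for o, t, rd in recs if o == ns and t in ("A", "AAAA")]
        if in_bailiwick and not glue:
            problems.append("%s is under %s but has no A/AAAA glue in the parent" % (ns, child))
    return problems


# Constructed parent zone: midomain.com delegating test.midomain.com to
# server A from the thread, plus a second delegation that forgot its glue.
SAMPLE_PARENT = """\
$ORIGIN midomain.com.
$TTL 3600
@        IN SOA  ns1.midomain.com. hostmaster.midomain.com. 2009060501 7200 900 1209600 3600
         IN NS   ns1.midomain.com.
ns1      IN A    203.0.113.1
www      IN A    203.0.113.10
test     IN NS   ns1.test.midomain.com.
ns1.test IN A    203.0.113.20   ; glue: ns1.test is inside the delegated zone
broken   IN NS   ns.broken.midomain.com.
"""

if __name__ == "__main__":
    for child in ("test.midomain.com", "broken.midomain.com"):
        print(child, check_delegation(SAMPLE_PARENT, child) or "delegated with glue")
```

From outside, "dig +trace test.midomain.com" walks the delegation down from
the root and shows whether the midomain.com servers hand out those NS and glue
records; until they do, a browser's resolver has no way to reach server A,
which is consistent with the missing response Javier describes.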


Re: Newbie setup help

2009-06-05 Thread Dimitri Yioulos
On Friday 05 June 2009 12:04:28 pm you wrote:
> > we are using a combination of host files and
> > DNS from our AD system currently.
>
> I'm not the final authority at all of this, but
> I maintain a similar arrangement for my
> company, so let me see if I can assist. First
> off, probably best to minimize or eliminate the
> host files, as they are simply likely to cause
> confusion down the line. It's best to
> centralize name services under one model
> whenever possible. Do so once you have bind
> configured the way you want it to be.
>
> > Our internal
> > domain is "intdomain", our (primary) external
> > domains are "external.com" &
> > "externalinfo.com".
> >
> > Our internal windows machines need to
> > point "externalinfo.com" to our outside
> > production IPs at the colo but our linux
> > machines need the names to resolve to their
> > inside IPs. So I would like to have a DNS
> > server at the COLO that the RH machines can
> > get internal addresses from for
> > "externalinfo"/"external" outside and relay
> > requests for internal to the AD server.
> >
> > Would someone be kind enough to help me flesh
> > out how to set this up or, if there are
> > example setup scenarios out there, where I
> > might find them.
>
> You didn't specify clearly whether 'intdomain'
> is actually a real and separate domain, as in
> 'intdomain.com', or if it is a different 'view'
> from 'external.com', as defined by bind's
> 'views' capabilities. Clarifying that would be
> helpful in any assistance we might be able to
> provide.
>
> Next, it would be helpful to clarify whether
> you wish, or have any intention of running
> nameservers at your office location, or want to
> have them only running at your colo. It sounds
> like you are equipped to provide service for
> you office internally, and if that is the
> intention, we can steer you appropriately. From
> the look of your goals regarding your local
> linux boxes, this is probably the best plan,
> though it is actually possible (though not
> terribly logical) to have these computers
> seeing internal records from a remote server.
>
> Your goals are lofty enough to warrant picking
> up the O'Reilly DNS & BIND book, and spending
> an evening inside it, or by reading the BIND
> documentation, which is more up-to-date, though
> a hair less personable a read.
>
> Get back on these matters, and we can go from
> there.
>
> Steven

Steven,

Thanks for the great reply!  The project was just 
passed along to me (and so I jumped on the list 
immediately to get help), so I still need to pull 
together details.  Your post is helpful in 
allowing me to ask the right questions.  More 
details to follow as I get them.  And, boy, do I 
appreciate the help, as unemployment is not an 
option!

Also, I'll get a copy of the O'Reilly book.

Dimitri



Newbie setup help

2009-06-05 Thread Dimitri Yioulos
Hello to all.

While I'm a seasoned sysadmin, I must admit that 
I've never worked with BIND ... until now.  I'm 
tasked with setting up DNS on a colocated Linux 
server.  Here's more info., as provided by a 
manager, who thinks I know all about BIND (no, I 
didn't lie to him.  He ASSumed, and I wasn't 
about to tell him I couldn't do it):

DNS, we are using a combination of host files and 
DNS from our AD system currently. Our internal 
domain is "intdomain", our (primary) external 
domains are "external.com" & "externalinfo.com". 
Our internal windows machines need to 
point "externalinfo.com" to our outside 
production IPs at the colo but our linux machines 
need the names to resolve to their inside IPs. So 
I would like to have a DNS server at the COLO 
that the RH machines can get internal addresses 
from for "externalinfo"/"external" outside and 
relay requests for internal to the AD server.

Would someone be kind enough to help me flesh out 
how to set this up or, if there are example setup 
scenarios out there, where I might find them.

I would be most grateful!

Dimitri



RE: Trying to understand DNSSEC and BIND versions better

2009-06-05 Thread Jeff Lightner
BIND versions on RHEL (e.g. 9.3.4-6.0.3.P1.el5_2) have backported
patches from later BIND versions, so it isn't exactly the same animal as
the EOL 9.3, which is why it isn't listed simply as 9.3.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark Andrews
Sent: Friday, June 05, 2009 12:23 AM
To: Chris Adams
Cc: comp-protocols-dns-b...@isc.org
Subject: Re: Trying to understand DNSSEC and BIND versions better 


In message , Chris Adams writes:
> Since I read that the root is supposed to be signed by the end of the
> year, I am just trying to understand DNSSEC support and the various
> versions of BIND a little better here, so please don't throw too many
> rocks if I ask something stupid...
> 
> I run the nameservers for an ISP.  For the recursive servers, what are
> the hazzards in enabling DNSSEC (once the root is signed, so no DLV
> necessary I guess)?

Once the root is signed you will be able to validate answers
where there is an unbroken chain of trust.  DLV will still be
useful for zones where the TLD isn't yet signed or there is
another break in the chain of trust.

> I know the things that generally break with
> "regular" DNS, but I don't know that with DNSSEC (I know there have
been
> DLV troubles but that's it).

Not having a clean EDNS path between the validator and
authoritative server can result in validation failures.
EDNS responses are bigger than plain DNS and may result in
fragmented responses.  You need to ensure that any NATs and
firewalls are configured to handle fragmented UDP responses
up to 4096 bytes with a modern BIND.  Any forwarders used
should also support EDNS and preferably be performing
validation as well.

Failure to re-sign a zone will cause lookups to fail.
Failure to update DS records on DNSKEY changes will cause
lookups to fail.  Failure to update DLV records on DNSKEY
changes will cause lookups to fail.

"dig +cd +dnssec " is your friend.  This will let
you see what is failing to validate.

"dig +cd +multi DNSKEY " will provide you with the
keyids necessary to check the signatures.

"dig +cd +multi DS " will provide you with the DS
records so you can check the linkage between parent and
child.  Look at the key id field.

"dig +cd +multi DLV ." will provide you with the DS
records so you can check the linkage between parent and
child.  Look at the key id field.

If the zone is using NSEC3 then nsec3hash can be used to
work out whether the NSEC3 records are sane.

"date -u +%Y%m%d%H%M%S" returns the system date in a form
that is easy to compare to the dates in the RRSIG records.

An understanding of how DNSSEC works is useful.

Checking if you get a DNSKEY returned, without +cd, at each zone
cut is useful for working out where to examine more closely.

dig, date and an understanding of DNSSEC are all you should
need to identify a configuration error.  If the key ids match
and the timestamps are good and the associated NSEC/NSEC3 appear
to be sane then you will most probably have found an
implementation bug.

> Currently, my servers run BIND 9.3.4-10.P1 (as patched by Red Hat in
> RHEL; we typically stick with their security patched version, since
> that's what we pay them for).  What does that mean with .ORG for
> example, where NSEC3 is used?  Would we just not see NXDOMAIN responses
> as validated (and what happens to unvalidated responses)?  I've put in a
> request to Red Hat to update to a version that supports NSEC3 but I
> don't know what their response will be yet.

BIND 9.3 is already at EOL.

> For our authoritative servers, we'll need to set up a system to sign the
> zones.  Is it expected that ISPs will sign every zone they serve, or
> just the domains we consider "important"?  What kind of problems might
> be expected here?
> 
> In both cases, what kind of CPU and/or RAM overhead will large-scale use
> of DNSSEC add?
> -- 
> Chris Adams 
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
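
The checks Mark describes, as offline code (added as an example; not code from
the thread): the key-tag computation behind the "key id" comment that dig
+multi prints, the DS-to-DNSKEY linkage, and the RRSIG timestamp comparison
against the date -u output. All records in it are constructed: the DNSKEY holds
a few throwaway bytes instead of a real RSA public key, so the key tag and DS
digest are exercised but no signature is verified; the DS is derived from the
key by make_ds_line(), and the RRSIG's signature field is filler. To use it on
a real zone, feed the output of the dig +cd +multi commands above to
check_zone().

```python
"""Offline version of the checks above: compute a DNSKEY's key tag, confirm
that a DS names and digests that key, and compare RRSIG validity dates with a
date in the YYYYMMDDHHMMSS form that `date -u` prints.  Added example, not code
from the thread.  All records are constructed: the DNSKEY holds throwaway bytes
rather than a real RSA key, the DS is derived from it by make_ds_line(), and
the RRSIG's signature field is filler.  No signature is verified here.
"""
import base64
import datetime as dt
import hashlib
import struct


def parse_records(text):
    """Parse DNSKEY, DS and RRSIG presentation-format records, folding the
    ( ... ) continuation lines and dropping the `; key id = N` comments."""
    folded, out = [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].replace("(", " ").replace(")", " ")
        if raw[:1].isspace() and folded:  # continuation of the previous record
            folded[-1] += " " + line
        else:
            folded.append(line)
    for rec in folded:
        tok = rec.split()
        at = [i for i, t in enumerate(tok) if t in ("DNSKEY", "DS", "RRSIG")]
        if not at:
            continue
        owner, rtype, r = tok[0], tok[at[0]], tok[at[0] + 1:]
        if rtype == "DNSKEY":
            out.append({"type": rtype, "owner": owner, "flags": int(r[0]), "protocol": int(r[1]),
                        "algorithm": int(r[2]), "pubkey": base64.b64decode("".join(r[3:]))})
        elif rtype == "DS":
            out.append({"type": rtype, "owner": owner, "key_tag": int(r[0]), "algorithm": int(r[1]),
                        "digest_type": int(r[2]), "digest": "".join(r[3:]).lower()})
        else:  # RRSIG: covered alg labels origttl expiration inception keytag signer sig
            out.append({"type": rtype, "owner": owner, "covered": r[0], "algorithm": int(r[1]),
                        "expiration": r[4], "inception": r[5], "key_tag": int(r[6]), "signer": r[7]})
    return out


def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def dnskey_rdata(key):
    return struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]


def key_tag(key):
    """RFC 4034 appendix B key tag (not valid for the obsolete algorithm 1)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(key, digest_type=2):
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(key["owner"]) + dnskey_rdata(key)).hexdigest()


def ds_matches(ds, key):
    return (ds["key_tag"] == key_tag(key) and ds["algorithm"] == key["algorithm"]
            and ds["digest"] == ds_digest(key, ds["digest_type"]))


def make_ds_line(key, digest_type=2):
    """The DS the parent should publish; compare it with `dig +cd +multi DS`."""
    return "%s 3600 IN DS %d %d %d %s" % (key["owner"], key_tag(key), key["algorithm"],
                                          digest_type, ds_digest(key, digest_type))


def rrsig_time_problems(sig, now=None):
    """Fixed-width UTC timestamps compare correctly as plain strings."""
    now = now or dt.datetime.now(dt.timezone.utc).strftime("%Y%m%d%H%M%S")
    return ([] if now >= sig["inception"] else ["inception in the future"]) + \
           ([] if now <= sig["expiration"] else ["expired"])


def check_zone(dnskey_text, ds_text, rrsig_text, now=None):
    """Problems found: DS not matching any DNSKEY, RRSIG by an unknown key,
    RRSIG whose validity window does not contain `now`."""
    keys = {key_tag(k): k for k in parse_records(dnskey_text) if k["type"] == "DNSKEY"}
    problems = []
    for ds in parse_records(ds_text):
        if not (ds["key_tag"] in keys and ds_matches(ds, keys[ds["key_tag"]])):
            problems.append("DS %d/%d does not match any DNSKEY" % (ds["key_tag"], ds["algorithm"]))
    for sig in parse_records(rrsig_text):
        if sig["key_tag"] not in keys:
            problems.append("RRSIG %s by key %d: no such DNSKEY" % (sig["covered"], sig["key_tag"]))
        for p in rrsig_time_problems(sig, now):
            problems.append("RRSIG %s by key %d: %s" % (sig["covered"], sig["key_tag"], p))
    return problems


# Constructed samples in `dig +multi` layout; the key id is what key_tag() yields.
SAMPLE_DNSKEY = """\
example.net. 3600 IN DNSKEY 257 3 8 (
        AwEAAavN7xI=
        ) ; key id = 41451
"""
SAMPLE_RRSIG = ("example.net. 3600 IN RRSIG DNSKEY 8 2 3600 20090701000000 "
                "20090601000000 41451 example.net. ZmFrZQ==")
```

Because the sample RRSIG's window is June 2009, check_zone() run with today's
date reports it as expired, which is the "failure to re-sign" case in the list
above; a DS whose key id or digest matches no DNSKEY is the "failure to update
DS records" case. Pass a fixed now string, as the assertions do, to reproduce
the state at a given time.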

publish bind9 server

2009-06-05 Thread Javier Martinez
Hi all. This is my first message on this list.
In my current project, we are using a bind9 server to assign web requests to 
different amazon ec2 computers. When a request is incoming, bind server (A) 
resolves the computer that has the specified subdomain and redirects the 
request to that computer (B).
For example, we have a computer that hosts the domain "test.midomain.com". The 
bind server is where the "midomain.com" goes. So, the service must redirect the 
request "test.midomain.com" to another computer.
At this time, if I try "host test.midomain.com" in (A), I get the correct IP 
for (B).
Now I don't know what I have to do to publish this server to work outside. If I 
try to go in my local browser to "test.midomain.com" I don't get response.
Hope someone can help me with this, because I'm quite tired of trying different 
things.
 
Thanks.