Re: Forwarding from delegated zone not working

2017-10-10 Thread Bob Harold
On Tue, Oct 10, 2017 at 11:21 AM, seanliam73  wrote:

> Hi
>
> I have a subdomain delegated from AD to a bind9 instance I have running,
> so that all requests for that subdomain are sent to the bind 9 instance. I
> would then like to set up zone forwarding so that further subdomains can be
> managed by other bind 9 instances.
>
> I know the forwarding is working because I can query the main bind9
> instance and receive the expected results. However, if I query from the AD
> server that is doing the delegation, I get a SERVFAIL error.
>
> Am I trying to do something that is not possible, or am I just missing some
> configuration?
>
> *main instance config*
>
> options {
> directory "/var/named";
> listen-on port 53 { listen addr; };
> auth-nxdomain yes;
> recursion yes;
> allow-query { ip addresses; };
>

- You might also need to add:
   allow-recursion { ip addresses; };

-- 
Bob Harold


> listen-on-v6 { any; };
> dnssec-enable no;
> dnssec-validation no;
> dnssec-lookaside auto;
> };
>
> logging {
> channel default_debug {
> file "data/named.run";
> severity debug 3;
> };
>
> channel querylog {
> file "data/query.log";
> severity debug 5;
> };
>
> category default { default_debug; };
> category queries { querylog; };
> };
>
> zone "example.company.com" IN {
> type forward;
> forward only;
> forwarders { ip address; };
> };
>
> zone "development.example.company.com" IN {
> type forward;
> forward only;
> forwarders { ip address; };
> };
>
>
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Forwarding from delegated zone not working

2017-10-10 Thread Ben Croswell
I guess I made the assumption that the zone was properly forwarded at the MS
end.

However, as you mentioned, if it was only delegated then it would SERVFAIL
at the BIND server when receiving an iterative query from MS if BIND isn't
authoritative.

On Oct 10, 2017 11:44 AM, "Darcy Kevin (FCA)" wrote:

But surely you’d get an NXDOMAIN in that case, not a SERVFAIL.



The assumption I made in my post was that the delegation was pointed to the
forwarding BIND instance, which is a non-starter.



-  Kevin





*From:* bind-users [mailto:bind-users-boun...@lists.isc.org] *On Behalf Of *Ben Croswell
*Sent:* Tuesday, October 10, 2017 11:38 AM
*To:* seanliam73 
*Cc:* bind-users@lists.isc.org
*Subject:* Re: Forwarding from delegated zone not working



If the AD environment loads company.com you need to make sure it has NS
delegations. The nameserver will ignore the zone forwarded if it knows the
child doesn't exist.



On Oct 10, 2017 11:22 AM, "seanliam73"  wrote:

Hi

I have a subdomain delegated from AD to a bind9 instance I have running,
so that all requests for that subdomain are sent to the bind 9 instance. I
would then like to set up zone forwarding so that further subdomains can be
managed by other bind 9 instances.

I know the forwarding is working because I can query the main bind9 instance
and receive the expected results. However, if I query from the AD server that
is doing the delegation, I get a SERVFAIL error.

Am I trying to do something that is not possible, or am I just missing some
configuration?

*main instance config*

options {
directory "/var/named";
listen-on port 53 { listen addr; };
auth-nxdomain yes;
recursion yes;
allow-query { ip addresses; };
listen-on-v6 { any; };
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
};

logging {
channel default_debug {
file "data/named.run";
severity debug 3;
};

channel querylog {
file "data/query.log";
severity debug 5;
};

category default { default_debug; };
category queries { querylog; };
};

zone "example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};

zone "development.example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/

Re: Forwarding from delegated zone not working

2017-10-10 Thread Tony Finch
seanliam73  wrote:
>
> I know the forwarding is working because I can query the main bind9
> instance and receive the expected results. However, if I query from the AD
> server that is doing the delegation, I get a SERVFAIL error.

I guess one possible cause for this problem might be if the AD server is
making iterative queries (RD=0) rather than recursive queries (RD=1). In
this case the BIND forwarding setup will not work because forwarding only
applies to recursive queries.

It's probably more reliable to set up the subdomain and sub-sub-domains
with proper delegations, so that normal iterative resolution works.

A few unrelated notes...

> options {
> directory "/var/named";
> listen-on port 53 { listen addr; };
> auth-nxdomain yes;

Don't use this option, it has been useless since 2001.

> recursion yes;
> allow-query { ip addresses; };
> listen-on-v6 { any; };
> dnssec-enable no;

There should not be any reason to turn off DNSSEC support.

> dnssec-validation no;
> dnssec-lookaside auto;

dnssec-lookaside is now obsolete, but even before it was decommissioned
these two lines contradicted each other!

> };

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Lundy, Fastnet, Irish Sea, Southeast Shannon: Southwesterly 5 to 7,
occasionally gale 8 later. Slight or moderate, becoming moderate or rough.
Occasional rain. Moderate or good, occasionally poor.
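The RD-bit distinction Tony describes is easy to see at wire level. The following is an added example, not code from the thread or from ISC: it builds a DNS query with the RD bit cleared (what a delegating server such as the AD DNS server sends when it follows an NS record) and one with RD set (what a stub resolver or `dig` sends by default), then decodes reply headers into the `status:` / `flags:` vocabulary `dig` prints. The replies are constructed in the file to mirror the two outcomes discussed above (SERVFAIL and NXDOMAIN); the query name is assumed.

```python
"""Added example (not from the thread): build DNS queries with the RD bit
cleared or set and decode the reply header, to show at wire level the
difference between the iterative (RD=0) query a delegating server sends when
it follows an NS record and the recursive (RD=1) query a stub resolver or
`dig` sends by default. Only the standard library is used; the replies are
constructed in this file, not captured from a real server."""
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname: str, qtype: int = QTYPE_A, rd: bool = True, txid: int = 0x1234) -> bytes:
    """12-byte header + one question. RD is bit 8 of the flags word (RFC 1035 4.1.1)."""
    flags = 0x0100 if rd else 0x0000          # QR=0 (query), OPCODE=0, AA/TC/RA clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_header(msg: bytes) -> dict:
    """Split the header into the fields you would see in `dig` output."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def rcode_name(rcode: int) -> str:
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)


def make_reply(query: bytes, rcode: int, aa: bool = False, ra: bool = True) -> bytes:
    """Constructed reply: copies ID and question, sets QR, echoes RD, carries rcode."""
    h = decode_header(query)
    flags = (0x8000 | (0x0400 if aa else 0) | (0x0100 if h["rd"] else 0)
             | (0x0080 if ra else 0) | (rcode & 0xF))
    return struct.pack("!HHHHHH", h["id"], flags, h["qdcount"], 0, 0, 0) + query[12:]


def summarise(msg: bytes) -> str:
    """One line in dig's vocabulary, e.g. 'status: SERVFAIL, flags: qr ra'."""
    h = decode_header(msg)
    set_flags = [f for f in ("qr", "aa", "tc", "rd", "ra") if h[f]]
    return "status: %s, flags: %s" % (rcode_name(h["rcode"]), " ".join(set_flags))


if __name__ == "__main__":
    name = "host.development.example.company.com"       # assumed name
    iterative = build_query(name, rd=False)   # what a delegating server sends
    recursive = build_query(name, rd=True)    # what a stub resolver / dig sends
    print("RD=0 query :", summarise(iterative))
    print("RD=1 query :", summarise(recursive))
    # Two constructed outcomes from the thread: SERVFAIL to the iterative
    # query, authoritative NXDOMAIN to the recursive one.
    print("reply A    :", summarise(make_reply(iterative, rcode=2)))
    print("reply B    :", summarise(make_reply(recursive, rcode=3, aa=True)))
```

To reproduce what the AD server does against the real BIND instance, compare `dig @<bind-address> host.development.example.company.com +norecurse` with the same query without `+norecurse` (dig sets RD by default); the `status:` and `flags:` lines dig prints are the fields decoded above. If the two differ, Tony's diagnosis applies.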


RE: Forwarding from delegated zone not working

2017-10-10 Thread Darcy Kevin (FCA)
But surely you’d get an NXDOMAIN in that case, not a SERVFAIL.

The assumption I made in my post was that the delegation was pointed to the 
forwarding BIND instance, which is a non-starter.


-  Kevin


From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ben Croswell
Sent: Tuesday, October 10, 2017 11:38 AM
To: seanliam73 
Cc: bind-users@lists.isc.org
Subject: Re: Forwarding from delegated zone not working

If the AD environment loads company.com you need to make 
sure it has NS delegations. The nameserver will ignore the zone forwarded if it 
knows the child doesn't exist.

On Oct 10, 2017 11:22 AM, "seanliam73" wrote:
Hi

I have a subdomain delegated from AD to a bind9 instance I have running,
so that all requests for that subdomain are sent to the bind 9 instance. I
would then like to set up zone forwarding so that further subdomains can be
managed by other bind 9 instances.

I know the forwarding is working because I can query the main bind9 instance
and receive the expected results. However, if I query from the AD server that
is doing the delegation, I get a SERVFAIL error.

Am I trying to do something that is not possible, or am I just missing some
configuration?

*main instance config*

options {
directory "/var/named";
listen-on port 53 { listen addr; };
auth-nxdomain yes;
recursion yes;
allow-query { ip addresses; };
listen-on-v6 { any; };
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
};

logging {
channel default_debug {
file "data/named.run";
severity debug 3;
};

channel querylog {
file "data/query.log";
severity debug 5;
};

category default { default_debug; };
category queries { querylog; };
};

zone "example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};

zone "development.example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/

RE: Forwarding from delegated zone not working

2017-10-10 Thread Darcy Kevin (FCA)
It doesn't work to delegate to a forwarder; you have to delegate to something 
that's authoritative for the zone (master or slave). Delegated nameservers are 
expected to have a full copy of the zone, either as the source (master) or 
through replication (slave).

Now, if you have restrictions/limitations that prevent you both from a) 
delegating directly from AD to the authoritative nameservers, and b) 
replicating from the authoritative nameservers to the BIND instance in 
question, then you'd need to look into some sort of "DNS proxy", but that's not 
BIND, and really beyond the scope of this list.


- Kevin

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of seanliam73
Sent: Tuesday, October 10, 2017 11:22 AM
To: bind-users@lists.isc.org
Subject: Forwarding from delegated zone not working

Hi

I have a subdomain delegated from AD to a bind9 instance I have running, so
that all requests for that subdomain are sent to the bind 9 instance. I would
then like to set up zone forwarding so that further subdomains can be managed
by other bind 9 instances.

I know the forwarding is working because I can query the main bind9 instance and
receive the expected results. However, if I query from the AD server that is
doing the delegation, I get a SERVFAIL error.

Am I trying to do something that is not possible, or am I just missing some
configuration?

*main instance config* 

options {
directory "/var/named";
listen-on port 53 { listen addr; };
auth-nxdomain yes;
recursion yes;
allow-query { ip addresses; };
listen-on-v6 { any; };
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
};

logging {
channel default_debug {
file "data/named.run";
severity debug 3;
};

channel querylog {
file "data/query.log";
severity debug 5;
};

category default { default_debug; };
category queries { querylog; };
};

zone "example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};

zone "development.example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/
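The layout Kevin describes (delegate to a server that is authoritative for the child, and let that server delegate further), with Bob Harold's allow-recursion point and Tony Finch's DNSSEC note folded in, looks like the following. This is an added example, not the poster's configuration: the server names, the 192.0.2.x addresses and the 198.51.100.0/24 client range are assumed, and the zone-file records are shown as comments because the same block would otherwise mix named.conf and zone-file syntax.

```conf
// Added example, not the poster's config. Parent delegates to a server that is
// AUTHORITATIVE for the child; that server delegates the sub-sub-domain the
// same way. Names, addresses and the client range are assumed.
//
// 1. In AD's company.com zone (zone-file syntax) delegate to the BIND instance
//    that will hold the zone, with glue:
//        example.company.com.      IN NS  ns1.example.company.com.
//        ns1.example.company.com.  IN A   192.0.2.10
//
// 2. named.conf on ns1.example.company.com (192.0.2.10):
options {
    directory "/var/named";
    listen-on port 53 { 192.0.2.10; };
    listen-on-v6 { any; };
    // The delegating AD servers must be allowed to query, or they get REFUSED
    // instead of an answer; recursion is limited separately below.
    allow-query { any; };
    recursion yes;
    // Bob Harold's point: only your own clients/resolvers may recurse. Open
    // recursion is what makes a resolver usable for reflection/amplification.
    allow-recursion { 198.51.100.0/24; };
    // Replaces the contradictory dnssec-enable/dnssec-validation/lookaside lines.
    dnssec-validation auto;
};

// Authoritative for the delegated zone. "type master" is the thread's term;
// recent BIND also accepts "type primary". If the zone data really lives on
// another server, make this a slave (secondary) of it rather than a forwarder:
// a delegated nameserver needs a full copy of the zone.
zone "example.company.com" IN {
    type master;
    file "example.company.com.zone";
};

// 3. Inside example.company.com.zone, delegate the sub-sub-domain instead of
//    forwarding it, so the iterative (RD=0) queries AD sends are answered with
//    a referral rather than SERVFAIL:
//        development.example.company.com.      IN NS  ns1.development.example.company.com.
//        ns1.development.example.company.com.  IN A   192.0.2.20
//
// 4. named.conf on ns1.development.example.company.com (192.0.2.20):
//        zone "development.example.company.com" IN {
//            type master;
//            file "development.example.company.com.zone";
//        };
//
// "type forward" zones, as in the original config, only affect recursive
// (RD=1) queries from this server's own clients; they are not a substitute
// for the NS records above.
```

Check the result from the AD side with `dig @192.0.2.10 development.example.company.com NS +norecurse`: the authoritative server should return the NS records (and glue) for the child, not SERVFAIL, and `named-checkconf -z` on each BIND instance confirms the zones load.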


Re: Forwarding from delegated zone not working

2017-10-10 Thread Ben Croswell
If the AD environment loads company.com you need to make sure it has NS
delegations. The nameserver will ignore the zone forwarded if it knows the
child doesn't exist.

On Oct 10, 2017 11:22 AM, "seanliam73"  wrote:

> Hi
>
> I have a subdomain delegated from AD to a bind9 instance I have running,
> so that all requests for that subdomain are sent to the bind 9 instance. I
> would then like to set up zone forwarding so that further subdomains can be
> managed by other bind 9 instances.
>
> I know the forwarding is working because I can query the main bind9
> instance and receive the expected results. However, if I query from the AD
> server that is doing the delegation, I get a SERVFAIL error.
>
> Am I trying to do something that is not possible, or am I just missing some
> configuration?
>
> *main instance config*
>
> options {
> directory "/var/named";
> listen-on port 53 { listen addr; };
> auth-nxdomain yes;
> recursion yes;
> allow-query { ip addresses; };
> listen-on-v6 { any; };
> dnssec-enable no;
> dnssec-validation no;
> dnssec-lookaside auto;
> };
>
> logging {
> channel default_debug {
> file "data/named.run";
> severity debug 3;
> };
>
> channel querylog {
> file "data/query.log";
> severity debug 5;
> };
>
> category default { default_debug; };
> category queries { querylog; };
> };
>
> zone "example.company.com" IN {
> type forward;
> forward only;
> forwarders { ip address; };
> };
>
> zone "development.example.company.com" IN {
> type forward;
> forward only;
> forwarders { ip address; };
> };
>
>
>
> --
> Sent from: http://bind-users-forum.2342410.n4.nabble.com/

Forwarding from delegated zone not working

2017-10-10 Thread seanliam73
Hi

I have a subdomain delegated from AD to a bind9 instance I have running,
so that all requests for that subdomain are sent to the bind 9 instance. I
would then like to set up zone forwarding so that further subdomains can be
managed by other bind 9 instances.

I know the forwarding is working because I can query the main bind9 instance
and receive the expected results. However, if I query from the AD server that
is doing the delegation, I get a SERVFAIL error.

Am I trying to do something that is not possible, or am I just missing some
configuration?

*main instance config* 

options {
directory "/var/named";
listen-on port 53 { listen addr; };
auth-nxdomain yes;
recursion yes;
allow-query { ip addresses; };
listen-on-v6 { any; };
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
};

logging {
channel default_debug {
file "data/named.run";
severity debug 3;
};

channel querylog {
file "data/query.log";
severity debug 5;
};

category default { default_debug; };
category queries { querylog; };
};

zone "example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};

zone "development.example.company.com" IN {
type forward;
forward only;
forwarders { ip address; };
};



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/