Re: Forwarding zone, setup

2022-02-28 Thread Grant Taylor via bind-users

On 2/28/22 1:47 PM, Gregory Sloop wrote:
> I figured before I beat my head against the wall for too long, I'd ask 
> the real experts! :)


I'm definitely not an expert.  I don't even pretend to be one on T.V.

But I do wonder what, if any, sort of restrictions you are placing on 
recursion on your system.


It's my (mis)understanding that recursion has some effect on forwarding 
queries.  My limited understanding is recursion is another way of saying 
if the server should chase the answer for you or not.  If it doesn't 
have it in its own data (authoritative and / or cache), then its 
recursion setting comes into play.


If I'm mistaken, please correct me.



--
Grant. . . .
unix || die



-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Forwarding zone, setup

2022-02-28 Thread Crist Clark
You didn’t share much of your configuration except the one forwarded zone,
not a lot to go on.

But one thing to check, you do have recursion enabled on the server?

On Mon, Feb 28, 2022 at 6:34 PM Gregory Sloop  wrote:

> Wow. I hate to be the guy who looks the gift horse in the mouth - but that
> just seems "wrong." :)
>
> (Not the answer, but that that would be the way BIND wants it done.)
>
>
>
> So, now I've got two sets of NS and glue records?
>
> Please tell me that's not the way BIND insists you do this!
>
>
>
> I guess I should try it, but dang.
>
> Does anyone know for sure?
>
>
>
>
>
>
> Add Delegating NS records:
>
> ab.somedomain.local 3600 NS server1.ab.somedomain.local
> .
> .
> .
>
>
> And glue records
>
> server1.ab.somedomain.local 3600 A 10.0.0.1
> .
> .
>
>
> And see if it works. It’s got something to do with the way the record is
> matched (or not) before the forward statement is hit.
>
> J
>
> On Feb 28, 2022, at 3:47 PM, Gregory Sloop  wrote:
>
> So, I want to forward all queries for
> *.ab.somedomain.local to some other internal DNS servers.
> (Records in *.ab.somedomain.local actually are our active domain servers)
>
>
> (Yes, I know .local is reserved now, but we've been using it a long time
> and changing would be rather painful. Unless there's some horrible
> consequences, I think we'll just continue for now. We won't ever use mDNS.)
>
>
> zone "ab.somedomain.local" {
> type forward;
> forward only;
> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
> };
>
> But this doesn't appear to do what I want.
>
>
> If I add the above to my regular BIND servers configuration, it doesn't
> return results like it's forwarding them. (I get NXDOMAIN for
> abc.ab.somedomain.local.)
>
>
> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I
> get a proper result. (force dig to use the AD name servers directly,
> instead of relying on the forward.)
>
>
> (And yes the resolv.conf file has the ip addresses of the main internal
> BIND servers in it, and those only.)
> I've looked and while I think I'm doing it right, I'm not entirely sure.
> I figured before I beat my head against the wall for too long, I'd ask the
> real experts! :)
>
>
>
>


Re: Forwarding zone, setup

2022-02-28 Thread Gregory Sloop
Wow. I hate to be the guy who looks the gift horse in the mouth - but that just 
seems "wrong." :) 
(Not the answer, but that that would be the way BIND wants it done.)
 
So, now I've got two sets of NS and glue records? 
Please tell me that's not the way BIND insists you do this!
 
I guess I should try it, but dang.
Does anyone know for sure?
 
  

> Add Delegating NS records:

> ab.somedomain.local 3600 NS server1.ab.somedomain.local
> .
> .
> .


> And glue records

> server1.ab.somedomain.local 3600 A 10.0.0.1
> .
> .


> And see if it works. It’s got something to do with the way the record is 
> matched (or not) before the forward statement is hit.

> J
>> On Feb 28, 2022, at 3:47 PM, Gregory Sloop  wrote:

>> So, I want to forward all queries for 
>> *.ab.somedomain.local to some other internal DNS servers.
>> (Records in *.ab.somedomain.local actually are our active domain servers)
>>  
>> (Yes, I know .local is reserved now, but we've been using it a long time and 
>> changing would be rather painful. Unless there's some horrible consequences, 
>> I think we'll just continue for now. We won't ever use mDNS.)
>>  
>> zone "ab.somedomain.local" {
>> type forward;
>> forward only;
>> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
>> };

>> But this doesn't appear to do what I want.
>>  
>> If I add the above to my regular BIND servers configuration, it doesn't 
>> return results like it's forwarding them. (I get NXDOMAIN for 
>> abc.ab.somedomain.local.)
>>  
>> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I get 
>> a proper result. (force dig to use the AD name servers directly, instead of 
>> relying on the forward.)
>>  
>> (And yes the resolv.conf file has the ip addresses of the main internal BIND 
>> servers in it, and those only.)
>> I've looked and while I think I'm doing it right, I'm not entirely sure.
>> I figured before I beat my head against the wall for too long, I'd ask the 
>> real experts! :)


Re: Forwarding zone, setup

2022-02-28 Thread Jeff Sumner
Add Delegating NS records:

ab.somedomain.local 3600 NS server1.ab.somedomain.local
.
.
.


And glue records

server1.ab.somedomain.local 3600 A 10.0.0.1
.
.


And see if it works. It’s got something to do with the way the record is 
matched (or not) before the forward statement is hit.

J

> On Feb 28, 2022, at 3:47 PM, Gregory Sloop  wrote:
> 
> So, I want to forward all queries for 
> *.ab.somedomain.local to some other internal DNS servers.
> (Records in *.ab.somedomain.local actually are our active domain servers)
>  
> (Yes, I know .local is reserved now, but we've been using it a long time and 
> changing would be rather painful. Unless there's some horrible consequences, 
> I think we'll just continue for now. We won't ever use mDNS.)
>  
> zone "ab.somedomain.local" {
> type forward;
> forward only;
> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
> };
> 
> But this doesn't appear to do what I want.
>  
> If I add the above to my regular BIND servers configuration, it doesn't 
> return results like it's forwarding them. (I get NXDOMAIN for 
> abc.ab.somedomain.local.)
>  
> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I get a 
> proper result. (force dig to use the AD name servers directly, instead of 
> relying on the forward.)
>  
> (And yes the resolv.conf file has the ip addresses of the main internal BIND 
> servers in it, and those only.)
> I've looked and while I think I'm doing it right, I'm not entirely sure.
> I figured before I beat my head against the wall for too long, I'd ask the 
> real experts! :)
>  
> 
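
A configuration sketch combining the two suggestions made in this thread (recursion enabled, plus a delegation with glue in the parent zone), added here as an example and not taken from any poster's actual setup. It assumes this server is authoritative for somedomain.local, which the thread does not state; the ACL name, client range and zone file name are constructed.

```conf
// named.conf fragment (constructed example)

// Assumption: internal clients live in 10.0.0.0/8.
acl internal-clients { localhost; 10.0.0.0/8; };

options {
    // A forward zone is only consulted when named is willing to recurse
    // for the client; with recursion off, forwarding never happens.
    recursion yes;
    // Keep recursion limited to known clients so the server does not
    // become an open resolver.
    allow-recursion { internal-clients; };
};

// Assumption: this server is authoritative for the parent zone.
zone "somedomain.local" {
    type master;
    file "db.somedomain.local";   // hypothetical file name
};

// The forward zone from the original post, unchanged.
zone "ab.somedomain.local" {
    type forward;
    forward only;
    forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
};

/*
 * Records to add to db.somedomain.local (zone-file syntax, shown in a
 * comment because they belong in the zone file, not in named.conf).
 * Without a delegation, the authoritative parent zone answers NXDOMAIN
 * for abc.ab.somedomain.local itself and the forward zone is never
 * reached. The NS record marks ab.somedomain.local as outside the
 * parent's authority; the A record is the glue for that name server.
 *
 *   ab.somedomain.local.          3600 IN NS  server1.ab.somedomain.local.
 *   server1.ab.somedomain.local.  3600 IN A   10.0.0.1
 */
```

Run named-checkconf before reloading, and remember to bump the parent zone's serial after adding the records. A dig for abc.ab.somedomain.local against this server should then return the same answer as the direct dig @10.0.0.1 query.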


Re: AA flag

2022-02-28 Thread @lbutlr
On 2022 Feb 27, at 05:46, Bob McDonald  wrote:
> I'm guessing that the zone files hosted on the new DNS servers still contain 
> NS records pointing to the old DNS servers.

After propagation everything seems to have settled out properly, no errors on 
dnsviz now.

Thanks though.


-- 
Advance and attack! Attack and destroy! Destroy and rejoice!



Forwarding zone, setup

2022-02-28 Thread Gregory Sloop
So, I want to forward all queries for 
*.ab.somedomain.local to some other internal DNS servers.
(Records in *.ab.somedomain.local actually are our active domain servers)
 
(Yes, I know .local is reserved now, but we've been using it a long time and 
changing would be rather painful. Unless there's some horrible consequences, I 
think we'll just continue for now. We won't ever use mDNS.)
 
zone "ab.somedomain.local" {
type forward;
forward only;
forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
};

But this doesn't appear to do what I want.
 
If I add the above to my regular BIND servers configuration, it doesn't return 
results like it's forwarding them. (I get NXDOMAIN for abc.ab.somedomain.local.)
 
If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I get a 
proper result. (force dig to use the AD name servers directly, instead of 
relying on the forward.)
 
(And yes the resolv.conf file has the ip addresses of the main internal BIND 
servers in it, and those only.)
I've looked and while I think I'm doing it right, I'm not entirely sure.
I figured before I beat my head against the wall for too long, I'd ask the real 
experts! :)