Re: Forwarding zone, setup

2022-03-01 Thread Gregory Sloop
>Are you loading the parent domain and trying to zone forward a child domain on 
>the same DNS server? I.e. loading somedomain.local and trying to forward 
>ab.somedomain.local
 
Yup, exactly.
 
That solution was suggested by Jeff Sumner yesterday, but it seemed a little 
nuts to me (BIND behaving that way) - though your explanation makes that 
behavior seem less crazy.
If I get a chance, I'll perhaps try that, just to see if it fixes it - though 
someone at ISC might save me the work, confirming the behavior. (please do!)
 
And, if that's the case, then static-stub is the far superior option - since 
it's much more simple and straightforward.
 
Consider it solved. 
If ISC can confirm that behavior for forwarding a child domain when the server 
is also auth for the parent zone, that would be very nice!
 
Thanks to everyone, again, for the help!
 
    

> Are you loading the parent domain and trying to zone forward a child domain 
> on the same DNS server? I.e. loading somedomain.local and trying to forward 
> ab.somedomain.local

> If so an NS delegation is required in every instance I have done in my 
> environment. The NS doesn't need to be "right" but it needs to exist. I don't 
> know the internal BIND logic for that but I have always taken it as "I load 
> the parent and I know the child doesn't exist because there isn't a 
> delegation to make it exist so why would I forward something that doesn't 
> exist".


> On Tue, Mar 1, 2022, 1:18 PM Gregory Sloop  wrote:

>> Static-stub fixes the issue.
>>
>> Any idea why static-stub works when forwarder doesn't?
>>
>> (Again, the server is using recursion. Dig queries return the RA flag, so I 
>> know it's actually offering recursion in reality.)
>>
>> I can live with static-stub just fine, since it works - but I'd really love 
>> to understand why forwarder didn't - just so I can avoid getting bitten by 
>> it in some other situation.
>>  
>> Thanks Andrej!
>> -Greg
>>   

>>> Is static-stub something you are looking for?

>>> Reference documentation:
>>> https://bind9.readthedocs.io/en/v9_18_0/reference.html?highlight=static-stub#zone-types

>>> And in human terms:
>>> https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/

>>> Ondrej
>>> --
>>> Ondřej Surý (He/Him)
>>> ond...@isc.org

>>> My working hours and your working hours may be different. Please do not 
>>> feel obligated to reply outside your normal working hours.

>>>> On 28. 2. 2022, at 21:47, Gregory Sloop wrote:
>>>>
>>>> So, I want to forward all queries for 
>>>> *.ab.somedomain.local to some other internal DNS servers.
>>>> (Records in *.ab.somedomain.local actually are our active domain servers)
>>>>
>>>> (Yes, I know .local is reserved now, but we've been using it a long time 
>>>> and changing would be rather painful. Unless there's some horrible 
>>>> consequences, I think we'll just continue for now. We won't ever use mDNS.)
>>>>
>>>> zone "ab.somedomain.local" {
>>>> type forward;
>>>> forward only;
>>>> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
>>>> };
>>>>
>>>> But this doesn't appear to do what I want.
>>>>
>>>> If I add the above to my regular BIND servers configuration, it doesn't 
>>>> return results like it's forwarding them. (I get NXDOMAIN for 
>>>> abc.ab.somedomain.local.)
>>>>
>>>> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I 
>>>> get a proper result. (force dig to use the AD name servers directly, 
>>>> instead of relying on the forward.)
>>>>
>>>> (And yes the resolv.conf file has the ip addresses of the main internal 
>>>> BIND servers in it, and those only.)
>>>> I've looked and while I think I'm doing it right, I'm not entirely sure.
>>>> I figured before I beat my head against the wall for too long, I'd ask the 
>>>> real experts! :)
>>>>

-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x121
EMail: gr...@sloop.net
http://www.sloop.net
- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
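
[Added example, not part of any message in this thread and not ISC's or the poster's own configuration: the three options discussed in the thread for handing ab.somedomain.local to the internal servers when the same BIND instance is also authoritative for somedomain.local. The zone file name, the allow-recursion range and the parent zone stanza are assumptions; the addresses and the NS/A records are the ones quoted in the thread.]

```conf
// Constructed named.conf fragment for the setup described in the thread.
// Assumed: the zone file name and the allow-recursion range.

options {
    recursion yes;                     // forward and static-stub zones both rely on recursion
    allow-recursion { 10.0.0.0/8; };   // assumed internal client range; keep it internal-only
};

// The server is authoritative for the parent zone.
zone "somedomain.local" {
    type primary;                      // spelled "master" on older BIND 9 releases
    file "db.somedomain.local";        // assumed file name
};

// Option 1 (original post): forward zone on its own.
// With the parent loaded above and no delegation for "ab" in it, the server
// answers abc.ab.somedomain.local from the parent zone (NXDOMAIN) and the
// forwarders are never consulted.
//
// zone "ab.somedomain.local" {
//     type forward;
//     forward only;
//     forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
// };

// Option 2 (suggested in the thread): keep the forward zone from option 1
// and add a delegation plus glue to db.somedomain.local, so that the parent
// zone hands the name off instead of answering it:
//
//     ab.somedomain.local.          3600 IN NS server1.ab.somedomain.local.
//     server1.ab.somedomain.local.  3600 IN A  10.0.0.1

// Option 3 (what resolved the thread): static-stub zone. named treats the
// listed addresses as the zone's authoritative servers and sends them
// non-recursive queries, so they must themselves be authoritative for
// ab.somedomain.local.
zone "ab.somedomain.local" {
    type static-stub;
    server-addresses { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
};
```

Check the file with named-checkconf before reloading, then repeat the dig query from the original post against the BIND server itself rather than against 10.0.0.1.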


Re: Forwarding zone, setup

2022-03-01 Thread Ben Croswell
Are you loading the parent domain and trying to zone forward a child domain
on the same DNS server? I.e. loading somedomain.local and trying to forward
ab.somedomain.local

If so an NS delegation is required in every instance I have done in my
environment. The NS doesn't need to be "right" but it needs to exist. I
don't know the internal BIND logic for that but I have always taken it as
"I load the parent and I know the child doesn't exist because there isn't a
delegation to make it exist so why would I forward something that doesn't
exist".


On Tue, Mar 1, 2022, 1:18 PM Gregory Sloop  wrote:

> Static-stub fixes the issue.
>
> Any idea why static-stub works when forwarder doesn't?
>
> (Again, the server is using recursion. Dig queries return the RA flag, so
> I know it's actually offering recursion in reality.)
>
> I can live with static-stub just fine, since it works - but I'd really love
> to understand why forwarder didn't - just so I can avoid getting bitten by
> it in some other situation.
>
>
>
> Thanks Andrej!
>
> -Greg
>
>
>
>
> Is static-stub something you are looking for?
>
>
> Reference documentation:
>
> https://bind9.readthedocs.io/en/v9_18_0/reference.html?highlight=static-stub#zone-types
>
>
> And in human terms:
> https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/
>
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
>
> On 28. 2. 2022, at 21:47, Gregory Sloop  wrote:
>
> So, I want to forward all queries for
> *.ab.somedomain.local to some other internal DNS servers.
> (Records in *.ab.somedomain.local actually are our active domain servers)
>
> (Yes, I know .local is reserved now, but we've been using it a long time
> and changing would be rather painful. Unless there's some horrible
> consequences, I think we'll just continue for now. We won't ever use mDNS.)
>
> zone "ab.somedomain.local" {
> type forward;
> forward only;
> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
> };
>
> But this doesn't appear to do what I want.
>
> If I add the above to my regular BIND servers configuration, it doesn't
> return results like it's forwarding them. (I get NXDOMAIN for
> abc.ab.somedomain.local.)
>
> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I
> get a proper result. (force dig to use the AD name servers directly,
> instead of relying on the forward.)
>
> (And yes the resolv.conf file has the ip addresses of the main internal
> BIND servers in it, and those only.)
> I've looked and while I think I'm doing it right, I'm not entirely sure.
> I figured before I beat my head against the wall for too long, I'd ask the
> real experts! :)


Re: Forwarding zone, setup

2022-03-01 Thread Gregory Sloop
Static-stub fixes the issue.
 
Any idea why static-stub works when forwarder doesn't?
 
(Again, the server is using recursion. Dig queries return the RA flag, so I 
know it's actually offering recursion in reality.)
 
I can live with static-stub just fine, since it works - but I'd really love to 
understand why forwarder didn't - just so I can avoid getting bitten by it in 
some other situation.
 
Thanks Andrej!
-Greg
  

> Is static-stub something you are looking for?

> Reference documentation:
> https://bind9.readthedocs.io/en/v9_18_0/reference.html?highlight=static-stub#zone-types

> And in human terms:
> https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/

> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org

> My working hours and your working hours may be different. Please do not feel 
> obligated to reply outside your normal working hours.

>> On 28. 2. 2022, at 21:47, Gregory Sloop  wrote:

>> So, I want to forward all queries for 
>> *.ab.somedomain.local to some other internal DNS servers.
>> (Records in *.ab.somedomain.local actually are our active domain servers)
>>  
>> (Yes, I know .local is reserved now, but we've been using it a long time and 
>> changing would be rather painful. Unless there's some horrible consequences, 
>> I think we'll just continue for now. We won't ever use mDNS.)
>>  
>> zone "ab.somedomain.local" {
>> type forward;
>> forward only;
>> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
>> };

>> But this doesn't appear to do what I want.
>>  
>> If I add the above to my regular BIND servers configuration, it doesn't 
>> return results like it's forwarding them. (I get NXDOMAIN for 
>> abc.ab.somedomain.local.)
>>  
>> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I get 
>> a proper result. (force dig to use the AD name servers directly, instead of 
>> relying on the forward.)
>>  
>> (And yes the resolv.conf file has the ip addresses of the main internal BIND 
>> servers in it, and those only.)
>> I've looked and while I think I'm doing it right, I'm not entirely sure.
>> I figured before I beat my head against the wall for too long, I'd ask the 
>> real experts! :)
>>  


Re: Forwarding zone, setup

2022-03-01 Thread Gregory Sloop
This got held up in moderation. Let me repost it, from my regular mail client...
 
 
> You didn’t share much of your configuration except the one forwarded zone, 
> not a lot to go on.
 
Fair enough. (I guess I thought you could just infer all the needed 
information!  Oops!)

Let me try Ondrej's static-stub and see if that makes a difference.

As for more detail.
Yeah, it's a recursive resolver, used internally only.
It's also authoritative for the somedomain.local zone.
I simply want(ed) to pass queries for *.ad.somedomain.local to another 
server(s), so thought the forwarder setup was the right way to do that.

Sorry for being so lame in not providing enough detail - I think I just figured 
I must be doing something terribly wrong and the forwarder setup must be wrong 
in some obvious detail I wasn't seeing. 
That doesn't appear to be the case, so we'll look again, try static-stub and 
then re-group if it doesn't work.

Thanks all!
 
> But one thing to check, you do have recursion enabled on the server?
> On Mon, Feb 28, 2022 at 6:34 PM Gregory Sloop  wrote:

>> Wow. I hate to be the guy who looks the gift horse in the mouth - but that 
>> just seems "wrong." :) 
>> (Not the answer, but that that would be the way BIND wants it done.)
>>  
>> So, now I've got two sets of NS and glue records? 
>> Please tell me that's not the way BIND insists you do this!
>>  
>> I guess I should try it, but dang.
>> Does anyone know for sure?
>>  
>>   

>>> Add Delegating NS records:

>>> ab.somedomain.local 3600 NS server1.ab.somedomain.local
>>> .
>>> .
>>> .


>>> And glue records

>>> server1.ab.somedomain.local 3600 A 10.0.0.1
>>> .
>>> .


>>> And see if it works. It’s got something to do with the way the record is 
>>> matched (or not) before the forward statement is hit.

>>> J
>>>> On Feb 28, 2022, at 3:47 PM, Gregory Sloop wrote:
>>>>
>>>> So, I want to forward all queries for 
>>>> *.ab.somedomain.local to some other internal DNS servers.
>>>> (Records in *.ab.somedomain.local actually are our active domain servers)
>>>>
>>>> (Yes, I know .local is reserved now, but we've been using it a long time 
>>>> and changing would be rather painful. Unless there's some horrible 
>>>> consequences, I think we'll just continue for now. We won't ever use mDNS.)
>>>>
>>>> zone "ab.somedomain.local" {
>>>> type forward;
>>>> forward only;
>>>> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
>>>> };
>>>>
>>>> But this doesn't appear to do what I want.
>>>>
>>>> If I add the above to my regular BIND servers configuration, it doesn't 
>>>> return results like it's forwarding them. (I get NXDOMAIN for 
>>>> abc.ab.somedomain.local.)
>>>>
>>>> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I 
>>>> get a proper result. (force dig to use the AD name servers directly, 
>>>> instead of relying on the forward.)
>>>>
>>>> (And yes the resolv.conf file has the ip addresses of the main internal 
>>>> BIND servers in it, and those only.)
>>>> I've looked and while I think I'm doing it right, I'm not entirely sure.
>>>> I figured before I beat my head against the wall for too long, I'd ask the 
>>>> real experts! :)
>>>>

-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x121
EMail: gr...@sloop.net
http://www.sloop.net


Re: Forwarding zone, setup

2022-03-01 Thread Ondřej Surý
Is static-stub something you are looking for?

Reference documentation:
https://bind9.readthedocs.io/en/v9_18_0/reference.html?highlight=static-stub#zone-types

And in human terms:
https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 28. 2. 2022, at 21:47, Gregory Sloop  wrote:
> 
> So, I want to forward all queries for 
> *.ab.somedomain.local to some other internal DNS servers.
> (Records in *.ab.somedomain.local actually are our active domain servers)
>  
> (Yes, I know .local is reserved now, but we've been using it a long time and 
> changing would be rather painful. Unless there's some horrible consequences, 
> I think we'll just continue for now. We won't ever use mDNS.)
>  
> zone "ab.somedomain.local" {
> type forward;
> forward only;
> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
> };
> 
> But this doesn't appear to do what I want.
>  
> If I add the above to my regular BIND servers configuration, it doesn't 
> return results like it's forwarding them. (I get NXDOMAIN for 
> abc.ab.somedomain.local.)
>  
> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I get a 
> proper result. (force dig to use the AD name servers directly, instead of 
> relying on the forward.)
>  
> (And yes the resolv.conf file has the ip addresses of the main internal BIND 
> servers in it, and those only.)
> I've looked and while I think I'm doing it right, I'm not entirely sure.
> I figured before I beat my head against the wall for too long, I'd ask the 
> real experts! :)
>  
> 


Re: Forwarding zone, setup

2022-03-01 Thread Grant Taylor via bind-users

On 3/1/22 5:35 AM, Matus UHLAR - fantomas wrote:
> you are right, forwarding queries requires recursion.

Thank you for the confirmation Matus.  :-)



--
Grant. . . .
unix || die





Re: Forwarding zone, setup

2022-03-01 Thread Matus UHLAR - fantomas

> On 2/28/22 1:47 PM, Gregory Sloop wrote:
>> I figured before I beat my head against the wall for too long, I'd 
>> ask the real experts! :)

On 28.02.22 22:27, Grant Taylor via bind-users wrote:
> I'm definitely not an expert.  I don't even pretend to be one on T.V.
>
> But I do wonder what, if any, sort of restrictions you are placing on 
> recursion on your system.
>
> It's my (mis)understanding that recursion has some effect on 
> forwarding queries.  My limited understanding is recursion is another 
> way of saying if the server should chase the answer for you or not.  
> If it doesn't have it in its own data (authoritative and / or cache), 
> then its recursion setting comes into play.
>
> If I'm mistaken, please correct me.

you are right, forwarding queries requires recursion.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.