RE: Configuring a domain slave to look up subdomain hosts

2012-02-27 Thread Nex6



 Original Message 
Subject: Configuring a domain slave to look up subdomain hosts
From: "Mike Bernhardt" <bernha...@bart.gov>
Date: Mon, February 27, 2012 4:50 pm
To: <bind-users@lists.isc.org>


I have a domain and a subdomain which is delegated by the

I am trying to figure out the correct way to have the slave of a parent
domain look up hosts in a subdomain managed by others. I'm running BIND
9.8.1-P1. The current working configuration for the subdomain is this:

options {
    directory "/var/named";
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
    forwarders { 148.165.3.10; };
    forward only;
    recursive-clients 2000;
    zone-statistics yes;
};

zone "domain.com" {
    type slave;
    masters { 10.130.1.30; };
    file "db.domain";
    forwarders { };
};

But using "forwarders" doesn't seem like the correct way to do it. It's in
the options in order to forward internet queries to our external name server
instead of to the root servers, which aren't accessible from inside. I've
been messing with stub zones but that doesn't seem to work:

zone "domain.com" {
    type slave;
    masters { 10.130.1.30; };
    file "db.domain";
};
zone "subdomain.domain.com" {
    type stub;
    masters { 10.2.241.101; 10.2.242.222; };
    file "db.subdomain";
};

With this configuration, the zone file for subdomain.domain.com is correctly
created but when I run tcpdump I can see that queries for
host.subdomain.domain.com are being forwarded to 148.165.3.10, not to the
subdomain name servers. The result of course is NXDOMAIN.

With forwarders set for the zone domain.com, the slave queries the zone
master, which then queries the subdomain name server as it should. So the
stub zone is apparently being ignored.

What is wrong? Perhaps I'm misunderstanding the purpose of stub zones? Let
me know if you need additional config details.

This post requires a much longer response than I have time for, but I will take a quick stab.

A "stub" zone is generally only used for cross-corporate or cross-partner resolving. It gives you a "local" copy of possibly internal zone data.

A "slave" is a type of name server, not a type of zone. Generally you'll have authoritative name servers, and sometimes in bigger shops a number of "slaves", now called secondary name servers. For example, you could have your authoritative name servers behind your firewall and put a slave in the DMZ, sort of thing. Or have a few authoritative name servers and several slaves, so you may have slaves in each datacenter.

A delegation is where you "delegate" a subzone to someone else. For example, you own, say, example.org, and a subgroup wants to manage their own namespace of depart1.example.org, so you delegate depart1.example.org to their name servers, and they will "own" the zone depart1.

Hope this helps clear a few things up.

-Nex6
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: Configuring a domain slave to look up subdomain hosts

2012-02-28 Thread Nex6



 Original Message 
Subject: RE: Configuring a domain slave to look up subdomain hosts
From: "Mike Bernhardt" <bernha...@bart.gov>
Date: Tue, February 28, 2012 10:15 am
To: <bind-users@lists.isc.org>, "'Mark Andrews'" <ma...@isc.org>

So it sounds like in this case, stub zones don't buy me anything? What I wanted was for this secondary to query the subdomain name servers directly instead of relying on the domain primary via forwarding. Is making this server a secondary for the subdomain the only way?

I am a little confused on what you're trying to do; I think your terminology may be making things harder. Generally a stub zone is a local copy of a zone that's not yours. The reasons for doing this are manifold, like it's an internal zone in another entity, or to make sure your name servers always have a copy. But generally it's not needed, and the DNS architecture accounts for much, with caching and TTL.

What you would do is have your primary name server that's authoritative for the zones that it owns, and maybe some slaves to that name server to spread things around, with local caching on the name servers that ensures good lookup times for oft-requested zones.

If you're worried about "slow" lookups, or things always going out to the forwarder, just make sure the local name servers' caches are working, and check the TTLs for the zones you're worried about.

Hope this helps clear things up.

-Nex6

RE: Configuring a domain slave to look up subdomain hosts

2012-02-28 Thread Nex6



 Original Message 
Subject: Re: Configuring a domain slave to look up subdomain hosts
From: Chris Buxton <chris.p.bux...@gmail.com>
Date: Tue, February 28, 2012 4:58 pm
To: Mike Bernhardt <bernha...@bart.gov>
Cc: bind-users@lists.isc.org

Sorry, my mistake. Apparently, it needs to be overridden (disabled) in each affected zone, not just at the domain apex.

If you leave out the stub zones entirely and disable forwarding in the parent zones, it should work. That way, the server is simply following delegations, rather than relying on stub zones.

Regards,
Chris Buxton
BlueCat Networks

I am not a huge fan of stub zones if they can be avoided. Also, a lot of forwarding is also bad, as it adds complexity, though some forwarding is OK and even necessary. It's much cleaner to use TTLs and have internal name servers that cache. Just my 2 cents.

-Nex6

On Feb 28, 2012, at 3:11 PM, Mike Bernhardt wrote:

So, it seems that the stub zone only works as I expected if I disable ALL forwarding- not just in the parent zone but also in global options. Is that the expected behavior for a stub zone? It's not consistent with what you said below.

From: Mike Bernhardt [mailto:bernha...@bart.gov]
Sent: Tuesday, February 28, 2012 2:47 PM
To: 'Chris Buxton'
Cc: bind-users@lists.isc.org
Subject: RE: Configuring a domain slave to look up subdomain hosts

Forwarding was disabled for the parent zone, but it still didn't work. That's why I asked the question. I was doing one or the other, and trying to get rid of forwarding to the domain master. I have it on in global options because we don't let internal name servers go to the root; they forward to our dmz name server for internet lookups. I can set up a forwarding zone on this server for the subdomain as someone else suggested. But if a stub zone is supposed to work, we're back to my original question. Given the information I provided in my initial question, why isn't it working when forwarding is disabled in the parent zone?

From: Chris Buxton [mailto:chris.p.bux...@gmail.com]
Sent: Tuesday, February 28, 2012 10:34 AM
To: Mike Bernhardt
Cc: 'Nex6'; bind-users@lists.isc.org; 'Mark Andrews'
Subject: Re: Configuring a domain slave to look up subdomain hosts

On Feb 28, 2012, at 10:04 AM, Mike Bernhardt wrote:

Yes, you are confused :) I am simply trying to get the domain slave to make queries for hosts in the subdomain which is hosted on other servers, instead of forwarding the queries to the domain master. I thought a stub zone would facilitate this by giving my server the lookup information it needed to do this. Apparently this is not the case. Even though it receives a db file with the NS and SOA information for the subdomain, it is ignoring it. Forwarding works. Being a slave for the subdomain works. Stub zone doesn't work. If it's supposed to "ignore" the stub zone in my configuration, what is the value of a stub zone?

Disable forwarding in the parent zone or in the stub zones and it will work. Forwarding, which is often a poor design choice, overrides stub zones. Disable forwarding selectively or remove it from your architecture completely.

Regards,
Chris Buxton
BlueCat Networks
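The behaviour Chris describes (a stub zone is only consulted when forwarding is switched off in that zone itself; `forwarders { };` in the parent is not enough) is easy to miss in a large named.conf. The checker below is an added example, not part of the thread or of BIND: it parses the `options` and `zone` stanzas, applies that rule to work out which forwarders each zone will effectively use, and lists stub zones that are still shadowed by forwarding. The configuration it runs on is reconstructed from the fragments quoted above; the parser is deliberately small and handles only the statement forms used here, so named-checkconf remains the authoritative syntax check.

```python
import re

# Sample configuration reconstructed from the named.conf fragments quoted in
# the thread (addresses are the ones the original post used).
THREAD_CONFIG = """
options {
    directory "/var/named";
    forwarders { 148.165.3.10; };
    forward only;
};
zone "domain.com" {
    type slave;
    masters { 10.130.1.30; };
    file "db.domain";
};
zone "subdomain.domain.com" {
    type stub;
    masters { 10.2.241.101; 10.2.242.222; };
    file "db.subdomain";
};
"""

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def tokenize(text):
    """Split named.conf text into tokens; drops // and # comments and quote marks."""
    text = re.sub(r'(//|#).*', '', text)
    return [t[1:-1] if t.startswith('"') else t for t in _TOKEN.findall(text)]


def parse(tokens, i=0):
    """Parse statements of the form:  name [args...] [{ nested }] ;
    Returns (list of (name, args, body), index); body is None without a block."""
    stmts = []
    while i < len(tokens) and tokens[i] != "}":
        name = tokens[i]
        i += 1
        args = []
        while tokens[i] not in ("{", ";"):
            args.append(tokens[i])
            i += 1
        body = None
        if tokens[i] == "{":
            body, i = parse(tokens, i + 1)
            i += 1                      # skip the closing brace
        if tokens[i] != ";":
            raise ValueError("expected ';' after %s" % name)
        i += 1
        stmts.append((name, args, body))
    return stmts, i


def forwarders_in(stmts):
    """Forwarders declared directly in this block: a list of addresses, [] when
    declared empty (forwarding disabled), or None when the block is silent."""
    for name, _args, body in stmts:
        if name == "forwarders":
            return [addr for addr, _, _ in body]
    return None


def effective_forwarders(config_text):
    """Map each zone to (type, forwarders actually used for it).
    Rule as observed in the thread for BIND 9.8.1-P1: the zone's own
    'forwarders' statement wins; otherwise the global options apply,
    whatever the parent zone says."""
    top, _ = parse(tokenize(config_text))
    global_fwd = []
    zones = {}
    for name, args, body in top:
        if name == "options":
            global_fwd = forwarders_in(body) or []
        elif name == "zone":
            ztype = next((a[0] for n, a, _ in body if n == "type"), "unknown")
            zones[args[0].lower()] = (ztype, forwarders_in(body))
    return {z: (ztype, global_fwd if own is None else own)
            for z, (ztype, own) in zones.items()}


def shadowed_stub_zones(config_text):
    """Stub zones whose queries still go to a forwarder instead of to the
    name servers learned from the stub's NS records."""
    return sorted(z for z, (ztype, fwd) in effective_forwarders(config_text).items()
                  if ztype == "stub" and fwd)


# The fix Chris describes: disable forwarding inside the stub zone itself.
FIXED_CONFIG = THREAD_CONFIG.replace('file "db.subdomain";',
                                     'file "db.subdomain";\n    forwarders { };')

if __name__ == "__main__":
    print("shadowed stub zones in the thread's config:", shadowed_stub_zones(THREAD_CONFIG))
    print("after adding 'forwarders { };' to the stub:", shadowed_stub_zones(FIXED_CONFIG))
```

Run against the thread's configuration it reports `subdomain.domain.com`, which matches what Mike saw in tcpdump; with `forwarders { };` added to the stub zone the list is empty.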

Reverse zones best practices

2012-06-25 Thread nex6


Hi all,

Looking for some info on best practices for reverse zones. I have a pretty big IP
space and a lot of reverse zones are not created.
I want to clean it up; a few people that don't really know DNS are thinking of
"supernetting", e.g. a top-level 10.0.0.0/16 sort of thing.

But we have 100s of mission-critical reverse zones defined at the VLAN
level of 10.x.x.0/24... My thinking would be to do a
discovery and create all the /24s, even if there are 100s, instead of the
bigger supernet...


What would be the best practice and the way to go?



-Nex6



Re: Reverse zones best practices

2012-06-26 Thread nex6
* David Dowdle  [2012-06-25 14:20:43 -0700]:

So, create zones based on how networking creates VLANs, e.g. /24s? We don't have any
/8 or /16 VLAN networks yet.



 
> I strongly recommend splitting on /8, /16 and /24 boundaries. With
> the number of zones you are talking about, doing anything else will
> get very confusing very quickly.
> 
> If a netblock is larger than a /24, put at the top and bottom of
> each /24 a comment line explaining what size it is
> 
> For example my 10.in-addr.arpa. zone has
> "; this is top of the 10/8 delegates to 10.*/16"
> 
> 
> zone file for 230.16.10.in-addr.arpa has comment ; 10.16.230.0/23
> vlan : Purpose-of-vlan-here 10.16.230.0-10.16.231.255   (512)
> 
> 
> In this way, whoever looks at the zone, no matter how dns savvy they
> are, knows the size of the netblock
> 
> 
> 


Re: Reverse zones best practices

2012-06-26 Thread nex6
* Brad Bendily  [2012-06-25 16:35:28 -0500]:


Wouldn't it be more confusing, in a big IP space with servers, desktops, etc. all
mashed together into one zone?


 
> I don't know about best practice in this case, but I decided to put our 
> reverse entries into one "super netting" file as you call it.
> 
> We had the same problem that a lot of reverse entries were missing, so I wrote
> a script to parse the forward file and create the reverse. Then I incorporated
> that into my "adding a new entry" process so, I never add a reverse entry 
> now, the script creates it. For that matter, all of our forward entries are 
> in one file as well.
> 
> I don't need to look at DNS to find my network structure. I just want DNS to 
> do DNS.
> 
> bb
>  
> 


Re: Reverse zones best practices

2012-06-26 Thread nex6
* Phil Mayers  [2012-06-26 16:54:55 +0100]:


I am not going to be editing files by hand; we actually have a tool. I am more
concerned about best practices, and how to fix the mess.

E.g., say we have about 500 VLANs (/24s) and say only 350 have reverse zones.
From what I understand it's best to just create the missing zones and fix the
tools so new networks always get reverse zones created.

Because I don't think I can just create a larger /16 or /8, because they will
overlap and create a bigger mess.


-Nex6



> If you have enough hosts for this to be confusing, you have enough
> hosts to store the data in some master data-source and automatically
> generate the zone files (or dynamic updates).
> 
> Don't edit zone files manually unless they're trivially small.
> 
> Don't read zone files unless you're debugging.
> 
> Basically: don't do this.
> 
> FWIW we use one large 10.in-addr.arpa file. Likewise for our "real"
> /16 subnets. We don't use a different reverse zone per actual subnet
> - it's pointless, and limits you to byte-aligned subnets or horrible
> delegation tricks.


Re: Reverse zones best practices

2012-06-27 Thread nex6
* Phil Mayers  [2012-06-27 14:29:38 +0100]:





> Do what works for you. If you would rather create the full range of
> x.y.10.in-addr.arpa from your tools, that's fine.
> 
> I'm not sure the "best practice" you are asking about exists in that form.
> 
> One final point though - you *should* have an enclosing
> 10.in-addr.arpa zone or "fill the holes", so that you don't leak
> reverse lookups to the DNS root servers. You might even find that,
> unless you disable it, your nameserver creates the empty zone for
> you.

So, you *should* have a larger 10.x.x.x zone *and* smaller 10.x.x.0/24 zones?
So I am assuming the workflow in this case would
be: records go in the smaller zones, and the larger zone is the
catch-all to prevent leakage?




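To make the discussion concrete, the following is an added example (my own code, not anything from the thread or from BIND) that does what Brad and Phil describe with generated data rather than hand-edited files. It derives PTR records from constructed forward records, reports which /24s hold hosts but have no reverse zone yet (the discovery step nex6 mentions), writes each /24 zone with the netblock-size comment David suggests, and renders an enclosing 10.in-addr.arpa zone that delegates the populated /24s so lookups for the remaining space get an authoritative NXDOMAIN instead of leaking to the root servers. The hostnames, addresses, VLAN table and ns1.example.net are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the thread): forward records in a private /8,
# the reverse zones that already exist, and the VLAN plan (one VLAN wider than /24).
FORWARD_RECORDS = [
    ("gw.vlan10.example.net.", "10.16.10.1"),
    ("srv1.vlan10.example.net.", "10.16.10.20"),
    ("gw.vlan11.example.net.", "10.16.11.1"),
    ("printer.vlan230.example.net.", "10.16.230.7"),
    ("fs.vlan231.example.net.", "10.16.231.9"),
]
EXISTING_REVERSE_ZONES = {"10.16.10.in-addr.arpa", "230.16.10.in-addr.arpa"}
VLANS = {"10.16.10.0/24": "servers", "10.16.11.0/24": "desktops",
         "10.16.230.0/23": "printers-and-storage"}
NS_NAME = "ns1.example.net."           # hypothetical authoritative server
SOA_RNAME = "hostmaster.example.net."  # hypothetical contact


def _net(network):
    return ipaddress.ip_network(network) if isinstance(network, str) else network


def reverse_zone_name(network):
    """10.16.230.0/24 -> '230.16.10.in-addr.arpa' (no trailing dot)."""
    o = str(_net(network).network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"


def group_by_slash24(records):
    """Bucket (host, address) pairs by their enclosing /24."""
    groups = defaultdict(list)
    for host, addr in records:
        groups[ipaddress.ip_network(f"{addr}/24", strict=False)].append((host, addr))
    return groups


def missing_reverse_zones(records, existing):
    """The discovery step: /24s that hold hosts but have no reverse zone yet."""
    return sorted(reverse_zone_name(n) for n in group_by_slash24(records)
                  if reverse_zone_name(n) not in existing)


def enclosing_vlan(network):
    """Find the VLAN a /24 belongs to, so the zone can carry a size comment."""
    network = _net(network)
    for cidr, purpose in VLANS.items():
        vlan = ipaddress.ip_network(cidr)
        if network.subnet_of(vlan):
            return vlan, purpose
    return network, "unknown"


def soa_and_ns(serial):
    return [f"@ IN SOA {NS_NAME} {SOA_RNAME} ( {serial} 3600 900 1209600 3600 )",
            f"@ IN NS {NS_NAME}"]


def render_slash24_zone(network, records, serial=2012062601):
    """Zone file for one /24, with PTRs derived from the forward data."""
    network = _net(network)
    vlan, purpose = enclosing_vlan(network)
    lines = [f"$ORIGIN {reverse_zone_name(network)}.", "$TTL 3600",
             f"; {vlan} vlan : {purpose} {vlan[0]}-{vlan[-1]} ({vlan.num_addresses})"]
    lines += soa_and_ns(serial)
    for host, addr in sorted(records, key=lambda r: ipaddress.ip_address(r[1])):
        lines.append(f"{addr.split('.')[-1]} IN PTR {host}")
    return "\n".join(lines) + "\n"


def render_enclosing_zone(records, serial=2012062601):
    """10.in-addr.arpa catch-all: delegates each populated /24 and answers
    NXDOMAIN for everything else, so reverse lookups never reach the roots."""
    lines = ["$ORIGIN 10.in-addr.arpa.", "$TTL 3600"] + soa_and_ns(serial)
    for net in sorted(group_by_slash24(records)):
        o = str(net.network_address).split(".")
        lines.append(f"{o[2]}.{o[1]} IN NS {NS_NAME}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("missing reverse zones:", missing_reverse_zones(FORWARD_RECORDS, EXISTING_REVERSE_ZONES))
    for net, recs in sorted(group_by_slash24(FORWARD_RECORDS).items()):
        print(render_slash24_zone(net, recs))
    print(render_enclosing_zone(FORWARD_RECORDS))
```

The per-/24 files stay byte-aligned, which is what makes the delegation from 10.in-addr.arpa straightforward; a VLAN wider than a /24 simply spans several files that all carry the same netblock comment, which is the layout David describes for his 10.16.230.0/23.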


Re: Query about mirroring Root DNS Server

2012-07-09 Thread nex6
* Tony Finch  [2012-07-06 11:30:43 +0100]:

> Gaurav Kansal  wrote:
> >
> > Somewhere I heard that one of the Root Servers allows you to take a zone
> > copy of that, so that if you want to look and feel about Root DNS
> > servers, you can do so.
> >
> > Is it true? If yes then can anyone please guide me which Root DNS Server
> > is allowing for the same?
> 
> You can find out for yourself (see below). I usually use the F root since
> I know the ISC has a long-term policy of allowing zone transfers.
> 
> Some people like to slave the root zone on their recursive servers instead
> of using the root zone hints. This is not the same as looking or feeling
> like a root server. If you want to actually look and feel like a root
> server, talk to ICANN who are very liberal in allowing sites to host
> instances of the L root.
> http://blog.icann.org/2012/03/l-root-in-your-pocket/
> http://dns.icann.org/lroot/infocollect/
> 
> $ for i in `jot -c 13 97`; do echo === $i; dig axfr . @$i.root-servers.net | 
> grep failed; done
> === a
> ; Transfer failed.
> === b
> === c
> === d
> ; Transfer failed.
> === e
> ; Transfer failed.
> === f
> === g
> === h
> ; Transfer failed.
> === i
> ; Transfer failed.
> === j
> ; Transfer failed.
> === k
> === l
> ; Transfer failed.
> === m
> ; Transfer failed.
> 
> Tony.



What would be the benefits of slaving root?



-Nex6 





> -- 
> f.anthony.n.finch  http://dotat.at/
> Viking: Northeasterly 4 or 5, increasing 6 or 7 later in northwest. Slight or
> moderate, becoming rough later in north. Fair. Moderate or good.


Forwarder and stub records

2012-07-17 Thread nex6

When should you use forwarding records/zones or stub records/zones? And how
does using them affect client lookups? Or affect the
name server doing the forwarding?

For example, say you have two groups who both have the same parent... say:

parent.com

But group1 @ group1.parent.com owns all the "clients" and even group2 is a
client, but group2 has its own zone.
So group2 wants a forwarder on group1's name server, so the client lookups never
have to go to parent.com.


So the top question is when do you use these kinds of records and zones, and in
the example is it good to forward? Or not?



-Nex6




port 53 tcp/udp

2012-07-17 Thread nex6
When does BIND, or DNS in general, use TCP and when does it use UDP?

From what I have read, the client's initial request, if under 512b, comes in on
UDP port 53, and if (depending on the local
resolver) it needs to retry, it *could* be a TCP port 53 request?

Now that's client to name server;


What about recursive lookups? Or forwarded requests? Etc.


How does that work?




-Nex6




Re: port 53 tcp/udp

2012-07-17 Thread nex6
* Mark Andrews  [2012-07-18 07:43:34 +1000]:

> 
> In message <20120717194840.GA3773@glasya2>, nex6 writes:
> > when does bind or dns in general use tcp and when does it use udp?
> 
> When it needs to.  TCP support is NOT optional.
>  
> > from what i have read, from the client intial request if under 512b
> > come in on UDP port 53, if and depending on the local
> > resolver in needs to retry it *could* be a tcp port 53 request?
> > 
> > now thats client to name server;
> > 
> > 
> > what about, recursive lookups? or forwarded requests? etc 
> 
> It's still client to server.  Recursive servers have a client side
> and a server side.
> 
> > how does that work?
> 
> Exactly the same way.
>  
> > -Nex6

Thanks for the reply. I have an internal client with their own NS that is
blocking TCP port 53, and complaining of random
issues, like our NS not sending them traffic randomly.

I told them to unblock port 53 TCP, then call me.



> > 
> > 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
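Mark's "when it needs to" is the truncation (TC) rule of RFC 1035: a resolver sends its query over UDP; if the server cannot fit the reply into the 512-byte UDP limit it sets the TC flag and sends no answers, and the client repeats the query over TCP, where every message is prefixed with a 2-byte length. The code below is an added example, not from the thread or from BIND. It builds and parses DNS messages at the wire level, plays both the server and the client side in memory against a constructed zone, and shows what a firewall that drops TCP/53 turns a large answer into, which is the intermittent failure the client in this thread is complaining about. Names and addresses are constructed.

```python
import struct

# Constructed sample zone (not from the thread): one small answer and one large
# enough that the reply no longer fits in a classic 512-byte UDP datagram.
SAMPLE_ZONE = {
    "small.example.": ["192.0.2.1"],
    "big.example.": [f"192.0.2.{i}" for i in range(1, 41)],
}
UDP_LIMIT = 512  # RFC 1035 UDP payload limit without EDNS0


def encode_name(name):
    """'big.example.' -> wire-format labels b'\\x03big\\x07example\\x00'."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def decode_qname(msg, pos=12):
    """Read the uncompressed name in the question section (starts at offset 12)."""
    labels = []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + "."


def build_query(qname, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1, one question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def build_response(query, addresses, truncate=False):
    """Echo the question and append one A record per address. With truncate=True
    set TC and include no answers, as a server does when the full reply would
    not fit the UDP limit."""
    flags = 0x8180 | (0x0200 if truncate else 0)       # QR, RD, RA (+TC)
    answers = [] if truncate else addresses
    question = query[12:query.index(b"\x00", 12) + 5]  # name + type + class
    out = struct.pack("!HHHHHH", parse_header(query)["id"], flags,
                      1, len(answers), 0, 0) + question
    for ip in answers:
        rdata = bytes(int(o) for o in ip.split("."))
        # owner = pointer to the question name, type A, class IN, TTL 300, 4-byte rdata
        out += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return out


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data):
    (length,) = struct.unpack("!H", data[:2])
    return data[2:2 + length]


def fake_udp_server(query):
    addrs = SAMPLE_ZONE.get(decode_qname(query), [])
    full = build_response(query, addrs)
    return full if len(full) <= UDP_LIMIT else build_response(query, addrs, truncate=True)


def fake_tcp_server(framed):
    query = tcp_unframe(framed)
    return tcp_frame(build_response(query, SAMPLE_ZONE.get(decode_qname(query), [])))


def blocked_tcp_server(framed):
    """Stand-in for a firewall that only lets UDP/53 through."""
    raise ConnectionRefusedError("TCP/53 filtered")


def resolve(qname, udp_send=fake_udp_server, tcp_send=fake_tcp_server):
    """Client side of the exchange: UDP first, retry over TCP when TC is set.
    Returns (transport used, number of answers received)."""
    query = build_query(qname)
    reply = udp_send(query)
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("reply ID does not match the query")
    if not hdr["tc"]:
        return "udp", hdr["ancount"]
    try:
        reply = tcp_unframe(tcp_send(tcp_frame(query)))
    except OSError:
        return "tcp-blocked", 0  # truncated UDP reply and no TCP path: the lookup fails
    return "tcp", parse_header(reply)["ancount"]


if __name__ == "__main__":
    for name in SAMPLE_ZONE:
        print(name, resolve(name))
    print("big.example. with TCP/53 blocked:", resolve("big.example.", tcp_send=blocked_tcp_server))
```

The same client/server pair runs in every hop of a recursive or forwarded lookup, which is Mark's point that a recursive server is a client on one side and a server on the other; a TCP/53 block anywhere on the path only shows up for the names whose answers happen to exceed the UDP limit, hence the "random" failures.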


Re: port 53 tcp/udp

2012-07-17 Thread nex6
* Lance Bailey  [2012-07-17 14:50:43 -0700]:

> On Tuesday, July 17, 2012 2:43:34 PM UTC-7, Mark Andrews wrote:
> > In message <20120717194840.GA3773@glasya2>, nex6 writes:
> > > when does bind or dns in general use tcp and when does it use udp?
> > 
> > When it needs to.  TCP support is NOT optional.
> 
> In particular for notification of secondaries and the subsequent xfer request 
> sequence both TCP and UDP are used. without both, the sequence does not work.


Thanks for the reply.






Re: Windows DNS question

2013-12-18 Thread Nex6
* Matus UHLAR - fantomas  [2013-12-18 09:46:33 +0100]:

> On 17.12.13 17:05, Davis, Donald W wrote:
> >Sorry if this is the wrong forum for a Windows question.
> 
> not for a windows questions...
> 
> >Can clearing the Cache on Windows Domain Controller DNS server have any
> >impact on forwarding, even if only for a few seconds?
> 
> but surely for windows DNS question...

This is a BIND list; please ask this question at the Microsoft TechNet
forums. But clearing the cache is a non-impact event. It only means
some of the first lookups take a few ms longer while the cache is rebuilt.




> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Chernobyl was an Windows 95 beta test site.


writeable secondary zone?

2017-01-03 Thread Nex6
I have a very specific issue, where a partner org wants me to add an
SRV record for their org. (I don't want to.)

- NOTE: and it's for a major cloud app (to remain nameless) that points
back to their Active Directory.


But this is a requirement for a cloud application. The only solution I
can think of so far is to build out a new DNS box for just the users
that need to use this application,

and add the SRV record there. But, not sure how you could set up a
secondary zone that's writeable?

Any thoughts on this?

-Nex6


Re: writeable secondary zone?

2017-01-03 Thread Nex6
On Wed, Jan 04, 2017 at 01:46:07AM +0100, Reindl Harald wrote:
> 
> 
> you can't write in a slave zone
> 
> https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html


Yes, I know; that's why I asked if there was a way to do this. I suspect
I am stuck.




Re: writeable secondary zone?

2017-01-04 Thread Nex6
On Tue, Jan 03, 2017 at 05:22:56PM -0800, Carl Byington wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> On Tue, 2017-01-03 at 16:35 -0800, Nex6 wrote:
> I have a very specific issue, where a partner org, wants me to add an
> > SRV record for there org. (i dont want to)
> 
> If I understand the question, we have
> 
> nex6.example.com -- under your dns control
> 
> partner.example.com -- dns under the control of your partner, and they
> want *you* to see something like:
> 
> _http._tcp.partner.example.com.  SRV  0 5 80  www.example.com.
> 
> but they don't want to add that record in their own partner.example.com
> zone where it would be visible to the world.
> 
> You could use RPZ on your recursive resolvers for that, to add that SRV
> record into their zone (assuming that they are not DNSSEC signing their
> zones). Of course, that record would then be visible to all of your
> users, not just the ones using that application. But does the existance
> of that extra SRV record hurt any of those users?

Both orgs have internal private DNS, which includes "Active
Directory" zones.

The partner org has a cloud-based app that they are integrated with,
that now some of our users need access to, and they need to use the
partner org domain cred.

So they wanted me to add, more or less,

SRV _appname ->ad.partnerdomain.org

Because said app might exist on our network and/or we might have to
add that record in the future, I don't want to add the record, since
you can only have one SRV record, and having another org's SRV pointing
back to their Active Directory just seems like an all-bad idea.

The problem is, when our users on our network connect to this app, for
it to authenticate it needs the SRV record telling the app where AD is.
Since our network/NS does not have the record ... fail.

We tried hosts files but that does not seem to work with SRV records,
and not sure if I create a forward zone and point directly to their NS
if that would work.

-Nex6





> 
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2.0.14 (GNU/Linux)
> 
> iEYEAREKAAYFAlhsTkIACgkQL6j7milTFsGwfACeNi6U4lBSKetOjHZ6yk1fnZF3
> 4+gAn2JwvxmNv8fksTd20Y8mW+o7QOdZ
> =Snhu
> -END PGP SIGNATURE-
> 
> 


Re: writeable secondary zone?

2017-01-04 Thread Nex6
On Wed, Jan 04, 2017 at 12:23:44PM +1100, Mark Andrews wrote:
> 
> In message <20170104010026.GA3160@ubuntu>, Nex6 writes:
> > On Wed, Jan 04, 2017 at 01:46:07AM +0100, Reindl Harald wrote:
> > > 
> > > 
> > > Am 04.01.2017 um 01:35 schrieb Nex6:
> > > >I have a very specific issue, where a partner org wants me to add an
> > > >SRV record for their org. (I don't want to.)
> > > >
> > > >- NOTE: and it's for a major cloud app (to remain nameless) that points
> > > >back to their Active Directory.
> > > >
> > > >But this is a requirement for a cloud application. The only solution I
> > > >can think of so far is to build out a new DNS box for just the users
> > > >that need to use this application,
> > > >
> > > >and add the SRV record there. But, not sure how you could set up a
> > > >secondary zone that's writeable?
> > > 
> > > you can't write in a slave zone
> > > 
> > > https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html
> > 
> > 
> > Yes, I know, that's why I asked if there was a way to do this. I suspect
> > I am stuck.
> 
> You don't need to modify a zone to graft on a SRV record as it will be
> prefixed with one or more labels.  You add a zone for that name.
> 
> _example._tcp.example.com
> 
> Now if _tcp.example.com already exists you add _example._tcp.example.com with
> zone content similar to this:
> 
>   @ SOA ...
>   @ NS ...
>   @ SRV 
> 
> If _tcp.example.com does not already exist you add _tcp.example.com with zone
> content similar to this:
> 
>   @ SOA ...
>   @ NS ...
>   _example SRV 
> 
> This prevents your clients seeing NXDOMAIN for _tcp.example.com.
> 
> The better way to do all this however would be for the partner to
> create the relevant zones with the SRV records (giving them change
> control of the contents) and have you slave them on your recursive
> servers possibly using TSIG to get the correct instance from them.
> They can supply you with example.com with the SRV records present
> or one of the above zones.  Your clients will see
> _example._tcp.example.com either way and it deals with their paranoia
> over publishing a SRV record to the world.
> 
> There is no need for you to muck with views for this.
> 
> Mark

Hmmm, I wonder if a forward zone would work? Or maybe us slaving their
zone might be better.






> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
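Mark's graft, worked through as an added example (this is not code from the thread or from ISC). It holds the zone file for the "_tcp.example.com does not already exist" variant, a toy loader that enforces the apex rule named enforces (one SOA, at least one NS), the closest-enclosing-zone rule that makes the small master zone win over the slaved parent for _example._tcp.example.com, and the lookup that returns NODATA rather than NXDOMAIN for _tcp.example.com itself. The SOA/NS names, the 192.0.2.53 master, the serial, and the SRV target app.partnerdomain.org on port 443 are placeholders, as is the named.conf layout in the docstring.

```python
"""Grafting an SRV record without touching the slaved parent zone.

Added example, not code from the thread or from ISC. Assumed named.conf
on the recursive server (RFC 5737 placeholder addresses):

  zone "example.com"      { type slave;  masters { 192.0.2.53; }; file "db.example.com"; };
  zone "_tcp.example.com" { type master; file "db._tcp.example.com"; };

The loader below is a toy; run named-checkzone on the real file.
"""
from collections import defaultdict

# Zones configured on the resolver: name -> type.
CONFIGURED_ZONES = {"example.com.": "slave", "_tcp.example.com.": "master"}

GRAFT_ZONE_NAME = "_tcp.example.com."
# Placeholder names, serial, port and target; the SRV row is the payload.
GRAFT_ZONE_TEXT = """\
$TTL 3600
@        IN SOA ns1.resolver.example.com. hostmaster.example.com. (
                2017010401 3600 900 604800 300 )
@        IN NS  ns1.resolver.example.com.
; owner         prio weight port target
_example IN SRV 0 0 443 app.partnerdomain.org.
"""


def parse_zone(text, origin):
    """Tiny master-file reader: $-directives, '@', relative owner names,
    ';' comments and parenthesised multi-line records (owner required)."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            records.append(" ".join(buf))
            buf = []
    if depth:
        raise ValueError("unbalanced parentheses")
    rrs = defaultdict(list)          # owner -> [(type, rdata tokens)]
    for rec in records:
        tok = rec.split()
        if tok[0].startswith("$"):
            continue                 # $TTL etc.: not needed for lookups
        owner = origin if tok[0] == "@" else tok[0]
        if not owner.endswith("."):
            owner += "." + origin
        rest = tok[2:] if tok[1].upper() == "IN" else tok[1:]
        rrs[owner.lower()].append((rest[0].upper(), rest[1:]))
    return dict(rrs)


def check_apex(rrs, origin):
    """What named refuses to load: exactly one SOA and at least one NS
    at the apex. Returns True or raises ValueError."""
    apex = rrs.get(origin.lower(), [])
    soa = sum(1 for t, _ in apex if t == "SOA")
    ns = sum(1 for t, _ in apex if t == "NS")
    if soa != 1:
        raise ValueError("%s: %d SOA records at apex" % (origin, soa))
    if ns == 0:
        raise ValueError("%s: no NS at apex" % origin)
    return True


def closest_enclosing_zone(configured, qname):
    """named serves a name from the most specific configured zone that
    encloses it, so _tcp.example.com (master) beats example.com (slave)
    for _example._tcp.example.com. Returns the zone name or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in configured:
            return candidate
    return None


def answer(rrs, qname, qtype):
    """Look qname/qtype up inside one loaded zone. Returns (status, rdatas)
    with status ANSWER, NODATA (name exists, not that type) or NXDOMAIN."""
    q = qname.lower()
    if q in rrs:
        hits = [rd for t, rd in rrs[q] if t == qtype.upper()]
        return ("ANSWER", hits) if hits else ("NODATA", [])
    # An empty non-terminal (records only below it) still exists.
    if any(owner.endswith("." + q) for owner in rrs):
        return ("NODATA", [])
    return ("NXDOMAIN", [])


def resolve_srv(qname, zones=CONFIGURED_ZONES, loaded=None):
    """Pick the enclosing zone, then answer from it if we hold its data.
    loaded maps zone name -> parsed rrs for zones loaded locally."""
    loaded = loaded or {GRAFT_ZONE_NAME: parse_zone(GRAFT_ZONE_TEXT, GRAFT_ZONE_NAME)}
    zone = closest_enclosing_zone(zones, qname)
    if zone is None:
        return "RECURSE", None               # not ours: recurse or forward
    if zone not in loaded:
        return "ZONE:" + zone, None          # e.g. the slaved parent
    status, rdatas = answer(loaded[zone], qname, "SRV")
    if status != "ANSWER":
        return status, None
    prio, weight, port, target = rdatas[0]
    return status, (target, int(port))
```

The real check on the file is named-checkzone _tcp.example.com db._tcp.example.com; the toy loader only reproduces the apex rule. Note the cost of the wider graft: every other name under the grafted apex is now answered locally, so if the parent later publishes its own _something._tcp.example.com records, this resolver's clients will get NXDOMAIN for them (the _other._tcp case above). That is why Mark says to graft the narrower _example._tcp.example.com when _tcp.example.com already exists, or better, to slave a zone the partner maintains.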


stub zones

2014-06-02 Thread Nex6|Bill
Recently, a question came up about "stub" zones: what they are, and are they
part of the DNS standards, or are they a good idea? I said they are evil and
should not be used if you can avoid it. The way I understand them is they are
when you create local zones for zones you are NOT authoritative for, and the
records in the stub zone do not update when the authoritative NS does.


Correct? Thoughts?


-Nex6

Re: stub zones

2014-06-02 Thread Nex6|Bill
I guess I am having issues with this (maybe I am not fully getting it), and yeah,
I know large environments sometimes have multiple sets of name servers,
sometimes department level (I have this issue in my shop; it's a damn mess).

If all the zones are delegated properly the local resolver will query its NS,
and that NS will know where it should go next, whether it's an internet-side
query or navigating the mess of local NS servers that some folks have. In the
case of DNS views, where the local resolver may NOT be able to get to the
correct view, a forwarder would be better so you can point to the internal-view
NS. This keeps NS servers that are authoritative and responsible for handing
out resource records doing just that: handing them out. And unless you're
dealing with a load balancer (which is its own exception) which needs short
TTLs, a caching forwarder is far better in most cases.


I guess I am still not sure of the point of a stub zone, where you point to a
different NS than the authoritative NS for that zone, unless you're changing
the records,

which is all bad.

  


On Monday, June 2, 2014 2:18 PM, John Miller  wrote:
 

>
>
>Not quite, Bill.  You point the zone at a different name server, but 
>_your_own_nameserver_ still does the iterative queries to make things 
>happen.  It just queries a different set of nameservers than would 
>happen through normal delegation.
>
>The only recursive query going on is from the client to your nameserver.
>
>Since you asked the question, what would you propose as an alternative 
>for folks running multiple sets of nameservers with different info on them?
>
>John
>
>
>On 06/02/2014 04:52 PM, Nex6|Bill wrote:
>> So, stub zones allow you to point a zone to a different name server, and
>> that name server to recurse to get the records for that zone. Why? Why
>> not let DNS work the way it is supposed to and let your name servers work
>> for you to the authoritative name server to get the records? Unless
>> you're changing the zone records, which is what most people I know use it
>> for, which is evil :)
>>
>> It's almost the same as creating a local zone for something you're not
>> authoritative for and then having to maintain those records. But, I
>> guess there may be cases where it may be useful, I guess.
>>
>>
>> On Monday, June 2, 2014 1:33 PM, John Miller  wrote:
>>
>>
>>
>>     Evil?  Seems a bit strong.  Unusual?  Use with caution?  OK.
>>
>>     Stub zones mean that you're using a different set of authoritative
>>     nameservers for a particular domain.  You're not storing all of that
>>     domain's records, except through the usual caching process.  If it's
>>     a domain you control, where's the harm?
>>
>>     Also, let's say that you're nominally a caching-only nameserver.
>>     You're responsible for making iterative queries, and you do not want
>>     the RD bit set.  AFAIK, stub zones are the way to accomplish that.
>>     Forward zones just pass recursive queries on to someplace else.
>>
>>     John
>>
>>
>>
>>
>>     --
>>     John Miller
>>     Systems Engineer
>>     Brandeis University
>>    johnm...@brandeis.edu <mailto:johnm...@brandeis.edu>

Forward vs Authoritative traffic

2014-11-07 Thread Nex6|Bill
I am going to be adding a type forward zone for an important zone. How can I
test that the forward is working correctly? If I do a dig against the NS the
record will return no matter if it's an auth or fwd zone.

-Nex6



Re: Forward vs Authoritative traffic

2014-11-07 Thread Nex6|Bill
My name server is not authoritative for it, but I want to verify once the
forward is in place that the query is following the forward and not the
authoritative path.


On Nov 7, 2014, at 11:46 AM, Barry Margolin  wrote:

> In article ,
> Nex6|Bill  wrote:
> 
>> I am going to be adding a type forward zone for an important zone. How can
>> I test that the forward is working correctly? If I do a dig against the NS
>> the record will return no matter if it's an auth or fwd zone.
> 
> If you don't have a zone file for the zone on the server, yet it returns 
> the correct answer, then it must be forwarding. Where else would it get 
> the answer?
> 
> -- 
> Barry Margolin
> Arlington, MA




Re: Forward vs Authoritative traffic

2014-11-07 Thread Nex6|Bill
Our parent org owns the parent zone, and this zone is delegated from there to
a load balancer onsite, which is authoritative. But the query path for a
normal query crosses the internet gateway because that's where the parent
is (very short TTL).

Any internet connection issue causes issues, so I am going to put a forward
zone directly from my NS to the load balancer which is auth for the zone. That
way, if the internet gateway is down or has issues the application will still
function.

-Nex6


On Nov 7, 2014, at 1:04 PM, Chris Buxton  wrote:

> On Nov 7, 2014, at 11:35 AM, Nex6|Bill  wrote:
>> 
>> I am going to be adding a type forward zone for an important zone. How can
>> I test that the forward is working correctly? If I do a dig against the NS
>> the record will return no matter if it's an auth or fwd zone.
> 
> Will your server be receiving recursive or iterative queries (rd=1 or rd=0) 
> for the zone? Forwarding zones like this don't work for iterative queries.
> 
> Chris




Re: Forward vs Authoritative traffic

2014-11-07 Thread Nex6|Bill
The zone is hosted on a load balancer, with the parent org's NS on the internet
side. When the internet goes down, the application goes down. Putting a forward
zone in means internet downtime does not cause issues.


On Nov 7, 2014, at 12:56 PM, Darcy Kevin (FCA)  wrote:

> If your nameserver can get the info equally reliably either way, I'd question 
> why you're using forwarding in the first place.
> 
> Do you think you're going to get some sort of performance benefit from that?
> 
> But, to answer your question, in the absence of taking a packet capture, you 
> could always define all the authoritative nameservers as "blackhole" or 
> "bogus" in your named.conf and see if the names still resolve (this assumes 
> that the forwarders are *not* the same, or a subset, of the auth servers. If 
> they are the same, or a subset, then I *really* would question why you're 
> forwarding in the first place, since in that case the queries are going to 
> *exactly*the*same*place*, and all you're basically doing is manipulating the 
> value of the "RD" bit).
> 
>   
> - Kevin
> 
> -Original Message-
> From: bind-users-boun...@lists.isc.org 
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Nex6|Bill
> Sent: Friday, November 07, 2014 3:05 PM
> To: Barry Margolin
> Cc: comp-protocols-dns-b...@isc.org
> Subject: Re: Forward vs Authoritative traffic
> 
> My name server is not authoritative for it, but I want to verify once the
> forward is in place that the query is following the forward and not the
> authoritative path.
> 
> 
> On Nov 7, 2014, at 11:46 AM, Barry Margolin  wrote:
> 
>> In article ,
>> Nex6|Bill  wrote:
>> 
>>> I am going to be adding a type forward zone for an important zone.
>>> How can I test that the forward is working correctly? If I do a dig
>>> against the NS the record will return no matter if it's an auth or fwd zone.
>> 
>> If you don't have a zone file for the zone on the server, yet it 
>> returns the correct answer, then it must be forwarding. Where else 
>> would it get the answer?
>> 
>> --
>> Barry Margolin
>> Arlington, MA
> 



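Kevin's answer gives two ways to prove which path a query takes: a packet capture, or marking the authoritative servers bogus in named.conf (server 203.0.113.5 { bogus yes; }; or a blackhole list) and seeing whether in-zone names still resolve. The block below is an added example, not from the thread: it builds DNS queries on the wire with RD set or cleared (Chris's point that a forward zone is only consulted while recursing for an RD=1 query), parses the question and header flags back out, and runs the capture-side check, flagging any query inside the forwarded zone that left the resolver towards anything other than the forwarder. The zone name app.example.com, the forwarder 192.0.2.53, the 203.0.113.x authoritative address and the tcpdump filter are assumptions; the "captured" packets in the test are constructed with the builder, not taken from a real trace.

```python
"""Does a forwarded zone's traffic really go to the forwarder?

Added example, not from the thread. Assumed names and RFC 5737 addresses:
the forwarded zone is app.example.com, the on-site load balancer that is
authoritative for it (our forwarder) is 192.0.2.53, and the parent org's
servers on the internet side live in 203.0.113.0/24.

Capture the resolver's outbound DNS, for instance
  tcpdump -n -i eth0 -w out.pcap 'udp dst port 53 and src host <resolver>'
then hand (dst_ip, udp_payload) pairs to check_forward_path(). The
config-side alternative Kevin describes is
  server 203.0.113.5 { bogus yes; };
after which in-zone names should still resolve, via the forwarder only.
"""
import socket
import struct

ZONE = "app.example.com."
FORWARDER = "192.0.2.53"
QTYPE_A = 1


def encode_name(name):
    """Wire-format a dotted name; queries never use compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, rd=True, txid=0x1234):
    """One-question DNS query. rd=False is Chris Buxton's point: named
    only consults a forward zone while recursing, so an RD=0 query is
    answered from zone data or cache and never follows the forward."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """(txid, flags, qname, qtype) from a query or the reply to one."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected one question, got %d" % qdcount)
    pos, labels = 12, []
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, flags, ".".join(labels) + ".", qtype


def flag_bits(flags):
    """Header bits worth reading in a reply: aa=1 only when the answering
    server is authoritative (a forwarded or cached answer has aa=0),
    ra=1 when it offers recursion."""
    return {"qr": flags >> 15 & 1, "aa": flags >> 10 & 1,
            "rd": flags >> 8 & 1, "ra": flags >> 7 & 1,
            "rcode": flags & 0xF}


def in_zone(qname, zone):
    q, z = qname.lower(), zone.lower()
    return q == z or q.endswith("." + z)


def check_forward_path(captured, zone=ZONE, forwarder=FORWARDER):
    """captured: iterable of (dst_ip, udp_payload) the resolver sent.
    Returns (clean, leaks); leaks lists (qname, dst) for in-zone queries
    that went anywhere but the forwarder, i.e. the authoritative path."""
    leaks = []
    for dst, payload in captured:
        _, flags, qname, _ = parse_question(payload)
        if flag_bits(flags)["qr"]:
            continue                     # a reply, not an outbound query
        if in_zone(qname, zone) and dst != forwarder:
            leaks.append((qname, dst))
    return not leaks, leaks


def query(server, name, rd=True, timeout=2.0):
    """Live probe (network required): returns the reply's header bits."""
    pkt = build_query(name, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    txid, flags, _, _ = parse_question(data)
    if txid != 0x1234:
        raise ValueError("transaction id mismatch")
    return flag_bits(flags)
```

The flags alone cannot settle Bill's question: his server is not authoritative either way, so aa is 0 whether the answer came through the forward or through normal iteration. What does settle it is where the outbound packets go, which is why the check keys on the destination address. Run rndc flush first so the answer cannot come from cache, query once with rd=True, and feed the capture to check_forward_path(); an empty leaks list means nothing in the zone was asked of the 203.0.113.x servers.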

Re: Forward vs Authoritative traffic

2014-11-07 Thread Nex6|Bill
5 sec TTL, with a lot of load balancer based rules, on a lot of servers…



On Nov 7, 2014, at 1:31 PM, Chris Buxton  wrote:

> On Nov 7, 2014, at 1:29 PM, Nex6|Bill  wrote:
>> 
>> Our parent org owns the parent zone, and this zone is delegated from there
>> to a load balancer onsite, which is authoritative. But the query path for
>> a normal query crosses the internet gateway because that's where the parent
>> is (very short TTL).
>> 
>> Any internet connection issue causes issues, so I am going to put a forward
>> zone directly from my NS to the load balancer which is auth for the zone.
>> That way, if the internet gateway is down or has issues the application will
>> still function.
> 
> I suspect a static-stub zone is more what you want, but yes, that sounds like 
> it should work.
> 
> Chris
> 
>> On Nov 7, 2014, at 1:04 PM, Chris Buxton  wrote:
>> 
>>> On Nov 7, 2014, at 11:35 AM, Nex6|Bill  wrote:
>>>> 
>>>> I am going to be adding a type forward zone for an important zone. How
>>>> can I test that the forward is working correctly? If I do a dig against
>>>> the NS the record will return no matter if it's an auth or fwd zone.
>>> 
>>> Will your server be receiving recursive or iterative queries (rd=1 or rd=0) 
>>> for the zone? Forwarding zones like this don't work for iterative queries.
>>> 
>>> Chris
>> 
> 


