Re: forwarding zone to another DNS server problem

2014-11-05 Thread Joshua Smith
Kevin,
Thanks for this post.  It's the most succinct description of stub zones
I've ever read.  I've often tried to wrap my head around when to use a
stub and when to use a conditional forwarder and I *think* your
description has cleared that up for me.


On Wed, Nov 05, 2014 at 03:21:00PM +, Darcy Kevin (FCA) wrote:
> My attempt to explain "stub"...
> 
> It's like conditional forwarding, without the recursion. You tell named where 
> the top of the namespace tree is hosted, and it issues *iterative* (= 
> non-recursive) queries for names in that part of the tree. (Unless, of 
> course, you have a definition further down in that namespace that overrides 
> the behavior).
> 
> As someone else pointed out, this raises the requirement that you have 
> *direct* connectivity to the published authoritative nameservers for the top 
> level of the zone, and any other descendant zones (unless, again, you 
> override those parts of the namespace tree with some other definition). In a 
> DMZ environment, you may not have open and clear communication to 
> *everything* that you need, and therefore "stub" might not be a good fit in 
> that case. You might be forced, as a last resort, to use forwarding, in such 
> a scenario.
> 
> Beyond that understanding, there are differences in how named *gets* the 
> apex-NS information for a "stub" zone. The "classic" stub model is to use a 
> similar replication method as slaving, i.e. driven by the 
> REFRESH/RETRY/EXPIRE settings in the SOA of the zone. This will generate 
> periodic refresh traffic in the form of SOA and/or NS queries. With the newer 
> "static-stub" model (which, full disclosure, I've never actually *used*), 
> apparently you just plug the addresses of the auth servers directly into the 
> config, and no "refreshing" is necessary. There are pros and cons, that come 
> to mind, for each of those flavors of "stub".
> 
>   
> - Kevin
> 
> -Original Message-
> From: bind-users-boun...@lists.isc.org 
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Tony Finch
> Sent: Tuesday, November 04, 2014 5:10 AM
> To: houguanghua
> Cc: bind-users@lists.isc.org
> Subject: RE: forwarding zone to another DNS server problem
> 
> houguanghua  wrote:
> 
> > I'm not familiar with 'stub'.  The description of 'stub' is hard to 
> > understand.
> 
> Yes it's a bit weird. Think of it like the root hints but for other zones:
> i.e. a hint zone configuration in a recursive server tells named that instead 
> of using a referral from the parent zone to find the name servers for this 
> zone, use these configured name servers. However the name servers at the 
> zone's apex can override your configuration.
> 
> If you use static-stub instead, your configured name servers override all 
> name servers for the zone that your name server might receive.
> 
> The difference with forwarding zones occurs if there is a delegation point 
> below the zone you have configured. With a forwarding zone, named expects the 
> target name server to do recursion, so the target server will deal with 
> following the referral and resolving the final answer. With a stub zone, 
> named expects to get authoritative answers and referrals to child zones, and 
> it will do its own recursion to resolve the final answer.
> 
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/
> Viking, North North Utsire: Cyclonic, becoming northeasterly 6 to gale 8, 
> occasionally severe gale 9. Moderate or rough, becoming rough or very rough.
> Rain or showers. Good, occasionally poor.
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Joshua Smith
Lead Systems Administrator WVNET
(304)293-5192 x247



RE: forwarding zone to another DNS server problem

2014-11-05 Thread Darcy Kevin (FCA)
My attempt to explain "stub"...

It's like conditional forwarding, without the recursion. You tell named where 
the top of the namespace tree is hosted, and it issues *iterative* (= 
non-recursive) queries for names in that part of the tree. (Unless, of course, 
you have a definition further down in that namespace that overrides the 
behavior).

As someone else pointed out, this raises the requirement that you have *direct* 
connectivity to the published authoritative nameservers for the top level of 
the zone, and any other descendant zones (unless, again, you override those 
parts of the namespace tree with some other definition). In a DMZ environment, 
you may not have open and clear communication to *everything* that you need, 
and therefore "stub" might not be a good fit in that case. You might be forced, 
as a last resort, to use forwarding, in such a scenario.

Beyond that understanding, there are differences in how named *gets* the 
apex-NS information for a "stub" zone. The "classic" stub model is to use a 
similar replication method as slaving, i.e. driven by the REFRESH/RETRY/EXPIRE 
settings in the SOA of the zone. This will generate periodic refresh traffic in 
the form of SOA and/or NS queries. With the newer "static-stub" model (which, 
full disclosure, I've never actually *used*), apparently you just plug the 
addresses of the auth servers directly into the config, and no "refreshing" is 
necessary. There are pros and cons, that come to mind, for each of those 
flavors of "stub".


- Kevin

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Tony Finch
Sent: Tuesday, November 04, 2014 5:10 AM
To: houguanghua
Cc: bind-users@lists.isc.org
Subject: RE: forwarding zone to another DNS server problem

houguanghua  wrote:

> I'm not familiar with 'stub'.  The description of 'stub' is hard to 
> understand.

Yes it's a bit weird. Think of it like the root hints but for other zones:
i.e. a hint zone configuration in a recursive server tells named that instead 
of using a referral from the parent zone to find the name servers for this 
zone, use these configured name servers. However the name servers at the zone's 
apex can override your configuration.

If you use static-stub instead, your configured name servers override all name 
servers for the zone that your name server might receive.

The difference with forwarding zones occurs if there is a delegation point 
below the zone you have configured. With a forwarding zone, named expects the 
target name server to do recursion, so the target server will deal with 
following the referral and resolving the final answer. With a stub zone, named 
expects to get authoritative answers and referrals to child zones, and it will 
do its own recursion to resolve the final answer.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Viking, North North Utsire: Cyclonic, becoming northeasterly 6 to gale 8, 
occasionally severe gale 9. Moderate or rough, becoming rough or very rough.
Rain or showers. Good, occasionally poor.


Re: forwarding zone to another DNS server problem

2014-11-04 Thread Barry Margolin
In article ,
 Tony Finch  wrote:

> houguanghua  wrote:
> 
> > I'm not familiar with 'stub'.  The description of 'stub' is hard to
> > understand.
> 
> Yes it's a bit weird. Think of it like the root hints but for other zones:
> i.e. a hint zone configuration in a recursive server tells named that
> instead of using a referral from the parent zone to find the name servers
> for this zone, use these configured name servers. However the name servers
> at the zone's apex can override your configuration.
> 
> If you use static-stub instead, your configured name servers override all
> name servers for the zone that your name server might receive.
> 
> The difference with forwarding zones occurs if there is a delegation point
> below the zone you have configured. With a forwarding zone, named expects
> the target name server to do recursion, so the target server will deal
> with following the referral and resolving the final answer. With a stub
> zone, named expects to get authoritative answers and referrals to child
> zones, and it will do its own recursion to resolve the final answer.

If he wants to do forwarding rather than normal delegation, the 
likelihood is that the servers for the subdomain are not accessible from 
the public Internet. So stub won't help.

-- 
Barry Margolin
Arlington, MA


RE: forwarding zone to another DNS server problem

2014-11-04 Thread Tony Finch
houguanghua  wrote:

> I'm not familiar with 'stub'.  The description of 'stub' is hard to
> understand.

Yes it's a bit weird. Think of it like the root hints but for other zones:
i.e. a hint zone configuration in a recursive server tells named that
instead of using a referral from the parent zone to find the name servers
for this zone, use these configured name servers. However the name servers
at the zone's apex can override your configuration.

If you use static-stub instead, your configured name servers override all
name servers for the zone that your name server might receive.

The difference with forwarding zones occurs if there is a delegation point
below the zone you have configured. With a forwarding zone, named expects
the target name server to do recursion, so the target server will deal
with following the referral and resolving the final answer. With a stub
zone, named expects to get authoritative answers and referrals to child
zones, and it will do its own recursion to resolve the final answer.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Viking, North North Utsire: Cyclonic, becoming northeasterly 6 to gale 8,
occasionally severe gale 9. Moderate or rough, becoming rough or very rough.
Rain or showers. Good, occasionally poor.
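Putting the three zone types the thread compares side by side, as an added example that is not from any of the posters: a named.conf fragment in which "test.com" and the 83.248.21.12 address come from the original post, while the other zone names, the client range and the stub file path are placeholders.

```conf
// Added example, not from the thread. Three ways a recursive BIND server
// can be told how to reach a zone. Only one definition may exist per zone
// name, so the stub examples use placeholder names.

options {
    directory "/var/cache/bind";
    // Forward and stub lookups are only performed on behalf of clients
    // that ask for recursion (RD bit set). The original poster's
    // allow-recursion { "none"; } therefore prevented forwarding entirely.
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // placeholder: internal clients
};

// 1. Forward zone: named sends *recursive* queries to the forwarder and
//    expects it to chase referrals to child zones itself. This is the
//    option that works when the authoritative servers are not directly
//    reachable (e.g. from a DMZ), but it requires the target to recurse.
zone "test.com" {
    type forward;
    forward only;                       // never fall back to iteration
    forwarders { 83.248.21.12; };
};

// 2. Classic stub: named fetches the apex SOA/NS RRsets from "masters",
//    refreshes them on the SOA REFRESH/RETRY/EXPIRE timers like a slave,
//    then sends *iterative* queries to the learned authoritative servers.
//    The NS records found at the zone apex override the masters list,
//    and named must be able to reach those servers directly.
zone "stub.example" {                   // placeholder zone name
    type stub;
    masters { 83.248.21.12; };
    file "stub/stub.example.db";        // placeholder path for cached NS data
};

// 3. Static-stub: the listed addresses are final. No refresh traffic, and
//    no NS RRset received for the zone can replace these addresses.
//    Like classic stub, named gets authoritative answers and does its own
//    recursion below the zone, so it can validate them itself (DNSSEC).
zone "static.example" {                 // placeholder zone name
    type static-stub;
    server-addresses { 83.248.21.12; };
};
```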


RE: forwarding zone to another DNS server problem

2014-11-04 Thread houguanghua
hi tony,
 
I'm not familiar with 'stub'.  The description of 'stub' is hard to understand. 
Do you mean to configure 'stub' in the registered authoritative server 
and to configure a zone file with A records in the other, not registered, 
authoritative servers? Is that all right?
 
Thanks,
Guanghua
 
> Date: Sun, 2 Nov 2014 21:23:14 +
> From: d...@dotat.at
> To: houguang...@hotmail.com
> CC: bind-users@lists.isc.org
> Subject: Re: forwarding zone to another DNS server problem
> 
> houguanghua  wrote:
> >
> > Can bind support forwarding zone to another DNS server? In my testing,
> > for local name servers, it can. But for authority name servers, it
> > can't.
> 
> Use "stub" or "static-stub" to forward to an authoritative server.
> 
> Tony.
> -- 
> f.anthony.n.finch  http://dotat.at/
> Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
> 5 or 6. Slight or moderate. Showers in northwest. Good.

Re: forwarding zone to another DNS server problem

2014-11-03 Thread Tony Finch
Matus UHLAR - fantomas  wrote:

> On 02.11.14 23:09, Frank Pikelner wrote:
> > What is the advantage of using a "stub" or "static-stub" to using a slave?
>
> you should use them when it's not possible or viable to use slave, e.g.
> windows AD domain, RBL domain, domain that can't be transferred etc...

Also if you want to do DNSSEC validation.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
5 or 6. Slight or moderate. Showers in northwest. Good.


Re: forwarding zone to another DNS server problem

2014-11-03 Thread Matus UHLAR - fantomas

On 02.11.14 23:09, Frank Pikelner wrote:
> What is the advantage of using a "stub" or "static-stub" to using a slave?

You should use them when it's not possible or viable to use slave, e.g.
windows AD domain, RBL domain, domain that can't be transferred etc...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete


Re: forwarding zone to another DNS server problem

2014-11-03 Thread Matus UHLAR - fantomas

houguanghua  wrote:
> Can bind support forwarding zone to another DNS server? In my testing,
> for local name servers, it can. But for authority name servers, it
> can't.

Forwarding requires recursion allowed for the zone.

On 02.11.14 21:23, Tony Finch wrote:
> Use "stub" or "static-stub" to forward to an authoritative server.

The same applies here.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors


Re: forwarding zone to another DNS server problem

2014-11-02 Thread Frank Pikelner
houguanghua  wrote:
>
> > Can bind support forwarding zone to another DNS server? In my testing,
> > for local name servers, it can. But for authority name servers, it
> > can't.

> Use "stub" or "static-stub" to forward to an authoritative server.

What is the advantage of using a "stub" or "static-stub" to using a slave?

Thanks,

Frank


Re: forwarding zone to another DNS server problem

2014-11-02 Thread Tony Finch
houguanghua  wrote:
>
> Can bind support forwarding zone to another DNS server? In my testing,
> for local name servers, it can. But for authority name servers, it
> can't.

Use "stub" or "static-stub" to forward to an authoritative server.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
5 or 6. Slight or moderate. Showers in northwest. Good.


Re: forwarding zone to another DNS server problem

2014-11-02 Thread Barry Margolin
In article ,
 houguanghua  wrote:

> Dear all,
>  
> Can bind support forwarding zone to another DNS server? In my testing, for 
> local name servers, it can. But for authority name servers, it can't.  
>  
> I have an authoritative DNS server which is authoritative for the domain 
> "test.com".  I would now want the machine to just forward all incoming queries 
> for "test.com" to the 83.248.21.12 server. The named.conf is as follows:

By definition an authoritative server knows the answers itself, it 
doesn't need to forward.

> The named.conf is as follows:
> options {
>   directory "/var/cache/bind";  
>   version "none";
>   allow-recursion {"none";};
>  };
> zone "test.com" in{
> type forward;
> forwarders {83.248.21.12;};
> };

That's not the configuration of an authoritative server. You're only 
authoritative if it's "type master" or "type slave".

> The name server (83.248.21.12) isn't registered, but is configured as a 
> normal authority name server.
> The named.conf is as follows:
> options {
>   directory "/var/cache/bind";  
>   version "none";
>   allow-recursion {"none";};
>  };
> zone "test.com" in{
> type master;
> file "zone/test.com.db";
> };
> This is the test.com.db file content:
> $ORIGIN test.com.
> $TTL 1W
> @   IN  SOA ns1.test.com. postmaster.test.com. (
>6; serial number
>3600 ; refresh   [1h]
>600  ; retry [10m]
>86400; expire[1d]
>3600 )   ; min TTL   [1h]
> ;
>   IN NS  ns1.test.com.
> www   IN  A   172.22.2.150
> 
>  
> But the problem is that the any dns record can't be resolved when querying it 
> for example www.test.com A record. What's wrong?
>  

Are you sending recursive queries to the first server? Forwarding will 
only be done if the client requests recursion. Recursive servers don't 
request recursion when they query the registered servers for a zone.

-- 
Barry Margolin
Arlington, MA