• Hints for forwarding a subdomain on an authoritative server

    From Tom@lists@verreckte-cheib.ch to BIND Users on Mon Jul 6 16:03:31 2020
    From Newsgroup: comp.protocols.dns.bind

    Hi list

    Our BIND (9.16.4) is authoritative for zone "example.com". Now I need to forward a subzone "sub.example.com" to another nameserver instance on
    the same server, running for example under port 5353:

    A few years ago, this topic was already discussed: https://lists.isc.org/pipermail/bind-users/2009-April/076156.html

    My BIND config looks like this:
    ================== SCHNIPP ==================
    zone "example.com" {
        type master;
        file "master/example.com.hosts";
    };
    zone "sub.example.com" {
        type forward;
        forwarders { 127.0.0.1 port 5353; };
        forward only;
    };
    ================== SCHNAPP ==================

    In the zonefile for "example.com" I have a delegation like this (as
    described in the post above):

    sub.example.com. IN NS subns.example.com.

    So, the authoritative server understands not to be responsible for this
    zone and forwards the request to the other nameserver.

    But: The zone-forwarding is only working, when I enable "recursion" on
    the authoritative server. Does this mean that zone-forwarding really
    requires recursion? Is there a better way with not enabling recursion
    (perhaps with views) to accomplish this?

    Many thanks for any hints.

    Kind regards,
    Tom
    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Sten Carlsen@stenc@s-carlsen.dk to Tom on Mon Jul 6 16:11:01 2020
    From Newsgroup: comp.protocols.dns.bind


    Thanks

    Sten

    On 6 Jul 2020, at 16.03, Tom <lists@verreckte-cheib.ch> wrote:

    > Hi list
    >
    > Our BIND (9.16.4) is authoritative for zone "example.com". Now I need
    > to forward a subzone "sub.example.com" to another nameserver instance on
    > the same server, running for example under port 5353:
    >
    > A few years ago, this topic was already discussed: https://lists.isc.org/pipermail/bind-users/2009-April/076156.html
    >
    > My BIND config looks like this:
    > ================== SCHNIPP ==================
    > zone "example.com" {
    >     type master;
    >     file "master/example.com.hosts";
    > };
    > zone "sub.example.com" {
    >     type forward;
    >     forwarders { 127.0.0.1 port 5353; };
    >     forward only;
    > };
    > ================== SCHNAPP ==================
    >
    > In the zonefile for "example.com" I have a delegation like this (as
    > described in the post above):
    >
    > sub.example.com. IN NS subns.example.com.
    >
    > So, the authoritative server understands not to be responsible for
    > this zone and forwards the request to the other nameserver.
    >
    > But: The zone-forwarding is only working, when I enable "recursion" on
    > the authoritative server. Does this mean that zone-forwarding really
    > requires recursion?

    Yes.

    > Is there a better way with not enabling recursion (perhaps with views)
    > to accomplish this?

    Stub zones are normally recommended instead.

    > Many thanks for any hints.
    >
    > Kind regards,
    > Tom
  • From Tony Finch@dot@dotat.at to Tom on Mon Jul 6 16:46:30 2020
    From Newsgroup: comp.protocols.dns.bind

    Tom <lists@verreckte-cheib.ch> wrote:

    > But: The zone-forwarding is only working, when I enable "recursion" on
    > the authoritative server. Does this mean that zone-forwarding really
    > requires recursion?

    Yes, forwarding is completely specific to recursive servers. That is, the server doing the forwarding must be recursive, and the target server must
    also be recursive.

    [ In some limited cases you can get away with the target server not being recursive; I think the restrictions are that the target zone must not have
    any delegations or out-of-zone CNAMEs, but I haven't tested this myself. ]

    > Is there a better way with not enabling recursion (perhaps with views)
    > to accomplish this?

    Use a type "static-stub" zone if the target server is authoritative.

    If the server doing the forwarding is not recursive then it needs to
    secondary its own authoritative copy of the zone. But presumably you are
    trying to forward because AXFRing the zone isn't possible. In that case
    you need something like dnsdist which can act as a DNS reverse proxy. BIND won't query another server when a query is RD=0.

    Tony.
    --
    f.anthony.n.finch <dot@dotat.at> http://dotat.at/
    Fisher, German Bight: West or northwest 7 or gale 8, occasionally severe gale
    9 at first in Fisher, decreasing 5 or 6 later. Rough or very rough, becoming moderate or rough later. Showers. Good.
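
Added example, not part of the thread and not any poster's configuration: a minimal dnsdist configuration for the reverse-proxy approach named in the last reply, which lets recursion stay disabled on the authoritative BIND. It assumes BIND has been moved to 127.0.0.1 port 5300 and that 192.0.2.53 is the public address; those values and the pool and server names are placeholders.

```lua
-- dnsdist.conf (added example; addresses, ports and names are assumptions)

-- Public listener that clients and resolvers query.
-- 192.0.2.53 is a documentation address used as a placeholder.
setLocal("192.0.2.53:53")

-- dnsdist's default ACL only admits private and local ranges; a public
-- authoritative service has to accept queries from anywhere.
setACL({"0.0.0.0/0", "::/0"})

-- Backend 1: the authoritative BIND for example.com, assumed to be moved
-- off port 53 to 127.0.0.1:5300 and left with "recursion no;".
newServer({
  address   = "127.0.0.1:5300",
  name      = "bind-auth",
  pool      = "auth",
  checkName = "example.com.",      -- health check uses a name this backend serves
})

-- Backend 2: the second nameserver instance from the thread, on port 5353.
newServer({
  address   = "127.0.0.1:5353",
  name      = "sub-ns",
  pool      = "sub",
  checkName = "sub.example.com.",  -- health check uses a name this backend serves
})

-- Rules are evaluated in order; the first matching PoolAction selects the pool.
-- A string rule matches the given name and everything below it.
addAction({"sub.example.com."}, PoolAction("sub"))

-- Everything else goes to the authoritative BIND.
addAction(AllRule(), PoolAction("auth"))
```

dnsdist relays each query to the selected backend as received, so the authoritative BIND never has to query another server on a client's behalf and recursion can stay off.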