On 12/17/2012 11:04 AM, Ray Van Dolson wrote:
> I'm not sure quite how to properly describe this, and as a result my
> searches aren't turning up much....
>
> To support a legacy app, I need to have a domain defined called
> "selfservice" so I can support resolution of "www.selfservice". Yes,
> no trailing .com, .net, etc.... ugly, but I need it for now.
>
> This domain actually lives on our AD servers,
Why? Is there anything inherently "AD-ish" about the zone? If not, why
not just take it over and maintain it in the central DNS infrastructure?
> so I thought I'd do the
> following:
>
> zone "selfservice" {
>     type forward;
>     forwarders { adserver....; };
> };
As a general rule, I prefer the use of "type stub" over "type forward"
in such situations: it optimizes/scales better and is more resilient
when there are descendant zones being served by geographically- and/or
topologically-diverse nameservers.
> However, this doesn't work. Queries just return the TLD servers for .
> as the SOA.
Is the "Recursion Available" (RA) flag set in the response?
> Querying the AD servers directly works fine.
>
> However, if I actually define a master zone:
>
> zone "selfservice" {
>     type master;
>     file "selfservice.zone";
>     notify yes;
>     allow-transfer { secondary; };
> };
>
> And explicitly define the A record I need, then queries for
> www.selfservice respond correctly.
>
> It's almost as if BIND prefers the less specific hint zone for "." over
> my forward zone definition for "selfservice" -- but not if I make it a
> master zone...
Authoritative data always takes precedence over data obtained indirectly
from some other authoritative source, so it shouldn't surprise you that
defining the zone as "master" forces it to work. But you probably don't
want to have to sync that data manually with the authoritative source
every time it changes, so I'd go with a "type stub", or, define it as
"type slave", if you want the added redundancy and performance of having
the zone data local at all times, at the expense of some extra overhead
and the potential hassle of convincing some Windows admins to open up
zone transfers to you (which they tend to be skittish about since
Microsoft preaches to them that the only "safe" zone-transfer partners
are the ones that happen to be published for the zone). Note that "type
slave" or "type master" are your only real options if -- as I speculate
above -- your nameserver has recursion disabled, and assuming you want
to keep it that way. A non-recursive nameserver only serves data from
its authoritative zones and gives a mostly-useless "upwards" or
root-zone referral for everything else (the symptom you describe above).
If you're up for somewhat of a configuration challenge, you could even
set up GSS-TSIG such that your communication with the MS-DNS servers is
cryptographically secure. That will require very close co-ordination with
the AD folks though, at least for the initial setup.
- Kevin
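Kevin's diagnosis hinges on two things visible in the raw reply: whether the RA flag is set, and whether the server returned an answer or an "upwards" referral to the root servers. The following is an added example (not part of the thread) that parses a DNS response message and reports both; the two sample messages are constructed inline, including the 192.0.2.10 address, to mirror the symptom Ray describes and a healthy recursive answer.

```python
import struct

def read_name(msg, off):
    """Decode a possibly compressed owner name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off

def analyse(msg):
    """Report RA flag, answer count and whether this is a root ("upwards") referral."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    answers, authority = [], []
    for section, count in ((answers, an), (authority, ns)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            section.append((owner, rtype))
    # Upward referral: empty answer section, authority holds only NS records for "."
    referral = not answers and bool(authority) and all(o == "." and t == 2 for o, t in authority)
    return {"ra": bool(flags & 0x0080), "answers": len(answers), "upward_referral": referral}

def _name(n):                                # wire-format name, no compression
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".") if l) + b"\x00"

# Constructed sample 1 (Ray's symptom): QR=1 RD=1 RA=0 -> 0x8100, no answers,
# authority section = ". NS a.root-servers.net"
SAMPLE_REFERRAL = (struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 1, 0)
                   + _name("www.selfservice") + struct.pack("!HH", 1, 1)
                   + b"\x00" + struct.pack("!HHIH", 2, 1, 518400, 20) + _name("a.root-servers.net"))
# Constructed sample 2 (healthy recursive reply): RA=1 -> 0x8180, one A record whose
# owner is a compression pointer (0xC00C) back to the question name
SAMPLE_ANSWER = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                 + _name("www.selfservice") + struct.pack("!HH", 1, 1)
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

Feed it the bytes captured from `dig` or a packet capture: RA clear plus an upward referral is exactly the non-recursive-server case Kevin describes, where only "type slave" or "type master" will help.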
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users