Zone "type forward" vs. sub-domain delegation.

Gabriele

Sep 13, 2007, 7:06:07 PM
I would like to build a DNS hierarchy with a company-internal
"mycompany.com." domain (hosted on name servers running BIND) and an
"ad.mycompany.com." subdomain delegated to DNS administrators of a Microsoft
Active Directory environment.

I've seen that setting either forwarders (1) or zone-delegation (2) makes
name resolution work even for sub-domain hosts:

1) zone "ad.mycompany.com" IN {
       type forward;
       forwarders { 10.0.0.1; 10.0.0.2; };
   };

2) $ORIGIN ad.mycompany.com.
   @    IN NS ns1.ad.mycompany.com.
   @    IN NS ns2.ad.mycompany.com.
   ns1  IN A  10.0.0.1
   ns2  IN A  10.0.0.2

Even if both work, I think option 2 is best as forwarders are set in
"named.conf" per-server configuration file, while the delegation is set in
the "domain.com" zone file that would be transferred to any secondary (slave)
name server.

What's your opinion?

Thanks in advance. - Gabriele

Barry Margolin

Sep 13, 2007, 9:10:57 PM
In article <fccfp1$lhj$1...@nnrp.ngi.it>, "Gabriele" <ga...@gabro.net>
wrote:

Forwarding won't work if you're getting requests from caching
nameservers. They send non-recursive requests, and forwarding is only
followed for recursive requests. Also, the caching servers can cache
the delegation records, so from then on they'll go directly to the
ad.mycompany.com servers, rather than going through the mycompany.com
servers.

If the client machines are pointing directly to the mycompany.com
servers in their resolver configurations then there's not much
difference, other than the one you point out about only having to change
things in one place.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
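
An added example, not part of the original thread: it shows the recursive and non-recursive forms of a query (the RD header bit) and classifies a response as an answer or as the referral a caching server receives and caches when the subdomain is delegated. The sample referral is constructed from the names in the delegation posted above; the function names are illustrative assumptions.

```python
import struct

RD, AA, T_A, T_NS = 0x0100, 0x0400, 1, 2      # header flag bits and RR types (RFC 1035)

def encode_name(name):
    """Encode a domain name as uncompressed length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\0"

def read_name(msg, off):
    """Decode the name at off, following compression pointers; return (name, next offset)."""
    labels, nxt = [], None
    while (n := msg[off]):
        if n & 0xC0 == 0xC0:                     # compression pointer
            ptr = ((n & 0x3F) << 8) | msg[off + 1]
            if ptr >= off:                       # accept backward pointers only, so no loops
                raise ValueError("bad compression pointer")
            nxt, off = nxt or off + 2, ptr
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    return ".".join(labels) + ".", nxt or off + 1

def build_query(name, recurse):
    """A query for name. recurse=False clears RD, as a caching server's iterative query does."""
    header = struct.pack("!6H", 0x1234, RD if recurse else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", T_A, 1)

def classify(msg):
    """Return (kind, authority-section NS records as (owner, target)).

    kind is 'answer', 'referral' (NOERROR, AA clear, no answers, NS present) or 'other'.
    """
    _, flags, qd, an, ns, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                          # skip the question section
        off = read_name(msg, off)[1] + 4
    ns_records = []
    for i in range(an + ns):                     # answer RRs first, then authority RRs
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if i >= an and rtype == T_NS:
            ns_records.append((owner, read_name(msg, off + 10)[0]))
        off += 10 + rdlen
    kind = "answer" if an else "referral" if ns_records and not flags & (AA | 0xF) else "other"
    return kind, ns_records

# Constructed sample: referral from a mycompany.com server that holds the delegation.
TARGETS = [encode_name(f"ns{i}.ad.mycompany.com") for i in (1, 2)]
REFERRAL = (struct.pack("!6H", 0x1234, 0x8000, 1, 0, 2, 0) + build_query("host.ad.mycompany.com", False)[12:]
            + b"".join(encode_name("ad.mycompany.com") + struct.pack("!HHIH", T_NS, 1, 3600, len(t)) + t
                       for t in TARGETS))
```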

Gabriele

Sep 19, 2007, 5:51:14 PM

"Barry Margolin" <bar...@alum.mit.edu> wrote in message
news:barmar-F86AD9....@comcast.dca.giganews.com...

Thanks for your valuable insight about potential problems coming from
caching nameservers.

Is there a way to retrieve configuration information from a DNS server to
understand if a certain zone is set as type-forward or delegated? Can
NSLOOKUP assist in this investigation if I do not have administrative rights
over the parent DNS server?

Thanks in advance.
Gabriele

Barry Margolin

Sep 19, 2007, 11:45:09 PM
In article <fcs5lc$nph$1...@nnrp.ngi.it>, "Gabriele" <ga...@gabro.net>
wrote:

> Is there a way to retrieve configuration information from a DNS server to
> understand if a certain zone is set as type-forward or delegated? Can
> NSLOOKUP assist in this investigation if I do not have administrative rights
> over the parent DNS server?

No. If you want to know how a nameserver is configured, you need to
have access to the configuration files.

If you aren't an administrator of the server, why do you care how it
does it? All that matters is that it gives the correct answers.
