Difference between delegation and forward zone

Mik J

Mar 6, 2017, 11:25:00 AM
to bind-...@lists.isc.org
Hello,

I would like to check if my understanding is correct regarding delegation and forward

Delegation: I want to delegate the administrative tasks to someone else for one subdomain
I'll specify the NS of that subdomain1.mydomain.org in my mydomain.org zone file
The other person will be able to create rr1.subdomain1.mydomain.org

Forward zone: I can forward a specific zone to a DNS that is different from the default forwarders or I won't attempt to do an iterative lookup.

=> Question 1: Can I have a forward zone that is a subdomain subdomain1.mydomain.org? Or when the zone is a subdomain of mydomain (I'm authoritative) is it always a delegation?

=> Question 2: When I do a delegation, is it correct that the remote DNS server holding subdomain1.mydomain.org must always answer the SOA query with SOA records and NS records (RFC 2181 chapter 6.1)?

Regards

McDonald, Daniel (Dan)

Mar 6, 2017, 12:31:45 PM
to bind-...@lists.isc.org

Yes, you can forward to a subdomain. Just define it as a separate zone and include the forwarders and forward-only lines. I believe you need allow-query-cache for this to work.

Delegated zones don't necessarily need to respond with SOA and NS records. Many load balancers use delegated zones for global server load balancing. Just point your NS records at the load balancer and it should refer the querying DNS server along to the load balancer. Assuming something else is doing the recursive lookups, you just need allow-query for this. If this device is doing the recursive lookups, then you need allow-recursion for this to work.

You do need SOA and NS records if you are going to set up either a secondary or a stub zone. In this case, you would need allow-query.

Barry Margolin

Mar 6, 2017, 4:34:52 PM
to comp-protoc...@isc.org
In article <mailman.1039.1488821...@lists.isc.org>,
"McDonald, Daniel (Dan)" <Dan.Mc...@austinenergy.com> wrote:

> Yes, you can forward to a subdomain. Just define it as a separate zone and
> include the forwarders and forward-only lines. I believe you need
> allow-query-cache for this to work.

This won't work reliably if the server is supposed to be authoritative
for the parent domain. The problem is that queries from resolvers do not
have the Recursion Desired flag set, and forwarding is only done when
recursing.

Also, if there are no delegation records for the subdomain, the parent
server believes it's authoritative for them, despite having forwarders
configured.

Forwarding is generally only useful on resolvers, not authoritative
servers.

--
Barry Margolin
Arlington, MA

Mik J

Mar 6, 2017, 5:21:16 PM
to Barry Margolin, comp-protoc...@isc.org, bind-...@lists.isc.org
Barry: "Also, if there are no delegation records for the subdomain, the parent
server believes it's authoritative for them, despite having forwarders
configured."

I don't understand what you just wrote above. Are you saying I need to do both delegation and forwarding on my authoritative server on the parent domain ?

So yes, the case is load balancers or other devices that are not real DNS servers; they behave in a funny way.

Mark Andrews

Mar 6, 2017, 10:04:45 PM
to Mik J, Barry Margolin, comp-protoc...@isc.org, bind-...@isc.org
Just delegate. That is what you are trying to do and that is how
the DNS is designed to work.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
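To make the two approaches in this thread concrete, here is an added example (not posted by anyone in the thread) using hypothetical names and RFC 5737 placeholder addresses: the delegation Mark recommends, placed in the parent zone and on the child server, next to the forward zone from Dan's answer placed where Barry says it belongs, on a recursive resolver rather than on the authoritative parent.

```bind
;; File 1: mydomain.org zone on the parent's authoritative server
;; (added example; names and 192.0.2.0/24 addresses are placeholders)
$ORIGIN mydomain.org.
$TTL 3600
@                IN SOA  ns1.mydomain.org. hostmaster.mydomain.org. (
                         2017030601 ; serial
                         7200       ; refresh
                         900        ; retry
                         1209600    ; expire
                         300 )      ; negative-caching TTL
@                IN NS   ns1.mydomain.org.
ns1              IN A    192.0.2.1

; Delegation: the child's NS records live here in the parent zone. The glue
; A record is required because ns1.subdomain1 sits inside the delegated name.
subdomain1       IN NS   ns1.subdomain1.mydomain.org.
ns1.subdomain1   IN A    192.0.2.10   ; glue

// File 2: named.conf on ns1.subdomain1.mydomain.org (the delegated server).
// Its zone file carries its own SOA and NS records at the apex, which is
// what a secondary or stub zone pointed at it will expect (RFC 2181 6.1).
zone "subdomain1.mydomain.org" {
    type master;
    file "subdomain1.mydomain.org.zone";
};

// File 3: named.conf on an internal recursive resolver. A forward zone belongs
// here, not on the authoritative parent: forwarding happens only while
// recursing, and resolver-to-authority queries arrive without the RD bit.
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; };  // limit recursion to your own clients
};
zone "subdomain1.mydomain.org" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };
};
```

A quick check of the delegation: `dig +norecurse @192.0.2.1 rr1.subdomain1.mydomain.org` against the parent should come back with a referral (the subdomain1 NS records in the AUTHORITY section and no answer), which is exactly the non-recursive query that a forward zone on the parent would not handle.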
