how to create a private "test." zone?

Rui Lopes

unread,

Mar 1, 2009, 3:46:11 PM3/1/09

to

Hello,

I'm trying to create a private "test." zone for use in my local
"testing lab".

I've setup an recursive DNS server that will serve the "test." zone
(in Sun host; see the network diagram bellow).

The resolution of a domain in the "test" zone works as expected, eg:

dig sun.test
; <<>> DiG 9.4.2-P2 <<>> sun.test
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65413
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL:
0

;; QUESTION SECTION:
;sun.test. IN A

;; ANSWER SECTION:
sun.test. 600 IN A 192.168.2.1

;; AUTHORITY SECTION:
test. 600 IN NS sun.test.

;; Query time: 2 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Sun Mar 1 10:39:28 2009
;; MSG SIZE rcvd: 56

After this, I wanted to delegate the "example.test." zone to another
local DNS server of mine (the Plesk host). I did the delegation by
adding the following RR in the "test." zone (in the Sun host):

example IN NS plesk

I tried to resolve the "example.test" domain with:

dig example.test
; <<>> DiG 9.4.2-P2 <<>> example.test
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20407
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.test. IN A

;; Query time: 31 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Sun Mar 1 10:40:39 2009
;; MSG SIZE rcvd: 30

Which failed...

NB: I can see my local dns server sending queries to my isp dns
server. But why?

NB: Asking the same question directly at the Plesk DNS server works:

dig example.test @plesk.test
; <<>> DiG 9.4.2-P2 <<>> example.test @plesk.test
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2358
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL:
0

;; QUESTION SECTION:
;example.test. IN A

;; ANSWER SECTION:
example.test. 86400 IN A 192.168.2.10

;; AUTHORITY SECTION:
example.test. 86400 IN NS plesk.test.

;; Query time: 2 msec
;; SERVER: 192.168.2.10#53(192.168.2.10)
;; WHEN: Sun Mar 1 10:41:43 2009
;; MSG SIZE rcvd: 66

What I'm doing wrong in the delegation, and how can I fix it?

My network diagram is:

+-------------+
| isp |
+-------------+ 10.0.2.3 (DNS)
|
-------+------------------------------------------- 10/24
|
+-------------+ 10.0.2.15 +-------------+
| sun | | plesk |
+-------------+ 192.168.2.1 +-------------+ 192.168.2.10
| |
-------+-----------------------------+------------- 192.168.2/24

isp
my ISP DNS server host.
sun
my local DNS server host that hosts the "test." zone.
NB: this is an recursive server.
NB: it also forwards to "isp" dns server.
NB: local resolv.conf points to 192.168.2.1
plesk
my other local DNS server host that hosts the "example.test."
zone.
NB: this is an authoritative server only.
NB: local resolv.conf points to 192.168.2.1

This is what the Sun DNS server has about the "test." zone:

$TTL 10m ; default TTL
$ORIGIN test. ; base domain-name
@ IN SOA sun hostmaster (
2008042800 ; serial
10m ; refresh
15m ; retry
3w ; expire
10m ; minimum
)

IN NS sun

sun IN A 192.168.2.1
plesk IN A 192.168.2.10

; delegate example.test. to plesk.test.
example IN NS plesk
;example IN A 192.168.2.10

And this is what the Plesk DNS server has about the "example.test."
zone:

@ IN SOA plesk.test. ironman.example.test. (
1235830200 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
10800 ) ; Minimum

example.test. IN NS plesk.test.
example.test. IN A 192.168.2.10

If you need more information, please let me known.

Thanks!

Best regards,
Rui Lopes

_______________________________________________
bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Stephane Bortzmeyer

unread,

Mar 1, 2009, 4:01:59 PM3/1/09

to

On Sun, Mar 01, 2009 at 08:46:11PM +0000,
Rui Lopes <r...@ruilopes.com> wrote

a message of 168 lines which said:

> I did the delegation by
> adding the following RR in the "test." zone (in the Sun host):
>
> example IN NS plesk

May be an error prevented the loading of the zone? Check the SOA
serial number, as published by this server, and check BIND log files.

[Because your setup and files seem OK.]

Rui Lopes

unread,

Mar 1, 2009, 4:59:08 PM3/1/09

to

Stephane Bortzmeyer wrote:
> On Sun, Mar 01, 2009 at 08:46:11PM +0000,
> Rui Lopes <r...@ruilopes.com> wrote
> a message of 168 lines which said:
>
>
>> I did the delegation by
>> adding the following RR in the "test." zone (in the Sun host):
>>
>> example IN NS plesk
>>
>
> May be an error prevented the loading of the zone? Check the SOA
> serial number, as published by this server, and check BIND log files.
>
> [Because your setup and files seem OK.]
>

I've changed the serial to 2009030100 and I don't see any error on the logs:

Mar 1 21:53:05 sun named[5919]: zone test/IN: loaded serial 2009030100

I've also increased the log level using:

rndc trace 99
rndc querylog

And checked the zone with:

named-checkzone -D -d test /etc/bind/test.zone
loading "test" from "/etc/bind/test.zone" class "IN"
zone test/IN: loaded serial 2009030100
dumping "test"
test. 600 IN SOA sun.test. hostmaster.test.
2009030100 600 900 1814400 600

test. 600 IN NS sun.test.

example.test. 600 IN NS plesk.test.
plesk.test. 600 IN A 192.168.2.10

sun.test. 600 IN A 192.168.2.1

OK

Finally, checked the SOA value as:

dig soa test
; <<>> DiG 9.4.2-P2 <<>> soa test

;; global options: printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11705
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;test. IN SOA

;; ANSWER SECTION:
test. 600 IN SOA sun.test. hostmaster.test.
2009030100 600 900 1814400 600

;; AUTHORITY SECTION:
test. 600 IN NS sun.test.

;; ADDITIONAL SECTION:

sun.test. 600 IN A 192.168.2.1

;; Query time: 1 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Sun Mar 1 21:58:22 2009
;; MSG SIZE rcvd: 103

Still, no go. Any other suggestion?

Thanks!

Best regards,
Rui Lopes

Ben Bridges

unread,

Mar 1, 2009, 8:58:16 PM3/1/09

to

This is a multi-part message in MIME format.

--===============3933064765302601882==
Content-class: urn:content-classes:message
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C99ADA.59FE9C7A"

This is a multi-part message in MIME format.

------_=_NextPart_001_01C99ADA.59FE9C7A
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

> sun

> NB: it also forwards to "isp" dns server.

If your sun server is configured to use your isp dns server as a =
forwarder, then I think it will forward requests for example.test to the =
isp server even though it delegated example.test to plesk. That would =
seem to be supported by the fact that your sun server knows it is not =
authoritative for example.test (no AA flag in response to the query for =
example.test) and that you see it sending requests to the isp server =
(although you don't specify that it is sending requests to it for =
example.test). You could try creating example.test as a forward zone in =
named.conf on your sun server and specifying plesk as the forwarder for =
that zone.
=20

________________________________

From: bind-user...@lists.isc.org on behalf of Rui Lopes
Sent: Sun 3/1/2009 2:46 PM
To: bind-...@lists.isc.org
Subject: how to create a private "test." zone?

Hello,

I'm trying to create a private "test." zone for use in my local
"testing lab".

I've setup an recursive DNS server that will serve the "test." zone
(in Sun host; see the network diagram bellow).

The resolution of a domain in the "test" zone works as expected, eg:

dig sun.test
; <<>> DiG 9.4.2-P2 <<>> sun.test

;; global options: printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65413

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL:

0

;; QUESTION SECTION:
;sun.test. IN A

;; ANSWER SECTION:

sun.test. 600 IN A 192.168.2.1

;; AUTHORITY SECTION:

test. 600 IN NS sun.test.

;; Query time: 2 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)

;; WHEN: Sun Mar 1 10:39:28 2009
;; MSG SIZE rcvd: 56

After this, I wanted to delegate the "example.test." zone to another

local DNS server of mine (the Plesk host). I did the delegation by

adding the following RR in the "test." zone (in the Sun host):

example IN NS plesk

I tried to resolve the "example.test" domain with:

dig example.test
; <<>> DiG 9.4.2-P2 <<>> example.test

;; global options: printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20407
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.test. IN A

;; Query time: 31 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)

;; WHEN: Sun Mar 1 10:40:39 2009
;; MSG SIZE rcvd: 30

Which failed...

NB: I can see my local dns server sending queries to my isp dns
server. But why?

NB: Asking the same question directly at the Plesk DNS server works:

dig example.test @plesk.test
; <<>> DiG 9.4.2-P2 <<>> example.test @plesk.test

;; global options: printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2358

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL:

0

My network diagram is:

IN NS sun

Thanks!

Best regards,
Rui Lopes

_______________________________________________
bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

------_=_NextPart_001_01C99ADA.59FE9C7A
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">=0A=
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">=0A=
<HTML>=0A=
<HEAD>=0A=
=0A=
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
6.5.7651.59">=0A=
<TITLE>how to create a private "test." zone?</TITLE>=0A=
</HEAD>=0A=
<BODY>=0A=
<DIV id=3DidOWAReplyText5254 dir=3Dltr>=0A=
<DIV dir=3Dltr>> =0A=
sun >    NB: it also forwards to "isp" dns =0A=
server. </DIV>=0A=
<DIV dir=3Dltr>If your sun =
server is =0A=
configured to use your isp dns server as a forwarder, then I think it =0A=
will forward requests for example.test to the isp server even =
though =0A=
it delegated example.test to plesk.  That would seem to be =
supported by the =0A=
fact that your sun server knows it is not authoritative for example.test =0A=
(no AA flag in response to the query for example.test) and that you =
see it =0A=
sending requests to the isp server (although you don't specify that =
it is =0A=
sending requests to it for example.test).  You could try =
creating =0A=
example.test as a forward zone in named.conf on your sun server and =0A=
specifying plesk as the forwarder for that zone.</DIV>=0A=
<DIV dir=3Dltr> </DIV></DIV>=0A=
<DIV dir=3Dltr> =0A=
<HR tabIndex=3D-1>=0A=
From: =
bind-user...@lists.isc.org on behalf =0A=
of Rui Lopes Sent: Sun 3/1/2009 2:46 PM To: =0A=
bind-...@lists.isc.org Subject: how to create a private =
"test." =0A=
zone? </DIV>=0A=
<DIV>=0A=
Hello, I'm trying to create a private "test." =
zone for =0A=
use in my local "testing lab". I've setup an recursive DNS =
server that =0A=
will serve the "test." zone (in Sun host; see the network diagram =0A=
bellow). The resolution of a domain in the "test" zone works as =
expected, =0A=
eg:     dig sun.test ; <<>> DiG =
9.4.2-P2 =0A=
<<>> sun.test ;; global options:  printcmd ;; Got =0A=
answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, =
id: =0A=
65413 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, =0A=
ADDITIONAL: 0 ;; QUESTION =0A=
SECTION: ;sun.test.      =0A=
        =0A=
        =
IN      =0A=
A ;; ANSWER =
SECTION: sun.test.       =0A=
        600     =0A=
IN      A       =0A=
192.168.2.1 ;; AUTHORITY SECTION: test.   =0A=
        =0A=
        600     =0A=
IN      NS      =0A=
sun.test. ;; Query time: 2 msec ;; SERVER: =0A=
192.168.2.1#53(192.168.2.1) ;; WHEN: Sun Mar  1 10:39:28 =
2009 ;; MSG =0A=
SIZE  rcvd: 56 After this, I wanted to delegate the =0A=
"example.test." zone to another local DNS server of mine (the Plesk =
host). I =0A=
did the delegation by adding the following RR in the "test." zone (in =
the Sun =0A=
host):     =0A=
example         =0A=
IN      NS      =0A=
plesk I tried to resolve the "example.test" domain =0A=
with:     dig example.test ; <<>> =
DiG =0A=
9.4.2-P2 <<>> example.test ;; global options:  =0A=
printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, =
status: =0A=
NXDOMAIN, id: 20407 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, =
AUTHORITY: 0, =0A=
ADDITIONAL: 0 ;; QUESTION SECTION: ;example.test.  =0A=
        =0A=
        =
IN      =0A=
A ;; Query time: 31 msec ;; SERVER: =
192.168.2.1#53(192.168.2.1) ;; =0A=
WHEN: Sun Mar  1 10:40:39 2009 ;; MSG SIZE  rcvd: =0A=
30 Which failed... NB: I can see my local dns server =
sending =0A=
queries to my isp dns server.  But why? NB: Asking the =
same =0A=
question directly at the Plesk DNS server =
works:     dig =0A=
example.test @plesk.test ; <<>> DiG 9.4.2-P2 =
<<>> =0A=
example.test @plesk.test ;; global options:  printcmd ;; Got =0A=
answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, =
id: =0A=
2358 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, =0A=
ADDITIONAL: 0 ;; QUESTION SECTION: ;example.test.  =0A=
        =0A=
        =
IN      =0A=
A ;; ANSWER SECTION: example.test.   =0A=
        86400   =0A=
IN      A       =0A=
192.168.2.10 ;; AUTHORITY SECTION: example.test.   =0A=
        86400   =0A=
IN      NS      =0A=
plesk.test. ;; Query time: 2 msec ;; SERVER: =0A=
192.168.2.10#53(192.168.2.10) ;; WHEN: Sun Mar  1 10:41:43 =
2009 ;; =0A=
MSG SIZE  rcvd: 66 What I'm doing wrong in the =
delegation, and =0A=
how can I fix it? My network diagram =
is:     =0A=
+-------------+     |     =0A=
isp     |     +-------------+ =
10.0.2.3 =0A=
(DNS)            =0A=
|     =
-------+------------------------------------------- =0A=
10/24            =0A=
|     +-------------+ =
10.0.2.15     =0A=
+-------------+     |     =0A=
sun     =0A=
|            =
   =0A=
|    plesk    |     =0A=
+-------------+ 192.168.2.1   +-------------+ =0A=
192.168.2.10          &nb=
sp; =0A=
|            =
            &=
nbsp;    =0A=
|     =
-------+-----------------------------+------------- =0A=
192.168.2/24 isp     my ISP DNS server =0A=
host. sun     my local DNS server host that hosts =
the =0A=
"test." zone.     NB: this is an recursive =0A=
server.     NB: it also forwards to "isp" dns =0A=
server.     NB: local resolv.conf points to =0A=
192.168.2.1 plesk     my other local DNS server =
host that =0A=
hosts the "example.test." zone.     NB: this is an =0A=
authoritative server only.     NB: local resolv.conf =
points to =0A=
192.168.2.1 This is what the Sun DNS server has about the =
"test." =0A=
zone: $TTL         &n=
bsp;  =0A=
10m           &nbs=
p; ; =0A=
default TTL $ORIGIN         =0A=
test.           ; base =0A=
domain-name @         &nb=
sp;     =0A=
IN      SOA     sun =
hostmaster =0A=
(            &n=
bsp;           &nb=
sp;            =0A=
2008042800 ; =0A=
serial           &nb=
sp;           &nbs=
p;           &nbsp=
; =0A=
10m        ; =0A=
refresh           &n=
bsp;           &nb=
sp;           &nbs=
p; =0A=
15m        ; =0A=
retry           &nbs=
p;           &nbsp=
;            =
=0A=
3w         ; =0A=
expire           &nb=
sp;           &nbs=
p;           &nbsp=
; =0A=
10m        ; =0A=
minimum           &n=
bsp;           &nb=
sp;           &nbs=
p; =0A=
)           &nbs=
p;     =0A=
IN      NS      =0A=
sun sun         &nbsp=
;   =0A=
IN      A       =0A=
192.168.2.1 plesk        &nbsp=
;  =0A=
IN      A       =0A=
192.168.2.10 ; delegate example.test. to =0A=
plesk.test. example         =0A=
IN      NS      =0A=
plesk ;example        =0A=
IN      A       =0A=
192.168.2.10 And this is what the Plesk DNS server has about =
the =0A=
"example.test." zone: @       =0A=
IN      SOA     plesk.test. =0A=
ironman.example.test. =0A=
(            &n=
bsp;            =0A=
1235830200      ; =0A=
Serial           &nb=
sp;           &nbs=
p; =0A=
10800   ; =0A=
Refresh           &n=
bsp;           &nb=
sp; =0A=
3600    ; =0A=
Retry           &nbs=
p;           &nbsp=
; =0A=
604800  ; =0A=
Expire           &nb=
sp;           &nbs=
p; =0A=
10800 ) ; =0A=
Minimum example.test.       &nb=
sp;    =0A=
IN NS   =0A=
plesk.test. example.test.       &nb=
sp;    =0A=
IN A    192.168.2.10 If you need more =
information, =0A=
please let me known. Thanks! Best regards, Rui =0A=
Lopes _______________________________________________ bind-user=
s =0A=
mailing list bind-...@lists.isc.org <A =0A=
href=3D"https://lists.isc.org/mailman/listinfo/bind-users">https://lists.=
isc.org/mailman/listinfo/bind-users</A> </DIV>=0A=
=0A=
</BODY>=0A=
</HTML>
------_=_NextPart_001_01C99ADA.59FE9C7A--

--===============3933064765302601882==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

--===============3933064765302601882==--

Rui Lopes

unread,

Mar 2, 2009, 5:27:37 PM3/2/09

to

Hi,

Ben Bridges wrote:
> > sun
> > NB: it also forwards to "isp" dns server.
> If your sun server is configured to use your isp dns server as a

> forwarder, then I think it will forward requests for example.test

> to the isp server even though it delegated example.test to plesk.
> That would seem to be supported by the fact that your sun server knows
> it is not authoritative for example.test (no AA flag in response to
> the query for example.test) and that you see it sending requests
> to the isp server (although you don't specify that it is sending
> requests to it for example.test).
Ah sorry, its indeed sending requests to it for the example.test domain.

> You could try creating example.test as a forward zone in named.conf on
> your sun server and specifying plesk as the forwarder for that zone.
Indeed, adding a forward zone like bellow works! but why does it work?
or why is it needed?

zone "example.test" {
type forward;
// forward only;
// forwarders { 192.168.2.10; };
};

Note that I only needed to include the "type forward" line, the other
lines do not seem to be needed. I'm I missing something? they aren't
really needed? By reading the bind manual it seems we have to include them.

BTW, if I try to query without recurse (and without addind the forward
zone as above):

dig example.test +norecurse
; <<>> DiG 9.4.2-P2 <<>> example.test +norecurse

;; global options: printcmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62293
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;example.test. IN A

;; AUTHORITY SECTION:

example.test. 600 IN NS plesk.test.

;; ADDITIONAL SECTION:

plesk.test. 600 IN A 192.168.2.10

;; Query time: 1 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Mon Mar 2 22:22:40 2009
;; MSG SIZE rcvd: 66

it seems to work (that is, it returns the NS and A record for the NS)...
only when quering with recurse it fails, any ideia why?

Thanks!

Best regards,
Rui Lopes

>
>
> ------------------------------------------------------------------------
> *From:* bind-user...@lists.isc.org on behalf of Rui Lopes
> *Sent:* Sun 3/1/2009 2:46 PM
> *To:* bind-...@lists.isc.org
> *Subject:* how to create a private "test." zone?

Mark Andrews

unread,

Mar 2, 2009, 6:07:01 PM3/2/09

to

You turned off forwarding for that namespace.
It's the equivalent of:

zone "example.test" {
type forward;
forwarders { /* empty */ };
};

You could have also added it to the test zones config.

zone "test" {
type master; // or slave
...
forwarders { /* empty */ };
};

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_A...@isc.org

Mark Andrews

unread,

Mar 2, 2009, 6:10:01 PM3/2/09

to

// or stub

Rui Lopes

unread,

Mar 3, 2009, 3:16:56 AM3/3/09

to

Mark Andrews wrote:
> Mark Andrews writes:
>
>> In message <49AC5D59...@ruilopes.com>, Rui Lopes writes:
>>
>>> Hi,
>>>
>>> Ben Bridges wrote:
>>>

>>> [...]

>>>> You could try creating example.test as a forward zone in named.conf on
>>>> your sun server and specifying plesk as the forwarder for that zone.
>>>>
>>> Indeed, adding a forward zone like bellow works! but why does it work?
>>> or why is it needed?
>>>
>>> zone "example.test" {
>>> type forward;
>>> // forward only;
>>> // forwarders { 192.168.2.10; };
>>> };
>>>
>>> Note that I only needed to include the "type forward" line, the other
>>> lines do not seem to be needed. I'm I missing something? they aren't
>>> really needed? By reading the bind manual it seems we have to include them
>>>
>> .
>>
>> You turned off forwarding for that namespace.
>> It's the equivalent of:
>>
>> zone "example.test" {
>> type forward;
>> forwarders { /* empty */ };
>> };
>>
>>
>> You could have also added it to the test zones config.
>>
>> zone "test" {
>> type master; // or slave
>>
> // or stub
>
>> ...
>> forwarders { /* empty */ };
>> };
>>
>> Mark
>>

Thanks!

Why isn't bind just following the "example.test. NS plesk.test." RR that
is inside the "test." zone without removing the forwarders?

Rui Lopes

unread,

Mar 1, 2009, 6:06:22 AM3/1/09

to

Hello,

example IN NS plesk

Which failed...

My network diagram is:

IN NS sun

Thanks!

Rui Lopes

unread,

Mar 1, 2009, 6:06:22 AM3/1/09

to

Mark Andrews

unread,

Mar 3, 2009, 3:47:24 PM3/3/09

to

Because you have a forwarding turned on at the options/view
level. Unless you have a special reason (like you can't
reach the root servers) that requires forwarding I don't
recommend using it.

Mark

> Best regards,
> Rui Lopes
> _______________________________________________
> bind-users mailing list
> bind-...@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_A...@isc.org

Kevin Darcy

unread,

Mar 3, 2009, 6:16:34 PM3/3/09

to

It's the result of a couple deliberate design decisions.

When named tries to resolve a name, it looks at the zones which are
explicitly defined in its config. If the name isn't contained in any of
them, then, by BIND's design, it looks to see what the closest
applicable "forward" statement is, if any. Example.test is *outside* of
the "test" zone you have defined, so:

BEFORE (no "forward" defined in the "test" zone): it finds your "global"
forwarders and uses them to resolve example.test names.
AFTER (a "forward" defined in the "test" zone, with an empty forwarders
list): it finds the "test" forwarders (since they're closer than the
global forwarders, which are considered to be at the root) and uses them.

The other deliberate design decision is that the resolver algorithm
interprets an empty forwarders list to mean "don't forward at all". So
when it finds the empty forwarders list for "test" it follows the
"example.test" delegation records and resolves as you expected it to.

- Kevin

Barry Margolin

unread,

Mar 4, 2009, 1:23:15 AM3/4/09

to

In article <goip2j$2a06$1...@sf1.isc.org>, Rui Lopes <r...@ruilopes.com>
wrote:

> Why isn't bind just following the "example.test. NS plesk.test." RR that
> is inside the "test." zone without removing the forwarders?

Because the point of configuring forwarders is to use them INSTEAD of
following NS records. Forwarders are generally used when the server
doesn't have direct access to the Internet, so it can't reach the
nameservers named in NS records.

The basic algorithm is this:

If we're authoritative for the zone, return the answer.
If the answer is already cached, return it.
If there's a forward zone for it, obey it (send to its forwarders if
any, otherwise follow NS records).
If there's global forwarding enabled, send to them.
Follow the NS records.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***