
After delegation parent DNS cannot resolve to child DNS


Andrew Buttigieg

Aug 20, 2004, 7:18:47 AM
Hi all,
After delegating a forward lookup zone to another DNS server I am unable
to get proper name resolution to addresses in the delegated zone from the
parent DNS. I made the delegation and specified the zone and the ip address
of the DNS server. I also followed the verify delegation task in the DNS
Help for delegation which worked fine. But if I ping I get no name to
address resolution. If I ping -a ip-address I get a resolved name. I have
also followed the Optional Configuration in KB255248 so that the child DNS
conditionally forwards requests to parent domain. I've also stopped and
restarted DNS service and flushed DNS cache. I've tried looking under the
delegated zone on the parent DNS server but I don't see a glue record. I
tried adding a host record for the child DNS server in the parent zone but
it says a record already exists (which of course I can't find). What have I
missed??

- Andrew


Kevin D. Goodknecht Sr. [MVP]

Aug 20, 2004, 9:57:42 AM
In news:ueo23dq...@TK2MSFTNGP09.phx.gbl,
Andrew Buttigieg <Andrew.B...@hkkk.fi.no-spam> wrote their comments
Then Kevin replied below:

You cannot add a glue record for the child DNS server in the parent zone, if
the child zone is delegated. There is somewhat of a glue record in the NS
record in the delegation, but I've found it does not always work as
expected. If you add the glue record in the form of its FQDN in a new zone,
e.g. child.example.com is delegated to dns.child.example.com by adding a
delegation named "child" in example.com.
To create the glue for the child's DNS server, create a new Forward lookup
zone named "dns.child.example.com" then place a new host record, leave the
host name blank and give that record the IP of the child DNS server. This is
a hardened glue record and it works every time.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
================================================
--
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
================================================
http://www.lonestaramerica.com/
================================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
================================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
================================================


Sharad Naik

Aug 20, 2004, 10:44:52 AM
Sorry for interrupting and diverting Kevin, but I thought
asking my query here might benefit the original post also.
He configured a delegation and also conditional forwarding.
Can both work for same child domain?
If one delegates a child domain and also sets a conditional forwarder for
the same, is it OK?

I am about to add some delegations / conditional forwarders (which one to
opt for, I haven't decided yet.)

Sharad

"Kevin D. Goodknecht Sr. [MVP]" <ad...@nospam.WFTX.US> wrote in message
news:uh4Qr2rh...@TK2MSFTNGP12.phx.gbl...

William Stacey [MVP]

Aug 20, 2004, 2:43:46 PM
> He configured a delegation and also conditional forwarding.

I did not see where he also created a cond. forwarder zone?

> Can both work for same child domain?

IIRC, the conditional forwarder is actually handled like a zone with
explicit forwarder(s) set on the zone (the zone contains no RRs.) The zone
will "override" any other delegations in another zone as it will be found
first or "closer" to the answer than any other zone (as normal). As the
zone type is Forward, only the forwarder IP(s) will be used. The other zone
with the delegation will not even be "seen" by the server. Also, forwarders
are used first even if you have a delegation and you have forwarders. In
Bind you can clear that per zone by setting zone forwarders to empty {}, and
it will use the delegations if available (one place where using forwarders
gets confusing if you expect NS delegations are being used.). afaik,
forward override on zones is not an option in w2kx. hth

--
William Stacey, MVP
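The zone-selection behaviour William describes (the closest enclosing zone wins, a forward zone never looks at a delegation held by a less specific zone, and forwarders take precedence over a delegation unless the zone's own forwarder list is explicitly emptied, BIND-style) can be modelled in a few lines. The following is an added illustration for this thread, not code from Windows DNS, BIND or any poster; the `Zone`, `closest_zone` and `resolve_path` names and the example.com / child.example.com configuration are constructed for the demonstration.

```python
"""Model of how a DNS server chooses which locally configured zone handles a
query: the zone whose name is the longest suffix of the query name (the
"closest enclosing" zone) wins, and a forward-type zone never consults
delegations held by a less specific zone.  The forwarder precedence and the
BIND-style empty per-zone forwarder list follow the description in the
thread; this is an added illustration, not code from any DNS product, and the
zone data below is constructed."""

from dataclasses import dataclass, field
from typing import Optional


def labels(name: str) -> list:
    """Split a domain name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def encloses(zone: str, qname: str) -> bool:
    """True when qname equals zone or lies beneath it."""
    z, q = labels(zone), labels(qname)
    return len(z) <= len(q) and q[len(q) - len(z):] == z


@dataclass
class Zone:
    name: str
    kind: str                               # "primary" or "forward"
    forwarders: Optional[list] = None       # None = inherit server forwarders, [] = none
    delegations: dict = field(default_factory=dict)  # subzone -> [NS names]


def closest_zone(zones, qname):
    """Pick the configured zone with the most labels that encloses qname."""
    candidates = [z for z in zones if encloses(z.name, qname)]
    return max(candidates, key=lambda z: len(labels(z.name)), default=None)


def resolve_path(zones, qname, server_forwarders=()):
    """Return (action, target) describing where the server sends the query."""
    zone = closest_zone(zones, qname)
    if zone is None:
        return ("forward", list(server_forwarders)) if server_forwarders else ("recursion", None)
    if zone.kind == "forward":
        # A forward zone carries no RRs; only its forwarders are used.
        return ("forward", list(zone.forwarders or []))
    # Primary zone: is the name beneath one of its delegation points?
    for sub, ns_names in zone.delegations.items():
        if encloses(sub, qname):
            effective = zone.forwarders if zone.forwarders is not None else list(server_forwarders)
            if effective:
                # Forwarders win over the delegation ("forward first" behaviour).
                return ("forward", list(effective))
            return ("delegation", list(ns_names))
    return ("authoritative", zone.name)


# Constructed configuration matching the thread's scenario.
PARENT = Zone("example.com", "primary",
              delegations={"child.example.com": ["dns.child.example.com"]})
CHILD_FWD = Zone("child.example.com", "forward", forwarders=["192.0.2.53"])

if __name__ == "__main__":
    print(resolve_path([PARENT, CHILD_FWD], "host.child.example.com"))
    print(resolve_path([PARENT], "host.child.example.com"))
    print(resolve_path([PARENT], "host.child.example.com", server_forwarders=("198.51.100.1",)))
```

With both zones configured, a query for host.child.example.com lands in the forward zone and the parent's delegation is never consulted; remove the forward zone and the delegation is used, unless server-level forwarders exist, in which case they win until the parent zone's own forwarder list is set to an explicit empty list.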


Andrew Buttigieg

Aug 23, 2004, 1:27:57 AM
Hi,
Thanks for your response. I have created the hardened glue record as you
describe but I can then only resolve the address of the child DNS server. I
cannot resolve any other hosts in the child zone....

- Andrew

"Kevin D. Goodknecht Sr. [MVP]" <ad...@nospam.WFTX.US> wrote in message
news:uh4Qr2rh...@TK2MSFTNGP12.phx.gbl...

Kevin D. Goodknecht Sr. [MVP]

Aug 23, 2004, 2:48:08 AM
In news:ePmX3HNi...@TK2MSFTNGP11.phx.gbl,

Andrew Buttigieg <Andrew.B...@hkkk.fi.no-spam> wrote their comments
Then Kevin replied below:
> Hi,
> Thanks for your response. I have created the hardened
> glue record as you describe but I can then only resolve
> the address of the child DNS server. I cannot resolve any
> other hosts in the child zone....

That doesn't make any sense at all. You created the delegation, the DNS
server's address can be resolved to an IP, but you can't resolve any names
on the DNS server?
If you connect directly to the DNS server with Nslookup is it able to
resolve the child domain?
What name did you give the child zone?

William Stacey [MVP]

Aug 23, 2004, 8:57:18 AM

> You cannot add a glue record for the child DNS server in the parent zone, if
> the child zone is delegated.

I think you can add glue ok. Maybe I don't understand your intent.

> There is somewhat of a glue record in the NS
> record in the delegation, but I've found it does not always work as
> expected.

Have not seen that myself, but don't use a lot of delegations. How does it
not always work?

> This is a hardened glue record and it works every time.

Have not heard that term "hardened glue" record. Is this documented
somewhere? Just curious. Thanks Kevin.

--
William Stacey, MVP


Kevin D. Goodknecht Sr. [MVP]

Aug 23, 2004, 9:24:32 AM
In news:OovhfFRi...@TK2MSFTNGP11.phx.gbl,
William Stacey [MVP] <stacey...@mvps.org> wrote their comments
Then Kevin replied below:

>> You cannot add a glue record for the child DNS server in
>> the parent zone, if the child zone is delegated.
>
> I think you can add glue ok. Maybe I don't understand
> your intent.

You can't create an A record in a parent zone for a name in the child zone.
e.g. You can't create an A record for "host.child.example.com" in the
"example.com" zone.
But to give the parent DNS server glue for "host.child.example.com" you can
create a zone with that name and a blank A record in the zone so the parent
has glue for "host.child.example.com".


>
>> There is somewhat of a glue record in the NS
>> record in the delegation, but I've found it does not
>> always work as expected.
>
> Have not seen that myself, but don't use a lot of
> delegations. How does in not always work?

When you create a delegation, or for that fact any NS record you have to put
in the name and IP of the NS, but DNS cannot resolve the NS record to an IP
address.

>
>> This is a hardened glue record and it works every time.
>
> Have not heard that term "hardened glue" record. Is this
> documented somewhere? Just curious. Thanks Kevin.

It is a term I use, because I have found that even though you put the IP in
for NS records unless you actually create a real A record for glue it cannot
resolve its own IP that you put in when you create the NS record.

William Stacey [MVP]

Aug 24, 2004, 12:33:56 AM
> You can't create an A record in a parent zone for a name in the child zone.
> e.g. You can't create an A record for "host.child.example.com" in the
> "example.com" zone.

There are some fine points to glue, and hence why I was probing to clarify
your intent.
You can add glue A records to the zone for in-domain NS records. In
fact, that ability is essential in DNS to find NS addresses if the NS name
is in the same domain.

RFC 2181 widens the definition of glue a bit to include:
""Glue" above includes any record in a zone file that is not properly part
of that zone, including nameserver records of delegated sub-zones (NS
records), address records that accompany those NS records (A, AAAA, etc),
and any other stray data that might appear. "

The parent of a delegated domain will not reply with the glue as it ignores it
other than for internal processing to find the best server(s) to ask.
Normally if you query for glue and the NSs can not be found (i.e. a lame
delegation or configuration error) your dig/nslookup client will timeout or
will get a SERVFAIL rcode from the server (which is proper) depending on
timeouts setting of client, etc. The explicit creation of NS records
out-of-domain is not required (unless that is the server that must be used)
and probably just adds more zones to manage and maintain. However, if the
server also hosts the zone that contains the A glue, then the server should
use that A record before any A-glue that may have been added in the zone
file, etc.

Cheers!

--
William Stacey, MVP
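The RFC 2181 reading of "glue" that William quotes, and the missing-glue case Kevin describes a few posts up (an NS inside the delegated zone with no A record behind it), can be turned into a small audit of a parent zone's records. This is an added example written for this thread, not code from any poster, from Windows DNS or from BIND; the `audit_glue` function, the record tuple layout and the example.com records (including the 192.0.2.x and 198.51.100.x addresses) are constructed.

```python
"""Glue audit for a parent zone, using the RFC 2181 reading of "glue" quoted in
the thread: NS records of delegated sub-zones, the address records that go
with them, and any stray data below a cut are not authoritative data of the
parent.  The audit also reports an in-bailiwick name server named in a
delegation with no A record to back it.  Added illustration, not code from
any product; the records are constructed."""

from collections import defaultdict


def canon(name):
    """Lower-case a name and strip a trailing dot."""
    return name.rstrip(".").lower()


def under(name, zone):
    """True when name equals zone or lies beneath it."""
    n, z = canon(name).split("."), canon(zone).split(".")
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def audit_glue(records, apex):
    """Classify (owner, type, rdata) records of a zone; return a report dict."""
    apex = canon(apex)
    # Delegation points (zone cuts): names below the apex that carry NS records.
    cuts = {canon(o) for o, t, _ in records
            if t == "NS" and canon(o) != apex and under(o, apex)}
    ns_targets = defaultdict(set)          # cut -> names of its servers
    for o, t, r in records:
        if t == "NS" and canon(o) in cuts:
            ns_targets[canon(o)].add(canon(r))
    addressed = {canon(o) for o, t, _ in records if t in ("A", "AAAA")}

    report = {"authoritative": [], "glue": [], "occluded": [], "missing_glue": []}
    for o, t, r in records:
        owner = canon(o)
        cut = max((c for c in cuts if under(owner, c)),
                  key=lambda c: c.count("."), default=None)
        if cut is None:
            report["authoritative"].append((owner, t, r))
        elif t == "NS" and owner == cut:
            report["glue"].append((owner, t, r))          # the delegation itself
        elif t in ("A", "AAAA") and owner in ns_targets[cut]:
            report["glue"].append((owner, t, r))          # address glue for an NS
        else:
            report["occluded"].append((owner, t, r))      # stray data below the cut
    # An NS inside its own delegated zone is reachable only through glue.
    for cut, names in ns_targets.items():
        for name in sorted(names):
            if under(name, cut) and name not in addressed:
                report["missing_glue"].append(name)
    return report


# Constructed example.com zone: the child delegation names dns.child.example.com
# but the zone carries no A record for it, the situation discussed above.
RECORDS = [
    ("example.com", "SOA", "ns1.example.com hostmaster.example.com 2004082001"),
    ("example.com", "NS", "ns1.example.com"),
    ("ns1.example.com", "A", "192.0.2.1"),
    ("www.example.com", "A", "192.0.2.10"),
    ("child.example.com", "NS", "dns.child.example.com"),   # in-bailiwick NS
    ("child.example.com", "NS", "ns-ext.example.net"),      # out-of-bailiwick NS
    ("host.child.example.com", "A", "192.0.2.99"),          # stray data under the cut
]

if __name__ == "__main__":
    for kind, items in audit_glue(RECORDS, "example.com").items():
        print(kind, items)
```

Run against the constructed records, the audit lists dns.child.example.com under `missing_glue`; adding an A record for it moves that record into `glue` and clears the finding, while host.child.example.com stays `occluded` because it is data below the cut that is neither an NS nor an address for one.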


AndrewB

Aug 30, 2004, 3:12:40 PM
Thanks all for your input. The culprit of the issue was the Cisco PIX
firewall at the parent site not allowing DNS packets to child DNS server.
Always helps to use Network Monitor at both ends! :-)

- Andrew

"Kevin D. Goodknecht Sr. [MVP]" <ad...@nospam.WFTX.US> wrote in message
news:%239kpn0N...@TK2MSFTNGP11.phx.gbl...

Kevin D. Goodknecht Sr. [MVP]

Aug 30, 2004, 4:22:46 PM
In news:%23Yu3aWs...@TK2MSFTNGP12.phx.gbl,
AndrewB <andrew.b...@pp.inet.fi.spa.m> wrote their comments
Then Kevin replied below:

> Thanks all for your input. The culprit of the issue was
> the Cisco PIX firewall at the parent site not allowing
> DNS packets to child DNS server. Always helps to use
> Network Monitor at both ends! :-)

Ah Ha! Didn't know there was a Pix in the picture. Did you fix the
Pix or disable EDNS Probes?
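Andrew found the problem by capturing at both ends, and Kevin's question points at the usual suspect in that capture: an EDNS0 query that a DNS-inspecting firewall refuses. The following added example (not code from the thread, from Windows DNS or from Cisco) builds a minimal DNS query with or without an OPT pseudo-record and inspects one, so the two captures can be compared on whether EDNS0 is present and what UDP payload size it advertises. The `build_query`, `inspect_query` and `exceeds_legacy_limit` names are constructed; the 512-byte threshold is a parameter of the example, reflecting the classic pre-EDNS UDP message limit, not a setting taken from the page.

```python
"""Build a DNS query with or without an EDNS0 OPT record and inspect one, so a
capture taken on both sides of a firewall can be compared for the EDNS probe
discussed in the thread.  Added illustration, not code from the thread or any
product.  It assumes a DNS-inspecting firewall may drop queries whose OPT
record advertises a UDP payload larger than the classic 512-byte limit; the
512 figure is a parameter here, not a setting taken from the page."""

import struct

OPT_TYPE = 41          # RFC 6891 OPT pseudo-RR type code


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234, edns_payload=None):
    """Standard recursive query; append an OPT RR when edns_payload is given."""
    arcount = 1 if edns_payload is not None else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_payload is not None:
        # OPT: root owner, type 41, CLASS = UDP payload size,
        # TTL = extended rcode/version/flags, empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_payload, 0, 0)
    return msg


def skip_name(buf, off):
    """Advance past a wire-format name (handles compression pointers)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def inspect_query(msg):
    """Report whether a DNS message carries EDNS0 and the payload size it advertises."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns):                      # skip answer/authority RRs
        off = skip_name(msg, off)
        rdlen = struct.unpack_from("!H", msg, off + 8)[0]
        off += 10 + rdlen
    info = {"length": len(msg), "edns": False, "udp_payload": 512}
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == OPT_TYPE:
            info["edns"] = True
            info["udp_payload"] = rclass         # OPT reuses CLASS for the size
        off += 10 + rdlen
    return info


def exceeds_legacy_limit(msg, max_len=512):
    """True when the query advertises more than a 512-byte-era inspector allows."""
    info = inspect_query(msg)
    return info["edns"] and info["udp_payload"] > max_len


if __name__ == "__main__":
    probe = build_query("host.child.example.com", edns_payload=1280)
    print(inspect_query(probe), exceeds_legacy_limit(probe))
    print(inspect_query(build_query("host.child.example.com")))
```

If the query with the OPT record appears in the capture on the inside but never on the far side, while the plain query passes, the inspection device is the thing to fix; the example only classifies the packets, it does not send anything.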
