
Delegation


John Bond

Feb 14, 2008, 12:34:12 PM
Hello list,

I am hoping that someone will be able to help me with an issue I had
assumed would be simple to resolve, but which is proving otherwise.

Currently our DNS infrastructure runs BIND 9.3.0; it has one primary
and 7 slaves. At the moment we are in the process of migrating to
a new infrastructure, and we want to migrate zones one at a time in a
safe, testable and easily revertible way.

Our primary server on the current infrastructure is ns1.example.com
(slaves: ns2.example.com - ns8.example.com),
the primary on the new infrastructure is ns1.example.net (slaves:
ns2.example.net & ns3.example.net), and
the zone to transfer/migrate is test.org.

I have set up the zone test.org on the new infrastructure, and querying
the box directly works fine. The registered nameservers for test.org
in the .org zone are set to ns1.example.com (and the rest
of that infrastructure). Until I am confident that things work I
would like to leave things like that. However, I want ns1.example.com
to send all requests to the new infrastructure (delegate?). I don't
think forwarders will do what I want, as I need to test a failure of the
primary server and ensure the slaves kick in. In an effort to fix
this I created the following zone on ns1.example.com:

#################zone file for test.org#############################
$TTL 60
; RNAME must be absolute (trailing dot); without it BIND would append
; the origin and produce hostmaster.ns1.example.com.test.org.
@ IN SOA ns1.example.com. hostmaster.ns1.example.com. (
          2008021409 ; Serial yyyymmddvv
          21600      ; Refresh 6 hours
          900        ; Retry 15 minutes
          1209600    ; Expire 2 weeks
          12800 )    ; Negative-cache TTL (RFC 2308), about 3.5 hours

; Apex NS RRset (leading whitespace = same owner as the line above).
; Names the new servers, while the .org delegation still points at
; ns1/ns2.example.com.
          IN NS ns1.example.net.
          IN NS ns2.example.net.
          IN NS ns3.example.net.

###############end zone file for test.org###########################


I had hoped that this would delegate the entire zone to the new
infrastructure, but when I test* my query stops at ns1.example.com and
is never forwarded to ns1.example.net. If I do an NS lookup, though, it
appears as if everything is set up correctly.

I have tried Google and nothing comes up. I am starting to come to
the conclusion that the way I'm doing things is not the correct way.
If anyone could point me in the right direction as to what I'm doing wrong
and how I can achieve what I want, it would be much appreciated.

Everything below here is testing output.
Thanks, John

*See below for test results; note that real FQDNs have been swapped for
the domains used above.
########################################################
dig +trace test0.test.org
; <<>> DiG 9.4.2 <<>> +trace test0.test.org
;; global options: printcmd
. 4759 IN NS b.root-servers.net.
. 4759 IN NS c.root-servers.net.
. 4759 IN NS d.root-servers.net.
. 4759 IN NS e.root-servers.net.
. 4759 IN NS f.root-servers.net.
. 4759 IN NS g.root-servers.net.
. 4759 IN NS h.root-servers.net.
. 4759 IN NS i.root-servers.net.
. 4759 IN NS j.root-servers.net.
. 4759 IN NS k.root-servers.net.
. 4759 IN NS l.root-servers.net.
. 4759 IN NS m.root-servers.net.
. 4759 IN NS a.root-servers.net.
;; Received 433 bytes from 192.168.33.223#53(192.168.33.223) in 2 ms

org. 172800 IN NS B0.ORG.AFILIAS-NST.org.
org. 172800 IN NS A0.ORG.AFILIAS-NST.INFO.
org. 172800 IN NS C0.ORG.AFILIAS-NST.INFO.
org. 172800 IN NS D0.ORG.AFILIAS-NST.org.
org. 172800 IN NS TLD2.ULTRADNS.NET.
org. 172800 IN NS TLD1.ULTRADNS.NET.
;; Received 430 bytes from 192.112.36.4#53(g.root-servers.net) in 192 ms

test.org. 86400 IN NS ns1.example.com.
test.org. 86400 IN NS ns2.example.com.
;; Received 101 bytes from 199.19.56.1#53(A0.ORG.AFILIAS-NST.INFO) in 21 ms

test.org. 60 IN SOA ns1.example.com.
hostmaster.ns1.example.com 2008021409 21600 900 1209600 12800
;; Received 113 bytes from 123.123.123.123#53(ns1.example.com) in 17 ms
################################################

dig +trace NS test.org
; <<>> DiG 9.4.2 <<>> +trace NS test.org
;; global options: printcmd
. 4237 IN NS b.root-servers.net.
. 4237 IN NS c.root-servers.net.
. 4237 IN NS d.root-servers.net.
. 4237 IN NS e.root-servers.net.
. 4237 IN NS f.root-servers.net.
. 4237 IN NS g.root-servers.net.
. 4237 IN NS h.root-servers.net.
. 4237 IN NS i.root-servers.net.
. 4237 IN NS j.root-servers.net.
. 4237 IN NS k.root-servers.net.
. 4237 IN NS l.root-servers.net.
. 4237 IN NS m.root-servers.net.
. 4237 IN NS a.root-servers.net.
;; Received 433 bytes from 192.168.33.223#53(192.168.33.223) in 14 ms

org. 172800 IN NS C0.ORG.AFILIAS-NST.INFO.
org. 172800 IN NS D0.ORG.AFILIAS-NST.org.
org. 172800 IN NS TLD1.ULTRADNS.NET.
org. 172800 IN NS TLD2.ULTRADNS.NET.
org. 172800 IN NS A0.ORG.AFILIAS-NST.INFO.
org. 172800 IN NS B0.ORG.AFILIAS-NST.org.
;; Received 424 bytes from 192.36.148.17#53(i.root-servers.net) in 19 ms

test.org. 86400 IN NS ns1.example.com.
test.org. 86400 IN NS ns2.example.com.
;; Received 95 bytes from 199.19.56.1#53(A0.ORG.AFILIAS-NST.INFO) in 22 ms

test.org. 60 IN NS ns1.example.net.
test.org. 60 IN NS ns2.example.net.
test.org. 60 IN NS ns0.example.net.
;; Received 102 bytes from 152.78.129.184#53(clover.sucs.soton.ac.uk) in 16 ms

#################################################
dig test0.test.org @ns1.example.net

; <<>> DiG 9.4.2 <<>> test0.test.org @ns1.example.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37523
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;test0.test.org. IN A

;; ANSWER SECTION:
test0.test.org. 60 IN A 123.123.123.123

;; AUTHORITY SECTION:
test.org. 60 IN NS ns1.example.net.
test.org. 60 IN NS ns2.example.net.
test.org. 60 IN NS ns3.example.net.

;; ADDITIONAL SECTION:
ns1.example.net. 60 IN A 123.123.123.123
ns2.example.net. 60 IN A 123.123.123.124
ns3.example.net. 60 IN A 123.123.123.125

;; Query time: 3 msec
;; SERVER: 123.123.123.123#53(ns0.test.org)
;; WHEN: Thu Feb 14 17:12:18 2008
;; MSG SIZE rcvd: 172

dig NS @example.com


Mark Andrews

Feb 14, 2008, 6:29:38 PM

From RFC 1034.

As the last installation step, the delegation NS RRs and glue RRs
necessary to make the delegation effective should be added to the parent
zone. The administrators of both zones should insure that the NS and
glue RRs which mark both sides of the cut ARE CONSISTENT AND REMAIN SO.

I've capitalised the critical part.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_A...@isc.org
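Mark's RFC 1034 quote is the whole diagnosis: the .org servers refer
resolvers to ns1/ns2.example.com, and those servers then publish a
different NS RRset for test.org, so the two sides of the cut disagree.
John's `dig +trace NS test.org` output shows both sides. The script
below is an added example, not code from any of the posters: it parses
such `dig +trace` output offline and reports the parent-side and
child-side NS sets and their difference. The embedded traces are
constructed from the output posted above (same anonymised names);
192.0.2.1 is a placeholder address, and `parse_trace` and
`check_delegation` are helper names assumed here, not dig or BIND
features.

```python
"""Compare the NS RRset a parent hands out for a delegation with the NS
RRset the child's own servers publish, using `dig +trace` output as input.

Added example for this thread, not code from any of the posters.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: trimmed `dig +trace NS test.org` as posted in the thread.
# The .org servers refer to example.com, but example.com answers with example.net.
INCONSISTENT_TRACE = """\
. 4237 IN NS a.root-servers.net.
;; Received 433 bytes from 192.168.33.223#53(192.168.33.223) in 14 ms

org. 172800 IN NS A0.ORG.AFILIAS-NST.INFO.
;; Received 424 bytes from 192.36.148.17#53(i.root-servers.net) in 19 ms

test.org. 86400 IN NS ns1.example.com.
test.org. 86400 IN NS ns2.example.com.
;; Received 95 bytes from 199.19.56.1#53(A0.ORG.AFILIAS-NST.INFO) in 22 ms

test.org. 60 IN NS ns1.example.net.
test.org. 60 IN NS ns2.example.net.
test.org. 60 IN NS ns0.example.net.
;; Received 102 bytes from 152.78.129.184#53(clover.sucs.soton.ac.uk) in 16 ms
"""

# Constructed sample of a consistent cut, i.e. after the registrar entry
# has been changed to match the child zone (192.0.2.1 is a placeholder).
CONSISTENT_TRACE = """\
test.org. 86400 IN NS ns1.example.net.
test.org. 86400 IN NS ns2.example.net.
;; Received 95 bytes from 199.19.56.1#53(A0.ORG.AFILIAS-NST.INFO) in 22 ms

test.org. 60 IN NS ns2.example.net.
test.org. 60 IN NS ns1.example.net.
;; Received 80 bytes from 192.0.2.1#53(ns1.example.net) in 10 ms
"""

NS_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$", re.IGNORECASE)
HOP_END = re.compile(r"^;; Received \d+ bytes from (\S+)")

Hop = Tuple[str, Dict[str, Set[str]]]  # (responding server, {owner: {nsdname}})


def parse_trace(text: str) -> List[Hop]:
    """Split dig +trace output into hops; each hop collects the NS RRs it returned."""
    hops: List[Hop] = []
    rrsets: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = NS_RR.match(line)
        if m:
            owner, target = (s.lower() for s in m.groups())
            rrsets.setdefault(owner, set()).add(target)
            continue
        m = HOP_END.match(line)
        if m:  # ';; Received ... from X' closes one hop
            hops.append((m.group(1), rrsets))
            rrsets = {}
    return hops


def check_delegation(text: str, zone: str) -> dict:
    """Return parent-side and child-side NS sets for `zone` and their difference.

    Parent side = the referral hop (second-to-last hop naming the zone);
    child side = the final, authoritative hop. If the trace ends in an
    SOA/A answer rather than an NS RRset (as with `dig +trace A name`),
    the child side is empty and the cut is reported as not consistent.
    """
    owner = zone.lower().rstrip(".") + "."
    sets = [rr[owner] for _, rr in parse_trace(text) if owner in rr]
    parent: Set[str] = sets[-2] if len(sets) >= 2 else (sets[0] if sets else set())
    child: Set[str] = sets[-1] if len(sets) >= 2 else set()
    return {
        "parent": sorted(parent),
        "child": sorted(child),
        "consistent": bool(parent) and parent == child,
        "parent_only": sorted(parent - child),
        "child_only": sorted(child - parent),
    }


if __name__ == "__main__":
    for label, trace in (("thread", INCONSISTENT_TRACE), ("fixed", CONSISTENT_TRACE)):
        r = check_delegation(trace, "test.org")
        print(label, "consistent" if r["consistent"] else "INCONSISTENT",
              "parent-only:", r["parent_only"], "child-only:", r["child_only"])
```

Run against the thread's trace it reports ns1/ns2.example.com as
parent-only and ns0/ns1/ns2.example.net as child-only, which is exactly
the inconsistency the RFC warns about; a resolver that follows the .org
referral lands on example.com and never sees example.net for the A query.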


Chris Buxton

Feb 14, 2008, 10:23:17 PM
As Mark pointed out, you can't do what you want to do. It just won't
work. The only thing you could do would be to configure the old
servers (nsX.example.com) as slaves of ns1.example.net.

To really test without jumping in feet first would require you to set
up a testbed resolving name server. Configure it with a stub zone for
test.org pointing to the example.net servers. Then query it for your
tests. While all this is going on, the example.com name servers act as
if the example.net servers did not exist - they have an authoritative
zone that lists them as the authoritative name servers.

Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone: +354 412 1500
Email: cbu...@menandmice.com
www.menandmice.com

Men & Mice
We bring control and flexibility to network management

This e-mail and its attachments may contain confidential and
privileged information only intended for the person or entity to which
it is addressed. If the reader of this message is not the intended
recipient, you are hereby notified that any retention, dissemination,
distribution or copy of this e-mail is strictly prohibited. If you
have received this e-mail in error, please notify us immediately by
reply e-mail and immediately delete this message and all its attachment.

John Bond

Feb 15, 2008, 5:43:11 AM
Thanks for the responses, everyone; I guess it's back to the drawing
board. I think I will have to use the forwarders option and include
all three of the boxes in the new infrastructure. If I were to do
this, will the DNS boxes which are forwarding round-robin the three
forwarders? If not, I can do this load balancing at the firewall. Also,
will the box doing the forwarding cache the DNS results, or will it
forward all requests? If it performs caching, can this be disabled?
Thanks again.


Chris Buxton

Feb 15, 2008, 7:58:32 PM
BIND 9.3 and later will use RTT with the forwarders list. (This is
better than round-robin.)

A server that forwards a query to another server will cache the
result. To suppress this, set your TTLs on the authoritative server
to a very low number, such as 5 seconds, or even 0. Note that this is
generally not good practice, but while you are testing, it may be
warranted.

If you were to somehow disable caching at the server by setting
max-cache-size, or something like that, the client machines would still
tend to cache records. Setting a low TTL solves that problem as well,
although some clients (e.g. Mac OS X's resolver service) will still
cache for some amount of time (typically applying a minimum of no more
than 1 minute).

Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone: +354 412 1500
Email: cbu...@menandmice.com
www.menandmice.com

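The three approaches raised in Chris's two replies (old servers as
slaves of the new primary, a stub zone on a test-bed resolver, and the
forwarders option John fell back on) as named.conf zone statements.
This is an added example, not configuration from any of the posters.
Names are the anonymised ones used in the thread; 192.0.2.1-3 are
placeholder (documentation-range) addresses standing for
ns1-ns3.example.net; "slave"/"masters" is the BIND 9.3-era spelling.

```conf
// Added example for this thread, not configuration posted by anyone here.
// 192.0.2.1-3 = ns1-ns3.example.net (assumed placeholder addresses).

// (a) On each old server ns1-ns8.example.com: stop being primary for
//     test.org and serve it as a secondary of the new primary. Both
//     infrastructures then hand out identical data, including the apex
//     NS RRset. While both are live, the zone on ns1.example.net should
//     list ns1-ns8.example.com AND ns1-ns3.example.net, so the .org
//     referral and the child RRset agree until the registrar entry is
//     changed and the old names are retired.
zone "test.org" {
    type slave;
    file "slaves/test.org";
    masters { 192.0.2.1; };   // ns1.example.net must allow-transfer to us
};

// (b) On a throwaway test resolver only: a stub zone makes this resolver
//     use the example.net servers for test.org regardless of what .org
//     delegates. Production servers are untouched, so it is revertible.
zone "test.org" {
    type stub;
    file "stub/test.org";
    masters { 192.0.2.1; 192.0.2.2; 192.0.2.3; };
};

// (c) The forwarders option from the follow-up, on the old servers,
//     replacing the authoritative zone. Forwarding only happens for
//     recursive queries, so recursion must be allowed for the clients.
//     "forward only" stops named from falling back to iterative
//     resolution (which would follow the .org referral straight back to
//     these servers) when all forwarders are down. Answers are cached
//     for their TTL, hence the low-TTL advice above.
zone "test.org" {
    type forward;
    forward only;
    forwarders { 192.0.2.1; 192.0.2.2; 192.0.2.3; };
};
```

With (c), forwarder selection is by measured RTT as Chris says, so the
failure test John wanted is simply to stop ns1.example.net and confirm
that queries through the old servers are now answered via 192.0.2.2 or
192.0.2.3; with (a), run `dig +norec NS test.org` against an old and a
new server and check that the two RRsets are identical.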

John Bond

Feb 17, 2008, 5:31:49 AM
Thanks again for your response. I think that all makes sense, but I may
need to go off and do a bit more reading before I fully understand.
Thanks for the help.

