#141 ad.example.com forward zone doesn't work if example.com is also defined
Closed: Invalid. Opened 9 years ago by jhrozek.

My DNS zones are defined as:

[root@master ~]# ipa dnszone-find
  Zone name: example.com
  Active zone: TRUE
  Authoritative nameserver: master.ipa.example.com
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1414596433
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;

  Zone name: ipa.example.com
  Active zone: TRUE
  Authoritative nameserver: master.ipa.example.com.
  Administrator e-mail address: hostmaster.ipa.example.com.
  SOA serial: 1414596432
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;

  Zone name: 122.168.192.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: master.ipa.example.com.
  Administrator e-mail address: hostmaster.ipa.example.com.
  SOA serial: 1414596433
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 3
----------------------------

ad.example.com is a forwarder zone:

[root@master ~]# ipa dnsforwardzone-find
  Zone name: ad.example.com.
  Active zone: TRUE
  Zone forwarders: 192.168.122.76
  Forward policy: first
----------------------------
Number of entries returned 1
----------------------------

Currently ad.example.com doesn't forward unless I disable example.com... disabling example.com makes things work again.


Results of planning meeting held on 2014-11-04.

After all, it is a configuration issue.

The BIND manual (ftp://ftp.isc.org/isc/bind/cur/9.9/doc/arm/Bv9ARM.ch06.html) says this:

Forwarding

... Forwarding occurs only on those queries for which the server is not authoritative ...

example.com. in this report is by definition an authoritative (master) zone. Forwarding does not happen because the server thinks it is authoritative and returns NXDOMAIN.

It is necessary to delegate authority to another server using NS records before you enable forwarding.

I have tested this configuration with plain BIND 9.9.4:

  • /etc/named.conf:

    // authoritative (master) zone for example.com.
    zone "example.com." IN {
        type master;
        file "example.com.db";
        allow-update { none; };
    };

    // forward zone for a subdomain of example.com.
    zone "sub.example.com." IN {
        type forward;
        forward only;
        forwarders { 192.0.2.1; };
    };

  • /var/named/example.com.db:

    @       IN SOA @ rname.invalid. (
                0   ; serial
                1D  ; refresh
                1H  ; retry
                1W  ; expire
                3H ); minimum
            NS   @
            A    127.0.0.1
            AAAA ::1
            PTR  ns.example.net.

    ; delegation of sub.example.com. to another server (commented out)
    ;sub    NS   ns2.example.net.

The forwarding does not work with this configuration (please note that the line sub NS ns2.example.net. is commented out).

Forwarding works when I uncomment the line with the NS record for sub.example.com.
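As an added example (not part of this ticket, bind-dyndb-ldap or BIND), the rule above turned into a check a server admin can run over a zone list: it collects the owners of NS records from a zone file and reports every forward zone that lies inside an authoritative zone on the same server without a delegation below that zone cutting it out. The zone-file parser and the two sample zone texts are constructed for this example; the parser handles one record per line and no $ directives.

```python
from typing import List, Optional, Set, Tuple

def ns_owners(zone_text: str, origin: str) -> Set[str]:
    """Owner names that carry NS records in a zone file with one record per line.
    ';' comments are dropped, an indented line inherits the previous owner, numeric TTL
    and class fields are skipped; parenthesised multi-line records are not supported."""
    origin = owner = origin.lower()
    owners: Set[str] = set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):   # blank, comment or $TTL/$ORIGIN
            continue
        tokens = line.split()
        if not line[0].isspace():                       # explicit owner, else inherited
            name = tokens.pop(0).lower()
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while tokens and (tokens[0].upper() in {"IN", "CH", "HS"} or tokens[0].isdigit()):
            tokens.pop(0)
        if tokens and tokens[0].upper() == "NS":
            owners.add(owner)
    return owners

def enclosing(name: str, zones: Set[str]) -> Optional[str]:
    """Longest zone equal to `name` or an ancestor of it, or None."""
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None

def shadowed_forward_zones(auth_zones, forward_zones, delegated) -> List[Tuple[str, str]]:
    """(forward zone, authoritative zone that answers instead of forwarding) for every
    forward zone inside an authoritative zone that has no NS delegation cutting it out."""
    norm = lambda n: n.lower().rstrip(".") + "."
    auth, deleg = {norm(z) for z in auth_zones}, {norm(d) for d in delegated}
    shadowed = []
    for fz in sorted(norm(f) for f in forward_zones):
        parent, cut = enclosing(fz, auth), enclosing(fz, deleg)
        # an apex NS set is not a delegation: the cut must lie strictly below the parent
        if parent and not (cut and cut.endswith("." + parent)):
            shadowed.append((fz, parent))
    return shadowed

# Constructed copies of the BIND repro above; the second one uncomments the delegation.
ZONE_NO_DELEGATION = """\
@   IN SOA @ rname.invalid. ( 0 1D 1H 1W 3H )
    IN NS  @
    IN A   127.0.0.1
;sub IN NS ns2.example.net.
"""
ZONE_WITH_DELEGATION = ZONE_NO_DELEGATION.replace(";sub", "sub")
```

Feeding the reporter's layout (example.com, ipa.example.com, the reverse zone, and forward zone ad.example.com with no delegations) to shadowed_forward_zones reports ad.example.com. as shadowed by example.com., which is exactly the situation in this ticket.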

Metadata Update from @pspacek:
- Issue assigned to pspacek
- Issue set to the milestone: Fedora 22

7 years ago
