• Hints for forwarding a subdomain on an authoritative server

    From Tom@lists@verreckte-cheib.ch to BIND Users on Mon Jul 6 16:03:31 2020
    From Newsgroup: comp.protocols.dns.bind

    Hi list

    Our BIND (9.16.4) is authoritative for zone "example.com". Now I need to forward a subzone "sub.example.com" to another nameserver instance on
    the same server, running for example under port 5353:

    A few years ago, this topic was already discussed: https://lists.isc.org/pipermail/bind-users/2009-April/076156.html

    My BIND config looks like this:
    ================== SCHNIPP ==================
    zone "example.com" {
        type master;
        file "master/example.com.hosts";
    };
    zone "sub.example.com" {
        type forward;
        forwarders { 127.0.0.1 port 5353; };
        forward only;
    };
    ================== SCHNAPP ==================

    In the zonefile for "example.com" I have a delegation like this (as
    described in the post above):

    sub.example.com. IN NS subns.example.com.

    So, the authoritative server understands not to be responsible for this
    zone and forwards the request to the other nameserver.

    But: The zone-forwarding is only working when I enable "recursion" on
    the authoritative server. Does this mean that zone-forwarding really
    requires recursion? Is there a better way without enabling recursion
    (perhaps with views) to accomplish this?

    Many thanks for any hints.

    Kind regards,
    Tom
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Tony Finch@dot@dotat.at to Tom on Mon Jul 6 16:46:30 2020
    From Newsgroup: comp.protocols.dns.bind

    Tom <lists@verreckte-cheib.ch> wrote:

    > But: The zone-forwarding is only working when I enable "recursion" on
    > the authoritative server. Does this mean that zone-forwarding really
    > requires recursion?

    Yes, forwarding is completely specific to recursive servers. That is, the server doing the forwarding must be recursive, and the target server must
    also be recursive.

    [ In some limited cases you can get away with the target server not being recursive; I think the restrictions are that the target zone must not have
    any delegations or out-of-zone CNAMEs, but I haven't tested this myself. ]

    > Is there a better way with not enabling recursion (perhaps with views)
    > to accomplish this?

    Use a type "static-stub" zone if the target server is authoritative.

    If the server doing the forwarding is not recursive then it needs to
    secondary its own authoritative copy of the zone. But presumably you are
    trying to forward because AXFRing the zone isn't possible. In that case
    you need something like dnsdist which can act as a DNS reverse proxy. BIND won't query another server when a query is RD=0.

    Tony.
    --
    f.anthony.n.finch <dot@dotat.at> http://dotat.at/
    Fisher, German Bight: West or northwest 7 or gale 8, occasionally severe gale
    9 at first in Fisher, decreasing 5 or 6 later. Rough or very rough, becoming moderate or rough later. Showers. Good.
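
A header-level check for the RD behaviour discussed in the reply above (an added example, not part of either post): it sends the same query with RD=0 and RD=1 and classifies each reply as a referral, an answer or an error, which shows whether a server resolved the name or only pointed at the delegation. All function names are constructed for this example, and `sample_reply` builds header-only replies for offline use.

```python
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, rd, qtype=1, qid=0x1234):
    """Encode a DNS query (class IN); rd sets the Recursion Desired bit."""
    header = struct.pack("!6H", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields that matter here."""
    qid, flags, _qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an, "nscount": ns}

def classify(msg):
    """Say how the server handled the query, judged from the header alone."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not a response"
    if h["rcode"] != 0:
        return RCODES.get(h["rcode"], "RCODE %d" % h["rcode"])
    if h["ancount"]:
        return "authoritative answer" if h["aa"] else "non-authoritative answer"
    if h["nscount"] and not h["aa"]:
        return "referral"  # NS records in the authority section, no answer
    return "empty NOERROR"

def probe(server, port, name, rd):
    """Send one UDP query and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, rd), (server, port))
        return classify(s.recv(4096))

def sample_reply(query, flags, ancount, nscount):
    """Constructed header-only reply for offline use (record bodies omitted)."""
    return query[:2] + struct.pack("!5H", flags, 1, ancount, nscount, 0) + query[12:]

if __name__ == "__main__":  # usage: script.py <server> <port> <name>
    server, port, name = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for rd in (False, True):
        print("RD=%d -> %s" % (rd, probe(server, port, name, rd)))
```

Run it against the authoritative listener and against the instance on port 5353 and compare the two RD lines for each.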