Hints for forwarding a subdomain on a authoritative server

Discussion:

(too old to reply)

Tom

2020-07-06 14:03:31 UTC

Hi list

Our BIND (9.16.4) is authoritative for zone "example.com". Now I need to
forward a subzone "sub.example.com" to another nameserver instance on
the same server, running for example under port 5353:

A few years ago, this topic was already discussed:
https://lists.isc.org/pipermail/bind-users/2009-April/076156.html

My BIND config looks like this:
================== SCHNIPP ==================
zone "example.com" {
type master;
file "master/example.com.hosts";
};
zone "sub.example.com" {
type forward;
forwarders { 127.0.0.1 port 5353; };
forward only;
};
================== SCHNAPP ==================

In the zonefile for "example.com" I have a delegation like this (as
described in the post above):

sub.example.com. IN NS subns.example.com.

So, the authoritative server understands not to be responsible for this
zone and forwards the request to the other nameserver.

But: The zone-forwarding is only working, when I enable "recursion" on
the authoritative server. Does this means, that zone-forwarding really
requires recursion? Is there a better way with not enabling recursion
(perhaps with views) to accomplish this?

Many thanks for any hints.

Kind regards,
Tom

Sten Carlsen

2020-07-06 14:11:01 UTC

Permalink

Thanks

Sten

Post by Tom
Hi list
https://lists.isc.org/pipermail/bind-users/2009-April/076156.html
================== SCHNIPP ==================
zone "example.com" {
type master;
file "master/example.com.hosts";
};
zone "sub.example.com" {
type forward;
forwarders { 127.0.0.1 port 5353; };
forward only;
};
================== SCHNAPP ==================
sub.example.com. IN NS subns.example.com.
So, the authoritative server understands not to be responsible for this zone and forwards the request to the other nameserver.
But: The zone-forwarding is only working, when I enable "recursion" on the authoritative server. Does this means, that zone-forwarding really requires recursion?

Yes.

Post by Tom
Is there a better way with not enabling recursion (perhaps with views) to accomplish this?

Stub zones are normally recommended instead.

Post by Tom
Many thanks for any hints.
Kind regards,
Tom
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users

Tony Finch

2020-07-06 15:46:30 UTC

Permalink

Post by Tom
But: The zone-forwarding is only working, when I enable "recursion" on the
authoritative server. Does this means, that zone-forwarding really requires
recursion?

Yes, forwarding is completely specific to recursive servers. That is, the
server doing the forwarding must be recursive, and the target server must
also be recursive.

[ In some limited cases you can get away with the target server not being
recursive; I think the restrictions are that the target zone must not have
any delegations or out-of-zone CNAMEs, but I haven't tested this myself. ]

Post by Tom
Is there a better way with not enabling recursion (perhaps with views)
to accomplish this?

Use a type "static-stub" zone if the target server is authoritative.

If the server doing the forwarding is not recursive then it needs to
secondary its own authoritative copy of the zone. But presumably you are
trying to forward because AXFRing the zone isn't possible. In that case
you need something like dnsdist which can act as a DNS reverse proxy. BIND
won't query another server when a query is RD=0.

Tony.

--
f.anthony.n.finch <***@dotat.at> http://dotat.at/
Fisher, German Bight: West or northwest 7 or gale 8, occasionally severe gale
9 at first in Fisher, decreasing 5 or 6 later. Rough or very rough, becoming
moderate or rough later. Showers. Good.