Hi!

On 1/17/22 11:46, ONRUBIA AVILES Carlos (CCS/MST) wrote:
> Hello,
>
> Maybe someone can help me with the following problem:
>
> My name server is authoritative with the following domain “toto.be”:
>
> zone "toto.be." {
>     type master;
>     file "/etc/masterdns.db";
>
> But I would like that a subdomain “titi.toto.be” is not searched in my
> masterdns.db file but via the normal process via internet.
>
> I have tried 2 solutions but they do not work:
>
> 1. Adding a forward for this subdomain:
>
> zone "titi.toto.be." {
>     type forward;
>     forwarders {1.2.3.4; 5.6.7.8;}; (IPs from DNS cache servers)
>     forward only;
> };
>
>   * Seems not to work. Not possible to add a subdomain forwarding?

No, because the authoritative zone knows what is inside the zone and what is not there. If titi.toto.be is not in the zone, it would respond NXDOMAIN on any name under it, regardless of forwarders specified. If specified forwarders are authoritative for the titi.toto.be zone, just direct any server there. Note those cache servers would be contacted by any recursive servers from the internet; they have to be reachable and allow queries to that zone from anyone.

> 2. Using directly the cache servers as NS:
>
> Cache.proximus.be. IN A 1.2.3.4
> Cache.proximus.be. IN A 5.6.7.8
> Titi.toto.be. IN NS cache.proximus.be.
>
>   * Not always working as if “titi.toto.be” is not at this moment in
>     the cache, the cache will answer SERVFAIL and not do the
>     recursion. (I guess the query via this method is done with flag
>     “Recursion Desired” set to false)
>
> So my question is: Is it possible to configure what I am trying to do?

Recursive servers which query your authoritative server want to do the recursion themselves. They send queries without recursion ok bit, meaning they want to speak to an authoritative server only. cache.proximus.be would have to be authoritative for the titi.toto.be zone and answer everyone from the internet. It cannot be hidden behind your authoritative server.

The output of the "dig @cache.proximus.be +norec titi.toto.be" command should contain the aa flag. If that cache does not know how to be authoritative, it has to serve a zone not under primary or secondary zones of your server. dnsmasq knows --auth-zone for similar queries, for example.

> Thanks in advance for your feedback,
>
> Carlos,
>
> *Carlos Onrubia Aviles*
> Solution Engineer | WIFI @ INTERNET TECHNOLOGIES
>
> Proximus <http://www.proximus.be>
>
> Discover a world of possibilities on Thinkpossible.be
> <http://www.thinkpossible.be>

Cheers,
Petr

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
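
Added example, not part of the original message and not BIND or dig code: a small Python sketch of what a resolver sends to the server named in the NS record (a query with RD=0, like `dig +norec`) and how the reply header distinguishes an authoritative server from a cache. The function names and the three sample replies are constructed for illustration; the samples carry only a header and the echoed question.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, rd=False, txid=0x1234):
    """Encode a DNS query; rd=False is what `dig +norec` sends."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields that matter here."""
    _txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(rcode, str(rcode)), "answers": an, "authority": ns}

def delegation_verdict(msg):
    """Classify a reply to a non-recursive query sent to a delegated NS."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not a response"
    if h["rcode"] in ("SERVFAIL", "REFUSED"):
        return "unusable: " + h["rcode"]
    if h["aa"]:
        return "authoritative"
    if h["answers"] == 0 and h["authority"] > 0:
        return "referral"
    return "not authoritative (answer lacks aa)"

def sample_reply(query, flags, an=0, ns=0):
    """Constructed sample: header plus echoed question, records omitted."""
    return query[:2] + struct.pack("!HHHHH", flags, 1, an, ns, 0) + query[12:]

QUERY = build_query("titi.toto.be")                # RD=0
COLD_CACHE = sample_reply(QUERY, 0x8082)           # QR, RA, SERVFAIL
WARM_CACHE = sample_reply(QUERY, 0x8080, an=1)     # QR, RA, NOERROR, no AA
AUTH_SERVER = sample_reply(QUERY, 0x8400, an=1)    # QR, AA, NOERROR

if __name__ == "__main__":
    for label, msg in [("cold cache", COLD_CACHE), ("warm cache", WARM_CACHE),
                       ("authoritative", AUTH_SERVER)]:
        print(f"{label:14} {delegation_verdict(msg)}")
```

Only the third sample has the aa flag that the dig check in the reply above looks for; the cold-cache sample is the SERVFAIL case described in the quoted question.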