Re: BIND 9.8.2: forward zone not working

2013-04-01 Thread Kevin Darcy

On 3/19/2013 8:30 PM, Gerry Reno wrote:

On 03/19/2013 08:10 PM, b...@bitrate.net wrote:

On Mar 18, 2013, at 23.04, Gerry Reno gr...@verizon.net wrote:


On 03/18/2013 10:25 PM, b...@bitrate.net wrote:

On Mar 18, 2013, at 20.27, Gerry Reno gr...@verizon.net wrote:


Using BIND 9.8.2

When you set up Samba 4 AD DC using BIND9_DLZ and your domain has external 
servers (e.g. www, mail) at external providers
this means that the ISP and the internal network nameservers will both have an SOA 
record for the domain.

it's not really anything particularly related to samba or dlz.  it's just two different 
computers serving the same zone.  you're just hijacking or overloading that 
particular label.  in addition to declaring the zone in your config, you'll need to 
delegate that new zone from the parent.

it's worth noting that this scales poorly.  having to add delegations and zone 
declarations for every label for which this is desired becomes quickly 
prohibitive.  instead, i'd suggest using a subdomain for samba - e.g. something 
like ad.example.com.  there are a number of other solutions as well which would 
likely be more sensible than hijacking labels.

-ben


If it was more than just a few labels I would do it another way.

But this will suffice, if I can only get bind to actually get the forward zone 
working.

I don't need any delegation.  I'm not looking to slave the zone.

as i said, you'll need to delegate that new zone from the parent.  i'm not sure 
what slave zones would have to do with that.

As I said, if I was going to do this for a bunch of labels I would add an 
external view and just slave it from the ISP
which holds the SOA for the external answers.

And sure delegation works.  You don't even need a forward zone.

So what exactly is the use case for this forward zone?
If you can achieve what you want through delegation alone, and unless 
you think that you can squeeze out a performance benefit by forwarding 
to a rich cache, then yeah, there is no compelling use case for 
forwarding and you shouldn't do it. Selective forwarding is most 
commonly employed when you can't talk directly to the authoritative 
nameservers for the zone and need to go through an intermediate resolver.



I see a number of postings over several years where people
have not been able to get the forward zone working.

Probably because they don't follow the simple advice to delegate the zone.

- Kevin

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: BIND 9.8.2: forward zone not working

2013-03-19 Thread btb
On Mar 18, 2013, at 23.04, Gerry Reno gr...@verizon.net wrote:

 On 03/18/2013 10:25 PM, b...@bitrate.net wrote:
 On Mar 18, 2013, at 20.27, Gerry Reno gr...@verizon.net wrote:
 
 Using BIND 9.8.2
 
 When you set up Samba 4 AD DC using BIND9_DLZ and your domain has external 
 servers (e.g. www, mail) at external providers
 this means that the ISP and the internal network nameservers will both have 
 an SOA record for the domain.
 it's not really anything particularly related to samba or dlz.  it's just 
 two different computers serving the same zone.  you're just hijacking or 
 overloading that particular label.  in addition to declaring the zone in 
 your config, you'll need to delegate that new zone from the parent.
 
 it's worth noting that this scales poorly.  having to add delegations and 
 zone declarations for every label for which this is desired becomes quickly 
 prohibitive.  instead, i'd suggest using a subdomain for samba - e.g. 
 something like ad.example.com.  there are a number of other solutions as 
 well which would likely be more sensible than hijacking labels.
 
 -ben
 
 
 If it was more than just a few labels I would do it another way.
 
 But this will suffice, if I can only get bind to actually get the forward 
 zone working.
 
 I don't need any delegation.  I'm not looking to slave the zone.

as i said, you'll need to delegate that new zone from the parent.  i'm not sure 
what slave zones would have to do with that.

-ben


Re: BIND 9.8.2: forward zone not working

2013-03-19 Thread Gerry Reno
On 03/19/2013 08:10 PM, b...@bitrate.net wrote:
 On Mar 18, 2013, at 23.04, Gerry Reno gr...@verizon.net wrote:

 On 03/18/2013 10:25 PM, b...@bitrate.net wrote:
 On Mar 18, 2013, at 20.27, Gerry Reno gr...@verizon.net wrote:

 Using BIND 9.8.2

 When you set up Samba 4 AD DC using BIND9_DLZ and your domain has external 
 servers (e.g. www, mail) at external providers
 this means that the ISP and the internal network nameservers will both 
 have an SOA record for the domain.
 it's not really anything particularly related to samba or dlz.  it's just 
 two different computers serving the same zone.  you're just hijacking or 
 overloading that particular label.  in addition to declaring the zone in 
 your config, you'll need to delegate that new zone from the parent.

 it's worth noting that this scales poorly.  having to add delegations and 
 zone declarations for every label for which this is desired becomes quickly 
 prohibitive.  instead, i'd suggest using a subdomain for samba - e.g. 
 something like ad.example.com.  there are a number of other solutions as 
 well which would likely be more sensible than hijacking labels.

 -ben

 If it was more than just a few labels I would do it another way.

 But this will suffice, if I can only get bind to actually get the forward 
 zone working.

 I don't need any delegation.  I'm not looking to slave the zone.
 as i said, you'll need to delegate that new zone from the parent.  i'm not 
 sure what slave zones would have to do with that.

 -ben


As I said, if I was going to do this for a bunch of labels I would add an 
external view and just slave it from the ISP
which holds the SOA for the external answers.

And sure delegation works.  You don't even need a forward zone.

So what exactly is the use case for this forward zone?   I see a number of 
postings over several years where people
have not been able to get the forward zone working.

-Gerry




Re: BIND 9.8.2: forward zone not working

2013-03-19 Thread btb
On Mar 19, 2013, at 20.30, Gerry Reno gr...@verizon.net wrote:

 On 03/19/2013 08:10 PM, b...@bitrate.net wrote:
 On Mar 18, 2013, at 23.04, Gerry Reno gr...@verizon.net wrote:
 
 On 03/18/2013 10:25 PM, b...@bitrate.net wrote:
 On Mar 18, 2013, at 20.27, Gerry Reno gr...@verizon.net wrote:
 
 Using BIND 9.8.2
 
 When you set up Samba 4 AD DC using BIND9_DLZ and your domain has external 
 servers (e.g. www, mail) at external providers
 this means that the ISP and the internal network nameservers will both 
 have an SOA record for the domain.
 it's not really anything particularly related to samba or dlz.  it's just 
 two different computers serving the same zone.  you're just hijacking or 
 overloading that particular label.  in addition to declaring the zone in 
 your config, you'll need to delegate that new zone from the parent.
 
 it's worth noting that this scales poorly.  having to add delegations and 
 zone declarations for every label for which this is desired becomes 
 quickly prohibitive.  instead, i'd suggest using a subdomain for samba - 
 e.g. something like ad.example.com.  there are a number of other solutions 
 as well which would likely be more sensible than hijacking labels.
 
 -ben
 
 If it was more than just a few labels I would do it another way.
 
 But this will suffice, if I can only get bind to actually get the forward 
 zone working.
 
 I don't need any delegation.  I'm not looking to slave the zone.
 as i said, you'll need to delegate that new zone from the parent.  i'm not 
 sure what slave zones would have to do with that.
 
 -ben
 
 
 As I said, if I was going to do this for a bunch of labels I would add an 
 external view and just slave it from the ISP
 which holds the SOA for the external answers.

i don't know what the point of that would be.  you'd still have to overload 
your other zone.

all i can do at this point is suggest you simply try what has been suggested 
[by multiple people].

-ben



Re: BIND 9.8.2: forward zone not working

2013-03-19 Thread Gerry Reno
On 03/19/2013 09:26 PM, b...@bitrate.net wrote:
 On Mar 19, 2013, at 20.30, Gerry Reno gr...@verizon.net wrote:

 On 03/19/2013 08:10 PM, b...@bitrate.net wrote:
 On Mar 18, 2013, at 23.04, Gerry Reno gr...@verizon.net wrote:

 On 03/18/2013 10:25 PM, b...@bitrate.net wrote:
 On Mar 18, 2013, at 20.27, Gerry Reno gr...@verizon.net wrote:

 Using BIND 9.8.2

 When you set up Samba 4 AD DC using BIND9_DLZ and your domain has 
 external servers (e.g. www, mail) at external providers
 this means that the ISP and the internal network nameservers will both 
 have an SOA record for the domain.
 it's not really anything particularly related to samba or dlz.  it's just 
 two different computers serving the same zone.  you're just hijacking 
 or overloading that particular label.  in addition to declaring the zone 
 in your config, you'll need to delegate that new zone from the parent.

 it's worth noting that this scales poorly.  having to add delegations and 
 zone declarations for every label for which this is desired becomes 
 quickly prohibitive.  instead, i'd suggest using a subdomain for samba - 
 e.g. something like ad.example.com.  there are a number of other 
 solutions as well which would likely be more sensible than hijacking 
 labels.

 -ben

 If it was more than just a few labels I would do it another way.

 But this will suffice, if I can only get bind to actually get the forward 
 zone working.

 I don't need any delegation.  I'm not looking to slave the zone.
 as i said, you'll need to delegate that new zone from the parent.  i'm not 
 sure what slave zones would have to do with that.

 -ben

 As I said, if I was going to do this for a bunch of labels I would add an 
 external view and just slave it from the ISP
 which holds the SOA for the external answers.
 i don't know what the point of that would be.  you'd still have to overload 
 your other zone.

 all i can do at this point is suggest you simply try what has been suggested 
 [by multiple people].

 -ben


It's called Split-DNS.

And delegation was implemented yesterday.

Still no answer about what is the use case for this forward zone.   And why 
many people have posted that they have not
been able to get it to work for years.




Re: BIND 9.8.2: forward zone not working

2013-03-19 Thread Mark Andrews

In message 514911cf.5060...@verizon.net, Gerry Reno writes:
 On 03/19/2013 09:26 PM, b...@bitrate.net wrote:
  On Mar 19, 2013, at 20.30, Gerry Reno gr...@verizon.net wrote:
 
  On 03/19/2013 08:10 PM, b...@bitrate.net wrote:
  On Mar 18, 2013, at 23.04, Gerry Reno gr...@verizon.net wrote:
 
  On 03/18/2013 10:25 PM, b...@bitrate.net wrote:
  On Mar 18, 2013, at 20.27, Gerry Reno gr...@verizon.net wrote:
 
  Using BIND 9.8.2
 
  When you set up Samba 4 AD DC using BIND9_DLZ and your domain has external 
  servers (e.g. www, mail) at external providers
  this means that the ISP and the internal network nameservers will both 
  have an SOA record for the domain.
  it's not really anything particularly related to samba or dlz.  it's just 
  two different computers serving the same zone.  you're just hijacking or 
  overloading that particular label.  in addition to declaring the zone in your 
  config, you'll need to delegate that new zone from the parent.
  
  it's worth noting that this scales poorly.  having to add delegations and 
  zone declarations for every label for which this is desired becomes quickly 
  prohibitive.  instead, i'd suggest using a subdomain for samba - e.g. something 
  like ad.example.com.  there are a number of other solutions as well which 
  would likely be more sensible than hijacking labels.
  
  -ben
  
  If it was more than just a few labels I would do it another way.
  
  But this will suffice, if I can only get bind to actually get the forward 
  zone working.
  
  I don't need any delegation.  I'm not looking to slave the zone.
  as i said, you'll need to delegate that new zone from the parent.  i'm not 
  sure what slave zones would have to do with that.
  
  -ben
  
  As I said, if I was going to do this for a bunch of labels I would add an 
  external view and just slave it from the ISP
  which holds the SOA for the external answers.
  i don't know what the point of that would be.  you'd still have to overload 
  your other zone.
  
  all i can do at this point is suggest you simply try what has been suggested 
  [by multiple people].
  
  -ben
 
 
 It's called Split-DNS.
 
 And delegation was implemented yesterday.
 
 Still no answer about what is the use case for this forward zone.   And why 
 many people have posted that they have not
 been able to get it to work for years.

Forward zones affect where recursive queries are sent.

They have 2 purposes:
1. work around firewalls blocking direct access to the authoritative servers
 (forward only).
2. allow access to central caches (forward first).

They do not and never have instantiated delegations.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


BIND 9.8.2: forward zone not working

2013-03-18 Thread Gerry Reno
Using BIND 9.8.2

When you set up Samba 4 AD DC using BIND9_DLZ and your domain has external 
servers (e.g. www, mail) at external providers
this means that the ISP and the internal network nameservers will both have an SOA 
record for the domain.

/etc/resolv.conf looks like this:

domain company.com
nameserver 192.168.2.105


/etc/named.conf contains:

forwarders  { isp_nameservers; };
recursion   yes;

What is the preferred way to forward DNS requests to the ISP nameservers in 
order to resolve the domain's external
servers without using BIND views?

I tried using a forward zone but it does not work in 9.8.2.

zone www.company.com {
type forward;
forward only;
forwarders  { isp_nameservers; };
};


Everything resolves fine, both our domain and other external domains, with the 
exception of our domain's external servers
(www, mail).

What do we need to get this forward zone working?

-Gerry




Re: BIND 9.8.2: forward zone not working

2013-03-18 Thread Drunkard Zhang
2013/3/19 Gerry Reno gr...@verizon.net:
 Using BIND 9.8.2

 When you set up Samba 4 AD DC using BIND9_DLZ and your domain has external 
 servers (e.g. www, mail) at external providers
 this means that the ISP and the internal network nameservers will both have 
 an SOA record for the domain.

 /etc/resolv.conf looks like this:

 domain company.com
 nameserver 192.168.2.105


 /etc/named.conf contains:

 forwarders  { isp_nameservers; };
 recursion   yes;

 What is the preferred way to forward DNS requests to the ISP nameservers in 
 order to resolve the domain's external
 servers without using BIND views?

 I tried using a forward zone but it does not work in 9.8.2.

 zone www.company.com {
 type forward;
 forward only;
 forwarders  { isp_nameservers; };
 };

If a domain name has a CNAME, you must forward the CNAMEed one too. In
this example, both www.company.com and company.com have to be
forwarded.

$ dig +nocmd www.company.com +multiline +noall +answer
www.company.com. 1800 IN CNAME company.com.
company.com. 1605 IN A 208.74.66.138

 Everything resolves fine, both our domain and other external domains, with the 
 exception of our domain's external servers
 (www, mail).

 What do we need to get this forward zone working?

 -Gerry




Re: BIND 9.8.2: forward zone not working

2013-03-18 Thread Gerry Reno
On 03/18/2013 08:32 PM, Drunkard Zhang wrote:
 2013/3/19 Gerry Reno gr...@verizon.net:
 Using BIND 9.8.2

 When you set up Samba 4 AD DC using BIND9_DLZ and your domain has external 
 servers (e.g. www, mail) at external providers
 this means that the ISP and the internal network nameservers will both have 
 an SOA record for the domain.

 /etc/resolv.conf looks like this:

 domain company.com
 nameserver 192.168.2.105


 /etc/named.conf contains:

 forwarders  { isp_nameservers; };
 recursion   yes;

 What is the preferred way to forward DNS requests to the ISP nameservers in 
 order to resolve the domain's external
 servers without using BIND views?

 I tried using a forward zone but it does not work in 9.8.2.

 zone www.company.com {
 type forward;
 forward only;
 forwarders  { isp_nameservers; };
 };

 If a domain name has a CNAME, you must forward the CNAMEed one too. In
 this example, both www.company.com and company.com have to be
 forwarded.

 $ dig +nocmd www.company.com +multiline +noall +answer
 www.company.com. 1800 IN CNAME company.com.
 company.com. 1605 IN A 208.74.66.138
 Everything resolves fine, both our domain and other external domains, with the 
 exception of our domain's external servers
 (www, mail).

 What do we need to get this forward zone working?

 -Gerry




I don't see CNAME involved.  We have no local record for www.

A dig at the ISP shows www.company.com:

www.company.com    43200    IN    A    XX.XX.XX.XX

-Gerry



Re: BIND 9.8.2: forward zone not working

2013-03-18 Thread btb
On Mar 18, 2013, at 20.27, Gerry Reno gr...@verizon.net wrote:

 Using BIND 9.8.2
 
 When you set up Samba 4 AD DC using BIND9_DLZ and your domain has external 
 servers (e.g. www, mail) at external providers
 this means that the ISP and the internal network nameservers will both have 
 an SOA record for the domain.

it's not really anything particularly related to samba or dlz.  it's just two 
different computers serving the same zone.  you're just hijacking or 
overloading that particular label.  in addition to declaring the zone in your 
config, you'll need to delegate that new zone from the parent.

it's worth noting that this scales poorly.  having to add delegations and zone 
declarations for every label for which this is desired becomes quickly 
prohibitive.  instead, i'd suggest using a subdomain for samba - e.g. something 
like ad.example.com.  there are a number of other solutions as well which would 
likely be more sensible than hijacking labels.

-ben


Re: BIND 9.8.2: forward zone not working

2013-03-18 Thread Gerry Reno
On 03/18/2013 10:25 PM, b...@bitrate.net wrote:
 On Mar 18, 2013, at 20.27, Gerry Reno gr...@verizon.net wrote:

 Using BIND 9.8.2

 When you set up Samba 4 AD DC using BIND9_DLZ and your domain has external 
 servers (e.g. www, mail) at external providers
 this means that the ISP and the internal network nameservers will both have 
 an SOA record for the domain.
 it's not really anything particularly related to samba or dlz.  it's just two 
 different computers serving the same zone.  you're just hijacking or 
 overloading that particular label.  in addition to declaring the zone in your 
 config, you'll need to delegate that new zone from the parent.

 it's worth noting that this scales poorly.  having to add delegations and 
 zone declarations for every label for which this is desired becomes quickly 
 prohibitive.  instead, i'd suggest using a subdomain for samba - e.g. 
 something like ad.example.com.  there are a number of other solutions as well 
 which would likely be more sensible than hijacking labels.

 -ben


If it was more than just a few labels I would do it another way.

But this will suffice, if I can only get bind to actually get the forward zone 
working.

I don't need any delegation.  I'm not looking to slave the zone.

I just need the forward zone to work and send the question over to the ISP.

-Gerry



Re: BIND 9.8.2: forward zone not working

2013-03-18 Thread Mark Andrews

In message 5147d5ae.5050...@verizon.net, Gerry Reno writes:
 If it was more than just a few labels I would do it another way.
 
 But this will suffice, if I can only get bind to actually get the forward zon
 e working.
 
 I don't need any delegation.  I'm not looking to slave the zone.
 
 I just need the forward zone to work and send the question over to the ISP.
 
 -Gerry

Add the delegation.  Delegations are about change of authority.  The
SOA record stands for Start Of Authority.  For this to work
properly there needs to be a corresponding zone cut in the public
zone as well so that the negative responses come back with an
appropriate SOA record.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
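A toy model of the routing decision this thread turns on, added here as an example and not BIND's own code: a name inside an authoritative zone is answered from that zone (an absent name as NXDOMAIN carrying the zone's SOA, Mark's point) unless an NS RRset below the apex hands it off, and only a handed-off name reaches the recursive resolver and therefore the forward table; a CNAME target returned by the forwarders is routed again from scratch, which is Drunkard Zhang's point. The zone names, the records, the ISP forwarder 203.0.113.53 and the delegation target ns1.isp.example are constructed.

```python
# Toy model of how named decides where a query is answered (added example,
# not BIND code). Zone names, addresses and records are constructed.
from dataclasses import dataclass, field

@dataclass
class AuthZone:           # a zone this server is authoritative for (e.g. the DLZ zone)
    origin: str
    rrs: dict = field(default_factory=dict)   # owner name -> {rrtype: rdata}

@dataclass
class ForwardZone:        # zone "x" { type forward; forward only|first; forwarders {..}; };
    origin: str
    forwarders: list
    policy: str = "only"

def under(name, origin):
    return name == origin or name.endswith("." + origin)
def closest(name, origins):      # most specific enclosing zone (longest origin)
    hits = [o for o in origins if under(name, o)]
    return max(hits, key=len) if hits else None

def route(qname, auth, fwd):
    """Answer from authoritative data, or recurse (forward table consulted first)."""
    origin = closest(qname, [z.origin for z in auth])
    if origin is not None:
        zone = next(z for z in auth if z.origin == origin)
        ancestors = [qname[i:] for i in range(len(qname)) if i == 0 or qname[i - 1] == "."]
        # A zone cut is an NS RRset strictly below the apex, at or above qname.
        delegated = any(a != origin and under(a, origin) and "NS" in zone.rrs.get(a, {}) for a in ancestors)
        if not delegated:
            if qname in zone.rrs:
                return ("auth", zone.rrs[qname])
            # Inside our zone but absent: authoritative NXDOMAIN with the SOA; no recursion, no forwarding.
            return ("nxdomain", zone.rrs[origin]["SOA"])
    # Delegated away, or not ours at all: the resolver checks the forward table first.
    f = closest(qname, [z.origin for z in fwd])
    if f is None:
        return ("recurse", None)
    z = next(x for x in fwd if x.origin == f)
    return ("forward-" + z.policy, z.forwarders)

def chase(qname, auth, fwd, isp, steps=None):
    """Follow a CNAME chain, recording where each owner name was answered."""
    steps = [] if steps is None else steps
    kind, data = route(qname, auth, fwd)
    if kind.startswith("forward"):
        kind, data = "forward", isp.get(qname, {})   # what the forwarders return
    steps.append((qname, kind))
    if isinstance(data, dict) and "CNAME" in data:
        return chase(data["CNAME"], auth, fwd, isp, steps)
    return steps

INTERNAL = AuthZone("company.com", {   # constructed: what the AD DC serves via DLZ
    "company.com": {"SOA": "dc1.company.com. hostmaster.company.com. 1 3600 900 604800 3600",
                    "NS": "dc1.company.com."},
    "dc1.company.com": {"A": "192.168.2.105"}})
FWD = [ForwardZone("www.company.com", ["203.0.113.53"], "only")]   # 203.0.113.53: constructed ISP resolver
def delegated_zone():     # INTERNAL plus the zone cut Mark asks for: NS for www at the ISP
    z = AuthZone(INTERNAL.origin, dict(INTERNAL.rrs))
    z.rrs["www.company.com"] = {"NS": "ns1.isp.example."}
    return z

def scenarios():
    isp = {"www.company.com": {"CNAME": "company.com"}, "company.com": {"A": "198.51.100.10"}}
    return {
        "no_delegation": route("www.company.com", [INTERNAL], FWD),           # local NXDOMAIN
        "delegated": route("www.company.com", [delegated_zone()], FWD),       # forward-only to ISP
        "delegation_only": route("www.company.com", [delegated_zone()], []),  # plain recursion
        "cname_chain": chase("www.company.com", [delegated_zone()], FWD, isp),  # target answered locally
    }
```

The "delegation_only" scenario is Gerry's own observation that once the zone cut exists, no forward zone is needed at all: named simply follows the referral.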