subject:"Questions about delegation"

Re: Questions about delegation

2018-12-19 Thread Cathy Almond

Hi Bob(s),

All good so far.

It doesn't matter whether the authoritative servers for the delegated
subdomain are in the parent or the delegated zone.  (Actually, they
could be somewhere completely different - and if they are, it just needs
to be possible for recursive servers following the delegation to be able
resolve them - don't put their A and  RRs into the parent zone).

Either way, the delegation NS records need to exist in the parent zone
(this has to happen, even if the parent is also delegating to itself).

Glue is needed to solve the 'chicken and egg' problem - so if you're
delegating a child zone to nameservers that are in the child zone
themselves, then you need glue in the parent.  (If the nameservers
you're delegating to have names in the parent zone, then you're going to
have their A and  RRsets in the parent zone anyway).



While you're setting this up...

What also matters is that the responses from the delegated servers for
the delegated zone are consistent with the delegation.  This is
sometimes misunderstood or overlooked in GTM configurations and then
causes problems later for resolvers.  Make sure that:

1.  The GTMs are configured to respond with an SOA RR and NS RRset that
is for the zone that has been delegated to them, not the parent zone (a
commonly-seen pitfall that causes client resolution failures because
this is a lame delegation.

2.  The GTMs are configured to respond with NS RRs that are the names
that you delegated from the parent (and that those names can be
resolved) - this is just basic DNS sanity stuff, and although DNS can be
quite accommodating when it's not, it's best to get it consistent.

3.  Don't overlook that the GTMs will need to answer queries for 
and any other record types - as in, they need to be authoritative for
the entire delegated zone, not just proxying the RRs that they 'know'
about.  This means responding with 'no answer no error' for a name that
exists as an A record when queried for the  record instead, and
similar scenarios.  So make sure that the GTMs are fully and correctly
configured.

4.  If you've delegated across an intermediate zone (e.g. from
example.com to zone1.my.example.com) you need to make sure that queries
for anything in my.example.com are handled correctly - that is, that the
servers for example.com reply with 'no answer no error'.

Why?  Because my.example.com implicitly exists as a name, but is empty -
has no RRs and responding NXDOMAIN will cause problems for
zone1.my.example.com.

(This scenario is typically encountered by validating resolvers querying
for DS RRsets which live in the parent zone; they are queried-for by
validators, even if the responses they're validating aren't signed.
This is to check that the parent doesn't 'say' that the child zone
should be signed, in which case receiving unsigned query responses from
the child zone's servers is a DNSSEC-validation failure).

-

The null forwarders you wouldn't ordinarily need, unless the parent zone
server is a mixed-mode resolver/auth server with global forwarding from
which you've delegated the subdomain.  In that case, if you don't want
your recursive client queries to follow the global forwarding when you
resolve them, but to use the delegation instead, then you need null
forwarders set-up.

Info here: https://kb.isc.org/docs/aa-00538

Cathy
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Questions about delegation

2018-12-19 Thread Bob Harold

On Wed, Dec 19, 2018 at 10:51 AM Bob McDonald  wrote:

> I have a DNS server that serves a zone for domain example.org.
> That DNS server lives at 192.0.2.53
> As part of hosting that domain, a child domain is delegated. (
> gtm-int.example.org.)
> There are two NS records as follows:
> gtm-int.example.org. IN NS gtm-int-east.example.org.
> gtm-int.example.org. IN NS gtm-int-west.example.org.
> gtm-int-east.example.org. IN A 203.0.113.53
> gtm-int-west.example.org. IN A 198.51.100.53
> (and yes, in this case the delegated child domain lives on two F5 GTMs)
>
> The devices hosting the delegated child domain both contain NS records
> which match the parent's NS records for the child domain and they contain
> glue records which also match the parent's A records for the NS records.
>
> Here are my curiosities:
>
> 1) should the NS records for the delegated child domain be hosts which
> reside in the parent domain or the delegated child domain? (or does it
> matter as long as the glue is correct?)
> gtm-int.example.org. IN NS gtm-int-east.example.org.
> gtm-int.example.org. IN NS gtm-int-west.example.org.
> gtm-int-east.example.org. IN A 203.0.113.53
> gtm-int-west.example.org. IN A 198.51.100.53
> -OR-
> gtm-int.example.org. IN NS gtm-int-east.gtm-int.example.org
> .
> gtm-int.example.org. IN NS gtm-int-west.gtm-int.example.org
> .
> gtm-int-east.gtm-int.example.org . IN A
> 203.0.113.53
> gtm-int-west.gtm-int.example.org . IN A
> 198.51.100.53
>
> 2) Do I need to specify a null forwarder statement for the parent domain?
> (to prevent query forwarding to the delegated child domain)
>
> Regards,
>
> Bob
>

If I get this wrong, someone will correct me.  But as I understand it...

1. Your choice.  Glue is needed if the servers are in the child zone.

2. No.  I don't know what a "null" forwarder statement is, but your F5's
are acting as Authoritative DNS servers.  Forwarding only applies to DNS
Resolvers, and is only used if you don't want the resolver to follow the NS
records (like when firewalls are in the way).

-- 
Bob Harold
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Questions about delegation

2018-12-19 Thread Bob McDonald

I have a DNS server that serves a zone for domain example.org.
That DNS server lives at 192.0.2.53
As part of hosting that domain, a child domain is delegated. (
gtm-int.example.org.)
There are two NS records as follows:
gtm-int.example.org. IN NS gtm-int-east.example.org.
gtm-int.example.org. IN NS gtm-int-west.example.org.
gtm-int-east.example.org. IN A 203.0.113.53
gtm-int-west.example.org. IN A 198.51.100.53
(and yes, in this case the delegated child domain lives on two F5 GTMs)

The devices hosting the delegated child domain both contain NS records
which match the parent's NS records for the child domain and they contain
glue records which also match the parent's A records for the NS records.

Here are my curiosities:

1) should the NS records for the delegated child domain be hosts which
reside in the parent domain or the delegated child domain? (or does it
matter as long as the glue is correct?)
gtm-int.example.org. IN NS gtm-int-east.example.org.
gtm-int.example.org. IN NS gtm-int-west.example.org.
gtm-int-east.example.org. IN A 203.0.113.53
gtm-int-west.example.org. IN A 198.51.100.53
-OR-
gtm-int.example.org. IN NS gtm-int-east.gtm-int.example.org
.
gtm-int.example.org. IN NS gtm-int-west.gtm-int.example.org
.
gtm-int-east.gtm-int.example.org . IN A
203.0.113.53
gtm-int-west.gtm-int.example.org . IN A
198.51.100.53

2) Do I need to specify a null forwarder statement for the parent domain?
(to prevent query forwarding to the delegated child domain)

Regards,

Bob
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Questions about delegation

Re: Questions about delegation

Questions about delegation

3 matches

Site Navigation

Mail list logo

Footer information