Re: Forward vs Authoritative traffic
On Nov 7, 2014, at 1:32 PM, Nex6|Bill wrote:
>
> 5 sec TTL, with a lot of load balancer based rules, on a lot of servers…..

I'm not sure what difference that makes. You said the load balancer is authoritative for a child zone. Therefore, don't forward to it; send it iterative queries. You do that using a zone of any of the following types on your server: slave, stub (may not work with a LB), or static-stub.

Slave: You would slave the parent zone from your parent org. This way, your server has the delegation on hand to use when answering queries for the child zone on the LB. There are several potential pitfalls with this approach, such as not being able to slave the zone from the parent org.

Stub: You would stub the delegated subzone from the LB. May not work. You would be telling your server, "Ask this server (the LB) what servers are authoritative for this zone (the zone on the LB), and then when you get a query for this zone, if you don't have the answer in cache, send an iterative query to one of the indicated servers in order to resolve it." The LB may not support SOA and NS records, in which case the stub zone would fail.

Static-stub: You would be telling your server, "When you get a query for this zone (the zone on the LB), if you don't have the answer in cache, send an iterative query to the LB in order to resolve it." That sounds to me like it's exactly what you want.

Type forward is virtually identical to type static-stub, except it sends recursive queries instead of iterative queries. This is generally bad practice (it might work fine, or it might have unintended consequences or otherwise fail, in a hard-to-diagnose way) unless the forwarder accepts recursive queries. So type static-stub is probably what you want.

Chris

> On Nov 7, 2014, at 1:31 PM, Chris Buxton wrote:
>
>> On Nov 7, 2014, at 1:29 PM, Nex6|Bill wrote:
>>>
>>> Our parent org owns the parent zone, and this zone is delegated from
>>> there to a load balancer onsite, which is authoritative. But the query
>>> path for a normal query crosses the internet gateway because that's where
>>> the parent is (very short TTL).
>>>
>>> Any internet connection issue causes issues, so I am going to put a forward
>>> zone directly from my NS to the load balancer which is auth for the zone.
>>> That way, if the internet gateway is down or has issues the application
>>> will still function.
>>
>> I suspect a static-stub zone is more what you want, but yes, that sounds
>> like it should work.
>>
>> Chris
>>
>>> On Nov 7, 2014, at 1:04 PM, Chris Buxton wrote:
>>>
>>>> On Nov 7, 2014, at 11:35 AM, Nex6|Bill wrote:
>>>>>
>>>>> I am going to be adding a type forward zone for an important zone. How
>>>>> can I test that the forward is working correctly? If I do a dig against
>>>>> the NS the record will return no matter if it's auth or fwd zone.
>>>>
>>>> Will your server be receiving recursive or iterative queries (rd=1 or rd=0)
>>>> for the zone? Forwarding zones like this don't work for iterative queries.
>>>>
>>>> Chris

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
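The two zone types Chris compares, written out as a BIND 9 named.conf fragment. This is an added example, not configuration from the thread; the zone name app.example.com and the load balancer address 192.0.2.10 are placeholders. In both cases named only consults the zone while recursing on a client's behalf, so clients must send rd=1 queries, which is the point made earlier in the thread.

```conf
// Added example, not from the thread. Assumed: the child zone delegated
// from the parent org is "app.example.com" and the on-site load balancer
// that is authoritative for it listens on 192.0.2.10 (placeholders).

// Recommended: static-stub. For any name under app.example.com that is
// not in cache, named sends a non-recursive (rd=0) query straight to the
// LB, so resolution no longer depends on reaching the parent org's
// servers across the internet gateway. No SOA/NS lookup against the LB
// is needed, which is why this works where "type stub" may not.
zone "app.example.com" {
    type static-stub;
    server-addresses { 192.0.2.10; };
};

// Alternative: type forward. Same routing of traffic, but named sends
// recursive (rd=1) queries, so it only behaves predictably if the LB
// accepts recursive queries. "forward only" means named never falls
// back to the normal iterative path via the parent; "forward first"
// would try the LB and then fall back, re-introducing the internet
// dependency on failure.
// zone "app.example.com" {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.10; };
// };
```

After editing, `rndc reload` applies the change; a query with dig's default rd=1 to this server should then be answered from the LB's data, while `dig +norecurse` for the same name will not consult either zone type.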
Re: Forward vs Authoritative traffic
5 sec TTL, with a lot of load balancer based rules, on a lot of servers…..

On Nov 7, 2014, at 1:31 PM, Chris Buxton wrote:
> On Nov 7, 2014, at 1:29 PM, Nex6|Bill wrote:
>>
>> Our parent org owns the parent zone, and this zone is delegated from there
>> to a load balancer onsite, which is authoritative. But the query path for
>> a normal query crosses the internet gateway because that's where the parent
>> is (very short TTL).
>>
>> Any internet connection issue causes issues, so I am going to put a forward
>> zone directly from my NS to the load balancer which is auth for the zone.
>> That way, if the internet gateway is down or has issues the application will
>> still function.
>
> I suspect a static-stub zone is more what you want, but yes, that sounds like
> it should work.
>
> Chris
>
>> On Nov 7, 2014, at 1:04 PM, Chris Buxton wrote:
>>
>>> On Nov 7, 2014, at 11:35 AM, Nex6|Bill wrote:
>>>>
>>>> I am going to be adding a type forward zone for an important zone. How
>>>> can I test that the forward is working correctly? If I do a dig against
>>>> the NS the record will return no matter if it's auth or fwd zone.
>>>
>>> Will your server be receiving recursive or iterative queries (rd=1 or rd=0)
>>> for the zone? Forwarding zones like this don't work for iterative queries.
>>>
>>> Chris
Re: Forward vs Authoritative traffic
On Nov 7, 2014, at 1:29 PM, Nex6|Bill wrote:
>
> Our parent org owns the parent zone, and this zone is delegated from there
> to a load balancer onsite, which is authoritative. But the query path for a
> normal query crosses the internet gateway because that's where the parent
> is (very short TTL).
>
> Any internet connection issue causes issues, so I am going to put a forward
> zone directly from my NS to the load balancer which is auth for the zone.
> That way, if the internet gateway is down or has issues the application will
> still function.

I suspect a static-stub zone is more what you want, but yes, that sounds like it should work.

Chris

> On Nov 7, 2014, at 1:04 PM, Chris Buxton wrote:
>
>> On Nov 7, 2014, at 11:35 AM, Nex6|Bill wrote:
>>>
>>> I am going to be adding a type forward zone for an important zone. How can
>>> I test that the forward is working correctly? If I do a dig against the NS
>>> the record will return no matter if it's auth or fwd zone.
>>
>> Will your server be receiving recursive or iterative queries (rd=1 or rd=0)
>> for the zone? Forwarding zones like this don't work for iterative queries.
>>
>> Chris
Re: Forward vs Authoritative traffic
Zone is hosted on a load balancer, with parent org NS on the internet side. When the internet goes down, the application goes down. Putting a forward zone in means internet downtime does not cause issues.

On Nov 7, 2014, at 12:56 PM, Darcy Kevin (FCA) wrote:
> If your nameserver can get the info equally reliably either way, I'd question
> why you're using forwarding in the first place.
>
> Do you think you're going to get some sort of performance benefit from that?
>
> But, to answer your question, in the absence of taking a packet capture, you
> could always define all the authoritative nameservers as "blackhole" or
> "bogus" in your named.conf and see if the names still resolve (this assumes
> that the forwarders are *not* the same, or a subset, of the auth servers. If
> they are the same, or a subset, then I *really* would question why you're
> forwarding in the first place, since in that case the queries are going to
> *exactly*the*same*place*, and all you're basically doing is manipulating the
> value of the "RD" bit).
>
> - Kevin
>
> -----Original Message-----
> From: bind-users-boun...@lists.isc.org
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Nex6|Bill
> Sent: Friday, November 07, 2014 3:05 PM
> To: Barry Margolin
> Cc: comp-protocols-dns-b...@isc.org
> Subject: Re: Forward vs Authoritative traffic
>
> My name server is not authoritative for it, but I want to verify once the
> forward is in place that the query is following the forward and not the
> authoritative path.
>
> On Nov 7, 2014, at 11:46 AM, Barry Margolin wrote:
>
>> In article ,
>> Nex6|Bill wrote:
>>
>>> I am going to be adding a type forward zone for an important zone.
>>> How can I test that the forward is working correctly? If I do a dig
>>> against the NS the record will return no matter if it's auth or fwd zone.
>>
>> If you don't have a zone file for the zone on the server, yet it
>> returns the correct answer, then it must be forwarding. Where else
>> would it get the answer?
>>
>> --
>> Barry Margolin
>> Arlington, MA
Re: Forward vs Authoritative traffic
Our parent org owns the parent zone, and this zone is delegated from there to a load balancer onsite, which is authoritative. But the query path for a normal query crosses the internet gateway because that's where the parent is (very short TTL).

Any internet connection issue causes issues, so I am going to put a forward zone directly from my NS to the load balancer which is auth for the zone. That way, if the internet gateway is down or has issues the application will still function.

-Nex6

On Nov 7, 2014, at 1:04 PM, Chris Buxton wrote:
> On Nov 7, 2014, at 11:35 AM, Nex6|Bill wrote:
>>
>> I am going to be adding a type forward zone for an important zone. How can
>> I test that the forward is working correctly? If I do a dig against the NS
>> the record will return no matter if it's auth or fwd zone.
>
> Will your server be receiving recursive or iterative queries (rd=1 or rd=0)
> for the zone? Forwarding zones like this don't work for iterative queries.
>
> Chris
Re: Forward vs Authoritative traffic
On Nov 7, 2014, at 11:35 AM, Nex6|Bill wrote:
>
> I am going to be adding a type forward zone for an important zone. How can I
> test that the forward is working correctly? If I do a dig against the NS the
> record will return no matter if it's auth or fwd zone.

Will your server be receiving recursive or iterative queries (rd=1 or rd=0) for the zone? Forwarding zones like this don't work for iterative queries.

Chris
RE: Forward vs Authoritative traffic
If your nameserver can get the info equally reliably either way, I'd question why you're using forwarding in the first place.

Do you think you're going to get some sort of performance benefit from that?

But, to answer your question, in the absence of taking a packet capture, you could always define all the authoritative nameservers as "blackhole" or "bogus" in your named.conf and see if the names still resolve (this assumes that the forwarders are *not* the same, or a subset, of the auth servers. If they are the same, or a subset, then I *really* would question why you're forwarding in the first place, since in that case the queries are going to *exactly*the*same*place*, and all you're basically doing is manipulating the value of the "RD" bit).

- Kevin

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Nex6|Bill
Sent: Friday, November 07, 2014 3:05 PM
To: Barry Margolin
Cc: comp-protocols-dns-b...@isc.org
Subject: Re: Forward vs Authoritative traffic

My name server is not authoritative for it, but I want to verify once the forward is in place that the query is following the forward and not the authoritative path.

On Nov 7, 2014, at 11:46 AM, Barry Margolin wrote:
> In article ,
> Nex6|Bill wrote:
>
>> I am going to be adding a type forward zone for an important zone.
>> How can I test that the forward is working correctly? If I do a dig
>> against the NS the record will return no matter if it's auth or fwd zone.
>
> If you don't have a zone file for the zone on the server, yet it
> returns the correct answer, then it must be forwarding. Where else
> would it get the answer?
>
> --
> Barry Margolin
> Arlington, MA
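Kevin's test, written out as a BIND 9 named.conf fragment. This is an added example, not configuration from the thread; 198.51.100.53 and 198.51.100.54 are placeholders for the parent org's authoritative servers (the ones the normal delegation path would reach across the internet gateway), and must not overlap with the forwarders for the test to prove anything.

```conf
// Added example, not from the thread. Assumed placeholders: the parent
// org's authoritative servers are 198.51.100.53 and 198.51.100.54 and the
// forwarder (the on-site LB) is a different address, e.g. 192.0.2.10.

// Option 1: "bogus" tells named never to send queries to these servers.
// If names in the child zone still resolve with this in place, the
// answers are coming through the forward (or static-stub) zone, not
// through the parent delegation.
server 198.51.100.53 { bogus yes; };
server 198.51.100.54 { bogus yes; };

// Option 2: blackhole. Stronger than bogus: named neither queries these
// addresses nor accepts queries from them, so do not leave it in place
// if those servers also legitimately query you.
// options {
//     blackhole { 198.51.100.53; 198.51.100.54; };
// };
```

Run `rndc flush` after `rndc reload` so a cached answer obtained via the parent path before the change cannot mask the result; remove the test stanza afterwards, since left in place it silently breaks the fallback path that `forward first` or a stub zone would otherwise use.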
Re: Forward vs Authoritative traffic
My name server is not authoritative for it, but I want to verify once the forward is in place that the query is following the forward and not the authoritative path.

On Nov 7, 2014, at 11:46 AM, Barry Margolin wrote:
> In article ,
> Nex6|Bill wrote:
>
>> I am going to be adding a type forward zone for an important zone. How can
>> I test that the forward is working correctly? If I do a dig against the NS
>> the record will return no matter if it's auth or fwd zone.
>
> If you don't have a zone file for the zone on the server, yet it returns
> the correct answer, then it must be forwarding. Where else would it get
> the answer?
>
> --
> Barry Margolin
> Arlington, MA
Re: Forward vs Authoritative traffic
In article ,
Nex6|Bill wrote:
> I am going to be adding a type forward zone for an important zone. How can I
> test that the forward is working correctly? If I do a dig against the NS the
> record will return no matter if it's auth or fwd zone.

If you don't have a zone file for the zone on the server, yet it returns the correct answer, then it must be forwarding. Where else would it get the answer?

--
Barry Margolin
Arlington, MA
Forward vs Authoritative traffic
I am going to be adding a type forward zone for an important zone. How can I test that the forward is working correctly? If I do a dig against the NS the record will return no matter if it's auth or fwd zone.

-Nex6