Re: [Bind-dlz-testers] Help requested for zone delegation using DLZ
From: Michael K. <mik...@uc...> - 2009-11-04 03:50:49
On server A, you need to create an A record, assuming the sub-delegated name server lives at 192.168.0.1:

    example.com | ns1-us | 300 | A | | 192.168.0.1

The following line should cause BIND to sub-delegate us.example.com properly:

    us.example.com | @ | 300 | NS | | ns1-us.example.com. | | | | | |

Server B: make the NS record point to ns1-us.example.com.

    us.example.com | @ | 300 | NS | | ns1-us.example.com.

Trying to make the delegated name server anything.us.example.com will not work. The only reason why ns1-us.example.com will work is because that is being resolved by server A. The lookups will not find server B if it is delegating its name in this case.

Hopefully this helps.

_____

From: Mike Toler [mailto:mik...@pr...]
Sent: Tuesday, November 03, 2009 2:46 PM
To: bin...@li...
Subject: [Bind-dlz-testers] Help requested for zone delegation using DLZ

First off, I've gone through all of the previous DLZ/zone delegation threads both here and on other lists, and have not found a working example on any of them. I've tried dumbing down my own selects to the bare minimum and still am not able to get a successful delegation of a request. The QUERIES all look fine when I run named in debug mode (see below), but I NEVER see any attempt to delegate to the second server any DNS queries for us.example.com.
Using the example.com and us.example.com nomenclature that seems popular in the threads, this is a description of what I have (DB SQL statements at the bottom of the e-mail so they can be easily dropped into a matching DB):

Server A:
Domain: example.com
IP: 172.25.2.94
Hosts: SOA record, NS record (ns1), A record (ns1), A record (ns1-us), NS record (us.example.com)

          zone      |  host  | ttl | type | mx_priority |        data         | resp_person |   serial   | refresh | retry | expire | minimum
    ----------------+--------+-----+------+-------------+---------------------+-------------+------------+---------+-------+--------+---------
     example.com    | @      | 300 | SOA  |             | ns1                 | hostmaster  | 2009091600 |     900 |  2800 |   8640 |    1080
     example.com    | ns1-us | 300 | A    |             | 172.24.1.93         |             |            |         |       |        |
     example.com    | @      | 300 | NS   |             | ns1.example.com.    |             |            |         |       |        |
     us.example.com | @      | 300 | NS   |             | ns1-us.example.com. |             |            |         |       |        |
     example.com    | ns1    | 300 | A    |             | 172.24.2.196        |             |            |         |       |        |

Server B:
Domain: us.example.com
IP: 172.25.1.93
Hosts: SOA record, NS record (ns1), A record (ns1), A record (ns1-us), NS record (us.example.com)

          zone      | host  | ttl | type | mx_priority |        data         | resp_person |   serial   | refresh | retry | expire | minimum
    ----------------+-------+-----+------+-------------+---------------------+-------------+------------+---------+-------+--------+---------
     us.example.com | ns1   | 300 | A    |             | 172.24.1.93         |             |            |         |       |        |
     us.example.com | @     | 300 | SOA  |             | ns1                 | hostmaster  | 2009091600 |     900 |  2800 |   8640 |    1080
     us.example.com | @     | 300 | NS   |             | ns1.us.example.com. |             |            |         |       |        |
     us.example.com | test1 | 300 | A    |             | 1.2.3.4             |             |            |         |       |        |

My DLZ configuration in the named.conf file looks like:

    . . .
    dlz "postgres zone" {
        database "postgres 2
            {host=int-dbs port=5432 dbname=xxxx user=yyyy}
            {select zone from dns_records where zone = '%zone%'}
            {select ttl, type, mx_priority,
                    case when lower(type)='txt' then '\"' || data || '\"' else data end
             from dns_records where zone = '%zone%' and host = '%record%' }";
    };
    . . .
If I do a dig command for the NS record for "us.example.com" on server A, it works fine and returns the NS record (ns1-us.example.com evaluates to the IP of server B).

    [root@int-svc-11 ~]# dig ns @172.24.2.196 us.example.com

    ; <<>> DiG 9.4.3-P2 <<>> ns @172.24.2.196 us.example.com
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30308
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;us.example.com.                IN      NS

    ;; ANSWER SECTION:
    us.example.com.         300     IN      NS      ns1-us.example.com.

    ;; Query time: 1 msec
    ;; SERVER: 172.24.2.196#53(172.24.2.196)
    ;; WHEN: Tue Nov  3 20:20:49 2009
    ;; MSG SIZE  rcvd: 53

If I do a dig command for the A record "test1.us.example.com", it fails.

    [root@int-svc-11 ~]# dig a @172.24.2.196 test1.us.example.com

    ; <<>> DiG 9.4.3-P2 <<>> a @172.24.2.196 test1.us.example.com
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29260
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;test1.us.example.com.          IN      A

    ;; Query time: 3 msec
    ;; SERVER: 172.24.2.196#53(172.24.2.196)
    ;; WHEN: Tue Nov  3 20:22:03 2009
    ;; MSG SIZE  rcvd: 38

The final query that DLZ does before failing (which, if I understand correctly, is used to determine if the request needs to be forwarded) is:

    03-Nov-2009 20:20:56.532 84 built query
    03-Nov-2009 20:20:56.532 84 query is 'select ttl, type, mx_priority, case when lower(type)='txt' then '"' || data || '"' else data end from dns_records where zone = 'us.example.com' and host = '@' '
    03-Nov-2009 20:20:56.532 84 executing query for 0 time
    03-Nov-2009 20:20:56.532 84 rs ok
    03-Nov-2009 20:20:56.532 84 cleaning up
    03-Nov-2009 20:20:56.532 84 returning
    03-Nov-2009 20:20:56.532 842 Getting DBI
    03-Nov-2009 20:20:56.532 842 Got DBI - checking query
    03-Nov-2009 20:20:56.532 842 cleaning up
    03-Nov-2009 20:20:56.532 842 returning

That query on my DB returns:

    dns_data=# select ttl, type, mx_priority, case when lower(type)='txt' then '"' || data || '"' else data end from dns_records where zone = 'us.example.com' and host = '@';
     ttl | type | mx_priority |        data
    -----+------+-------------+---------------------
     300 | NS   |             | ns1-us.example.com.
    (1 row)

Which appears to me to be correct. That is returning the NS record defined for "us.example.com" in server A (ns1-us.example.com is an A record that points to server B). So why, when I do a dig, does the query never make it to server B and I get the DNS lookup failure??? This is driving me nuts.
-------------------------------------------------- DB Definition ----------------

Postgres DB definition:

    CREATE TABLE dns_records
    (
      "zone" character varying(255) NOT NULL,
      host character varying(255) NOT NULL,
      ttl integer,
      "type" character varying(16) NOT NULL,
      mx_priority integer,
      data character varying(255) NOT NULL,
      resp_person character varying(255),
      serial integer,
      refresh integer,
      retry integer,
      expire integer,
      minimum integer,
      datestamp timestamp without time zone DEFAULT now(),
      CONSTRAINT dns_records_pkey PRIMARY KEY (zone, host, data, type)
    )
    WITH (
      OIDS=FALSE
    );

Michael L. Toler
Sr. System Test Engineer
Prodea Systems, Inc.
214-278-1834 (office)
972-816-7790 (mobile)

This message is confidential to Prodea Systems, Inc. unless otherwise indicated or apparent from its nature. This message is directed to the intended recipient only, who may be readily determined by the sender of this message and its contents. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient: (a) any dissemination or copying of this message is strictly prohibited; and (b) immediately notify the sender by return message and destroy any copies of this message in any form (electronic, paper or otherwise) that you have. The delivery of this message and its information is neither intended to be nor constitutes a disclosure or waiver of any trade secrets, intellectual property, attorney work product, or attorney-client communications. The authority of the individual sending this message to legally bind Prodea Systems is neither apparent nor implied, and must be independently verified.
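Added example (editor's note, not code from either message in this thread, nor from BIND or the DLZ drivers): it replays the two queries from the poster's named.conf, the findzone query and the lookup query, against an in-memory sqlite3 copy of the dns_records table loaded with server A's rows exactly as posted, and reports what a DLZ-backed named would have to work with for each query name. Two things in it are assumptions of the example rather than statements from the thread: the model of how named uses the queries (findzone is tried on the full query name and then on each shorter suffix, first match wins; the lookup query is then run for each owner name from the apex down to the query name, with an NS set below the apex treated as a referral and a miss at the query name needing the apex SOA to build NXDOMAIN), and the second, "parent-hosted" row layout in which the us.example.com NS record is stored under zone example.com with host us. The sqlite schema drops the datestamp column because sqlite has no now().

```python
import sqlite3

# Constructed copy of the poster's table (datestamp dropped: sqlite has no now()).
SCHEMA = """CREATE TABLE dns_records (
  zone VARCHAR(255) NOT NULL, host VARCHAR(255) NOT NULL, ttl INTEGER,
  type VARCHAR(16) NOT NULL, mx_priority INTEGER, data VARCHAR(255) NOT NULL,
  resp_person VARCHAR(255), serial INTEGER, refresh INTEGER, retry INTEGER,
  expire INTEGER, minimum INTEGER,
  PRIMARY KEY (zone, host, data, type))"""

# Server A's rows exactly as posted: (zone, host, ttl, type, data).
AS_POSTED = [
    ("example.com",    "@",      300, "SOA", "ns1"),
    ("example.com",    "ns1-us", 300, "A",   "172.24.1.93"),
    ("example.com",    "@",      300, "NS",  "ns1.example.com."),
    ("us.example.com", "@",      300, "NS",  "ns1-us.example.com."),
    ("example.com",    "ns1",    300, "A",   "172.24.2.196"),
]
# Assumed alternative layout (not from the thread): the delegation NS is stored
# in the parent zone as host 'us', so no row on server A has zone='us.example.com'.
PARENT_HOSTED = [r for r in AS_POSTED if r[0] != "us.example.com"] + [
    ("example.com", "us", 300, "NS", "ns1-us.example.com."),
]

# The two queries from the poster's named.conf; %zone% / %record% become bind parameters.
FINDZONE_SQL = "select zone from dns_records where zone = ?"
LOOKUP_SQL = ("select ttl, type, mx_priority, "
              "case when lower(type)='txt' then '\"' || data || '\"' else data end "
              "from dns_records where zone = ? and host = ?")


def load(rows):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO dns_records (zone, host, ttl, type, data) "
                   "VALUES (?, ?, ?, ?, ?)", rows)
    return db


def findzone(db, qname):
    """Assumed model of the DLZ findzone walk: try the full query name, then
    each shorter suffix, and claim the first one the findzone query matches."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if db.execute(FINDZONE_SQL, (candidate,)).fetchone():
            return candidate
    return None


def lookup(db, zone, record):
    """The lookup query; the owner name is relative to the zone, '@' at the apex."""
    return db.execute(LOOKUP_SQL, (zone, record)).fetchall()


def resolve(rows, qname):
    """Assumed model of one query: after findzone, look up each owner name from
    the apex down to qname.  An NS set below the apex is a referral; records at
    qname are an answer; a miss needs the apex SOA to build NXDOMAIN, and with
    no SOA at the apex nothing is left but SERVFAIL.  Returns (outcome, zone, rows)."""
    db = load(rows)
    zone = findzone(db, qname)
    if zone is None:
        return ("not-authoritative", None, [])
    qlabels = qname.rstrip(".").split(".")
    n, zlen = len(qlabels), len(zone.split("."))
    apex = lookup(db, zone, "@")
    for depth in range(zlen, n + 1):              # apex first, qname last
        rel = ".".join(qlabels[n - depth:n - zlen]) or "@"
        rrs = lookup(db, zone, rel)
        ns = [r for r in rrs if r[1] == "NS"]
        if rel != "@" and ns:
            return ("referral", zone, ns)
        if depth == n:
            if rrs:
                return ("answer", zone, rrs)
            if any(r[1] == "SOA" for r in apex):
                return ("nxdomain", zone, apex)
            # The apex lookup here is the host='@' query the debug log shows last.
            return ("servfail", zone, apex)
    return ("servfail", zone, apex)


if __name__ == "__main__":
    for label, rows in (("as posted", AS_POSTED), ("parent-hosted", PARENT_HOSTED)):
        for q in ("us.example.com", "test1.us.example.com"):
            print(label, q, "->", resolve(rows, q))
```

With the rows as posted, the findzone query accepts us.example.com on server A, so the model never reaches example.com for test1.us.example.com; the lookup at the apex of us.example.com returns only the NS row and no SOA, which is the state the poster's last debug query shows. With the delegation stored in the parent zone, findzone falls through to example.com and the lookup for host us returns the NS set as a referral.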