BIND: how to delegate subzone to other DNS server?
-
I'm in the process of migrating from a workgroup served by a BIND9 DNS server to an AD Domain based on Windows Server 2008 R2, and I'd like to keep using the BIND server until the AD infrastructure is ready. During the setup of AD, via dcpromo, I get a warning that I should make sure our current DNS server delegates the AD domain name to the AD server.

Suppose my AD domain is mydomain.lan, and my regular BIND domain is example.com. I'm setting my BIND server as authoritative for lan., but would like to delegate mydomain.lan. to the AD server's IP.

My named.conf.local contains:

    zone "lan" {
        type master;
        file "zone.lan";
    };

And zone.lan contains:

    $ORIGIN lan.
    $TTL 1H ; 1 hour
    @ IN SOA dns.example.com. hostmaster.example.com. (
        201008137 ; serial
        28800     ; refresh (8 hours)
        14400     ; retry (4 hours)
        2419200   ; expire (4 weeks)
        86400     ; minimum (1 day)
        )
      IN NS dns.example.com.
    $ORIGIN mydomain.lan.
    @   IN NS dc1.mydomain.lan.
    dc1 IN A  10.10.0.200 ; 'glue' record

When I query dns.example.com for "lan", I get the expected answer, but when I query for "mydomain.lan" or "dc1.mydomain.lan" I get an NXDOMAIN response. All my tries so far have failed. How do I properly create and delegate a subzone?

Update: some more info

    $ dig mydomain.lan @dns.example.com NS +norecurse

    ; <<>> DiG 9.7.0-P1 <<>> @dns.example.com mydomain.lan NS +norecurse
    ; (3 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23380
    ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;mydomain.lan.                  IN      NS

    ;; AUTHORITY SECTION:
    mydomain.lan.           3600    IN      NS      dc1.mydomain.lan.

    ;; ADDITIONAL SECTION:
    dc1.mydomain.lan.       3600    IN      A       10.10.0.200

    ;; Query time: 0 msec
    ;; SERVER: ::1#53(::1)
    ;; WHEN: Sun Aug 15 00:41:05 2010
    ;; MSG SIZE  rcvd: 64

    $ dig @dc1.mydomain.lan dc1.mydomain.lan
    dig: couldn't get address for 'dc1.mydomain.lan': not found

    $ dig @10.10.0.200 dc1.mydomain.lan

    ; <<>> DiG 9.7.0-P1 <<>> @10.10.0.200 dc1.mydomain.lan
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21348
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;dc1.mydomain.lan.              IN      A

    ;; ANSWER SECTION:
    dc1.mydomain.lan.       1200    IN      A       10.10.0.200

    ;; Query time: 6 msec
    ;; SERVER: 10.10.0.200#53(10.10.0.200)
    ;; WHEN: Sun Aug 15 00:55:11 2010
    ;; MSG SIZE  rcvd: 50

    $ dig @10.10.0.200 mydomain.lan

    ; <<>> DiG 9.7.0-P1 <<>> @10.10.0.200 mydomain.lan
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24664
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;mydomain.lan.                  IN      A

    ;; ANSWER SECTION:
    mydomain.lan.           600     IN      A       10.10.0.200

    ;; Query time: 0 msec
    ;; SERVER: 10.10.0.200#53(10.10.0.200)
    ;; WHEN: Sun Aug 15 01:04:39 2010
    ;; MSG SIZE  rcvd: 46
-
Answer:
There is a problem in the zone file.

    $ORIGIN lan.
    $TTL 1H ; 1 hour
    @ IN SOA dns.example.com. hostmaster.example.com. (
        201008137 ; serial
        28800     ; refresh (8 hours)
        14400     ; retry (4 hours)
        2419200   ; expire (4 weeks)
        86400     ; minimum (1 day)
        )
      IN NS dns.example.com.
    $ORIGIN mydomain.lan.
    @   IN NS dc1.mydomain.lan.
    dc1 IN A  10.10.0.200 ; 'glue' record

The @ refers to the zone name as defined in the named.conf

    zone "lan" {
        type master;
        file "zone.lan";
    };

which is just 'lan'. The record you created is

    lan. IN NS dc1.mydomain.lan.

I tend not to use BIND shortcuts for important records because it's easy to forget or misunderstand the behavior, leading to unexpected results.

(I realize it's probably too late to help this person, but if someone else looks at this, try removing the BIND shortcuts to see if it fixes your problems.)

Martijn Heemels at Server Fault
Other answers
Looks like you're missing 'dc1' as a host in the AD-managed zone; the glue is only used to find the authoritative servers, not as actual content once those servers have been reached. You might want to explore dig +trace to see the servers queried, when not using @server.name, to see the delegation chain being chased.
Phil P
The problem is in your named.conf. I'm guessing you've got forwarders defined in your named.conf somewhere. For any zone for which your server is authoritative, you need to turn the forwarding off. Using the sample from above, you should change it to read like this:

    zone "lan" {
        type master;
        file "zone.lan";
        forwarders { };
    };

It should work once you do this.
jeh
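The accepted answer's advice about BIND shortcuts and the zone file in the question both come down to how named expands `$ORIGIN`, `@` and relative names. The following checker is an added example, not code from the question or any of the answers: it expands those shortcuts the way named does, prints the fully qualified records, and reports whether the parent zone actually carries a delegation (NS at the child apex plus glue for an in-zone nameserver). The zone text is constructed from the question's names; the second variant is a constructed mistake (a `$ORIGIN` without its trailing dot) that silently moves every name under `mydomain.lan.lan.`.

```python
# Added example, not from the question or answers: expand BIND zone-file
# shortcuts ($ORIGIN, @, relative names) the way named does, then check that
# a child zone is delegated with glue. Zone text constructed from the question.
GOOD_ZONE = """\
$ORIGIN lan.
$TTL 1H
@   IN SOA dns.example.com. hostmaster.example.com. ( 201008137 28800 14400 2419200 86400 )
    IN NS dns.example.com.
$ORIGIN mydomain.lan.
@   IN NS dc1.mydomain.lan.
dc1 IN A  10.10.0.200   ; glue
"""
# Constructed shortcut mistake: without the trailing dot, $ORIGIN is taken
# relative to the previous origin and every name lands under mydomain.lan.lan.
BAD_ZONE = GOOD_ZONE.replace("$ORIGIN mydomain.lan.", "$ORIGIN mydomain.lan")

def absolutize(name, origin):
    """'@' is the current origin; a trailing dot is absolute; else relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, zone_name):
    """(owner, type, rdata) tuples, owner and NS target fully qualified."""
    origin = zone_name if zone_name.endswith(".") else zone_name + "."
    owner, records = origin, []                        # origin = named.conf zone name
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # drop comments
        if not line.strip() or line.startswith("$TTL"):
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = absolutize(tokens[1], origin)
            continue
        if not line[0].isspace():                      # leading blank = same owner
            owner = absolutize(tokens.pop(0), origin)
        while tokens[0].isdigit() or tokens[0].upper() == "IN":   # optional TTL/class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "NS":
            rdata = [absolutize(rdata[0], origin)]
        records.append((owner, rtype, " ".join(rdata)))
    return records

def check_delegation(records, child):
    """List what would stop the parent from handing out a referral for `child`."""
    servers = [r for o, t, r in records if o == child and t == "NS"]
    problems = [] if servers else [f"no NS records at {child}: parent answers NXDOMAIN"]
    for ns in servers:                                 # in-zone NS needs glue
        if ns.endswith("." + child) and not any(
                o == ns and t in ("A", "AAAA") for o, t, _ in records):
            problems.append(f"in-zone nameserver {ns} has no glue address")
    return problems
```

Run `check_delegation(parse_zone(GOOD_ZONE, "lan"), "mydomain.lan.")` against each variant; the good zone yields no problems (matching the referral seen in the question's first dig), while the variant without the trailing dot has no NS at `mydomain.lan.` at all.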