Todd Lyons | 4 Nov 2009 16:45

Re: Help requested for zone delegation using DLZ

On Wed, Nov 4, 2009 at 7:27 AM, Mike Toler <mike.toler <at> prodeasystems.com> wrote:
> All right.  So the two responses I have are:
> From Todd:
>        It does not work.

You missed the context because I did not state it clearly.  You cannot
delegate us.example.com to ns1.us.example.com.  However, you *can*
delegate it to ns1-us.example.com (in other words, a dns server on the
root domain) and it will work.

> From Michael K.:
>        Add the glue record and change the us.example.com NS server on B to
>        point to ns1-us.example.com.
>
> I tried adding/updating the records as directed by Michael K., but
> nothing changed.

His suggestion should work, see below...

> Todd, when you say it doesn't work, do you mean there isn't a way to
> make it work or that it doesn't work like it should, but there may be
> workarounds?

Requires the workaround that Michael suggested above.  Look at this ML
post from Rob Butler back in June, the author of bind-dlz about this
exact issue.  It explains why my use case described in my original
email does not work, and how Michael K's suggestion is a modification
that will make it work:


Mike Toler | 4 Nov 2009 18:34

Re: Help requested for zone delegation using DLZ

Well, updating the DBs as per Michael K.'s and Rob Butler's suggestions did
not help.  Am I missing something stupid like a tag in the named.conf
that has to be turned on for this to work?

I mean the configs don't seem like rocket science here. (Setting the
Name Server to be outside of the sub-domain aside.)

Or am I just not understanding how zone delegation works?

If I do a "dig a @ServerA test1.us.example.com", should I get back the
IP of test1.us.example.com from ServerB?  Or is that expected to fail
and the client retry with the new NS?

DB tables:
Server A:
 zone           | host   | ttl | type | mx_priority | data                | resp_person | serial     | refresh | retry | expire | minimum
----------------+--------+-----+------+-------------+---------------------+-------------+------------+---------+-------+--------+---------
 example.com    | @      | 300 | SOA  |             | ns1                 | hostmaster  | 2009091600 |     900 |  2800 |   8640 |    1080
 example.com    | ns1-us | 300 | A    |             | 172.24.1.93         |             |            |         |       |        |
 example.com    | @      | 300 | NS   |             | ns1.example.com.    |             |            |         |       |        |
 us.example.com | @      | 300 | NS   |             | ns1-us.example.com. |             |            |         |       |        |
 example.com    | ns1    | 300 | A    |             | 172.24.2.196        |             |            |         |       |        |

Todd Lyons | 4 Nov 2009 22:03

Re: Help requested for zone delegation using DLZ

dig does not do recursion unless you tell it to (and then only with
+trace, to my knowledge, which forces it to start at the root servers
and work its way down the delegation chain).  Try with the host
command and see if you get the same results.

Regards....               Todd

On Wed, Nov 4, 2009 at 9:34 AM, Mike Toler <mike.toler <at> prodeasystems.com> wrote:
> Well, updating the DBs as per Michael K.'s and Rob Butler's suggestions did
> not help.  Am I missing something stupid like a tag in the named.conf
> that has to be turned on for this to work?
>
> I mean the configs don't seem like rocket science here. (Setting the
> Name Server to be outside of the sub-domain aside.)
>
> Or am I just not understanding how zone delegation works?
>
> If I do a "dig a @ServerA test1.us.example.com", should I get back the
> IP of test1.us.example.com from ServerB?  Or is that expected to fail
> and the client retry with the new NS?
>
> DB tables:
> Server A:
>  zone           | host   | ttl | type | mx_priority | data | resp_person | serial     | refresh | retry | expire | minimum
> ----------------+--------+-----+------+-------------+------+-------------+------------+---------+-------+--------+---------
>  example.com    | @      | 300 | SOA  |             | ns1  | hostmaster  | 2009091600 |     900 |  2800 |   8640 |    1080

Mike Toler | 4 Nov 2009 22:16

Re: Help requested for zone delegation using DLZ

Well, still no luck.

I set the resolv.conf for a server to point to ServerA.   Then:
[root@int-svc-11 ~]# host -t ns us.example.com
us.example.com name server ns1-us.example.com.
[root@int-svc-11 ~]# host -t a ns1-us.example.com
ns1-us.example.com has address 172.24.1.93

[root@int-svc-11 ~]# host -a test1.us.example.com 127.0.0.1
Trying "test1.us.example.com"
;; connection timed out; no servers could be reached

The ns lookup worked fine.  The a record lookup for the ns server worked
fine.  
The lookup for the specific host failed.

Then I did a lookup to ServerB directly on the 'test1' dn and got:
   [root@int-svc-11 ~]# host -t a test1.us.example.com 172.24.1.93
   Using domain server:
   Name: 172.24.1.93
   Address: 172.24.1.93#53
   Aliases:

   test1.us.example.com has address 1.2.3.4

Which is what I expected.

Michael


Todd Lyons | 4 Nov 2009 23:21

Re: Help requested for zone delegation using DLZ

Can you add a -v to all three of those host commands?

It may just be that my original statement was unintentionally correct
and sub-delegation doesn't work within the same domain.

Regards....              Todd

On Wed, Nov 4, 2009 at 1:16 PM, Mike Toler <mike.toler <at> prodeasystems.com> wrote:
> Well, still no luck.
>
> I set the resolv.conf for a server to point to ServerA.   Then:
> [root@int-svc-11 ~]# host -t ns us.example.com
> us.example.com name server ns1-us.example.com.
> [root@int-svc-11 ~]# host -t a ns1-us.example.com
> ns1-us.example.com has address 172.24.1.93
>
> [root@int-svc-11 ~]# host -a test1.us.example.com 127.0.0.1
> Trying "test1.us.example.com"
> ;; connection timed out; no servers could be reached
>
> The ns lookup worked fine.  The a record lookup for the ns server worked
> fine.
> The lookup for the specific host failed.
>
> Then I did a lookup to ServerB directly on the 'test1' dn and got:
>   [root@int-svc-11 ~]# host -t a test1.us.example.com 172.24.1.93
>   Using domain server:
>   Name: 172.24.1.93

Michael Kirkpatrick | 5 Nov 2009 05:07

Re: Help requested for zone delegation using DLZ

Here is what I have found with sub delegation.

All requests initially go to the name servers of example.com.
They pick up the name servers to look at for us.example.com.
Then they query the name servers of us.example.com.  Basically a little
recursion is going on.

I can't stress this enough.  Always follow the name with a "period".
It dawned on me when I looked over your settings again that you had entries
as example.com without a trailing period.  In bind it interprets that as
example.com.example.com if you don't have that period.  Basically shorthand
so you can just enter @ or www without having to spell out the entire domain
name.

On server A:
You need an NS record pointing to server B for us.example.com

On Server B:
Don't forget to have the same NS record pointing to itself.

Basically the NS records on server A and server B are going to be the same
for us.example.com.

This is how I sub delegated one of my domains (Raw File Format):
Primary: ns1.example.com (10.0.0.1)
Secondary: ns2.example.com (10.0.0.2)
Sub Primary: sub1.example.com (192.168.0.1)
Sub Primary: sub2.example.com (192.168.0.2)

Primary & secondary servers:

Mike Toler | 6 Nov 2009 23:02

Re: Help requested for zone delegation using DLZ

Ok, I just went through my data again and can find no instances of fully
qualified zones that are not terminated with a period "."

All lookups to the two servers for Records that are on that server work
100% of the time.

According to Todd, the NS for the secondary domain can't be within the
sub-domain, but has to be in the primary domain.
ns1.us.example.com won't work, but ns1-us.example.com should.

What follows is a complete lookup of all entries on ServerA and ServerB.

These are the commands I entered:
host -v -t soa example.com       127.0.0.1
host -v -t ns example.com       127.0.0.1
host -v -t a ns1.example.com       127.0.0.1
host -v -t a ns1-us.example.com       127.0.0.1
host -v -t ns us.example.com       127.0.0.1

host -v -t soa us.example.com     172.24.1.93
host -v -t ns us.example.com     172.24.1.93
host -v -t a ns1-us.example.com     172.24.1.93
host -v -t a test1.us.example.com     172.24.1.93

host -v -t soa us.example.com     127.0.0.1
host -v -t ns us.example.com     127.0.0.1
host -v -t a test1.us.example.com     127.0.0.1

The results follow below.


Todd Lyons | 7 Nov 2009 05:28

Re: Help requested for zone delegation using DLZ

On Fri, Nov 6, 2009 at 2:02 PM, Mike Toler <mike.toler <at> prodeasystems.com> wrote:
> The hangup, as it has been all along, is when I attempt to use zone
> delegation.
>        SOA Fails:   Host us.example.com not found: 2(SERVFAIL)
>      NS works because it's the same query from the first section.
>      test1.us.example.com fails:  Host test1.us.example.com not found:
> 2(SERVFAIL)
>
> I think I'm beginning to believe that this is just not going to work
> with DLZ.

Sadly, in the face of your well documented tests, I don't see the
ability to refute your conclusion. :-(  It looks like the
sub-delegation cannot be within the same domain, unless someone else
can provide a working config to demonstrate otherwise.

-- 
Regards...      Todd
The best thing about pair programming is that you have the perfect
audience for your genius.  -- Kent Beck

Dominique DERRIER | 7 Nov 2009 05:46

Re: Help requested for zone delegation using DLZ

Todd Lyons wrote:
> On Fri, Nov 6, 2009 at 2:02 PM, Mike Toler <mike.toler <at> prodeasystems.com> wrote:
>> The hangup, as it has been all along, is when I attempt to use zone delegation.
>>        SOA Fails:   Host us.example.com not found: 2(SERVFAIL)
>>      NS works because it's the same query from the first section.
>>      test1.us.example.com fails:  Host test1.us.example.com not found: 2(SERVFAIL)
>> I think I'm beginning to believe that this is just not going to work with DLZ.
> Sadly, in the face of your well documented tests, I don't see the ability to refute your conclusion. :-( It looks like the sub-delegation cannot be within the same domain, unless someone else can provide a working config to demonstrate otherwise.
Hi,
For me it doesn't work, and hasn't for a long time. It's the only trouble for me.
I've tried to:
- Change the database query
- Duplicate data with a view to produce good data.

Only bind with a config file works fine with sub-delegation.

To find a solution, I'm writing a config file generator from a MySQL database.

PS: other software like PowerDNS didn't work either, for complicated sub-delegation.

Dominique

Todd Lyons | 7 Nov 2009 06:32

Re: Help requested for zone delegation using DLZ

2009/11/6 Dominique DERRIER <derrierdo <at> gmail.com>:
> For me it doesn't work, and hasn't for a long time. It's the only trouble for me.
> I've tried to:
> - Change the database query
> - Duplicate data with a view to produce good data.
> Only bind with a config file works fine with sub-delegation.

Like Rob said, the logic that creates the glue happens before the
query(ies) by DLZ.  Without the answers that DLZ lookups provide, it
can't create the glue.  The solution will undoubtedly be to hack some
DLZ code into the glue generation section.

> PS: other software like PowerDNS didn't work either, for complicated
> sub-delegation.

That's interesting, and an interesting metric.  Is it a known
limitation or is it possible that the config or data just needed
tweaking?
-- 
Regards...      Todd
The best thing about pair programming is that you have the perfect
audience for your genius.  -- Kent Beck

Michael J. Ayers | 16 Oct 2010 00:49

Re: Help requested for zone delegation using DLZ

Hey all,

I finally solved this tricky little problem with no code modification on bind 9.5 and up (it should work for earlier versions but I do not have any instances deployed anywhere).  To get this to work you need to perform the following:

On Server A:

Create an NS record for us.example.com and an A record for the nameserver in the parent (example.com) domain you will be delegating the subdomain to.

zone            host            type    data                    ttl     mx_priority     refresh         retry   expire  minimum         serial          resp_person
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
example.com     us              NS      ns10.example.com.       300     NULL            NULL            NULL    NULL    NULL            NULL            NULL
example.com     ns10            A       192.168.0.10            86400   NULL            NULL            NULL    NULL    NULL            NULL            NULL


On Server B:

Create an SOA record for us.example.com, an NS record for us.boingo.com containing the ns10 server entry, and your new A record entries.


zone            host            type    data                    ttl     mx_priority     refresh         retry   expire  minimum         serial          resp_person
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
us.example.com   <at>               SOA     ns10.example.com.       86400   NULL            7200            600     86400   3600            1287000000      hostmaster.example.com.
us.example.com  us.example.com  NS      ns10.example.com.       300     NULL            NULL            NULL    NULL    NULL            NULL            NULL
us.example.com  www             A       192.168.0.110           86400   NULL            NULL            NULL    NULL    NULL            NULL            NULL
us.example.com  ftp             A       192.168.0.111           86400   NULL            NULL            NULL    NULL    NULL            NULL            NULL

This actually works for setting up sub-domain delegation in BIND-DLZ.  I have tested it and verified working.  Let me know if you have any questions.

Thanks,

Mike


On Fri, Nov 6, 2009 at 10:32 PM, Todd Lyons <tlyons <at> ivenue.com> wrote:
2009/11/6 Dominique DERRIER <derrierdo <at> gmail.com>:
> For me it doesn't work, and hasn't for a long time. It's the only trouble for me.
> I've tried to:
> - Change the database query
> - Duplicate data with a view to produce good data.
> Only bind with a config file works fine with sub-delegation.

Like Rob said, the logic that creates the glue happens before the
query(ies) by DLZ.  Without the answers that DLZ lookups provide, it
can't create the glue.  The solution will undoubtedly be to hack some
DLZ code into the glue generation section.

> PS: other software like PowerDNS didn't work either, for complicated
> sub-delegation.

That's interesting, and an interesting metric.  Is it a known
limitation or is it possible that the config or data just needed
tweaking?
--
Regards...      Todd
The best thing about pair programming is that you have the perfect
audience for your genius.  -- Kent Beck




--
Michael J. Ayers
Senior Systems Engineer
Michael J. Ayers | 16 Oct 2010 00:50

Re: Help requested for zone delegation using DLZ

I garbaged up the earlier email.  Cut and paste occasionally can blow up...


I finally solved this tricky little problem with no code modification on bind 9.5 and up (it should work for earlier versions but I do not have any instances deployed anywhere).  To get this to work you need to perform the following:

On Server A:

Create an NS record for us.example.com and an A record for the nameserver in the parent (example.com) domain you will be delegating the subdomain to.

zone            host            type    data                    ttl     mx_priority     refresh         retry   expire  minimum         serial          resp_person
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
example.com     us              NS      ns10.example.com.       300     NULL            NULL            NULL    NULL    NULL            NULL            NULL
example.com     ns10            A       192.168.0.10            86400   NULL            NULL            NULL    NULL    NULL            NULL            NULL


On Server B:

Create an SOA record for us.example.com, an NS record for us.boingo.com containing the ns10 server entry, and your new A record entries.

zone            host            type    data                    ttl     mx_priority     refresh         retry   expire  minimum         serial          resp_person
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
us.example.com   <at>               SOA     ns10.example.com.       86400   NULL            7200            600     86400   3600            1287000000      hostmaster.example.com.
us.example.com  us.example.com  NS      ns10.example.com.       300     NULL            NULL            NULL    NULL    NULL            NULL            NULL
us.example.com  www             A       192.168.0.110           86400   NULL            NULL            NULL    NULL    NULL            NULL            NULL
us.example.com  ftp             A       192.168.0.111           86400   NULL            NULL            NULL    NULL    NULL            NULL            NULL

This actually works for setting up sub-domain delegation in BIND-DLZ.  I have tested it and verified working.  Let me know if you have any questions.

Thanks,

Mike

On Fri, Nov 6, 2009 at 10:32 PM, Todd Lyons <tlyons <at> ivenue.com> wrote:
2009/11/6 Dominique DERRIER <derrierdo <at> gmail.com>:
> For me it doesn't work, and hasn't for a long time. It's the only trouble for me.
> I've tried to:
> - Change the database query
> - Duplicate data with a view to produce good data.
> Only bind with a config file works fine with sub-delegation.

Like Rob said, the logic that creates the glue happens before the
query(ies) by DLZ.  Without the answers that DLZ lookups provide, it
can't create the glue.  The solution will undoubtedly be to hack some
DLZ code into the glue generation section.

> PS: other software like PowerDNS didn't work either, for complicated
> sub-delegation.

That's interesting, and an interesting metric.  Is it a known
limitation or is it possible that the config or data just needed
tweaking?
--
Regards...      Todd
The best thing about pair programming is that you have the perfect
audience for your genius.  -- Kent Beck




--
Michael J. Ayers
Senior Systems Engineer
Todd Lyons | 5 Nov 2010 08:48

Re: Help requested for zone delegation using DLZ

So to summarize, you created two zones:

$ORIGIN example.com.
@ IN SOA blah
@ IN NS ns10.example.com. (I am assuming this one)
us IN NS ns10.example.com.
ns10 IN A 192.168.0.10

$ORIGIN us.example.com.
@ IN SOA blah2
us.example.com IN NS ns10.example.com.
; no trailing dot, so the above literally expands to:
; us.example.com.us.example.com IN NS ns10.example.com.
www IN A 192.168.0.110
ftp IN A 192.168.0.111

2010/10/15 Michael J. Ayers <ayerslists <at> gmail.com>:
> I finally solved this tricky little problem with no code modification on
> bind 9.5 and up (it should work for earlier versions but I do not have any
> instances deployed anywhere).  To get this to work you need to perform the
> following:
> On Server A:
> On Server B:

Hmmm, so you're doing this on more than one bind server?  What about
in the case where it's all running on one server?

I don't see how the second zone as written above could work.  Can you explain?

-- 
Regards...      Todd
I seek the truth...it is only persistence in self-delusion and
ignorance that does harm.  -- Marcus Aurelius
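Added example, not code from this thread or from the bind-dlz project: a small Python checker that applies the two rules discussed above (Michael K.'s "always end the name with a period" and the $ORIGIN expansion Todd spells out) to DLZ-style rows, plus the parent-side glue check. The sample rows are constructed from the Server A / Server B tables Michael Ayers posted; `Row`, `fqdn`, `doubled_origin` and `check_delegation` are names chosen here.

```python
"""Checks a DLZ-style delegation (rows of zone, host, type, data) for the two
pitfalls raised in this thread: a name that was meant to be absolute but lacks
the trailing dot, and a subdomain NS record in the parent without usable glue."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Row:
    zone: str   # DLZ zone column, e.g. "example.com"
    host: str   # owner name relative to the zone, "@" for the apex
    rtype: str  # record type
    data: str   # rdata: a name for NS/SOA/CNAME, an address for A


def fqdn(name: str, origin: str) -> str:
    """Expand a name the way BIND does under $ORIGIN."""
    origin = origin.rstrip(".") + "."
    if name == "@":
        return origin
    if name.endswith("."):
        return name             # already absolute
    return name + "." + origin  # relative: the origin is appended


def doubled_origin(name: str, origin: str) -> bool:
    """True when a relative name already ends in the origin's labels, i.e. the
    author meant an absolute name but forgot the trailing dot."""
    o = origin.rstrip(".")
    if name == "@" or name.endswith("."):
        return False
    return name == o or name.endswith("." + o)


def check_delegation(rows, parent, child):
    """Return human-readable problems; an empty list means the parent->child
    delegation is consistent."""
    issues = []
    parent_apex, child_apex = fqdn("@", parent), fqdn("@", child)
    # 1. Names that BIND would silently expand under the origin.
    for r in rows:
        names = [r.host] + ([r.data] if r.rtype in ("NS", "SOA", "CNAME") else [])
        for n in names:
            if doubled_origin(n, r.zone):
                issues.append(f"{r.rtype} name {n!r} in zone {r.zone} expands to {fqdn(n, r.zone)}")
    # 2. The parent must delegate the child and carry glue for in-zone NS hosts.
    parent_ns = {fqdn(r.data, r.zone) for r in rows
                 if r.zone == parent and r.rtype == "NS" and fqdn(r.host, r.zone) == child_apex}
    parent_a = {fqdn(r.host, r.zone) for r in rows if r.zone == parent and r.rtype == "A"}
    if not parent_ns:
        issues.append(f"parent {parent_apex} has no NS record delegating {child_apex}")
    for ns in sorted(parent_ns):
        if ns.endswith("." + child_apex):
            issues.append(f"NS {ns} lies inside the delegated zone; its glue must come from the parent")
        elif ns.endswith("." + parent_apex) and ns not in parent_a:
            issues.append(f"no glue A record for {ns} in {parent_apex}")
    # 3. The child apex NS set must exist and match the parent's.
    child_ns = {fqdn(r.data, r.zone) for r in rows
                if r.zone == child and r.rtype == "NS" and fqdn(r.host, r.zone) == child_apex}
    if not child_ns:
        issues.append(f"child {child_apex} has no NS record at its apex")
    elif child_ns != parent_ns:
        issues.append(f"NS sets differ: parent {sorted(parent_ns)} vs child {sorted(child_ns)}")
    return issues


# Sample rows constructed from the Server A / Server B tables posted in this thread.
SERVER_A = [Row("example.com", "us", "NS", "ns10.example.com."),
            Row("example.com", "ns10", "A", "192.168.0.10")]
SERVER_B_AS_POSTED = [Row("us.example.com", "@", "SOA", "ns10.example.com."),
                      Row("us.example.com", "us.example.com", "NS", "ns10.example.com."),
                      Row("us.example.com", "www", "A", "192.168.0.110"),
                      Row("us.example.com", "ftp", "A", "192.168.0.111")]
# Same zone with the apex NS written as "@" instead of the dot-less "us.example.com".
SERVER_B_FIXED = [Row(r.zone, "@", r.rtype, r.data) if r.rtype == "NS" else r
                  for r in SERVER_B_AS_POSTED]
```

Running `check_delegation(SERVER_A + SERVER_B_AS_POSTED, "example.com", "us.example.com")` reports the doubled-origin expansion and the missing apex NS; the `SERVER_B_FIXED` variant reports nothing.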
