Chris Buxton wrote:
> On Jul 8, 2008, at 11:33 AM, Kyle McDonald wrote:
>> Chris Buxton wrote:
>>> Your basic problem is that your authoritative name servers are also
>>> doing recursion. If you can avoid this, do so - turn recursion off on
>>> the name servers that host the subdomain.

>> Ok. I have, and want, the clients in the subdomain to use these servers
>> (in their resolv.conf) to resolve queries. Doesn't that mean I need
>> recursion on? Is that a bad idea?

> Using your servers for recursion makes things more complex, and can
> cause problems in certain circumstances. However, in your case, it may
> be a reasonable thing to do.

I've been out of the DNS game for years, so I must have a bunch of
learning to do, but it seemed good way back when.

> On your servers. You've already done this (with a slave zone), so I
> was simply pointing out that either a slave zone or a stub zone would
> be the best solution. (Personally, I favor the stub zone.)

I just tried the stub zone. That's working well also, and it caches to
boot. I think I'll stick with this.

>> The parent domain is managed by Win2k3
>> DNS servers and I don't think they have the concept of 'stub' zones.

> Yes they do. But that wasn't the point - a stub zone there should not
> be necessary.

So I learned. I was going by the BIND manual where it stated that
stub zones were an implementation feature of BIND and not found in all
other servers.

> Don't use forwarding. Just don't. (There has been some discussion on
> the list on this topic, but in this particular situation, you almost
> certainly should not use forwarding. It would be a very strange
> situation indeed if forwarding were required, and if it is not
> required, you should not use it here.)

It seems it's not required since stubs and slaves work. So I'll stick
with stubs (since I don't want to do zone transfers), and I'll learn more
about the evils of forwarding later.

> Somewhat similar to a slave zone, except the data is considered cached
> rather than authoritative, and there's a lot less data retrieved from
> the parent zone's servers. Also, it means they don't have to open zone
> transfers to you.

All good things.

> Not quite right.
> 1) Disable recursion. Set up separate recursion servers that know
> where to find the parent zone(s) (using one or more stub zones).
> Do not use forwarding. And the servers for the parent zone absolutely
> should not be doing recursion. (If they are, ask the admins to turn it
> off, and set up replacement resolving name servers elsewhere.)

Since the 2 AD/WinDNS servers are the only DNS servers in the company
(at least they're the ones DHCP configures for resolution on all the
Windows clients), I'm betting they are doing recursion. But that's not
the only thing wrong there, I think. (It may be OK, but it seems weird to me
that the SOA record on each is different, claiming that each is master,
and they seem to have slightly different info at times.)

>> 3) Setup a 'stub' zone for the parent domain. (Is this any different
>> than the 'forward' zone?)

> Yes. The crucial difference (not the only difference) is that, with a
> stub zone, your server sends iterative queries upstream. With
> forwarding, it sends recursive queries.

Ok. In the grand scheme, I'm not sure what real difference that makes,
but I like the idea that the recursion will be kept closer to home.

Interestingly enough, while all the solutions I've tried have worked
using nslookup and dig, when I ask dig to trace the search, it fails
again and I end up stuck at the external parent zone. Is that expected?

> My replacement option 1 is your best bet. Second best is 3 (or
> possibly 4, but I like 3 better).

I like 3 better than 4 also. And since your 1 and 3 both have stubs the
only difference there is recursion and another set of servers.

I already have recursion disabled on the master, which no client is
really setup to query. I only have recursion on on the 3 slaves I setup
for the clients to use. I suppose I could not make servers slaves, and
let them recurse to the master. Hmm.

>> Anything wrong with my logic or understanding?

> Don't use forwarding. It's a hazard to troubleshooting.

If there's only one thing I learned today, that's it: don't use


> Chris Buxton
> Professional Services
> Men & Mice
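
Added example (not from this thread, and not Men & Mice's or ISC's own configuration): BIND 9 named.conf fragments for the layout Chris calls "replacement option 1", with the forward zone he advises against shown commented out for contrast. The zone names, the RFC 5737 documentation addresses, the file paths and the client network are all assumed; the fragments come from two different named.conf files, one per server role.

```conf
## File 1: named.conf on an AUTHORITATIVE server for the subdomain.
## It answers only for the zones it hosts and never recurses, so nothing
## a client sends it can turn it into an open resolver.
options {
    directory "/var/named";
    recursion no;                     # authoritative-only: no recursion at all
    allow-query { any; };             # anyone may ask for the zones served here
    allow-transfer { 192.0.2.21; 192.0.2.22; 192.0.2.23; };  # assumed slave addresses
};

zone "sub.example.com" {              # assumed subdomain name
    type master;
    file "master/db.sub.example.com"; # assumed zone file path
};

## File 2: named.conf on a separate RESOLVING server, the one the subdomain's
## clients list in resolv.conf. It recurses only for the local network and
## learns where the parent zone lives from a stub zone, so it sends the
## parent's servers iterative queries and does its own recursion.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; localhost; };   # assumed client network only
};

zone "." {
    type hint;
    file "named.root";                # root hints: everything not covered below
};

zone "example.com" {                  # assumed parent zone, hosted on the Win2k3 DNS servers
    type stub;
    masters { 198.51.100.10; 198.51.100.11; };   # assumed parent server addresses
    file "stub/db.example.com";       # holds only the parent's SOA/NS (and glue)
};

## What NOT to do on the resolving server: a forward zone for the parent.
## This sends RECURSIVE queries to the parent servers and depends on them
## recursing on your behalf; any problem there becomes your problem, and
## the dependency is invisible when you troubleshoot with dig on this box.
// zone "example.com" {
//     type forward;
//     forward only;
//     forwarders { 198.51.100.10; 198.51.100.11; };
// };
```

Check each file with `named-checkconf /etc/named.conf` before reloading, then from a client verify that `dig @192.0.2.21 host.example.com` (the resolving server) gets an answer while `dig @192.0.2.10 host.example.com` (an authoritative server) returns a referral or REFUSED rather than recursing. One caveat on `dig +trace`: it ignores whatever resolver it is pointed at and walks the delegation itself starting from the root servers, so it only ever follows the public delegation and will not see a stub zone configured on your resolving server; to test the stub, query the resolving server directly without +trace.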