On Jul 8, 2008, at 12:32 PM, Kyle McDonald wrote:
> Chris Buxton wrote:
>> On Jul 8, 2008, at 11:33 AM, Kyle McDonald wrote:
>>> Chris Buxton wrote:
>>>> Your basic problem is that your authoritative name servers are also
>>>> doing recursion. If you can avoid this, do so - turn recursion off
>>>> on the name servers that host the subdomain.
>>> Ok. I have, and want, the clients in the subdomain to use these
>>> servers (in their resolv.conf) to resolve queries. Doesn't that mean
>>> I need recursion on? Is that a bad idea?
>>
>> Using your servers for recursion makes things more complex, and can
>> cause problems in certain circumstances. However, in your case, it
>> may be a reasonable thing to do.

> I've been out of the DNS game for years, so I must have a bunch of
> learning to do, but it seemed good way back when.


It is a common thing to do, although becoming less popular in my
experience, but it has been recommended against for something like 20
years.

>>> 3) Set up a 'stub' zone for the parent domain. (Is this any different
>>> than the 'forward' zone?)
>>
>> Yes. The crucial difference (not the only difference) is that, with
>> a stub zone, your server sends iterative queries upstream. With
>> forwarding, it sends recursive queries.

> Ok. In the grand scheme, I'm not sure what real difference that
> makes, but I like the idea that the recursion will be kept closer to
> home.
>
> Interestingly enough, while all the solutions I've tried have worked
> using nslookup and dig, when I ask dig to trace the search, it fails
> again and I end up stuck at the external parent zone. Is that
> expected?


Yes. 'dig +trace' goes out to the Internet unless you have a private
root zone.

Chris Buxton
Professional Services
Men & Mice
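
The stub-versus-forward distinction discussed in this message comes down to one header bit in the query a server sends upstream: RD ("recursion desired"). The sketch below is an added example, not part of the original thread; it builds the same question with RD set (as a forwarding server would) and clear (as a stub zone would), and the name host.parent.example and the transaction ID are constructed placeholders.

```python
import struct

RD_FLAG = 0x0100  # "recursion desired" bit in the DNS header flags word (RFC 1035)
QR_FLAG = 0x8000  # set on responses, clear on queries

def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, recursive: bool, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a one-question DNS query; `recursive` controls only the RD bit."""
    flags = RD_FLAG if recursive else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # 1 question, no RRs
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question

def query_mode(packet: bytes) -> str:
    """Classify a query packet as 'recursive' or 'iterative' from its RD bit."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", packet[:4])
    if flags & QR_FLAG:
        raise ValueError("packet is a response (QR=1), not a query")
    return "recursive" if flags & RD_FLAG else "iterative"

# Constructed sample: the same question as each zone type would send it upstream.
NAME = "host.parent.example"                     # placeholder, not from the thread
as_forward = build_query(NAME, recursive=True)   # 'forward' zone: RD=1
as_stub = build_query(NAME, recursive=False)     # 'stub' zone: RD=0

if __name__ == "__main__":
    for label, pkt in (("forward", as_forward), ("stub", as_stub)):
        print(f"{label:8s} flags=0x{pkt[2:4].hex()} -> {query_mode(pkt)}")
```

The two packets differ only in the flags bytes, which is why an upstream server with recursion turned off can still answer the stub-style query from its own authoritative data.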