• "forward first" set on a master zone not working as expected

    From Taylor Vierrether@taylor@viertaxa.com to bind-users on Wed Sep 2 15:00:44 2020
    From Newsgroup: comp.protocols.dns.bind

    Hello,

    I am attempting to set up an internal DNS server that is authoritative for
    internal resources, but also will respond for external resources on the
    same domain that it does not have records for.

    For example, I have a domain sub.example.com, and I want to have internal
    entries in the BIND zone file for host1.sub.example.com and
    host2.sub.example.com. That part is working fine. However, there is a
    publicly available DNS entry for sub.example.com that I want my internal
    clients to be able to resolve, but I don’t want to have the IP in the BIND
    zone file, because the IP is dynamic. There are also some hosts
    (host3.sub.example.com) and (host4.sub.example.com) that are externally
    resolvable that I don’t want to put in my internal BIND file because they
    are not controlled by me. (Think CNAME to a SaaS application)

    I’ve attempted to do this as follows, and it seems to make sense that it
    would work, but it does not.


    named.conf:

    zone "sub.example.com" IN {
            type master;
            file "/etc/bind/sub.example.com.zone";
            forward first;
            forwarders { 1.1.1.1; 1.0.0.1; };
    };

    sub.example.com.zone:

    $ORIGIN sub.example.com.
    $ttl 600
    @               300 SOA   dns.sub.example.com. (
                              taylor.viertaxa.com.  ; address of responsible party
                              2020090101            ; serial number
                              300                   ; refresh period
                              300                   ; retry period
                              604800                ; expire time
                              300 )                 ; minimum ttl
                    300 NS    elinore.ns.cloudflare.com.
                    300 NS    hal.ns.cloudflare.com.
    host1            60 A     10.x.x.x
    host2            60 A     10.x.x.x

    What I would expect to happen, is that BIND sees “forward first” and
    attempts to look up the hostname host3.sub.example.com on the listed
    forwarders, and succeeds (there’s an entry publicly available for that
    one).

    What actually happens, is if I query for sub.example.com I get the
    following from nslookup:
    *** Can't find sub.example.com: No answer

    And if I query for host3.example.com, I get the following from nslookup:
    ** server can't find host3.sub.example.com: NXDOMAIN


    BIND version:

    Package: bind9
    Version: 1:9.11.5.P4+dfsg-5.1+deb10u2


    Thank you in advance for any help you might be able to provide.


    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Matus UHLAR - fantomas@uhlar@fantomas.sk to bind-users on Thu Sep 3 09:51:28 2020
    From Newsgroup: comp.protocols.dns.bind

    On 02.09.20 15:00, Taylor Vierrether via bind-users wrote:
    > I am attempting to set up an internal DNS server that is authoritative for
    > internal resources, but also will respond for external resources on the
    > same domain that it does not have records for.
    >
    > For example, I have a domain sub.example.com, and I want to have internal
    > entries in the BIND zone file for host1.sub.example.com and
    > host2.sub.example.com. That part is working fine. However, there is a
    > publicly available DNS entry for sub.example.com that I want my internal
    > clients to be able to resolve, but I don’t want to have the IP in the BIND
    > zone file, because the IP is dynamic.

    you can delegate that entry elsewhere.

    > There are also some hosts (host3.sub.example.com) and
    > (host4.sub.example.com) that are externally resolvable that I don’t want
    > to put in my internal BIND file because they are not controlled by me.
    > (Think CNAME to a SaaS application)

    you can delegate those records somewhere.

    > I’ve attempted to do this as follows, and it seems to make sense that it
    > would work, but it does not.
    >
    > named.conf:
    >
    > zone "sub.example.com" IN {
    >         type master;
    >         file "/etc/bind/sub.example.com.zone";
    >         forward first;
    >         forwarders { 1.1.1.1; 1.0.0.1; };
    > };

    forwarding is not used for zones other than "type forward".

    > What actually happens, is if I query for sub.example.com I get the
    > following from nslookup:
    > *** Can't find sub.example.com: No answer

    if you search for the "sub.example.com" record, you cannot delegate that
    one, of course.

    you apparently should redesign your DNS. Easiest way would be using a
    different domain internally.

    > And if I query for host3.example.com, I get the following from nslookup:
    > ** server can't find host3.sub.example.com: NXDOMAIN

    note that nslookup is a very bad program for tracking DNS errors.
    use "host" or "dig" for that case.


    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Warning: I do not want to receive any advertising mail at this address.
    I just got lost in thought. It was unfamiliar territory.
  • From Kevin Darcy@kevin.darcy@fcagroup.com to ML BIND Users on Thu Sep 3 09:00:56 2020
    From Newsgroup: comp.protocols.dns.bind


    Or, if you absolutely *must* use the same namespace internally and
    externally (oftentimes you can't talk the business out of that), your
    internal version should be more or less a superset of your external
    version.

    How you keep those in sync is up to you. For us, we have a centralized
    management system that makes the relevant updates in parallel. The big
    caveat with that is those few situations where the DNS needs to be
    "schizophrenic", i.e. resolve differently in the internal versus external
    versions of the zones. We try to keep that nonsense to a minimum, but when
    we can't talk people out of it, we handle it on an exception basis.

    I suppose another approach is to have a backend database which tags each
    record as being "internal", "external" or "both", and then the respective
    versions of the zones get generated accordingly. You'd need something to
    ensure referential integrity, though, otherwise you might end up with
    dangling references (e.g. CNAME/MX/SRV targets), bad delegations, etc.


    - Kevin

    P.S. No offense to schizophrenics. I guess a more accurate term would be "multiple personality".


    On Thu, Sep 3, 2020 at 3:52 AM Matus UHLAR - fantomas <uhlar@fantomas.sk> wrote:
    > you apparently should redesign your DNS. Easiest way would be using a
    > different domain internally.

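A sketch of the tagged-record generator Kevin describes, as an added example that is not code from the thread or from any of its posters: each record carries an "internal", "external" or "both" tag, the internal zone is generated as the superset of everything not tagged external-only, and in-zone CNAME/MX/SRV targets and delegation glue are checked for dangling references before a view is emitted. The record set, addresses and the dev delegation are constructed for illustration, modelled on the zone in the first message.

```python
# Added example (not from the thread): generate internal and external views of
# one zone from tagged records, refusing to emit a view with dangling references.
from dataclasses import dataclass

ORIGIN = "sub.example.com."                    # constructed, after the thread
POINTER_TYPES = {"CNAME", "MX", "SRV", "NS"}   # rdata ends in a target name


@dataclass(frozen=True)
class Record:
    name: str    # owner relative to ORIGIN, "@" for the apex
    rtype: str
    rdata: str   # for POINTER_TYPES the last token is the target name
    scope: str   # "internal", "external" or "both"


# Constructed sample data modelled on the thread: host1/host2 are internal
# only, host3 is a CNAME to a SaaS provider, the apex A is the dynamic public
# address (the external-only exception), and the MX points at host1.
RECORDS = [
    Record("@", "SOA", "dns.sub.example.com. taylor.viertaxa.com. "
                       "2020090101 300 300 604800 300", "both"),
    Record("@", "NS", "elinore.ns.cloudflare.com.", "both"),
    Record("@", "NS", "hal.ns.cloudflare.com.", "both"),
    Record("@", "A", "203.0.113.10", "external"),
    Record("host1", "A", "10.0.0.1", "internal"),
    Record("host2", "A", "10.0.0.2", "internal"),
    Record("host3", "CNAME", "app.saas-provider.example.", "both"),
    Record("dev", "NS", "ns1.dev", "internal"),       # delegation needs glue
    Record("ns1.dev", "A", "10.0.0.53", "internal"),  # the glue record
    Record("mail", "MX", "10 host1", "both"),         # dangling externally
]


def records_for(view, records):
    """Select one view: 'both' plus the records tagged for that view only."""
    return [r for r in records if r.scope in ("both", view)]


def absolute(name):
    """Fully qualify a relative owner or target name."""
    if name == "@":
        return ORIGIN
    return name if name.endswith(".") else f"{name}.{ORIGIN}"


def dangling_targets(view_records):
    """Targets of pointer records that lie inside ORIGIN but have no owner in
    this view. Targets outside the zone (the SaaS CNAME) are not checked."""
    owners = {absolute(r.name) for r in view_records}
    missing = []
    for r in view_records:
        if r.rtype not in POINTER_TYPES:
            continue
        if r.rtype == "NS" and r.name == "@":
            continue  # apex NS is the zone's own server set, not a delegation
        target = absolute(r.rdata.split()[-1])
        in_zone = target == ORIGIN or target.endswith("." + ORIGIN)
        if in_zone and target not in owners:
            missing.append((r.name, r.rtype, target))
    return missing


def render(view, records, ttl=600):
    """Zone-file text for one view; raises rather than emit a broken zone."""
    chosen = records_for(view, records)
    broken = dangling_targets(chosen)
    if broken:
        raise ValueError(f"{view} view has dangling references: {broken}")
    lines = [f"$ORIGIN {ORIGIN}", f"$TTL {ttl}"]
    lines += [f"{r.name:<8} IN {r.rtype:<6} {r.rdata}" for r in chosen]
    return "\n".join(lines) + "\n"
```

With this data the internal view renders, while the external view is rejected because the MX target host1 exists only internally, which is exactly the dangling-reference case the integrity check is there to catch.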