PHWinfo - Afficher un message - Zone "type forward" vs. sub-domain delegation.

19/09/2007, 22h51

"Barry Margolin" <barmar@alum.mit.edu> wrote in message
news:barmar-F86AD9.21105713092007@comcast.dca.giganews.com...
> In article <fccfp1$lhj$1@nnrp.ngi.it>, "Gabriele" <gabro@gabro.net>
> wrote:
>
>> I would like to build a DNS hierarchy with a company-internal
>> "mycompany.com." domain (hosted on name servers running BIND) and an
>> "ad.mycompany.com." subdomain delegated to DNS administrators of a
>> Microsoft
>> Active Directory environment.
>>
>> I've seen that setting either forwarders (1) or zone-delegation (2) make
>> name resolution work even for sub-domain hosts:
>>
>> 1) zone "ad.mycompany.com" IN {
>> type forward;
>> forwarders {10.0.0.1; 10.0.0.2;};
>> };
>>
>> 2) $ORIGIN ad.mycompany.com.
>> @ IN NS ns1.ad.mycompany.com.
>> @ IN NS ns2.ad.mycompany.com.
>> ns1 IN A 10.0.0.1
>> ns2 IN A 10.0.0.2
>>
>> Even if both works, I think option 2 is best as forwarders are set in
>> "named.conf" per-server configuration file, while the delegation is set
>> in
>> the "domain.com" zone file that would be transfered to any secondary
>> (slave)
>> name server.
>>
>> What's your opinion?
>
> Forwarding won't work if you're getting requests from caching
> nameservers. They send non-recursive requests, and forwarding is only
> followed for recursive requests. Also, the caching servers can cache
> the delegation records, so from then on they'll go directly to the
> ad.mycompany.com servers, rather than going through the mycompany.com
> servers.
>
> If the client machines are pointing directly to the mycompany.com
> servers in their resolver configurations then there's not much
> difference, other than the one you point out about only having to change
> things in one place.
>
> --
> Barry Margolin, barmar@alum.mit.edu
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***
> *** PLEASE don't copy me on replies, I'll read them in the group ***

Thanks for your valuable insight about potential problems coming from
caching nameservers.

Is there a way to retrieve configuration information from a DNS server to
understand if a certain zone is set as type-forward or delegated? Can
NSLOOKUP assist in this investigation if I do not have administrative rights
over the parent DNS server?

Thanks in advance.
Gabriele

19/09/2007, 22h51	#3
Gabriele Messages: n/a Hébergeur:	Re: Zone "type forward" vs. sub-domain delegation. "Barry Margolin" <barmar@alum.mit.edu> wrote in message news:barmar-F86AD9.21105713092007@comcast.dca.giganews.com... > In article <fccfp1$lhj$1@nnrp.ngi.it>, "Gabriele" <gabro@gabro.net> > wrote: > >> I would like to build a DNS hierarchy with a company-internal >> "mycompany.com." domain (hosted on name servers running BIND) and an >> "ad.mycompany.com." subdomain delegated to DNS administrators of a >> Microsoft >> Active Directory environment. >> >> I've seen that setting either forwarders (1) or zone-delegation (2) make >> name resolution work even for sub-domain hosts: >> >> 1) zone "ad.mycompany.com" IN { >> type forward; >> forwarders {10.0.0.1; 10.0.0.2;}; >> }; >> >> 2) $ORIGIN ad.mycompany.com. >> @ IN NS ns1.ad.mycompany.com. >> @ IN NS ns2.ad.mycompany.com. >> ns1 IN A 10.0.0.1 >> ns2 IN A 10.0.0.2 >> >> Even if both works, I think option 2 is best as forwarders are set in >> "named.conf" per-server configuration file, while the delegation is set >> in >> the "domain.com" zone file that would be transfered to any secondary >> (slave) >> name server. >> >> What's your opinion? > > Forwarding won't work if you're getting requests from caching > nameservers. They send non-recursive requests, and forwarding is only > followed for recursive requests. Also, the caching servers can cache > the delegation records, so from then on they'll go directly to the > ad.mycompany.com servers, rather than going through the mycompany.com > servers. > > If the client machines are pointing directly to the mycompany.com > servers in their resolver configurations then there's not much > difference, other than the one you point out about only having to change > things in one place. > > -- > Barry Margolin, barmar@alum.mit.edu > Arlington, MA > * PLEASE post questions in newsgroups, not directly to me * > * PLEASE don't copy me on replies, I'll read them in the group * Thanks for your valuable insight about potential problems coming from caching nameservers. Is there a way to retrieve configuration information from a DNS server to understand if a certain zone is set as type-forward or delegated? Can NSLOOKUP assist in this investigation if I do not have administrative rights over the parent DNS server? Thanks in advance. Gabriele