I would like to build a DNS hierarchy with a company-internal
"mycompany.com." domain (hosted on name servers running BIND) and an
"ad.mycompany.com." subdomain delegated to DNS administrators of a Microsoft
Active Directory environment.

I've seen that setting either forwarders (1) or zone-delegation (2) make
name resolution work even for sub-domain hosts:

1) zone "ad.mycompany.com" IN {
type forward;
forwarders {10.0.0.1; 10.0.0.2;};
};

2) $ORIGIN ad.mycompany.com.
@ IN NS ns1.ad.mycompany.com.
@ IN NS ns2.ad.mycompany.com.
ns1 IN A 10.0.0.1
ns2 IN A 10.0.0.2

Even if both works, I think option 2 is best as forwarders are set in
"named.conf" per-server configuration file, while the delegation is set in
the "domain.com" zone file that would be transfered to any secondary (slave)
name server.

What's your opinion?

Thanks in advance. - Gabriele

In article <fccfp1$lhj$1@nnrp.ngi.it>, "Gabriele" <gabro@gabro.net>
wrote:

> I would like to build a DNS hierarchy with a company-internal
> "mycompany.com." domain (hosted on name servers running BIND) and an
> "ad.mycompany.com." subdomain delegated to DNS administrators of a Microsoft
> Active Directory environment.
>
> I've seen that setting either forwarders (1) or zone-delegation (2) make
> name resolution work even for sub-domain hosts:
>
> 1) zone "ad.mycompany.com" IN {
> type forward;
> forwarders {10.0.0.1; 10.0.0.2;};
> };
>
> 2) $ORIGIN ad.mycompany.com.
> @ IN NS ns1.ad.mycompany.com.
> @ IN NS ns2.ad.mycompany.com.
> ns1 IN A 10.0.0.1
> ns2 IN A 10.0.0.2
>
> Even if both works, I think option 2 is best as forwarders are set in
> "named.conf" per-server configuration file, while the delegation is set in
> the "domain.com" zone file that would be transfered to any secondary (slave)
> name server.
>
> What's your opinion?

Forwarding won't work if you're getting requests from caching
nameservers. They send non-recursive requests, and forwarding is only
followed for recursive requests. Also, the caching servers can cache
the delegation records, so from then on they'll go directly to the
ad.mycompany.com servers, rather than going through the mycompany.com
servers.

If the client machines are pointing directly to the mycompany.com
servers in their resolver configurations then there's not much
difference, other than the one you point out about only having to change
things in one place.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

"Barry Margolin" <barmar@alum.mit.edu> wrote in message
news:barmar-F86AD9.21105713092007@comcast.dca.giganews.com...
> In article <fccfp1$lhj$1@nnrp.ngi.it>, "Gabriele" <gabro@gabro.net>
> wrote:
>
>> I would like to build a DNS hierarchy with a company-internal
>> "mycompany.com." domain (hosted on name servers running BIND) and an
>> "ad.mycompany.com." subdomain delegated to DNS administrators of a
>> Microsoft
>> Active Directory environment.
>>
>> I've seen that setting either forwarders (1) or zone-delegation (2) make
>> name resolution work even for sub-domain hosts:
>>
>> 1) zone "ad.mycompany.com" IN {
>> type forward;
>> forwarders {10.0.0.1; 10.0.0.2;};
>> };
>>
>> 2) $ORIGIN ad.mycompany.com.
>> @ IN NS ns1.ad.mycompany.com.
>> @ IN NS ns2.ad.mycompany.com.
>> ns1 IN A 10.0.0.1
>> ns2 IN A 10.0.0.2
>>
>> Even if both works, I think option 2 is best as forwarders are set in
>> "named.conf" per-server configuration file, while the delegation is set
>> in
>> the "domain.com" zone file that would be transfered to any secondary
>> (slave)
>> name server.
>>
>> What's your opinion?
>
> Forwarding won't work if you're getting requests from caching
> nameservers. They send non-recursive requests, and forwarding is only
> followed for recursive requests. Also, the caching servers can cache
> the delegation records, so from then on they'll go directly to the
> ad.mycompany.com servers, rather than going through the mycompany.com
> servers.
>
> If the client machines are pointing directly to the mycompany.com
> servers in their resolver configurations then there's not much
> difference, other than the one you point out about only having to change
> things in one place.
>
> --
> Barry Margolin, barmar@alum.mit.edu
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***
> *** PLEASE don't copy me on replies, I'll read them in the group ***

Thanks for your valuable insight about potential problems coming from
caching nameservers.

Is there a way to retrieve configuration information from a DNS server to
understand if a certain zone is set as type-forward or delegated? Can
NSLOOKUP assist in this investigation if I do not have administrative rights
over the parent DNS server?

Thanks in advance.
Gabriele

In article <fcs5lc$nph$1@nnrp.ngi.it>, "Gabriele" <gabro@gabro.net>
wrote:

> Is there a way to retrieve configuration information from a DNS server to
> understand if a certain zone is set as type-forward or delegated? Can
> NSLOOKUP assist in this investigation if I do not have administrative rights
> over the parent DNS server?

No. If you want to know how a nameserver is configured, you need to
have access to the configuration files.

If you aren't an administrator of the server, why do you care how it
does it? All that matters is that it gives the correct answers.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***