Multiple levels of subdomain delegation

From Brandonhutchinson.com

(Difference between revisions)
(New page: == Scenario == In this (admittedly convoluted, but I encountered it at work) example, assume the zone we are authoritative for is '''example.org'''. * We want to delegate '''shiznit.exa...)
Current revision (20:17, 25 September 2008)
 
(3 intermediate revisions not shown.)
Line 3: Line 3:
In this (admittedly convoluted, but I encountered it at work) example, assume the zone we are authoritative for is '''example.org'''.
In this (admittedly convoluted, but I encountered it at work) example, assume the zone we are authoritative for is '''example.org'''.
-
* We want to delegate '''shiznit.example.org''' to two name servers, '''ns1.example.org''' and '''ns2.example.org'''.
+
* We want to delegate '''shiznit.example.org''' to two name servers, '''ns1.shiznit.example.org''' and '''ns2.shiznit.example.org'''.
-
* We want to delegate '''subdomain.shiznit.example.org''' to a different name server, '''ns3.example.org'''.
+
* We want to delegate '''subdomain.shiznit.example.org''' to a different name server, '''ns1.subdomain.shiznit.example.org'''.
-
* The name servers for '''shiznit.example.org'''--'''ns1.example.org''' and '''ns2.example.org'''--know nothing about '''subdomain.shiznit.example.org'''.
+
* The name servers for '''shiznit.example.org''' know nothing about '''subdomain.shiznit.example.org''' (this can be a problem with the glue record; see below).
Our '''example.org''' zone will look something like (assuming an ''$ORIGIN'' of '''example.org'''):
Our '''example.org''' zone will look something like (assuming an ''$ORIGIN'' of '''example.org'''):
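Review bot: the revised third bullet ends with "(this can be a problem with the glue record; see below)", which does not say what the problem is. The same edit moves the subdomain's name server to ns1.subdomain.shiznit.example.org, a name inside the subdomain being delegated, so the bullet could state directly that the shiznit.example.org name servers have no A record for that name.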
Line 23: Line 23:
In other words, BIND will attempt to resolve the A record for ''ns1.subdomain.shiznit'' by querying the delegated name servers for the shiznit subdomain, ''ns1.shiznit'' and ''ns2.shiznit''.
In other words, BIND will attempt to resolve the A record for ''ns1.subdomain.shiznit'' by querying the delegated name servers for the shiznit subdomain, ''ns1.shiznit'' and ''ns2.shiznit''.
-
You must have the glue record in its parent in order for this to work; I don't know of any workaround. So to fix delegation in this example, we add the following DNS A record to the ''ns1.shiznit'' and ''ns2.shiznit'' name servers (assuming an ''$ORIGIN'' of ''shiznit.example.org'').
+
To make this work, you can either:
 +
 
 +
* Place the glue record in its parent. i.e., add the following DNS A record to the ''ns1.shiznit'' and ''ns2.shiznit'' name servers (assuming an ''$ORIGIN'' of ''shiznit.example.org'').
ns1.subdomain IN A 192.168.1.102
ns1.subdomain IN A 192.168.1.102
 +
* Configure ''subdomain.shiznit'' as a forward or stub zone.
-
It would probably make the most sense to have the ''shiznit.example.org''' name servers properly delegate the ''subdomain.shiznit.example.org'' subdomain.
+
It probably makes the most sense to have the ''shiznit.example.org'' name servers properly delegate the ''subdomain.shiznit.example.org'' subdomain.
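Review bot: the closing sentence recommends that the shiznit.example.org name servers properly delegate subdomain.shiznit.example.org, but the first option in the new list shows only the A record "ns1.subdomain IN A 192.168.1.102" and no NS record for the subdomain, so it is unclear whether that option and the recommendation are the same thing. Suggest showing the NS record next to the A record, or saying that the first option is the A record alone. The second option, "Configure subdomain.shiznit as a forward or stub zone", should also name the server on which that zone is configured.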

Current revision

Scenario

In this (admittedly convoluted, but I encountered it at work) example, assume the zone we are authoritative for is example.org.

  • We want to delegate shiznit.example.org to two name servers, ns1.shiznit.example.org and ns2.shiznit.example.org.
  • We want to delegate subdomain.shiznit.example.org to a different name server, ns1.subdomain.shiznit.example.org.
  • The name servers for shiznit.example.org know nothing about subdomain.shiznit.example.org (this can be a problem with the glue record; see below).

Our example.org zone will look something like (assuming an $ORIGIN of example.org):

  • Delegations
      shiznit IN NS ns1.shiznit
      shiznit IN NS ns2.shiznit
      subdomain.shiznit IN NS ns1.subdomain.shiznit
  • Glue records
      ns1.shiznit IN A 192.168.1.100
      ns2.shiznit IN A 192.168.1.101
      ns1.subdomain.shiznit IN A 192.168.1.102 (not needed, see below)

There can be a problem with the above configuration. Although BIND 9 (9.3.4-P1 in this example) will correctly follow the subdomain delegation of subdomain.shiznit, it will not use the ns1.subdomain.shiznit glue record in the example.org zone.

In other words, BIND will attempt to resolve the A record for ns1.subdomain.shiznit by querying the delegated name servers for the shiznit subdomain, ns1.shiznit and ns2.shiznit.

To make this work, you can either:

  • Place the glue record in its parent, i.e., add the following DNS A record to the ns1.shiznit and ns2.shiznit name servers (assuming an $ORIGIN of shiznit.example.org).
      ns1.subdomain IN A 192.168.1.102
  • Configure subdomain.shiznit as a forward or stub zone.

It probably makes the most sense to have the shiznit.example.org name servers properly delegate the subdomain.shiznit.example.org subdomain.
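The lookup path described above can be traced with a small model. This is an added example, not part of the original page. It assumes a resolver that is referred onward at the first delegation point it meets below each zone apex. The function names and the NS line in DELEGATED are constructed for illustration; the other records are the page's.

```python
# Added example. Zone data is copied from the page except where marked
# "constructed"; parse/topmost_cut/resolve_a/scenario are hypothetical names.
EXAMPLE_ORG = """
shiznit               IN NS ns1.shiznit
shiznit               IN NS ns2.shiznit
subdomain.shiznit     IN NS ns1.subdomain.shiznit
ns1.shiznit           IN A  192.168.1.100
ns2.shiznit           IN A  192.168.1.101
ns1.subdomain.shiznit IN A  192.168.1.102
"""
GLUE_ONLY = "ns1.subdomain IN A 192.168.1.102"             # the page's fix
DELEGATED = "subdomain IN NS ns1.subdomain\n" + GLUE_ONLY  # NS line is constructed
TARGET = "ns1.subdomain.shiznit.example.org"

def parse(text, origin):
    """Map (fully qualified owner, type) -> list of rdata strings."""
    recs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            owner, _cls, rtype, rdata = fields[:4]
            recs.setdefault((f"{owner}.{origin}", rtype), []).append(rdata)
    return recs

def topmost_cut(name, origin, recs):
    """First delegation point met walking from the zone apex down to name."""
    labels = name[: -len(origin) - 1].split(".")
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "." + origin
        if (candidate, "NS") in recs:
            return candidate
    return None

def resolve_a(name, zones, origin="example.org"):
    """Follow referrals; return (zone that supplied the data, A rdata)."""
    while True:
        recs = zones[origin]
        cut = topmost_cut(name, origin, recs)
        if cut in zones:          # referral to servers whose zone we model
            origin = cut
            continue
        # No cut: authoritative data. Cut to an unmodelled zone: its glue.
        return origin, recs.get((name, "A"), [])

def scenario(shiznit_zone_text):
    zones = {"example.org": parse(EXAMPLE_ORG, "example.org"),
             "shiznit.example.org": parse(shiznit_zone_text, "shiznit.example.org")}
    return resolve_a(TARGET, zones)

if __name__ == "__main__":
    for label, text in [("empty", ""), ("glue only", GLUE_ONLY), ("delegated", DELEGATED)]:
        print(label, scenario(text))
```

In all three cases the data comes from the shiznit.example.org zone, never from the glue in example.org, and the address is found only once that zone carries the A record.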
