Multiple levels of subdomain delegation

From Brandonhutchinson.com

Revision as of 21:32, 8 August 2008 by Hutch (Talk | contribs)

Scenario

In this (admittedly convoluted, but I encountered it at work) example, assume the zone we are authoritative for is example.org.

  • We want to delegate shiznit.example.org to two name servers, ns1.shiznit.example.org and ns2.shiznit.example.org.
  • We want to delegate subdomain.shiznit.example.org to a different name server, ns1.subdomain.shiznit.example.org.
  • The name servers for shiznit.example.org know nothing about subdomain.shiznit.example.org (this can be a problem with the glue record; see below).

Our example.org zone will look something like (assuming an $ORIGIN of example.org):

  • Delegations
shiznit IN NS ns1.shiznit
shiznit IN NS ns2.shiznit
subdomain.shiznit IN NS ns1.subdomain.shiznit
  • Glue records
ns1.shiznit IN A 192.168.1.100
ns2.shiznit IN A 192.168.1.101
ns1.subdomain.shiznit IN A 192.168.1.102 ; not needed, see below

There can be a problem with the above configuration. Although BIND 9 (9.3.4-P1 in this example) will correctly follow the subdomain delegation of subdomain.shiznit, it will not use the ns1.subdomain.shiznit glue record in the example.org zone.

In other words, BIND will attempt to resolve the A record for ns1.subdomain.shiznit by querying the delegated name servers for the shiznit subdomain, ns1.shiznit and ns2.shiznit.

You must have the glue record in its parent zone (shiznit.example.org) for this to work; I don't know of any workaround. To fix delegation in this example, we add the following DNS A record on the ns1.shiznit and ns2.shiznit name servers (assuming an $ORIGIN of shiznit.example.org):

ns1.subdomain IN A 192.168.1.102

It would probably make the most sense to have the shiznit.example.org name servers properly delegate the subdomain.shiznit.example.org subdomain.
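
The check below is an added example, not part of the original page: it scans the example.org records from the scenario and reports any name server A record that sits beneath a shallower delegation it does not serve, which is the case where the address must also be published on that delegation's name servers. It assumes all names are relative to one $ORIGIN, lowercase, with one record per line; the function names are hypothetical.

```python
# Constructed sample: the example.org zone from the scenario, relative to $ORIGIN.
ZONE = """\
shiznit               IN NS ns1.shiznit
shiznit               IN NS ns2.shiznit
subdomain.shiznit     IN NS ns1.subdomain.shiznit
ns1.shiznit           IN A  192.168.1.100
ns2.shiznit           IN A  192.168.1.101
ns1.subdomain.shiznit IN A  192.168.1.102 ; not needed, see below
"""

def parse(zone_text):
    """Return (delegations, glue): {owner: [NS targets]} and {owner: address}."""
    delegations, glue = {}, {}
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop zone-file comments
        if len(fields) != 4 or fields[1] != "IN":
            continue
        owner, _, rtype, rdata = fields
        if rtype == "NS":
            delegations.setdefault(owner, []).append(rdata)
        elif rtype == "A":
            glue[owner] = rdata
    return delegations, glue

def is_below(name, cut):
    """True if name is the delegation point itself or a descendant of it."""
    return name == cut or name.endswith("." + cut)

def shadowed_glue(zone_text):
    """List (name, address, cut) for A records hidden under a shallower delegation."""
    delegations, glue = parse(zone_text)
    findings = []
    for name, addr in glue.items():
        covering = [cut for cut in delegations if is_below(name, cut)]
        if not covering:
            continue
        # The shallowest delegation covering the name is the one resolvers follow.
        top = min(covering, key=lambda cut: cut.count("."))
        if name not in delegations[top]:
            findings.append((name, addr, top))
    return findings

if __name__ == "__main__":
    for name, addr, cut in shadowed_glue(ZONE):
        print(f"{name} A {addr}: must also exist on the name servers for {cut}")
```
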
