This is a discussion on Re: NS records for subzone cause BIND 9 failures within the Bind Users forums, part of the DNS and Related Forums category.
> > > When a parent zone has subzone data in it, NS records for the subzone
> > > will cause BIND 9 servers to fail to resolve any of the subzone's
> > > data. The problem does not exist with 8.2.3, but does with 9.2.1 and
> > > 9.3.0.
> > >
> > Well, it's not a "problem"; it's the way DNS is supposed to work. When
> > you delegate a zone to other nameservers, then those nameservers own the
> > data in the zone, not you. The only exceptions are so-called "glue"
> > records describing the nameservers for the child zone. Ordinary records,
> > like A records which are not associated with nameservers, MX records and
> > so forth, belong to the "closest enclosing zone", i.e. the child (or
> > "child-most") zone.
> >
>
> In our situation, the BIND 9 servers are secondary for the parent
> zone, but not the subzone. The users at our location cannot resolve
> any of the subzone data that is in the parent zone, but users at other
> locations where they are running BIND 8 or Microsoft DNS can resolve
> it. The subzone data in the parent zone are two NS records and A
> records for the two subzone name servers.
>
> It looks like Microsoft DNS will use the data in the parent zone to
> query the subzone name servers for the subzone data, but BIND will
> not. This is the second time I have run into this problem, and have
> solved it by slaving the subzone.
>
> This leaves me with two questions. My original question was why can't
> BIND 9 resolve subzone data from a parent zone when NS records for the
> subzone are in it?

Sounds like you have forwarding enabled and haven't disabled
forwarding for the subzone and/or you have recursion disabled.

> In other words, if you have a bar.com zone with the following in it:
>
> $ORIGIN bar.com
> foo     NS      ns1.foo
> $ORIGIN foo.bar.com
> ns1     A       1.2.3.4
>
> Why can you resolve both the A and NS records with BIND 8, but nothing
> with BIND 9? If the NS records are removed, the A records will resolve
> with BIND 9.
>
> And the other question is can you delegate a subzone by putting NS and
> A records for the subzone's servers in the parent zone? The answer
> about glue records seems to indicate this is possible and it appears
> that Microsoft DNS supports this, but it does not work with BIND 8 or
> 9. I know Microsoft likes to make their own rules and seem to try to
> be incompatible so they can take over the world, but a lot of the
> people in other parts of my company are pro Microsoft and would like
> to see BIND go away. The perspective "problem" with my BIND 9 servers
> is giving them reason to push for a pure Microsoft solution.
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: Mark_Andrews@isc.org
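
The diagnosis in the reply above, sketched as a named.conf fragment. This is an added illustration, not configuration posted in the thread or supplied by ISC. All addresses, the ACL range and the file path are constructed placeholders, and it assumes the server is a secondary for bar.com with global forwarders set.

```conf
// Assumed starting point: a BIND 9 secondary for bar.com that also
// forwards everything it is not authoritative for.
options {
    // With "recursion no" the server only returns a referral for names
    // below the foo.bar.com zone cut; it never queries ns1.foo.bar.com.
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // constructed internal client range

    // Global forwarding: without an override, queries for names below a
    // delegation are sent here instead of to the delegated name servers.
    forwarders { 198.51.100.53; };       // constructed forwarder address
    forward only;
};

zone "bar.com" {
    type slave;
    masters { 203.0.113.10; };           // constructed primary address
    file "slave/bar.com";                // constructed path
};

// Override for the delegated subzone: an empty forwarders list cancels
// the global forwarders for foo.bar.com, so named follows the NS records
// and glue A records it holds in its copy of bar.com.
zone "foo.bar.com" {
    type forward;
    forwarders { };
};
```

Keeping allow-recursion restricted to internal clients avoids turning the secondary into an open resolver when recursion is switched on.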