Discussion:
Static-stub zones and forwarding
Mark Picone
2012-08-24 05:45:22 UTC
Permalink
Hi All,

I am in the process of migrating all of our client facing resolver hosts back to BIND (from unbound) and have hit a roadblock.
I wanted to confirm if I have missed something in my BIND configuration or I have hit some sort of limitation in BIND.

It appears as if BIND is ignoring the static-stub zone and just forwarding all queries to the specified forwarders.

The reason that I require a static-stub and not a forward zone is that our internal name servers have delegated zones (to Cisco GSS/F5 devices) which return site-specific answers; If I allow the client facing resolvers to recursively query the internal name servers I will get back the site-specific answer for the internal name server instead of the client facing resolver.
Using a static-stub zone forces the client facing resolver to use iterative queries which will eventually lead it to query the Cisco GSS/F5 device for itself.

Environment info:
- I have obscured hostnames & IP addresses.

Public facing name servers (host the 'external' view of our primary zone & also perform recursive lookups for our internal servers):
- 111.111.111.111
- 222.222.222.222

Internal facing name servers (host the 'internal' view of our primary zone, will perform recursive queries for client facing resolvers):
- 10.0.0.1
- 10.0.0.2
- 10.0.0.3

BIND/Unbound, (client facing resolver) details:

user at host:~ %cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.2 (Santiago)

user at host:~ %rpm -qa | grep ^bind
bind-9.8.2-0.10.rc1.el6_3.2.x86_64
bind-utils-9.8.2-0.10.rc1.el6_3.2.x86_64
bind-libs-9.8.2-0.10.rc1.el6_3.2.x86_64

user at host:~ %rpm -qa | grep unbound
unbound-1.4.14-1.el6.x86_64
unbound-libs-1.4.14-1.el6.x86_64


Unbound config (working):
- http://pastebin.com/MDFwZRLq
- Unbound sends iterative queries to the name servers specified in the stub zone.

BIND config #1 (static-stub zone ignored, all queries are forwarded to 111.111.111.111/222.222.222.222):
- http://pastebin.com/3rcZdxbQ

BIND config #2 (static-stub zone ignored, all queries are forwarded to 111.111.111.111/222.222.222.222):
- http://pastebin.com/cgbxSYph

Note: I have also tried setting 'forwards {};' in the static-stub zone but BIND returns with the error:
- "option 'forwarders' is not allowed in 'static-stub' zone 'obscured.edu.au'"


Regards,

Mark Picone
Unix Administrator
Deakin eSolutions

Deakin University
Geelong Waterfront Campus
1 Gheringhap Street, Geelong, VIC 3220
Phone: +61 3 52278602
Deakin University CRICOS Provider Code 00113B



Important Notice: The contents of this email are intended solely for the named addressee and are confidential; any unauthorised use, reproduction or storage of the contents is expressly prohibited. If you have received this email in error, please delete it and any attachments immediately and advise the sender by return email or telephone.

Deakin University does not warrant that this email and any attachments are error or virus free.
Mark Andrews
2012-08-24 05:58:08 UTC
Permalink
This is partially addressed in the upcoming maintainence release.

diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 5d95eda..5891255 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1324,8 +1324,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "also-notify", MASTERZONE | SLAVEZONE },
{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE | STREDIRECTZONE },
{ "delegation-only", HINTZONE | STUBZONE | DELEGATIONZONE },
- { "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
- { "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
+ { "forward", MASTERZONE | SLAVEZONE | STUBZONE |
+ STATICSTUBZONE | FORWARDZONE },
+ { "forwarders", MASTERZONE | SLAVEZONE | STUBZONE |
+ STATICSTUBZONE | FORWARDZONE },
{ "maintain-ixfr-base", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
{ "max-ixfr-log-size", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
{ "notify-source", MASTERZONE | SLAVEZONE },
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
Mark Picone
2012-08-30 02:09:26 UTC
Permalink
Hi Mark,

Thanks for the heads up; I have tested this patch in our environment and it fixes the problem for us :).

As we have Red Hat support, I have asked if they would include this patch early for us.

In the meantime, I'm considering just running a hand compiled version of 'named-checkconf' with our supported BIND package.

Regards,

Mark Picone
Unix Administrator
Deakin eSolutions

Deakin University
Geelong Waterfront Campus
1 Gheringhap Street, Geelong, VIC 3220
Phone: +61 3 52278602
Deakin University CRICOS Provider Code 00113B


-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org]
Sent: Friday, 24 August 2012 3:58 PM
To: Mark Picone
Cc: bind-users at lists.isc.org
Subject: Re: Static-stub zones and forwarding


This is partially addressed in the upcoming maintainence release.

diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 5d95eda..5891255 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1324,8 +1324,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
{ "also-notify", MASTERZONE | SLAVEZONE },
{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE | STREDIRECTZONE },
{ "delegation-only", HINTZONE | STUBZONE | DELEGATIONZONE },
- { "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
- { "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE },
+ { "forward", MASTERZONE | SLAVEZONE | STUBZONE |
+ STATICSTUBZONE | FORWARDZONE },
+ { "forwarders", MASTERZONE | SLAVEZONE | STUBZONE |
+ STATICSTUBZONE | FORWARDZONE },
{ "maintain-ixfr-base", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
{ "max-ixfr-log-size", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
{ "notify-source", MASTERZONE | SLAVEZONE },

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org

Important Notice: The contents of this email are intended solely for the named addressee and are confidential; any unauthorised use, reproduction or storage of the contents is expressly prohibited. If you have received this email in error, please delete it and any attachments immediately and advise the sender by return email or telephone.

Deakin University does not warrant that this email and any attachments are error or virus free.
Michael Hoskins (michoski)
2012-08-24 07:06:19 UTC
Permalink
-----Original Message-----

From: Mark Picone <mark.picone at deakin.edu.au>
Date: Thursday, August 23, 2012 10:45 PM
To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Static-stub zones and forwarding
Post by Mark Picone
Hi All,
I am in the process of migrating all of our client facing resolver hosts
back to BIND (from unbound) and have hit a roadblock.
I wanted to confirm if I have missed something in my BIND configuration
or I have hit some sort of limitation in BIND.
It appears as if BIND is ignoring the static-stub zone and just
forwarding all queries to the specified forwarders.
The reason that I require a static-stub and not a forward zone is that
our internal name servers have delegated zones (to Cisco GSS/F5 devices)
which return site-specific answers; If I allow the client facing
resolvers to recursively query the internal name servers I will get back
the site-specific answer for the internal name server instead of the
client facing resolver.
Using a static-stub zone forces the client facing resolver to use
iterative queries which will eventually lead it to query the Cisco GSS/F5
device for itself.
Going out on a limb (we have something similar, but there might be small
implementation details that are different) -- have you tried making master
zones vs stubs, where you can use forwarders {}; to override the global
list, and then place NS delegations and glue pointing to the GSS/F5
devices?
Loading...