
I'm having trouble with bind9 to configure the following dns setup:

I want to delegate a zone to a remote dns server. But I want to delegate a sub-zone of that zone to a different dns server.

Example:

  • project.example.com -> to dns server dns1
  • prd.project.example.com -> to dns server dns2

For obvious reasons, I don't want to delegate everything to dns1 and then delegate prd.project.example.com to dns2. I could go deeper into the details (dns1 needs dynamic subdomains such as dev, hotfix1 etc.) but I don't think they would help right now.

I was able to successfully set up this solution with cloudflare and with aws route53. But bind does not work as expected. It keeps delegating everything (for example test.prd.project.example.com) to dns1.

What am I missing?

Here is the simplified zone file:

$ORIGIN example.com.
$TTL 300
; RNAME (hostmaster.example.com.) added in editing: the posted SOA had only six
; RDATA fields, which BIND rejects; serial and timers are unchanged.
@       IN  SOA dns.example.com. hostmaster.example.com. ( 2021020506 3600 720 1209600 3600 )
        IN  NS  dns.example.com.

dns     IN  A  1.2.3.4

; delegation of project.example.com to dns1
$ORIGIN project.example.com.
$TTL 60
@       IN NS ns-1.awsdns-1.net.
        IN NS ns-1.awsdns-1.co.uk.

; intended delegation of prd.project.example.com to dns2 (the part BIND does not honour)
$ORIGIN prd.project.example.com.
$TTL 60
@       IN NS ns-2.awsdns-2.net.
        IN NS ns-2.awsdns-2.co.uk.
o0x258
  • Although valid syntax, redefining $ORIGIN halfway through a zone file and then relying on DNS shorthand and `@` abbreviations might not really help... also AFAIK neither the Cloudflare nor Route 53 web frontends are generating classical zone files either and thus you can do things there that will work as you intuitively expect rather than what would happen in a literal zone file – Bob Feb 05 '21 at 21:27

1 Answer


DNS delegation fundamentals

The combination of delegations in the question is not possible in DNS.
Your zone ends right at the delegation point and you cannot delegate something that is not part of your own zone.

In your example, the delegation for prd.project.example.com would have to be made in the project.example.com zone, it cannot be done in the example.com zone.

AWS Route53 behavior

After some experimentation with AWS Route53, I now understand the basis of the question better:

It appears that AWS Route53 is completely lacking consistency checks with regards to adding out-of-zone records.
For most record types Route53 seems to simply ignore the existence of these out-of-zone records when queried (which makes them largely harmless), but for NS it actually serves them even though that makes for an impossible combination of delegations exposed to the world.

This must clearly be a bug; it exposes an impossible combination of delegations that I expect leads to inconsistent behavior on the client end (based on whichever delegation the resolver gets to see first, essentially) and is not something that is desirable.
I do not expect BIND or anything else to replicate this particular behavior as it is at odds with the fundamental nature of DNS being a tree structure. (I also don't expect that it actually works in practice, so there is no reason to implement it.)

Håkan Lindqvist
  • Why do you think so? As I wrote in the question, the desired behavior can be configured in aws route53. In bind something similar is possible with glue hosts. For example you delegate `project.example.com` but you define an A record which belongs to the delegated zone e.g. `dns.project.example.com`. – o0x258 Feb 07 '21 at 20:47
  • @o0x258 When you delegate `project.example.com` the `example.com` zone ends there. Yes, you can have glue records associated with the delegation itself, but you cannot generally have records outside of the zone. – Håkan Lindqvist Feb 07 '21 at 20:49
  • @o0x258 If you have something specific that you can do with AWS Route53, maybe you can explain that in more detail. As far as I can understand the question, it asks for something that is not possible (and doesn't really seem to make sense logically). – Håkan Lindqvist Feb 07 '21 at 20:52
  • @o0x258 I did a little bit of experimentation with Route53 and have updated my post to reflect my findings – Håkan Lindqvist Feb 07 '21 at 21:33
  • Even though I understand the reasons why bind does not support what I'm trying to do, I don't think that Route53's behavior is a bug (cloudflare.com has the same behavior). I would rather say that AWS allows this kind of configuration to provide more flexibility. – o0x258 Feb 07 '21 at 23:48
  • @o0x258 I suppose I just don't see what flexibility it offers in practice. To me it seems that if you choose to "use" this, you get something that is broken. – Håkan Lindqvist Feb 08 '21 at 20:44
  • I opened an AWS Support Case and they confirmed that they know about this behavior and they also confirmed that they consider it as a bug. It will be fixed some day. – o0x258 Feb 09 '21 at 13:52
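The rule the answer states (a zone ends at its delegation point, and the only records the parent may hold at or below a cut are that cut's NS set and its glue) can be written as a lint, which is the consistency check the answer says Route53 lacks. The script below is an added example, not code from the question, the answer, BIND or Route53. It parses only the subset of the master-file format the question's zone uses ($ORIGIN, $TTL, `@`, relative names, an owner inherited from the previous line, optional TTL and `IN`, `;` comments, a one-line SOA); the zone texts, the hostmaster RNAME, the `lab` delegation and the 192.0.2.x addresses are constructed for it. Run against the question's zone it flags the prd.project.example.com NS set as lying under the project.example.com cut; against a split layout (example.com delegating project, and project.example.com delegating prd) it reports nothing, and the glue record for an in-zone name server is accepted as the comments above describe.

```python
"""Zone-cut lint (added example; not from the question, answer, BIND or Route53).
Applies the rule that a zone ends at a delegation point to a simplified
master-file zone and reports records that lie outside the zone."""


def fqdn(name, origin):
    """Absolute, lower-case form of a zone-file name relative to origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, default_origin):
    """Parse master-file text into (apex, [(owner, rtype, rdata), ...])."""
    origin = default_origin.lower()
    if not origin.endswith("."):
        origin += "."
    apex, records, owner = None, [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$TTL"):
            continue
        fields = line.split()
        if not line[0].isspace():                 # explicit owner on this line
            owner = fqdn(fields.pop(0), origin)
        if fields[0].isdigit():                   # optional TTL
            fields.pop(0)
        if fields[0].upper() == "IN":             # optional class
            fields.pop(0)
        rtype = fields[0].upper()
        rdata = " ".join(fields[1:]).strip("() ")
        if rtype == "NS":
            rdata = fqdn(fields[1], origin)       # absolute target, for glue matching
        if rtype == "SOA" and apex is None:
            apex = owner
        records.append((owner, rtype, rdata))
    return apex, records


def is_below(name, ancestor):
    """True when name equals ancestor or lies underneath it."""
    return name == ancestor or name.endswith("." + ancestor)


def zone_cuts(apex, records):
    """Delegation points: NS owners other than the apex, parents first."""
    cuts = {o for o, t, _ in records if t == "NS" and o != apex}
    return sorted(cuts, key=lambda n: (n.count("."), n))


def occluded_records(apex, records):
    """Records at or below a cut that are neither the cut's NS set nor its glue.
    Everything else under a cut is outside the zone.  Returns [(owner, rtype, cut)]."""
    cuts = zone_cuts(apex, records)
    targets = {c: {r for o, t, r in records if t == "NS" and o == c} for c in cuts}
    problems = []
    for owner, rtype, _ in records:
        for cut in cuts:                          # outermost cut decides
            if not is_below(owner, cut):
                continue
            if owner == cut and rtype == "NS":
                break                             # the delegation itself
            if rtype in ("A", "AAAA") and owner in targets[cut]:
                break                             # glue for this delegation
            problems.append((owner, rtype, cut))
            break
    return problems


# Constructed copy of the question's zone, with the SOA RNAME it was missing.
QUESTION_ZONE = """
$ORIGIN example.com.
@       IN  SOA dns.example.com. hostmaster.example.com. ( 2021020506 3600 720 1209600 3600 )
        IN  NS  dns.example.com.
dns     IN  A   192.0.2.1
$ORIGIN project.example.com.
@       IN  NS  ns-1.awsdns-1.net.
        IN  NS  ns-1.awsdns-1.co.uk.
$ORIGIN prd.project.example.com.
@       IN  NS  ns-2.awsdns-2.net.
        IN  NS  ns-2.awsdns-2.co.uk.
"""

# Consistent layout: the parent only delegates (plus glue for an in-zone server) ...
PARENT_ZONE = """
$ORIGIN example.com.
@       IN  SOA dns.example.com. hostmaster.example.com. ( 2021020507 3600 720 1209600 3600 )
        IN  NS  dns.example.com.
dns     IN  A   192.0.2.1
project IN  NS  ns-1.awsdns-1.net.
        IN  NS  ns-1.awsdns-1.co.uk.
lab     IN  NS  ns1.lab.example.com.  ; name server inside the delegated zone ...
ns1.lab IN  A   192.0.2.53            ; ... so this glue is required and allowed
"""

# ... and the prd delegation lives in the child zone that dns1 serves.
CHILD_ZONE = """
$ORIGIN project.example.com.
@       IN  SOA ns-1.awsdns-1.net. hostmaster.example.com. ( 1 3600 720 1209600 60 )
        IN  NS  ns-1.awsdns-1.net.
        IN  NS  ns-1.awsdns-1.co.uk.
dev     IN  A   192.0.2.10
prd     IN  NS  ns-2.awsdns-2.net.
        IN  NS  ns-2.awsdns-2.co.uk.
"""

if __name__ == "__main__":
    for label, text, origin in (("question", QUESTION_ZONE, "example.com"),
                                ("parent", PARENT_ZONE, "example.com"),
                                ("child", CHILD_ZONE, "project.example.com")):
        problems = occluded_records(*parse_zone(text, origin))
        print(f"{label}: {'consistent' if not problems else 'out-of-zone records'}")
        for owner, rtype, cut in problems:
            print(f"  {owner} {rtype} lies under the {cut} delegation")
```

The lint treats the outermost cut as decisive, so a "delegation" that itself sits under another delegation (prd under project in the question's zone) is reported as occluded rather than accepted as a second cut; that is the same view BIND takes when it answers every query below project.example.com with the dns1 referral.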