
I am setting up a new DNS infrastructure for our internal HPC cluster environment. This involves providing a migration path from our existing DNS authorities and domains.

For the sake of example, let's say that we have an institutional domain of example.edu. (We actually have a real .edu domain.) Our group uses the subdomain rc.example.edu. I have set up a new internal authority for this domain at ns1.rc.example.edu, and am forwarding to that authority from our internal resolver.

zone "rc.example.edu" IN {
    type forward;
    forward only;
    forwarders { 10.225.160.10; }; # ip address of ns1.rc.example.edu
};

This works as expected. I can query my resolver1.rc.example.edu and get addresses for names in that domain.

[root@resolver1 ~]# host -t A ns1.rc.colorado.edu
ns1.rc.colorado.edu has address 10.225.160.10

But we have a legacy nameserver at xcatmn.rc.local that I also want to be able to resolve during our migration period. So I added this to resolver1's named.conf to mirror the previous forwarding configuration:

zone "rc.local" IN {
    type forward;
    forward only;
    forwarders { 10.16.0.5; }; # ip address of xcatmn.rc.local
};

But when I try to query records from this domain, I get SERVFAIL.

[root@resolver1 ~]# host -t A xcatmn.rc.local
createfetch: xcatmn.rc.local A
validating @0x7ffba86868d0: xcatmn.rc.local A: bad cache hit (xcatmn.rc.local/DS)
error (broken trust chain) resolving 'xcatmn.rc.local/A/IN': 10.16.0.5#53
client 10.225.160.52#54752 (xcatmn.rc.local): query failed (SERVFAIL) for xcatmn.rc.local/IN/A at query.c:7004
createfetch: xcatmn.rc.local A
validating @0x7ffba86868d0: xcatmn.rc.local A: bad cache hit (xcatmn.rc.local/DS)
error (broken trust chain) resolving 'xcatmn.rc.local/A/IN': 10.16.0.5#53
client 10.225.160.52#37688 (xcatmn.rc.local): query failed (SERVFAIL) for xcatmn.rc.local/IN/A at query.c:7004
Host xcatmn.rc.local not found: 2(SERVFAIL)

If I disable DNSSEC in resolver1 this query succeeds; but I don't really want to disable it for all resolution. At most, I want to disable DNSSEC for the rc.local. domain only.

dnssec-enable no;
dnssec-validation no;

Is this possible? I don't really understand DNSSEC that well, so I don't know why queries to rc.example.edu are successful (without my having done any kind of signing) while queries to rc.local are unsuccessful.

What am I doing wrong? What should I be doing instead? (I know I shouldn't be using the .local domain. This is an attempt to migrate away from it, while supporting existing names in that domain during the migration period.)

anderbubble
  • Can you get any results for the "rc.local" zone at all? What happens when you do `host -t NS rc.local.`? The .edu example refers to the external zone, and the query goes online to the root servers; however, you need to configure your rc.local zone on your local resolver as an authoritative zone so it doesn't go online for the results. Instead it should provide the result it has in cache or as an authoritative server. – Dmitriy Kupch Nov 06 '18 at 21:41
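
An added example, not part of the question or of any answer on this page: a named.conf fragment for resolver1 that keeps DNSSEC validation on globally but exempts only the legacy rc.local tree, using BIND's validate-except option (available in BIND 9.13.3 and later). The two forward zones behave differently because example.edu is delegated from the signed .edu zone and the absence of a DS record there is a provable "insecure" delegation, so unsigned answers for rc.example.edu are accepted; there is no "local" delegation from the signed root at all, so the validator has no insecure entry point for rc.local and rejects the unsigned answer from 10.16.0.5 as a broken trust chain. The IP addresses are the ones from the question; the directory and file path are assumptions.

```conf
// /etc/named.conf on resolver1 (added example, not the question's own config)

options {
    directory "/var/named";   // assumed path
    recursion yes;

    // Weak fix (what the question tried): turns validation off for every name.
    // dnssec-validation no;

    // Corrected: keep validating against the built-in root trust anchor ...
    dnssec-validation auto;

    // ... but skip validation at and below rc.local only (BIND 9.13.3+).
    // Unsigned answers from 10.16.0.5 for this tree are then accepted as
    // "insecure" instead of failing with "broken trust chain".
    validate-except { "rc.local"; };
};

// New internal authority. The chain root -> edu -> example.edu is provable,
// and example.edu has no DS, so plain forwarding validates as insecure and works.
zone "rc.example.edu" IN {
    type forward;
    forward only;
    forwarders { 10.225.160.10; };   // ns1.rc.example.edu
};

// Legacy authority being migrated away from. Without validate-except the
// validator cannot prove an insecure delegation for rc.local and SERVFAILs.
zone "rc.local" IN {
    type forward;
    forward only;
    forwarders { 10.16.0.5; };       // xcatmn.rc.local
};
```

Check the file with `named-checkconf /etc/named.conf`, apply it with `rndc reconfig`, and confirm that `dig @resolver1 xcatmn.rc.local A` now returns NOERROR (without the AD flag, since the data is unvalidated) while `dig @resolver1 sigok.verteiltesysteme.net A` style validated lookups still set AD. On a BIND 9.11 build that does not support validate-except, the same exemption can be set at runtime as a negative trust anchor with `rndc nta -lifetime 1w rc.local`; it expires automatically (nta-max-lifetime defaults to one week), which suits a migration window but must be renewed if the migration runs longer.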
