[Freeipa-users] Forward first not working

Petr Spacek pspacek at redhat.com
Thu Feb 26 08:27:40 UTC 2015


On 25.2.2015 19:18, Martin Basti wrote:
> And I'm not sure if forwarding between 2 authoritative zones with the same name 
> will work, because the zone is authoritative on IPA side, so IPA will return 
> authoritative answer NXDOMAIN and will not try to forward query.
> You may need NS delegation to subzone.
> 
> I suggest creating separate zones; there should not be 2 authoritative servers 
> with the same zone.
> 
> FYI: Forward zones IPA 4.1: http://www.freeipa.org/page/V4/Forward_zones

Martin is right.

Could you clarify what you are trying to achieve? What is the use-case? Maybe
we can recommend something for your particular use-case.


=== Background ===
You are trying to create an 'overlay'/mix of records from two authoritative
zones, which is not supported by BIND.

(After all, the term 'authoritative' is used for a reason :-))

If you look at [1] you can see that in all cases the algorithm starts with
the following two steps:
1. search the local database for an authoritative answer
2. if the local server is authoritative, return the answer (including
NXDOMAIN if the DNS name was not found)

In practice it means that BIND will never combine local data with data from
forwarders.

[1]
http://www.freeipa.org/page/V4/Forward_zones#Forwarding_policy_in_forward_and_master_zones

-- 
Petr^2 Spacek
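
A way to confirm the behaviour described in this message from `dig` output, as an added example that is not part of the original post: an NXDOMAIN carrying the `aa` flag was produced from local authoritative data, so no forwarder was consulted. The zone names, sample outputs and the `classify` helper are constructed for illustration.

```python
import re

# Constructed dig output: a name missing from a zone the queried
# server is authoritative for (aa flag set, SOA of that zone returned).
SAMPLE_LOCAL_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
example.test.  3600 IN SOA ipa1.example.test. hostmaster.example.test. 1 3600 900 1209600 3600
"""

# Constructed dig output: an answer obtained by recursion or forwarding (no aa).
SAMPLE_FORWARDED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.other.test.  300 IN A 192.0.2.10
"""

STATUS = re.compile(r"status:\s*(\w+)")
FLAGS = re.compile(r"^;; flags:([^;]*);", re.M)
SOA = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s", re.M)

def classify(dig_output):
    """Report whether a response came from local authoritative data."""
    status = STATUS.search(dig_output)
    flags = FLAGS.search(dig_output)
    if not status or not flags:
        raise ValueError("no dig header found in input")
    rcode = status.group(1)
    aa = "aa" in flags.group(1).split()
    soa = SOA.search(dig_output)
    zone = soa.group(1) if soa else None  # zone that claimed authority
    if aa and rcode == "NXDOMAIN":
        verdict = "authoritative-nxdomain"   # step 2: forwarders never asked
    elif aa:
        verdict = "authoritative-answer"
    else:
        verdict = "non-authoritative"        # recursion or forwarding was used
    return {"rcode": rcode, "aa": aa, "zone": zone, "verdict": verdict}

if __name__ == "__main__":
    for sample in (SAMPLE_LOCAL_NXDOMAIN, SAMPLE_FORWARDED):
        print(classify(sample))
```

Feed it the output of `dig @<ipa-server> <name>`; the `zone` field shows which locally served zone answered.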



