This article provides an overview of the behavior and requirements when configuring external nameservers for a sub-zone within a UCS domain. For example, the UCS domain might be univention.de, and an external sub-zone could be sub.univention.de.
Adding an NS Record in UCS
To delegate a sub-zone to an external nameserver, you can add an NS record using the Univention Management Console (UMC) → DNS → univention.de → Add:
Below is an example of how the resulting NS record might look in the directory for verification:
dn: relativeDomainName=sub,zoneName=univention.de,cn=dns,dc=univention,dc=intranet
zoneName: univention.de
dNSTTL: 79200
objectClass: top
objectClass: univentionObject
objectClass: dNSZone
univentionObjectType: dns/ns_record
relativeDomainName: sub
nSRecord: ns1.sub.univention.de.
Behavior of the Nameserver
1. No Forwarders Defined
If no forwarders are configured, the nameserver will return a SERVFAIL error when attempting to resolve the target nameserver. This issue arises due to the following:
- Error Example: adb: fetch of 'ns1.sub.univention.de' A failed: timed out
- Cause: The target nameserver cannot be resolved if it lies within the same zone and is not explicitly defined in the UCS domain.
Solution:
You need to add the target nameserver to the UCS zone manually. For example:
root@ucs-7794:~# univention-ldapsearch relativeDomainName=ns1.sub -LLL
dn: relativeDomainName=ns1.sub,zoneName=univention.de,cn=dns,dc=univention,dc=intranet
zoneName: univention.de
dNSTTL: 10800
aRecord: 10.201.2.61
objectClass: dNSZone
objectClass: univentionObject
objectClass: top
univentionObjectType: dns/host_record
relativeDomainName: ns1.sub
If the target nameserver is not known to UCS and forwarders are not defined, this setup will not work.
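One way to check a zone for this condition before relying on a delegation, as an added example that is not part of the original article or of UCS. It assumes LDIF text in the shape shown above (for instance the output of univention-ldapsearch -LLL zoneName=univention.de); the function names and the sample entries for "lab" and ns.example.net are constructed.

```python
# Constructed sample in the shape of the LDIF above; the "lab" delegation and
# ns.example.net are made up to show a missing host record and an external target.
SAMPLE_LDIF = """\
dn: relativeDomainName=sub,zoneName=univention.de,cn=dns,dc=univention,dc=intranet
relativeDomainName: sub
nSRecord: ns1.sub.univention.de.

dn: relativeDomainName=ns1.sub,zoneName=univention.de,cn=dns,dc=univention,dc=intranet
aRecord: 10.201.2.61
relativeDomainName: ns1.sub

dn: relativeDomainName=lab,zoneName=univention.de,cn=dns,dc=univention,dc=intranet
relativeDomainName: lab
nSRecord: ns1.lab.univention.de.
nSRecord: ns.example.net.
"""


def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    unfolded = text.replace("\n ", "")  # LDIF folds long lines as newline + space
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def missing_glue(ldif_text, zone):
    """NS targets inside `zone` that have no A/AAAA host record in the LDIF."""
    entries = parse_ldif(ldif_text)
    zone = zone.rstrip(".").lower()
    have_address = set()
    for e in entries:
        if e.get("arecord") or e.get("aaaarecord"):
            have_address.update(f"{r.lower()}.{zone}" for r in e.get("relativedomainname", []))
    missing = set()
    for e in entries:
        for target in e.get("nsrecord", []):
            fqdn = target.rstrip(".").lower()
            # Targets outside the zone are resolved elsewhere and need no local record.
            if fqdn.endswith("." + zone) and fqdn not in have_address:
                missing.add(fqdn)
    return sorted(missing)
```

For the sample, missing_glue(SAMPLE_LDIF, "univention.de") reports ns1.lab.univention.de, the in-zone nameserver that lacks a host record, and ignores the external target.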
2. Forwarders Defined
When forwarders are configured, requests for the sub-zone are forwarded to the root nameservers. However, the target nameserver may still fail to resolve.
Mitigation:
To ensure successful resolution, add the following directive to the proxy configuration file for the sub-zone (e.g., /etc/bind/univention.conf.d/univention.de.proxy):
forwarders {};
This allows the UCS nameserver to resolve the target nameserver and forward requests appropriately.
Current Limitations
Currently, it is not possible to configure the above settings persistently via the UMC. A bug has been reported to address this limitation:
Bug 47176 - Univention Bugzilla
Summary
- If no forwarders are defined, ensure the target nameserver is explicitly added to the UCS zone.
- If forwarders are defined, modify the proxy configuration for the sub-zone to include forwarders {};.
- Persistent configuration of these settings through UMC is not currently supported, but the issue is tracked under Bug 47176.
By following these steps, you can successfully delegate sub-zones to external nameservers in a UCS environment.

