# Delegating a subdomain in BIND - Not working

## fincoop

Have been banging my head against the table. Have consulted numerous examples but for being such a simple thing it refuses to work. Wireshark sees no queries going to the delegated NS, ever. The only glimmer of function I have is if I do "set q=any" in nslookup, I get the name server of the delegated subdomain returned - BUT IT WON'T QUERY IT!?!?!

NAMED.CONF

```
/*
logging {
    category dnssec   { security_log; };
    category update   { security_log; };
    category security { security_log; };
    category lame-servers { null; };
    channel security_log {
        file "dns-security.log" versions 5 size 20m;
            // every time the log grows over 20 Mbyte, it will
            // backup and rollover. Maximum 5 backups will be kept.
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug;
    };
};
*/

key dsp.domaina.net {
        algorithm HMAC-MD5;
        secret "c7g6q4/nz7We4+rWps7LzIjAkptxkK8/Kx6rRtcib5TMxj/AaEmxEmn5 b3cCcsFZeMySPDb0ONyc0IvH6prq3A==";
};

options {
        directory "/var/bind";
        forwarders {
                209.226.175.236;
                209.226.175.237;
                142.77.2.36;
        };
        listen-on-v6 { none; };
        listen-on {
                127.0.0.1;
                192.168.11.1;
                192.168.21.1;
        };
        pid-file "/var/run/named/named.pid";
};

zone "." IN {
        type hint;
        file "named.cache";
};

zone "domaina.net." IN {
        type master;
        file "pri/domaina.net.zone";
        allow-update { key "dsp.domaina.net"; };
        notify no;
};

zone "domainb.net." IN {
        type forward;
        forwarders {
                10.3.9.22;
                10.3.9.23;
        };
        forward only;
};

zone "11.168.192.in-addr.arpa." IN {
        type master;
        file "pri/11.168.192.in-addr.arpa.zone";
        allow-update { key "dsp.domaina.net"; };
        notify no;
};

zone "21.168.192.in-addr.arpa." IN {
        type master;
        file "pri/21.168.192.in-addr.arpa.zone";
        allow-update { key "dsp.domaina.net"; };
        notify no;
};

zone "127.in-addr.arpa." IN {
        type master;
        file "pri/127.zone";
        notify no;
};

zone "com" IN { type delegation-only; };
zone "net" IN { type delegation-only; };
```

DOMAINA.NET.ZONE

```
$ORIGIN .
$TTL 38400      ; 10 hours 40 minutes
domaina.net          IN SOA  domaina.net. root.domaina.net. (
                                20120321   ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                38400      ; minimum (10 hours 40 minutes)
                                )
                        NS      dsp.five-speed.net.
                        A       192.168.11.1
                        MX      10 five-speed.net.
$ORIGIN domaina.net.
$TTL 38400      ; 10 hours 40 minutes
dsp                     A       192.168.11.1
```

I have tried the following things to get a delegation to work, but when I do nslookup and query the name server nothing happens. If I ping a host in the subdomain I get an Internet IP resolved rather than an internal 192.168.

```
$ORIGIN "subdomain.domaina.net."
               IN            NS             ns1.subdomain.domaina.net
ns1                          A              192.168.11.15

--- OR ----

subdomain       IN         NS            ns1.subdomain.domaina.net
ns1.subdomain               A             192.168.11.15

--- OR ---

$ORIGIN "subdomain.domaina.net."
@          IN             NS             ns1.subdomain.domaina.net
ns1                        A               192.168.11.15
```

This feels like one of those "really silly thing I've overlooked" moments; your help is appreciated.
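A way to check a zone file for the delegation problems this kind of question usually comes down to: a quoted `$ORIGIN` argument, an NS target written without the trailing dot (so named appends the current origin to it), and an in-zone name server with no glue A record. This is an added example, not code from the thread or from BIND; it implements a deliberately simplified reader of zone-file syntax that tracks `$ORIGIN` the way named does, and the two zone texts inside it are constructed to mirror the names in the question (nothing is queried on the network).

```python
"""Zone-file delegation linter (added example, not from the thread or from BIND).

Mimics how named qualifies names while loading a zone: a name is absolute
only if it ends in a dot, otherwise the current $ORIGIN is appended. It
then checks one subdomain delegation for the mistakes that make it fail
quietly: a quoted $ORIGIN argument, an NS target without a trailing dot,
and an in-zone (in-bailiwick) name server that has no glue A/AAAA record.
Only the simplified zone syntax used below is supported.
"""


def qualify(name, origin):
    """Return the absolute form of a zone-file name under the given origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return (name + "." if origin == "." else f"{name}.{origin}").lower()


def parse_zone(text, zone_origin):
    """Return (records, problems); each record is (owner, type, rdata, origin)."""
    origin = zone_origin.lower()
    if not origin.endswith("."):
        origin += "."
    records, problems, last_owner, buffer = [], [], origin, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        buffer = f"{buffer} {line.strip()}" if buffer else line
        if buffer.count("(") > buffer.count(")"):
            continue                              # multi-line record (SOA): keep collecting
        line, buffer = buffer, ""
        if line.startswith("$ORIGIN"):
            arg = line.split(None, 1)[1].strip()
            if arg.startswith(('"', "'")):        # named does not accept quotes here
                problems.append(f"$ORIGIN argument is quoted: {arg}")
                arg = arg.strip("\"'")
            origin = qualify(arg, origin)         # a relative $ORIGIN is itself qualified
            continue
        if line.startswith("$"):
            continue                              # $TTL and friends do not affect names
        fields = line.split()
        if line[0].isspace():
            owner = last_owner                    # blank owner field = previous owner
        else:
            owner = qualify(fields.pop(0), origin)
        # skip the optional TTL and class tokens that may precede the type
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        if not fields:
            continue
        records.append((owner, fields[0].upper(), fields[1:], origin))
        last_owner = owner
    return records, problems


def lint_delegation(text, zone_origin, subdomain):
    """Return a list of findings for the delegation of `subdomain`; empty means it looks right."""
    records, findings = parse_zone(text, zone_origin)
    sub = subdomain.lower() if subdomain.endswith(".") else subdomain.lower() + "."
    ns_records = [r for r in records if r[0] == sub and r[1] == "NS" and r[2]]
    if not ns_records:
        findings.append(f"no NS record with owner {sub}")
        return findings
    glue_owners = {r[0] for r in records if r[1] in ("A", "AAAA")}
    for _, _, rdata, origin in ns_records:
        target = rdata[0]
        if not target.endswith("."):
            findings.append(f"NS target '{target}' has no trailing dot; named reads it as "
                            f"'{qualify(target, origin)}'")
        target = qualify(target, origin)
        in_bailiwick = target == sub or target.endswith("." + sub)
        if in_bailiwick and target not in glue_owners:
            findings.append(f"in-zone name server {target} has no glue A/AAAA record")
    return findings


# Constructed zone texts mirroring the thread's names (not the poster's files).
BAD_ZONE = """\
$ORIGIN domaina.net.
$TTL 38400
@    IN SOA dsp.domaina.net. root.domaina.net. ( 2012032101 10800 3600 604800 38400 )
     IN NS dsp.domaina.net.
dsp  IN A  192.168.11.1
$ORIGIN "subdomain.domaina.net."
@    IN NS ns1.subdomain.domaina.net
ns1     A  192.168.11.15
"""

GOOD_ZONE = """\
$ORIGIN domaina.net.
$TTL 38400
@    IN SOA dsp.domaina.net. root.domaina.net. (
         2012032101 10800 3600 604800 38400 )
     IN NS dsp.domaina.net.
dsp  IN A  192.168.11.1
subdomain      IN NS ns1.subdomain.domaina.net.   ; delegation
ns1.subdomain  IN A  192.168.11.15                ; glue for the in-zone NS
"""

if __name__ == "__main__":
    for label, zone in (("bad", BAD_ZONE), ("good", GOOD_ZONE)):
        print(label, lint_delegation(zone, "domaina.net", "subdomain.domaina.net") or "OK")
```

For the constructed `BAD_ZONE` the linter reports the quoted `$ORIGIN`, the NS target that named would load as `ns1.subdomain.domaina.net.subdomain.domaina.net.`, and the resulting missing glue; `GOOD_ZONE`, with the trailing dot and a glue A record under `ns1.subdomain`, produces no findings. After fixing the file, `named-checkzone domaina.net pri/domaina.net.zone` is the authoritative check.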

----------

## pgu

It's been many years since I've used nslookup. But are you sure you're pointing at your server and not using some other server on the net?

I normally use dig where you can specify the server using @ and reverse lookups using -x, much easier than in nslookup (even though nslookup might have changed during the past 10 years or so...)

```
dig @172.30.30.170 -x 172.30.30.50
dig @172.30.30.170 mx home.mydomain.com
```

dig will also give you quite a bit of debug output.

----------

