In addition to authoritative zones, the NIOS appliance allows you to configure delegated, forward, and stub zones. A delegated zone is a zone managed by (delegated to) another name server that holds the authority for the zone. A forward zone is a zone whose queries are forwarded to other, remote name servers. A stub zone contains the records that identify the authoritative name servers of another zone. This section covers the following topics:

...


Configuring a Delegation

Instead of a local name server, remote name servers (which the local server knows) maintain delegated zone data. When the local name server receives a query for a delegated zone, it either responds with the NS record for the delegated zone server (if recursion is disabled on the local server) or it queries the delegated zone server on behalf of the resolver (if recursion is enabled).
For example, there is a remote office with its own name servers, and you want it to manage its own local data. On the name server at the main corporate office, define the remote office zone as delegated, and then specify the remote office name servers as authorities for the zone.
You can delegate a zone to one or more remote name servers, which are typically the authoritative primary and secondary servers for the zone. If recursion is enabled on the local name server, it queries multiple delegated name servers based on their round-trip times. You can also add arpa as a top-level forward-mapping zone and delegate its subzones.
You can also configure TTL settings of auto-generated NS records and glue A and AAAA records for delegated zones in forward-mapping, IPv4 reverse-mapping, and IPv6 reverse-mapping zones. For information, see About Time To Live Settings.
The delegation must exist within an authoritative zone with a Grid primary server.

...

  1. From the Data Management tab, select the DNS tab -> Zones tab.
  2. Click the parent zone to open it.
    Grid Manager displays the Records and Subzones tabs of the zone.
  3. From the Subzones tab, click the Add icon -> Zone -> Add Delegation.
  4. In the Add Delegation wizard, specify the following:
    • Name: This field displays a dot followed by the domain name of the current zone. Enter one or more labels before the dot to specify the domain name of the subzone.
    • DNS View: This field displays only when there is more than one DNS view in the network view. It displays the DNS view of the current zone.
    • Comment: Optionally, enter additional text about the zone.
    • Disable: Click this check box to temporarily disable this zone. For information, see Enabling and Disabling Zones.
    • Lock: Click this check box to lock the zone so that you can make changes to it, and also prevent others from making conflicting changes. For information, see Locking and Unlocking Zones.
  5. Click Next to assign a delegation name server group or define the name servers for the zone. Select one of the following:
    • Use this name server group: Select this to assign a delegation NS group for the delegated zone. You can select the delegation NS group from the drop-down list.
    • Use this set of name servers: Select this to define name servers for the delegated zone. In the Name Servers panel, click the Add icon and specify the following information:
      • Name: Enter the name of a remote name server to which you want the local server to redirect queries for zone data. This is a name server that is authoritative for the delegated zone.
      • Address: Enter the IP address of the delegated server.
    For information about delegation NS groups, see Using Delegation Name Server Groups.
  6. Save the configuration and click Restart if it appears at the top of the screen, or click Next to define extensible attributes as described in Using Extensible Attributes.
    or
    Click the Schedule icon at the top of the wizard to schedule this task. In the Schedule Change panel, enter a date, time, and time zone. For information, see Scheduling Tasks.

...

Note

The DNS server resolves the FQDN of the delegated name server and does not use the IP address that you specify when assigning the delegated name servers.

Configuring a Delegation for a Reverse-Mapping Zone

...

  1. From the Data Management tab, select the DNS tab -> Zones tab.
  2. Click the parent zone to open it.
    Grid Manager displays the Records and Subzones tabs of the zone.
  3. From the Subzones tab, click the Add icon -> Zone -> Add Delegation.
  4. In the Add Delegation wizard, specify the following:
    • IPv4 Network: This field displays if you are creating a delegation zone for an IPv4 reverse-mapping zone. Enter the IPv4 address of the address space for which you want to define the reverse-mapping zone and select a netmask from the Netmask drop-down list. Alternatively, you can specify the address in CIDR format, such as 192/8.
      To use an RFC 2317 prefix, select a netmask value between 25 and 31, inclusive. Grid Manager then displays the following fields:
      • RFC 2317 Prefix: Enter a prefix in this field. Prefixes can include alphanumeric characters.
      • Allow manual creation of PTR records in parent zone: Select this check box to allow users to create labels in the parent zone that correspond to IP addresses in the delegated address space.
      For information about RFC 2317, see Specifying an RFC 2317 Prefix.
    • IPv6 Network Prefix: This field displays if you are creating a delegation zone for an IPv6 reverse-mapping zone. Enter the IPv6 prefix of the address space for which you want to define the reverse-mapping zone and select the prefix length from the drop-down list.
    • Name: This field displays a dot followed by the domain name of the current zone. Enter one or more labels before the dot to specify the domain name of the subzone.
    • DNS View: This field displays only when there is more than one DNS view in the network view. Select a DNS view from the drop-down list.
    • Comment: Optionally, enter additional text about the zone.
    • Disable: Select this option to temporarily disable this zone.
    • Lock: Select this option to lock the zone so that you can make changes to it and prevent others from making conflicting changes.
  5. Click Next to assign a delegation name server group or define the name servers for the zone. Select one of the following:
    • Use this name server group: Select this to assign a delegation NS group for the delegated zone. You can select the delegation NS group from the drop-down list.
    • Use this set of name servers: Select this to define name servers for the delegated zone. In the Name Servers panel, click the Add icon and specify the following information:
      • Name: Enter the name of a remote name server to which you want the local server to redirect queries for zone data. This is a name server that is authoritative for the delegated zone.
      • Address: Enter the IP address of the delegated server.
    For information about delegation NS groups, see Using Delegation Name Server Groups.
  6. Save the configuration and click Restart if it appears at the top of the screen, or click Next to define extensible attributes as described in Using Extensible Attributes.
    or
    Click the Schedule icon at the top of the wizard to schedule this task. In the Schedule Change panel, enter a date, time, and time zone. For information, see Scheduling Tasks.
Note

The DNS server resolves the FQDN of the delegated name server and does not use the IP address that you specify when assigning the delegated name servers.
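The note above (and the identical one in the forward-mapping procedure) has a practical consequence: what breaks a delegation is the NS name failing to resolve, resolving somewhere other than the address typed into the wizard, or an in-bailiwick NS name lacking glue in the parent. The following audit routine is an added example, not Infoblox code; the zone, host names and addresses are constructed sample data and the resolution results are supplied as dictionaries so it runs offline.

```python
"""Audit a delegation the way the local server will actually use it: by the
NS names, not by the addresses entered in the Add Delegation wizard."""


def in_bailiwick(ns_name: str, zone: str) -> bool:
    """True when the NS host name lies inside the delegated zone itself,
    in which case the parent must publish glue A/AAAA records for it."""
    ns, zone = ns_name.rstrip(".").lower(), zone.rstrip(".").lower()
    return ns == zone or ns.endswith("." + zone)


def audit_delegation(zone, wizard_ns, resolved, glue):
    """Return a list of (ns_name, finding) tuples; an empty list means healthy.

    zone      -- delegated subzone, e.g. 'remote.corp200.com'
    wizard_ns -- {ns_name: address typed in the Add Delegation wizard}
    resolved  -- {ns_name: [addresses the NS name currently resolves to]}
    glue      -- {ns_name: [glue addresses published in the parent zone]}
    """
    findings = []
    for name, typed in wizard_ns.items():
        addrs = resolved.get(name, [])
        if not addrs:
            findings.append((name, "NS name does not resolve: lame delegation"))
            continue
        if typed not in addrs:
            findings.append((name, f"wizard address {typed} is not among the resolved "
                                   f"addresses {addrs}; the resolved address is queried"))
        if in_bailiwick(name, zone):
            if name not in glue:
                findings.append((name, "in-bailiwick NS has no glue in the parent zone"))
            elif sorted(glue[name]) != sorted(addrs):
                findings.append((name, f"glue {glue[name]} disagrees with resolved {addrs}"))
    return findings


# Constructed sample data (hypothetical zone and hosts)
ZONE = "remote.corp200.com"
WIZARD_NS = {
    "ns1.remote.corp200.com": "10.2.3.10",   # in-bailiwick, healthy
    "ns2.remote.corp200.com": "10.2.3.11",   # in-bailiwick, host moved, glue stale
    "ns3.corpxyz.com": "10.9.9.9",           # out-of-bailiwick, typed address stale
    "ns4.remote.corp200.com": "10.2.3.13",   # host record deleted: lame
}
RESOLVED = {
    "ns1.remote.corp200.com": ["10.2.3.10"],
    "ns2.remote.corp200.com": ["10.2.3.21"],
    "ns3.corpxyz.com": ["10.9.9.10"],
}
GLUE = {
    "ns1.remote.corp200.com": ["10.2.3.10"],
    "ns2.remote.corp200.com": ["10.2.3.11"],
}

if __name__ == "__main__":
    for ns, finding in audit_delegation(ZONE, WIZARD_NS, RESOLVED, GLUE):
        print(f"{ns}: {finding}")
```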

Configuring a Forward Zone

...

When you want to forward queries for data in a particular zone, define the zone as a forward zone and specify one or more name servers that can resolve queries for the zone. You can also assign one or more external name servers as default forwarders for a forward zone. For example, define a forward zone so that the NIOS appliance forwards queries about a partner's internal site to a name server, which the partner hosts, configured just for other partners to access.
You can override the default forwarders for a forward-mapping zone at the Grid member level and configure custom forwarders. In other words, each Grid member can have its own forwarders for the forward zone. For example: a forward-mapping zone foo.com is served by two Grid members, M1 and M2, with M1 forwarding queries to 10.1.0.1 and 10.1.0.2 and M2 forwarding queries to 90.3.3.3 and 90.4.4.1. Note that a Grid member uses the default forwarders unless you override them at the member level. For more information about domains and zones, see Configuring Authoritative Zone Properties.

...

  1. From the Data Management tab, select the DNS tab, expand the Toolbar and click Add -> Zone -> Add Forward Zone.
  2. In the Add Forward Zone wizard, click Add a forward-mapping zone and click Next.
  3. Enter the following information, and then click Next:
    • Name: Enter the domain name of the zone for which you want the NIOS appliance to forward queries.
    • DNS View: This field displays only when there is more than one DNS view in the current network view. Select the DNS view of the forward zone.
    • Comment: Enter a descriptive comment.
    • Disable: Click this check box to temporarily disable this zone.
    • Lock: Click this check box to lock the zone so that you can make changes to it and prevent others from making conflicting changes.
  4. Click Next to assign a forward/stub server name server group or define the default zone forwarders to which the NIOS appliance forwards queries for the zone. Select one of the following:
      • Select Use this name server group to assign a forward/stub server NS group for the zone. You can select the forward/stub server NS group from the drop-down list. For information about forward/stub server NS groups, see Using Forward/Stub Server Name Server Groups.
      • Select Use this set of name servers to specify the default servers for the zone. Click the Add icon and specify the following:
        • Name: Enter a domain name of the server to which you want the NIOS appliance to forward queries.
        • Address: Enter the IP address of the server to which you want the NIOS appliance to forward queries.
        • Select Use Forwarders Only if you want the NIOS appliance to query forwarders only (not root servers) to resolve domain names in the zone.
  5. Click Next to assign a forwarding member name server group or define Grid members to serve the forward-mapping zone. Select one of the following:
     Note: If you do not define any Grid members to serve the forward-mapping zone, the named.conf file will not contain the configuration of the newly created forward zone. Hence, the Infoblox DNS server will not be authoritative for the forward zone and, by default, will query the root servers to resolve queries for the forward zone.
    • Select Use this name server group to assign a forwarding member NS group for the zone. You can select the forwarding member NS group from the drop-down list. For information about forwarding member NS groups, see Using Forwarding Member Name Server Groups.
    • Select Use this set of name servers to define the Grid members and either use the default forwarders or override them and configure custom forwarders. Click the Add icon to select the NIOS appliance on which the forward zone is configured. For an independent deployment, select the local appliance (it is the only choice). If there are multiple Grid members, the Member Selector dialog box is displayed. Select the required member by clicking the member name.
      The following is displayed for each Grid member:
      • Name: Displays the name of the Grid member.
      • IPv4 Address: Displays the IPv4 address of the Grid member.
      • IPv6 Address: Displays the IPv6 address of the Grid member.
      • Override Default Forwarders: Displays Yes when you override the default forwarders. Otherwise, this field displays No.
      • Custom Forwarders: Displays the IP addresses of the custom forwarders. Otherwise, this field is blank.

      Note: Skip the following two steps if you want to use the default forwarders.

  6. Select a member and click the Edit icon.
  7. In the Edit Per-Member Forwarders editor, select the Override Default Forwarders check box to override the default forwarders. The Default Zone Forwarders table becomes available only after you select the Override Default Forwarders check box. Click the Add icon to specify the servers to which the NIOS appliance forwards queries for the zone:
    • Name: Enter a domain name for the server to which you want the NIOS appliance to forward queries for the specified domain name.
    • Address: Enter the IP address of the server to which you want the NIOS appliance to forward queries.
    • Select Use Forwarders Only if you want the NIOS appliance to query forwarders only (not root servers) to resolve domain names in the zone.
    • Save the configuration. After the configuration is saved, the Override Default Forwarders column displays Yes and the Custom Forwarders column displays the IP addresses of the forwarders.
      To configure forwarders for multiple members, repeat these steps for each Grid member.
  8. Save the configuration, or click Next to continue to the next step where you define extensible attributes as described in Using Extensible Attributes, and then optionally proceed to the next step where you define admin permissions as described in About Administrative Permissions.
    or
    Click the Schedule icon at the top of the wizard to schedule this task. In the Schedule Change panel, enter a date, time, and time zone. For information, see Scheduling Tasks.
  9. Click Restart if it appears at the top of the screen.
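To make the per-member override and Use Forwarders Only choices concrete, the following model is an added example (not NIOS code). It builds the foo.com / M1 / M2 scenario from the explanation above, adds a constructed member M3 that keeps the default forwarders and a constructed default forwarder 192.0.2.53, and renders the BIND forward-zone stanza each member would carry; the stanza is plain BIND syntax and is not a claim about the exact text NIOS writes to named.conf.

```python
"""Which forwarders does each Grid member actually use for a forward zone?"""
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str
    override_default_forwarders: bool = False
    custom_forwarders: list = field(default_factory=list)


@dataclass
class ForwardZone:
    fqdn: str
    default_forwarders: list
    use_forwarders_only: bool
    members: list = field(default_factory=list)


def effective_forwarders(zone: ForwardZone, member_name: str):
    """Forwarders this member uses for the zone, or None if it does not serve it."""
    member = next((m for m in zone.members if m.name == member_name), None)
    if member is None:
        # Not a serving member: the zone is absent from its named.conf and
        # queries for it go through normal recursion (root servers).
        return None
    if member.override_default_forwarders:
        return list(member.custom_forwarders)
    return list(zone.default_forwarders)


def render_zone_stanza(zone: ForwardZone, member_name: str):
    """BIND stanza for one member. 'forward only' never falls back to root
    servers, which is what you want when the forwarders sit behind a VPN or
    must see every query; 'forward first' retries via normal recursion when
    the forwarders fail, so those queries may leave the forwarding path."""
    fwd = effective_forwarders(zone, member_name)
    if fwd is None:
        return None
    policy = "only" if zone.use_forwarders_only else "first"
    body = "".join(f"        {ip};\n" for ip in fwd)
    return (f'zone "{zone.fqdn}" {{\n    type forward;\n    forward {policy};\n'
            f"    forwarders {{\n{body}    }};\n}};\n")


# Constructed scenario: M1 and M2 override (addresses from the page), M3 does not
FOO = ForwardZone("foo.com", ["192.0.2.53"], use_forwarders_only=True, members=[
    Member("M1", True, ["10.1.0.1", "10.1.0.2"]),
    Member("M2", True, ["90.3.3.3", "90.4.4.1"]),
    Member("M3"),
])

if __name__ == "__main__":
    for m in ("M1", "M2", "M3", "M4"):
        print(f"--- {m} ---\n{render_zone_stanza(FOO, m) or '(zone not served)'}")
```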

...

Stub zones, like secondary zones, obtain their records from other name servers. Their records are read-only; therefore, administrators do not manually add, remove, or modify them.
Stub zone records are also periodically refreshed, just like secondary zone records. However, secondary name servers contain a complete copy of the zone data on the primary server. Therefore, zone transfers from a primary server to a secondary server, or between secondary servers, can increase CPU usage and consume excessive bandwidth. A name server hosting a stub zone maintains a much smaller set of records; therefore, updates are less CPU intensive and consume less bandwidth.
When a name server hosting a stub zone receives a query for a domain name that it determines is in the stub zone, the name server uses the records in the stub zone to locate the correct name server to query, eliminating the need to query the root server.
Figure 19.8 and Figure 19.9 illustrate how the NIOS appliance resolves a query for a domain name for which it is not authoritative. Figure 19.8 illustrates how the appliance resolves a query when it does not have a stub zone.
Figure 19.9 illustrates how the appliance resolves the query with a stub zone.
In Figure 19.8, a client sends a query for ftp.sales.corp200.com to the NIOS appliance. When the appliance receives the request from the client, it checks if it has the data to resolve the query. If the appliance does not have the data, it tries to locate the authoritative name server for the requested domain name. It sends nonrecursive queries to a root name server and to the closest known name servers until it learns the correct authoritative name server to query.

Figure 19.8 Processing a Query without a Stub Zone

In Figure 19.9, when the NIOS appliance receives the request for the domain name in corp200.com, it determines it does not have the resource records to resolve the query. It does, however, have a list of the authoritative name servers in the stub zone, corp200.com. The appliance then sends a query directly to the name server in corp200.com.

Figure 19.9 Processing a Query with a Stub Zone

Stub zones facilitate name resolution and alleviate name server traffic in your network. For example, the client in the previous examples is in corpxyz.com. The corpxyz.com and corp200.com zones are partners, and send all their communications through a VPN tunnel, as shown in Figure 19.10. The firewall protecting corpxyz.com is configured to send all messages for the 10.2.2.0/24 network through the VPN tunnel. Infoblox_A hosts the stub zone for corp200.com. Therefore, when the host in corpxyz.com sends a query for ftp.sales.corp200.com, Infoblox_A obtains the IP address of Infoblox_B (10.2.2.7) from its stub zone records and sends the query to the firewall protecting corpxyz.com.
Because the destination of the query is in the 10.2.2.0/24 network, the firewall (configured to encrypt all traffic to the network) sends the request through a VPN tunnel to Infoblox_B. Infoblox_B resolves the query and sends back the response through the VPN tunnel. All name server traffic went through the VPN tunnel to the internal servers, bypassing the root servers and external name servers.

Figure 19.10 Stub Zone Configuration

In parent-child zone configurations, using stub zones also eases the administration of name servers in both zones. For example, as shown in Figure 19.10, sales.corp200.com is a child zone of corp200.com. On the corp200.com name servers, you can create either a delegated zone or a stub zone for sales.corp200.com.
When you create a delegated zone, you must first specify the name servers in the delegated zone and manually maintain information about these name servers. For example, if the administrator in sales.corp200.com changes the IP address of a name server or adds a new name server, the sales.corp200.com administrator must inform the corp200.com administrator so that the corresponding changes are made in the delegated zone records.
If, instead, you create a stub zone for sales.corp200.com, you set up the stub zone records once, and updates are then done automatically. The name servers in corp200.com that are hosting a stub zone for sales.corp200.com automatically obtain updates of the authoritative name servers in the child zone.
In addition, a name server that hosts a stub zone can cache the responses it receives. Therefore, when it receives a request for the same resource record, it can respond without querying another name server.

...