From fd40136e2a6643df5acaff80a7e8f1492e4b4840 Mon Sep 17 00:00:00 2001 From: Andrew Watson Date: Tue, 8 Apr 2014 23:56:26 -0400 Subject: [PATCH 1/3] new guide for setting up bind and Consul to play nice --- .../docs/guides/forwarding.html.markdown | 61 +++++++++++++++++++ .../source/docs/guides/index.html.markdown | 2 + 2 files changed, 63 insertions(+) create mode 100644 website/source/docs/guides/forwarding.html.markdown diff --git a/website/source/docs/guides/forwarding.html.markdown b/website/source/docs/guides/forwarding.html.markdown new file mode 100644 index 000000000..a0c3c343a --- /dev/null +++ b/website/source/docs/guides/forwarding.html.markdown 
@@ -0,0 +1,61 @@
+---
+layout: "docs"
+page_title: "Forwarding"
+sidebar_current: "docs-guides-forwarding"
+---
+
+# Forwarding DNS queries from Bind To Consul
+
+In order to not have to run Consul as root and bind to port 53 it's best if
+it's paired with Bind.
+
+In this example, Bind and Consul are running on the same machine
+
+### DNSSEC
+
+First, you have to disable DNSSEC so that Consul and Bind can communicate
+
+ options {
+ listen-on port 53 { 127.0.0.1; };
+ listen-on-v6 port 53 { ::1; };
+ directory "/var/named";
+ dump-file "/var/named/data/cache_dump.db";
+ statistics-file "/var/named/data/named_stats.txt";
+ memstatistics-file "/var/named/data/named_mem_stats.txt";
+ allow-query { localhost; };
+ recursion yes;
+
+ dnssec-enable no;
+ dnssec-validation no;
+
+ /* Path to ISC DLV key */
+ bindkeys-file "/etc/named.iscdlv.key";
+
+ managed-keys-directory "/var/named/dynamic";
+ };
+
+ include "/etc/named/consul.conf";
+
+Then we set up a zone for our Consul managed records in consul.conf:
+
+ zone "consul" IN {
+ type forward;
+ forward only;
+ forwarders { 127.0.0.1 port 8600; };
+ };
+
+We can extend this even further to make separate zones for different data centers / Consul clusters.
+
+ zone "n-california.consul" IN {
+ type forward;
+ forward only;
+ forwarders { 172.16.0.15 port 8600; 172.16.0.16 port 8600; };
+ }
+
+ zone "oregon.consul" IN {
+ type forward;
+ forward only;
+ forwarders { 172.24.0.1 port 8600; 172.24.0.1 port 8600; };
+ }
+
+
diff --git a/website/source/docs/guides/index.html.markdown b/website/source/docs/guides/index.html.markdown
index 7bd1de6f5..11241ec05 100644
--- a/website/source/docs/guides/index.html.markdown
+++ b/website/source/docs/guides/index.html.markdown
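Review bot: `dnssec-validation no;` (together with `dnssec-enable no;`) in the `options` block switches off DNSSEC validation for every name this resolver answers, not only `.consul`, and because the same block sets `recursion yes;` that is the host's general-purpose resolver giving up validation to accommodate one unsigned forward zone. On BIND releases that support it, the scoped alternative is to keep `dnssec-validation auto;` and exempt just the Consul tree with `validate-except { "consul"; };`; where that option is not available the guide should at least state that the setting is global and suggest running a dedicated BIND instance for Consul forwarding. `dnssec-enable no;` looks unnecessary for forwarding to work, since as far as I recall it governs whether BIND serves DNSSEC records rather than whether it validates — worth confirming before recommending it. If BIND and Consul are later split onto separate hosts, note that `listen-on`/`allow-query` here are localhost-only and the `forwarders` entry becomes unauthenticated DNS to port 8600, so reachability of both should be limited with ACLs or a firewall. Separately, the `oregon.consul` example lists `172.24.0.1 port 8600` twice and both per-datacenter zone statements close with `}` rather than `};`, although patch 2/3 drops those examples again.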
@@ -22,3 +22,5 @@ The following guides are available: * [External Services](/docs/guides/external.html) - This guide covers registering an external service. This allows using 3rd party services within the Consul framework. + * [Forwarding](/docs/guides/forwarding.html) DNS queries from Bind to Consul + From ef0330a9508673b66c2d10d02c28260f77ae755d Mon Sep 17 00:00:00 2001 From: Andrew Watson Date: Wed, 9 Apr 2014 14:08:32 -0400 Subject: [PATCH 2/3] updated docs to remove multiple zones and provide examples of testing --- .../docs/guides/forwarding.html.markdown | 75 ++++++++++++++++--- 1 file changed, 64 insertions(+), 11 deletions(-) diff --git a/website/source/docs/guides/forwarding.html.markdown b/website/source/docs/guides/forwarding.html.markdown index a0c3c343a..1da653af4 100644 --- a/website/source/docs/guides/forwarding.html.markdown +++ b/website/source/docs/guides/forwarding.html.markdown @@ -36,6 +36,8 @@ First, you have to disable DNSSEC so that Consul and Bind can communicate include "/etc/named/consul.conf"; +### Zone File + Then we set up a zone for our Consul managed records in consul.conf: zone "consul" IN { 
@@ -44,18 +46,69 @@ Then we set up a zone for our Consul managed records in consul.conf: forwarders { 127.0.0.1 port 8600; }; }; -We can extend this even further to make separate zones for different data centers / Consul clusters. +## Complete the Setup - zone "n-california.consul" IN { - type forward; - forward only; - forwarders { 172.16.0.15 port 8600; 172.16.0.16 port 8600; }; - } +Once those files are changed, restarted named (on RHEL this is just 'system named restart') and you should be done. - zone "oregon.consul" IN { - type forward; - forward only; - forwarders { 172.24.0.1 port 8600; 172.24.0.1 port 8600; }; - } +### Testing +First, perform a DNS query against Consul directly to be sure that the record exists: + + [root@localhost ~]# dig @localhost -p 8600 master.redis.service.dc-1.consul. A + + ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.32.amzn1 <<>> @localhost master.redis.service.dc-1.consul. A + ; (1 server found) + ;; global options: +cmd + ;; Got answer: + ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11536 + ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 + + ;; QUESTION SECTION: + ;master.redis.service.dc-1.consul. IN A + + ;; ANSWER SECTION: + master.redis.service.dc-1.consul. 0 IN A 172.31.3.234 + + ;; Query time: 4 msec + ;; SERVER: 127.0.0.1#53(127.0.0.1) + ;; WHEN: Wed Apr 9 17:36:12 2014 + ;; MSG SIZE rcvd: 76 + +Then run the same query against your Bind instance and make sure you get a result: + + [root@localhost ~]# dig @localhost -p 53 master.redis.service.dc-1.consul. A + + ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.32.amzn1 <<>> @localhost master.redis.service.dc-1.consul. A + ; (1 server found) + ;; global options: +cmd + ;; Got answer: + ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11536 + ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 + + ;; QUESTION SECTION: + ;master.redis.service.dc-1.consul. IN A + + ;; ANSWER SECTION: + master.redis.service.dc-1.consul. 
0 IN A 172.31.3.234 + + ;; Query time: 4 msec + ;; SERVER: 127.0.0.1#53(127.0.0.1) + ;; WHEN: Wed Apr 9 17:36:12 2014 + ;; MSG SIZE rcvd: 76 + +### Troubleshooting + +If you don't get an answer from Bind but you do get an answer from Consul then your best bet is to turn on the query log +to see what's going on + + [root@localhost ~]# rndc querylog + [root@localhost ~]# tail -f /var/log/messages + +In there if you see errors like this: + + error (no valid RRSIG) resolving + error (no valid DS) resolving + +Then DNSSEC is not disabled properly. If you see errors about network connections then verify that there are no firewall or +routing problems between the servers running Bind and Consul From 19d83c5a32a0c9e1911df68e6a5c0323d8a6d35a Mon Sep 17 00:00:00 2001 From: Andrew Watson Date: Wed, 9 Apr 2014 14:12:25 -0400 Subject: [PATCH 3/3] small verbiage update --- website/source/docs/guides/forwarding.html.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/docs/guides/forwarding.html.markdown b/website/source/docs/guides/forwarding.html.markdown index 1da653af4..1f9b637a2 100644 --- a/website/source/docs/guides/forwarding.html.markdown +++ b/website/source/docs/guides/forwarding.html.markdown @@ -9,7 +9,7 @@ sidebar_current: "docs-guides-forwarding" In order to not have to run Consul as root and bind to port 53 it's best if it's paired with Bind. -In this example, Bind and Consul are running on the same machine +In this example, Bind and Consul are running on the same machine for simplicity but you should be able to separate them. ### DNSSEC
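Review bot: The first transcript under `### Testing` does not actually show a query to Consul: its banner line omits `-p 8600`, its server line reads `;; SERVER: 127.0.0.1#53(127.0.0.1)` and it carries the same `id: 11536` as the BIND transcript below it, so it appears to be the port-53 output pasted twice. Re-capture it against port 8600 so the banner reads `; <<>> DiG ... <<>> @localhost -p 8600 master.redis.service.dc-1.consul. A` and the server line `;; SERVER: 127.0.0.1#8600(127.0.0.1)`; otherwise a reader cannot tell the two steps apart when one of them fails. Under `## Complete the Setup`, `system named restart` should read `service named restart`, and "restarted named" should be "restart named". In `### Troubleshooting`, the `no valid RRSIG` / `no valid DS` errors mean BIND is still validating the forwarded answers; pointing readers at scoping the exemption to the `consul` zone instead of only saying DNSSEC "is not disabled properly" would steer them away from disabling validation globally.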