DNS External/Internal Shadow Domains?
Joseph S D Yao
jsdy at cospo.osis.gov
Sat Nov 13 00:18:00 UTC 1999
On Fri, Nov 12, 1999 at 01:56:38PM -0700, Cricket Liu wrote:
> > Kevin was talking about EXTERNAL zones, though, so it is perfectly
> > appropriate for the firewall to use the Internet roots!
> What are you talking about? Kevin was talking about an internal DNS
> architecture based on internal root name servers that allowed you to
> resolve both internal and Internet domain names.
> Also, the model you describe, using zones of type forward, doesn't give you
> iterative name resolution of internal domain names, which is part of what
> Kevin was trying to achieve.
As I understood it, Kevin wanted internal roots, but to forward to the
firewalls to resolve all non-internal domains. My understanding of your
objection to forwarding to firewalls was that they would use external
roots. I may be wrong.

Why doesn't it give iterative resolution of internal domain names?
Perhaps I assumed a different common base from you. My assumption was a
"hints" zone that contained internal roots, the option to forward only
to the firewall, which was turned OFF for internal zones. I know that
you have mentioned that different versions of 8.2 have handled this
differently ... but with this model, ISTM that the resolution of
internal zones would be handled by a miniature version of the same
process that happens on the Internet. All other zones would be
forwarded to the next-up name server or handled without forwarding.

I have not tried this with an internal "." root, but with an internal
"master" name server that forwarded all unresolved queries to the
firewall. To make sure it worked, though, I had two ways of doing
everything, which made this more work but less sensitive to changes
Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
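As an added illustration of the model Joe describes above (this is not from the original thread), here is a named.conf fragment in BIND 9 syntax, since the post itself notes that 8.2 releases handled this differently: a hints zone pointing at internal roots, everything else forwarded to the firewall, and forwarding switched off for the internal domain so it is resolved iteratively from those internal roots. Zone names, file names and addresses are constructed.

```conf
options {
    directory "/var/named";
    recursion yes;
    // Anything not resolvable from local data or the internal roots is
    // sent to the firewall resolvers (addresses constructed).
    forward only;
    forwarders { 192.0.2.1; 192.0.2.2; };
};

// "Hints" zone that names the INTERNAL root servers, not the Internet roots.
// Constructed contents of internal.root.hints:
//   .                          3600000 IN NS a.root.internal.
//   a.root.internal.           3600000 IN A  10.0.0.53
zone "." {
    type hint;
    file "internal.root.hints";
};

// Internal namespace: an empty forwarders list turns forwarding OFF for
// this domain only, so names under corp.internal are resolved iteratively,
// starting from the internal roots above, and never reach the firewall.
zone "corp.internal" {
    type forward;
    forwarders { };
};

// The reverse space for internal addresses gets the same treatment, so
// PTR lookups for RFC 1918 ranges stay inside the perimeter as well.
zone "10.in-addr.arpa" {
    type forward;
    forwarders { };
};
```

A simple check is to query this server for one internal and one Internet name and confirm in the query logs that only the latter is sent to the firewall forwarders.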