OT: Separate sub zone or two copies of the same zone

Kevin Darcy kcd at daimlerchrysler.com
Fri Aug 18 02:33:17 UTC 2000


Stanley Liu wrote:

> Kevin Darcy wrote:
>
> > Stanley Liu wrote:
> >
> > > Just want some opinions from the group: let's say mydomain.com is a
> > > domain we own.  Internet DNS (say ns1) has only minimal information on
> > > it - basically just MX records.  This domain is also used internally in
> > > our Intranet and we have our own separate Intranet DNS (say ns2).  Some
> > > of our Business Partners also have access to our Intranet and they are
> > > configured as slave to ns2 for our zone over private network.
> > > Everything works fine until we want to put some servers on the Internet
> > > under the domain name partner.mydomain.com.  All hosts on this sub
> > > domain will be accessible/resolvable to Internet and Intranet.  There
> > > are two options we are considering:
> > >
> > > 1.  Separate sub zone - Create a sub zone partner.mydomain.com and host
> > > it on ns1.  Let ns2 be slave to ns1 for this zone.  The upside is that
> > > we have one copy of zone partner.mydomain.com to maintain.  The down
> > > side is that all current business partners slave to ns2 for mydomain.com
> > > will need to add another slave zone of partner.mydomain.com.
> > >
> > > 2.  Two copies of the same zone - Maintain two different copies
> > > (mydomain.com or partner.mydomain.com) on ns1 and ns2.  The upside is
> > > that there will be no roll-out issue.  The down side is obviously to
> > > have to maintain two copies of the same zone.
> > >
> > > Which option is better?  Is there a third option?  Any comments would
> > > be appreciated.
> >
> > Bear in mind that with option #1, only the business partners who are unable
> > to resolve Internet names would need to add a new slave definition. If a
> > business partner can resolve Internet names, then it should be able to
> > resolve the partner.mydomain.com names without any special help.
>
> For those business partners who are slaving ns2 (our Intranet DNS) for
> mydomain.com and want to resolve www.partner.mydomain.com, because their DNS
> is authoritative over mydomain.com (slave to zone), my understanding is that
> they will stop at their DNS and will not go to Internet to resolve it.  So they
> will have to explicitly slave to the subzone of partner.mydomain.com.

No. partner.mydomain.com is a separate zone from mydomain.com; their servers won't
consider themselves authoritative for it. So, depending on how they are
configured, they will either iterate or forward to resolve names in the zone, just
like any other names in non-authoritative zones. From their servers' point of
view, those names are no different than amazon.com names or yahoo.com names.

> > Another variation on option #1 is to have the business partners convert
> > their slave definition to a per-domain forwarding definition, e.g. "type
> > forward" zone in BIND -- assuming their nameserver software supports such a
> > thing -- which would take care of mydomain.com _and_ partner.mydomain.com
> > and any other subdomains you may wish to add in the future. The downsides
> > would be a) that they wouldn't have the same redundancy that they would as
> > slaves, and b) depending on a variety of factors, forwarding could use more
> > resources than slaving (it could just as easily go the other way though!).
>
> Certainly "type forward" zone looks like a third option for me.  However, apart
> from the downsides that you've highlighted, two configurations will exist among
> the Business Partners - some are "forwarders" and some are "slaves".

Only if some of the business partners' software doesn't support per-domain
forwarding.


- Kevin
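
The zone-selection behaviour discussed in this thread, as an added example that is not part of the original messages and is not BIND code: a simplified Python model of what a partner's server does with a query for www.partner.mydomain.com under each configuration. The host name intranet.mydomain.com, the forwarder address 192.0.2.53 and all function names are constructed; the model assumes the slaved copy of mydomain.com may or may not carry NS records delegating partner.mydomain.com.

```python
# Simplified model of a partner name server's decision for one query.
# Assumption: this is an illustration, not BIND's actual lookup code.

def labels(name):
    return name.rstrip(".").lower().split(".")

def at_or_below(name, zone):
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z

def closest_zone(qname, zones):
    """Most specific configured zone enclosing qname, or None."""
    hits = [z for z in zones if at_or_below(qname, z)]
    return max(hits, key=lambda z: len(labels(z)), default=None)

def decide(qname, zones):
    zone = closest_zone(qname, zones)
    if zone is None:
        return "resolve via Internet (iterate or forward)"
    cfg = zones[zone]
    if cfg["type"] == "forward":
        return "forward to " + cfg["forwarders"][0]
    # Slave copy: NS records at a child name mark a zone cut, and names
    # at or below the cut belong to the child zone, not to this copy.
    for cut in cfg.get("delegations", ()):
        if at_or_below(qname, cut):
            return "follow delegation for " + cut
    if ".".join(labels(qname)) in cfg["names"]:
        return "answer from local copy"
    return "NXDOMAIN from local copy"

# Constructed sample configurations (host name and address are made up).
INTERNAL = {"intranet.mydomain.com"}
SLAVE_WITH_CUT = {"mydomain.com": {"type": "slave", "names": INTERNAL,
                                   "delegations": ["partner.mydomain.com"]}}
SLAVE_NO_CUT = {"mydomain.com": {"type": "slave", "names": INTERNAL}}
FORWARD_ZONE = {"mydomain.com": {"type": "forward",
                                 "forwarders": ["192.0.2.53"]}}

if __name__ == "__main__":
    for label, zones in [("slave, delegation present", SLAVE_WITH_CUT),
                         ("slave, no delegation", SLAVE_NO_CUT),
                         ("type forward", FORWARD_ZONE)]:
        print(label, "->", decide("www.partner.mydomain.com", zones))
```

The second case is the one to check before rollout: a slaved copy of mydomain.com with no NS records for partner.mydomain.com answers NXDOMAIN from its own data and never looks further.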





More information about the bind-users mailing list