Restricting info in zone transfers

Kevin Darcy kcd at daimlerchrysler.com
Thu Jul 6 21:31:02 UTC 2000


Kelly Scroggins wrote:

> I have searched the archives but I haven't found a suitable answer to my
> question.  Hopefully someone on this list can tell if my goal is
> possible or not.
>
> I want to make my name server authoritative for my zone, but use my ISP's
> name server as the Internet presence for our domain.  My ISP told me
> they would config their server to be a slave to mine.
>
> I know I can restrict what servers can transfer zone info with my
> servers, but I don't want my ISP's server to have all of my RRs for the
> world to see.
>
> Is it possible to allow the zone transfers and restrict what RRs are
> transferred?

No, BIND has no such feature. The normal solution is to set up a
"split" DNS, where you have external and internal versions of your zone(s).
Your ISP would just slave the external version(s). Unfortunately, this
approach requires maintaining the external names in two places.

> Also,  I have my name servers running in (test mode) on my production
> network right now.  Zone transfers are working between them just fine.
> My ISP's name servers are still authoritative for my domain.
>
> But I can ping and telnet to devices on my internal network(s), surf the
> web and all that stuff through my internal name servers.  But I CAN NOT
> reach our domain's web site, which is on a server OUTSIDE of our network
> (somewhere).
>
> It's probably really simple but I don't understand why I can surf/ping
> all other domains in the world but not my own.  Can someone shed some
> light on this for me too?

You say you are doing zone transfers *between* your internal nameservers.
This implies that you have set up one of them as a master for your domain.
Does that master file contain an entry for your external web site? With a
normal split DNS, the internal version of the zone needs to be a *superset*
of the external version, if the clients are to have a complete view of that
namespace.


- Kevin
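The split DNS Kevin describes, as an added example that is not part of the original thread: a BIND 9 named.conf using views, a feature that post-dates this 2000 exchange (BIND 8 had no views, hence the "two places" caveat). The ACL addresses, zone names, server names and file paths are constructed placeholders.

```conf
// Added example: split ("internal"/"external") DNS with BIND 9 views.
// All addresses, names and paths below are constructed placeholders.

acl "internal-nets" { 10.0.0.0/8; 127.0.0.1; };
acl "isp-secondary" { 192.0.2.53; };      // the ISP's slave server

options {
    directory "/var/named";
};

// Internal view: seen only by clients on our own networks. Its zone file
// is a SUPERSET of the external one, so inside users still resolve the
// public names (www, mail) as well as the internal-only hosts.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
        allow-transfer { none; };          // internal RRs never leave this box
    };
};

// External view: what the rest of the Internet (including the ISP) sees.
// Views match in order and the ISP's address is not in internal-nets, so
// its AXFR lands here and only this view's zone file is ever transferred.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "external/example.com.zone";
        allow-transfer { isp-secondary; };
        also-notify { 192.0.2.53; };
    };
};

// external/example.com.zone (public names only):
//   @      IN NS  ns1.example.com.
//   @      IN NS  ns1.isp.example.net.   ; the ISP's slave
//   www    IN A   203.0.113.10           ; web site hosted OUTSIDE our network
//   mail   IN A   203.0.113.20
//
// internal/example.com.zone = everything above PLUS the internal hosts,
// which is why the externally hosted www record must be present here too:
//   fileserver IN A 10.1.2.3
//   printer    IN A 10.1.2.4
```

Once views are in use, every zone (including the root hints) must live inside a view; BIND rejects a configuration that mixes top-level zones with views.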
