stoopid question - split dns

Kevin Darcy kcd at daimlerchrysler.com
Mon Jul 31 20:17:44 UTC 2000


Kelly Scroggins wrote:

> Quoting Kevin Darcy <kcd at daimlerchrysler.com>:
>
>    Kelly Scroggins wrote:
>
>    > I'm sorry for the basic question but I'm a little confused.
>    >
>    > system : Red Hat 6.1
>    > bind   : bind 8.2 ....
>    >
>    > I have the 'outside' name server (with the limited database) set up as a
>    > slave and it is not allowed to transfer data from the master.  Because I
>    > don't want the entire world to see the internal network information.
>    > According to the logs (/var/log/messages), all zone files are loading
>    > without errors.
>    >
>    > When setting up a split dns ... does the name server on the 'outside'
>    > (that's the one with the limited database) have to be the master?  Can
>    > it be the slave?
>    >
>    > If it's the slave, then the zone info would expire?  And if it expires,
>    > are the db files deleted from the system?
>    >
>    > What have I mis-understood?
>
>    The db files aren't deleted, but the server will stop answering
>    authoritatively when the zone expires. This can conceivably cause problems
>    with other nameservers.
>
>    What do you hope to achieve by defining it as a slave instead of a master?
>    A master file is where you maintain original zone data. That's what you're
>    doing here, presumably, so why not just say what you mean?
>
> I did say what I meant.  ?
>
> How can I explain this to you?
>
> I do not want all of my internal information to be
> seen by the entire world (Internet).

Okay. So the internal DNS is off-limits to external clients.

> I only want certain devices to be seen by the
> entire world (Internet).

Okay. So the external DNS only contains a subset of the internal DNS, i.e. is a
so-called "shadow" namespace.

> As I understand it, this is called split dns.

Right. Two different versions of DNS -- an internal and an external. Each
version has a master and some number of slaves.

> And I have concluded that the master server can
> not be the server with the database that does not
> have the full zone information in it.  i.e., the
> server that's seen by the entire world (Internet).

This is where you go astray. There isn't just "the master". Each DNS -- internal
and external -- has a *separate* master.

> I am asking this list if my understanding is
> correct.  I am asking for guidance.  I am new to
> this whole thing so please be patient with me.
>
> I have three servers.  One is the master and the
> other two are the slaves.

You need 2 master *instances*. These could run on the same multi-homed machine,
if you want. For redundancy, you should also have at least 1 slave *instance*
for each DNS. These too could run as separate instances on a multi-homed
machine. Or, you could dedicate machines to any of these functions. So you're
looking at 4 instances at a minimum, running on anywhere from 2 to 4 machines.

> One of the slaves is transferring zone info with
> our ISP.  So that (slave) server CANNOT have a full copy
> of my zone info in its database because I DO NOT
> want all of my internal zone information to be
> seen by the entire world (Internet).

Oh, you mean your ISP is a slave for the external version of your domain? Is
that included in the "three servers" you enumerate above, or is it separate?
Regardless, you still need 2 masters -- an internal and an external.


- Kevin
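The two-master layout Kevin describes above, written out as a pair of BIND 8 named.conf files for one multi-homed machine. This is an added example, not a configuration from the thread or from the poster's setup; every address and name in it is assumed: 192.0.2.1 as the Internet-facing interface, 10.0.0.1 as the internal interface, 192.0.2.53 as the ISP's slave, 10.0.0.2 as an internal slave, and the hypothetical zone example.com.

```conf
// ---------------------------------------------------------------------
// /etc/named-external.conf : the EXTERNAL master instance
// Added example, not from the original post. All addresses are assumed.
// Started as its own process:  named -c /etc/named-external.conf
// ---------------------------------------------------------------------
acl isp-slaves { 192.0.2.53; };            // assumed address of the ISP's slave

options {
    directory "/var/named/external";
    pid-file  "/var/run/named-external.pid"; // distinct pid file so both instances can coexist
    listen-on { 192.0.2.1; };                // bind only the outside interface
    recursion no;                            // public authoritative server: no recursion for the world
    allow-transfer { isp-slaves; };          // only the ISP may AXFR the shadow zone
};

zone "example.com" {
    type master;                             // original data for the *external* version lives here
    file "db.example.com.external";          // lists only the hosts the Internet may see
};

// ---------------------------------------------------------------------
// /etc/named-internal.conf : the INTERNAL master instance
// Started as its own process:  named -c /etc/named-internal.conf
// ---------------------------------------------------------------------
acl internal-nets { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named/internal";
    pid-file  "/var/run/named-internal.pid";
    listen-on { 10.0.0.1; 127.0.0.1; };      // never bound to the outside interface
    allow-query { internal-nets; };          // the full zone is only answered for inside clients
    allow-transfer { 10.0.0.2; };            // assumed internal slave; nobody else may AXFR
};

zone "example.com" {
    type master;                             // original data for the *internal* version lives here
    file "db.example.com.internal";          // the full zone with every internal host
};
```

Both instances are masters for "example.com", each over its own zone file, which is the point Kevin makes: the external server is not a slave of the internal one, so it never needs to transfer the full zone and never expires. A quick check from outside is `dig @192.0.2.1 example.com axfr`, which should be refused, while `dig @192.0.2.1 www.example.com` should still answer; from inside, the same queries against 10.0.0.1 should return the full data. If the outside server were instead left as a slave that cannot reach its master, it would keep answering only until the SOA expire interval runs out and then, as the reply above notes, stop answering authoritatively.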



