Proposed [sub 2] new operational mode for primary master

Joseph S D Yao jsdy at cospo.osis.gov
Wed Nov 1 16:09:16 UTC 2000


On Wed, Nov 01, 2000 at 07:40:14AM +0000, wallewek at kmsi.net wrote:
...
> It's an extremely simple change: for private networks only, forward _all_
> unresolved requests to the Internet proper, not just requests regarding
> hosts outside the local domain.  I.e., do not treat the local domain any
> differently from any other.  I haven't looked at the source code for the
> Linux DNS server (yet), but I'd be surprised if it involves more than a
> line or two of code.  Admittedly, a trickier question would be how to
> express that option in a zone file without causing compatibility issues.

This would work for small homogeneous private networks under some
circumstances (see below).  ISTM that for larger ones, this would be a
disaster.  Specifically, I not only have my primary domain and its
subdomains inside the private network, but I also have entities inside
my private network that insist on having their own domain names, in
many cases even under different TLDs.  Each internal domain forwards,
not to the Internet, but to an internal "broker".  What each domain
wants visible internally, they define internally.  What each domain
wants visible externally, they define externally.  Same for the primary
domain.  It's parent to a lot of the internal domains, and contains so
few names that it isn't necessary to worry too hard about duplication.
(Actually, I think there is no duplication - what names are the same
inside and out have different addresses.)

I have another problem, that would affect both homogeneously and
heterogeneously domained networks.  This is the "scan for a name"
effect.  If I find an internal name server that is authoritative for a
domain, even if I get an NXDOMAIN, I don't want it to then go scan for
ANOTHER domain name server to get ITS opinion, even if it does happen
to be out on the public Internet instead of on my private internet.
That would add yet another delay while it goes out and searches for a
name server that will give it some kind of response "out there".

And what if all the servers in a given domain do this?  Does it go
scanning for another name server forever?  I don't see where this would
have a real end.  Granted, if a server knows that it is on the public
Internet, by your proposal, it wouldn't do this.  But that is yet
another problem - how does it determine this reliably?

OTOH, this kind of feature is requested enough that it might be worth
considering some kind of OPTION to allow this.  Perhaps an option to
make a zone "mildly authoritative"?  ;-}  It would need some work to
avoid the above problems.  I prefer auth-or-not, myself.

Perhaps better - an option to have the master server for the internal
name server do a zone transfer from one of the external peer servers,
save it in an optional file (like a slave server), discard all names
that have conflicts, and make the rest part of the internal zone.  I
don't like that, because I would still like to have the option to have
some names undefined on the inside.  Maybe have a filter to either
allow "only this" or "all but this"?  It's much more complex to do, BUT
it allows authoritative servers to retain their authority and dignity.
It would also require that changes to the external server somehow
notify the internal server ... no, since it's not a slave, that
wouldn't work.  It would have to be a manual reload, I think.
Especially since, for some systems, DNS will NOT go in through the
firewall.

How's that?

Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
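The filtered merge sketched in the last paragraph of the message above (pull the external zone, discard names that conflict with internal ones, keep the rest subject to an "only this" or "all but this" filter), written out as an added Python model. This is example code, not part of Joe Yao's message and not BIND's own implementation; the record layout, the `ImportPolicy` modes and all zone data are constructed for illustration.

```python
"""
Added example (not from the original post or from BIND): a model of merging
an externally visible zone into the internal zone while the internal server
keeps its authority. Rules modelled from the message:
  * a name defined internally always wins; the external copy is discarded,
  * a filter decides which remaining external names may be imported,
    either "only these" (allow-list) or "all but these" (deny-list),
  * the result is a static snapshot; nothing here tracks later external
    changes (the message notes that would need a manual reload).
All zone data below is constructed; 192.0.2.0/24 is a documentation prefix.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# A record is (owner name relative to the zone apex, RR type, rdata).
Record = Tuple[str, str, str]


@dataclass
class ImportPolicy:
    mode: str        # "only" = import only the listed names; "all_but" = import all except them
    names: Set[str]  # the names the filter refers to

    def permits(self, name: str) -> bool:
        if self.mode == "only":
            return name in self.names
        if self.mode == "all_but":
            return name not in self.names
        raise ValueError(f"unknown filter mode {self.mode!r}")


def merge_zones(internal: List[Record], external: List[Record],
                policy: ImportPolicy):
    """Return (merged records, names discarded as conflicts, names dropped by the filter)."""
    internal_names = {owner for owner, _, _ in internal}
    merged: List[Record] = list(internal)   # internal data is never altered
    conflicts: Set[str] = set()
    filtered: Set[str] = set()
    for owner, rtype, rdata in external:
        if owner in internal_names:
            conflicts.add(owner)            # internal definition wins outright
            continue
        if not policy.permits(owner):
            filtered.add(owner)             # deliberately left undefined inside
            continue
        merged.append((owner, rtype, rdata))
    return merged, conflicts, filtered


def lookup(records: List[Record], owner: str, rtype: str) -> List[str]:
    """Answer from the merged zone only; an empty list means the internal
    server answers NXDOMAIN itself rather than going to look elsewhere."""
    return sorted(rdata for o, t, rdata in records if o == owner and t == rtype)


# Constructed sample zones: what the private side defines, and what the
# public side publishes for the same domain name.
INTERNAL: List[Record] = [
    ("www", "A", "10.0.0.10"),
    ("mail", "A", "10.0.0.25"),
    ("intranet", "A", "10.0.0.30"),
]
EXTERNAL: List[Record] = [
    ("www", "A", "192.0.2.10"),   # conflicts with the internal www
    ("mail", "A", "192.0.2.25"),  # conflicts with the internal mail
    ("ftp", "A", "192.0.2.21"),
    ("vpn", "A", "192.0.2.40"),
    ("ns1", "A", "192.0.2.53"),
]


def merge_all_but_vpn():
    """Import every non-conflicting external name except 'vpn'."""
    return merge_zones(INTERNAL, EXTERNAL, ImportPolicy("all_but", {"vpn"}))


def merge_only_ftp():
    """Import nothing from outside except 'ftp'."""
    return merge_zones(INTERNAL, EXTERNAL, ImportPolicy("only", {"ftp"}))


if __name__ == "__main__":
    for label, fn in (("all but vpn", merge_all_but_vpn), ("only ftp", merge_only_ftp)):
        merged, conflicts, filtered = fn()
        print(f"[{label}] conflicts={sorted(conflicts)} filtered={sorted(filtered)}")
        for name in ("www", "ftp", "vpn", "ns1"):
            print(f"  {name:8s} A -> {lookup(merged, name, 'A') or 'NXDOMAIN'}")
```

The point the model makes visible is the one the message cares about: a name the internal administrator left out (`vpn` under the deny-list, `ns1` under the allow-list) stays NXDOMAIN on the inside, because the internal server remains authoritative for the whole zone and never has to "scan" for another server's opinion.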



More information about the bind-users mailing list