forwarders overriding zone delegation.

Bob Vance bobvance at alumni.caltech.edu
Fri Sep 22 23:28:30 UTC 2000


Thanks, Joe,
but I don't understand your reply.
If *I* delegate a sub-domain, then *I* *know* who the NS are.
Why should I have to resort to an internal forward zone, *or* a stub
zone?


>I can pull in all the delegations I want through my firewall,

I was referring to "internal" delegations.


>I still won't be able to access them unless I default to forwarding
>through my firewall.

So, in that case, you wouldn't be able to use my "new" option,
just as you might not be able to use any of a number of the other
options in a particular environment.  But, I would guess that there are
far more internal delegations than "external".

Are you saying that the problem is that once the data is loaded, he
can't distinguish between NS records for domains he delegated and
those he learned somewhere else?
If so, then I guess we would just need another bit to flag this domain
as one of our delegations.  After all, somehow he now flags a zone
as a forward zone.

I still don't see the technical reason for this.

-------------------------------------------------
Tks        | <mailto:Bob_Vance at sbm.com>
BV         | <mailto:bobvance at alumni.caltech.edu>
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511
=================================================





-----Original Message-----
From: Joseph S D Yao [mailto:jsdy at cospo.osis.gov]
Sent: Friday, September 22, 2000 5:57 PM
To: Bob Vance
Cc: bind-users at isc.org
Subject: Re: forwarders overriding zone delegation.


On Fri, Sep 22, 2000 at 05:43:08PM -0400, Bob Vance wrote:
> What's the logic behind this?
>
> If we delegate a sub-domain, then we have the NS records for that
> sub-domain, right?
> So why should a global "forwarders" statement in our config override
> that knowledge.  It seems silly to me to pass a query on to some other
> server when we have the necessary info at hand.
>
> I know that we can override the override :) by creating a zone
> of type "forward" for each delegation, but that could be a lot of work
> if there are several delegations.
> Why isn't there just a single option that says,
> "delegations override global forwarding" ?

I can pull in all the delegations I want through my firewall, or even
declare some as being outside my firewall, but I still won't be able to
access them unless I default to forwarding through my firewall.

I _do_ have a lot of internal forwards in my configuration.  I could
also replace them all with stub-type zones that just turn forwarding
off, in the case of delegations (not all are delegations of the master
zone; some even have different TLDs).  But (a) I got the forwarding
working as the universal solution before I understood "stub" zones [I
was coming from V4], and (b) it would be two different solutions for
two groups of internal nodes, and those who come after me might not
understand the difference.  Yes, even if I document it well.

Once set up, it is not that hard to maintain.

--
Joe Yao				jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support					EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
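
The per-delegation override discussed in this thread can be generated rather than typed by hand. The following is an added example, not code from either poster or from BIND: it scans a zone file for NS records below the apex and emits one `type forward` zone with an empty `forwarders` list per delegation, which BIND documents as cancelling the global `forwarders` for that domain. The zone name `example.com`, the sample records and the function names are assumptions; multi-line (parenthesised) records are not handled.

```python
# Added example: build named.conf "forward" stanzas from a zone's delegations.
# SAMPLE_ZONE is constructed data; example.com and its hosts are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@        IN SOA ns1 hostmaster 2000092201 3600 900 604800 3600
@        IN NS  ns1
ns1      IN A   192.0.2.1
eng      IN NS  ns1.eng          ; internal delegation
         IN NS  ns2.eng.example.com.
ns1.eng  IN A   192.0.2.10       ; glue
sales    86400 IN NS ns.sales
www      IN A   192.0.2.80
"""

def fqdn(name, origin):
    """Expand a zone-file name to a lower-case absolute name, no trailing dot."""
    if name == "@":
        name = origin
    elif not name.endswith("."):
        name = name + "." + origin
    return name.rstrip(".").lower()

def find_delegations(zone_text, apex):
    """Return sorted owners of NS records that sit below the zone apex."""
    apex = apex.rstrip(".").lower()
    origin, owner, children = apex + ".", None, set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]          # drop comments
        fields = line.split()
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):        # $TTL, $INCLUDE: ignored here
            continue
        if not line[0].isspace():            # leading blank = same owner as before
            owner = fqdn(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                    # skip optional TTL and class
        if fields and fields[0].upper() == "NS" and owner not in (None, apex):
            children.add(owner)
    return sorted(children)

def forward_stanzas(children):
    """One forward zone per child; the empty forwarders list disables forwarding."""
    tmpl = 'zone "%s" {\n    type forward;\n    forwarders { };\n};\n'
    return "".join(tmpl % child for child in children)

if __name__ == "__main__":
    print(forward_stanzas(find_delegations(SAMPLE_ZONE, "example.com")), end="")
```
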