using slave NS in glue records

Gregory Hicks ghicks at cadence.com
Wed Dec 11 23:05:14 UTC 2002 

> Date: Tue, 10 Dec 2002 10:22:36 -0500
> From: Kevin Darcy <kcd at daimlerchrysler.com>
> 
> Perhaps it would help if you explained what you're trying to accomplish. It
> looks like you're trying to use zone NS records and/or the contents of the
> hints file as a general-purpose forwarding or "override
> forwarding" mechanism. That's doomed to failure. The hints file should only
> contain information about the root zone, and an authoritative server for a
> zone will never "forward" queries anywhere else, regardless of what the
> zone NS records say.
> 
> 
> - Kevin

1.  What am I trying to accomplish?

I am trying to have a 'mini-root' server in our DMZ that can/will get
request forwarded to it that will 'tie' our various internal subdomains
together.

We currently have one internal master:  iss; with three 'published'
slave servers: cds2, cds238, and granola.

We have another 'global' Win2K domain that in running the MS active
directory services (aka global.cadence.com).

We have a 'stealth' master in our DMZ that has only NS records that is
currently pointed to by the Win2K services only.

I would like the machine iss to have authoritative info on all internal
hosts with gossip only having info on the nameservers...

I am trying to find a way to have gossip have only pointers to the
various subdomains such that it will forward queries correctly to th
various subdomains.  My machine metis is set up as I would like to have
gossip set up, but it does not resolve ANYTHING other than the
nameservers for cadence.com and hosts outside of cadence.com...

2.  The 'hacked' db.cache (hints db...)

The idea was to force all requests for DNS info to go to our external
name server and have it resolve anything other than .cadence.com.
Thus, all internal slaves would point to ns.cadence.com instead of
pointing to the root servers...  Unfortunately, as pointed out already,
this does not work since BIND figures out, on its own, where the REAL
root servers are located...  However, ...

Any ideas?  Any thoughts, ideas, attempts to point me in the right
direction will be appreciated.

Regards,
Gregory Hicks


> Gregory Hicks wrote:
> 
> > > Date: Wed, 04 Dec 2002 01:01:53 +0100
> > > From: Eivind Olsen <eivind at aminor.no>
> > >
> > > Are you thinking about having a hidden master server, like this?
> > >
> > > Hidden master server (master.example.com)
> > > ====================
> > > |
> > > |
> > > +--------slave1 (ns1.example.com)
> > > |
> > > |
> > > +--------slave2 (ns2.example.com)
> > >
> >
> > I am obviously doing something wrong...
> >
> > our 'internet' name server is working.  Our internal name servers
> > work.  However, I am trying to set up one of these 'hidden master
> > servers' by listing all of the 'internal name servers in the
> > db.cadence.ns and using that as the zone master...
> >
> > However, it would appear that I cannot get it to look anywhere else...
> > How to do this?
> >
> > Regards,
> > Gregory Hicks
> > -----------db.cadence.ns -----------
> > $ORIGIN Cadence.COM.
> > @       IN      SOA     metis.Cadence.COM. root.metis.Cadence.COM. (
> >                 2002120914 3600 900 604800 3600 )
> >
> >                 1H IN NS        iss.cadence.com.
> >                 1H IN NS        cds2.cadence.com.
> >                 1H IN NS        cds238.cadence.com.
> >                 1H IN NS        granola.cadence.com.
> >
> > dr              1H IN NS        dc1sjroot.cadence.com.
> >                 1H IN NS        dc2sjroot.cadence.com.
> >
> > catena          1H IN NS        cat0.catena.cadence.com.
> >
> > engineering     1H IN NS        bsd6.cadence.com.
> >                 1H IN NS        bsd21.cadence.com.
> >
> > global          1H IN NS        dc1sjglobal.cadence.com.
> >                 1H IN NS        dc2sjglobal.cadence.com.
> >
> > _msdcs.global   1H IN NS        dc1sjglobal.cadence.com.
> >                 1H IN NS        dc2sjglobal.cadence.com.
> >
> > _tcp.global     1H IN NS        dc1sjglobal.cadence.com.
> >                 1H IN NS        dc2sjglobal.cadence.com.
> >
> > _udp.global     1H IN NS        dc1sjglobal.cadence.com.
> >                 1H IN NS        dc2sjglobal.cadence.com.
> >
> > _sites.global   1H IN NS        dc1sjglobal.cadence.com.
> >                 1H IN NS        dc2sjglobal.cadence.com.
> >
> > bsd21              IN A         158.140.5.139
> > bsd6               IN A         158.140.90.6
> > cat0.catena        IN A         158.140.133.37
> > cds2               IN A         158.140.32.75
> > cds238             IN A         158.140.128.1
> > dc1sjglobal        IN A         158.140.128.140
> > dc1sjroot          IN A         158.140.128.40
> > dc2sjglobal        IN A         158.140.128.141
> > dc2sjroot          IN A         158.140.128.41
> > granola            IN A         158.140.128.35
> > iss                IN A         158.140.32.1
> > metis              IN A         158.140.48.93
> >
> > --------/etc/named.conf --------------------
> > options {
> >         directory        "/var/yp/nameserver";
> >         //
> >         //the db.cache file below references only ns.cadence.com.
> >         //because of the firewall, it does not talk directly with
> >         //the root servers of the internet
> >         //
> >         //
> >         //the forwarder for ns.cadence.com, below is no typo. it is
> >         //mentioned twice to change the behavior of bind. see p. 143
> >         //of the first ed of _dns & bind_
> >         //
> >         forwarders       {
> >                 158.140.128.140;
> >                 158.140.32.1;
> >          };
> >         //
> >         //the slave keyword causes dns to only do recursive queries.
> >         //
> >
> > };
> >
> > key "rndc-key" {
> >         algorithm hmac-md5;
> >         secret "secret-password";
> > };
> >
> > controls {
> >         inet 127.0.0.1 port 953
> >                 allow { 127.0.0.1; } keys { "rndc-key"; };
> > };
> >
> > zone "0.0.127.in-addr.arpa" in {
> >         type master;
> >         file "db.127.0.0";
> >         notify no;
> > };
> >
> >  zone "Cadence.COM" in {
> >         type master;
> >         file "db.Cadence.ns";
> > #       masters { 158.140.128.1; };
> > };
> >
> >  zone "99.139.in-addr.arpa" in {
> >         type slave;
> >         file "db.139.99";
> >         masters { 158.140.128.1; };
> > };
> >
> >  zone "140.158.in-addr.arpa" in {
> >         type slave;
> >         file "db.158.140";
> >         masters { 158.140.128.1; };
> > };
> >
> >  zone "." in {
> >         type hint;
> >         file "db.cache";
> > };
> > ---------- end of /etc/named.conf ----------------
> >
> > ---------- db.cache ------------------------------
> > ; This is a hacked version of the db.cache to fake cds238 into believing
> > ; that all requests should go through the firewall.  If you replace this
> > ; with the db.cache from Internic, it won't work as expected.
> > ;
> > ; grif 9/15/97
> > ;
> >
> > ..                       3600000  IN  NS    ns.cadence.com.
> > ..                       3600000  IN  NS    gossip.cadence.com
> > ns.cadence.com.          3600000  IN  A     158.140.1.253
> > gossip.cadence.com.      3600000  IN  A     158.140.2.50
> > ---------- end of db.cache -----------------------
> >
> 

-------------------------------------------------------------------
Gregory Hicks                        | Principal Systems Engineer
Cadence Design Systems               | Direct:   408.576.3609
555 River Oaks Pkwy M/S 6B1          | Fax:      408.894.3400
San Jose, CA 95134                   | Internet: ghicks at cadence.com

"The trouble with doing anything right the first time is that nobody
appreciates how difficult it was."

When a team of dedicated individuals makes a commitment to act as
one...  the sky's the limit.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

More information about the bind-users mailing list