Can I do DNS resolution for my webserver even though my ISP is authoritative?

Kevin Darcy kcd at daimlerchrysler.com
Mon Nov 11 20:32:46 UTC 2002


Andy Berger wrote:

> My ISP is authoritative for my web server's IP address. However I'm using a
> dynamic DNS service (dyndns.org), can I use my own DNS server instead of
> dyndns's even though my ISP's DNS server is authoritative? Reverse DNS is
> handled by my ISP now and not by dyndns.org, that's fine, I can live with
> that. I'm just interested in URL to IP address resolution.

Presumably you're using a dynamic DNS server because you actually have a
dynamic IP address (it may stay the same the *majority* of the time, but you
can't really rely on that, right?). With a dynamic IP, your server cannot
reasonably be a *delegated* nameserver for your domain, because delegations
require time and bureaucracy to change, and I'm assuming you won't want to
be out of business while that process works its way through the system.

Your nameserver could, of course, be a "hidden" master, which is not
delegated but which replicates the zone out to other nameservers which then
serve the Internet. Since all zones must be served by at least 2
nameservers, this means your ISP would have to provide at least that many
nameservers as slaves of your zone.

Regardless of how you deal with the "delegated nameservers should be on
static addresses" issue, if you want to be master of your domain, your
ISP (or someone else) would need to be slave(s) of your zone, and therein
lurks another problem: traditionally, slaves authenticate their masters by
source IP address. But yours is dynamic, so again there would be a problem
with getting your ISP to recognize your new address every time it changes.
Also, there would be a potential security issue: between the time your
IP changes and the time your ISP's slave nameservers catch up to that fact,
whoever gets your old IP address might be able to hijack your domain by
feeding those slaves bogus-perhaps-malicious data. Maybe that risk is
acceptable to you; maybe it isn't.

Offhand, I see only two solutions to these problems: 1) since this is your
ISP, maybe they have (or can easily create) a link between their DHCP system
and their slave nameservers' configuration system, such that whenever your
IP changes their nameservers automatically start fetching your zone from the
new address of the master, or 2) if you can convince your ISP to
authenticate master/slave interactions via TSIG encryption instead of source
IP address, then the whole source-IP issue is mooted (look at the
BIND documentation to see how to set up TSIG authentication for
server-to-server interactions).


- Kevin
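
The master/slave TSIG setup Kevin points to in option 2, written out as an added example; these are not configuration fragments from the original thread. Zone name, addresses and the key value are placeholders: example.com, 198.51.100.7 for the hidden master on the dynamic address, 192.0.2.53 and 192.0.2.54 for the ISP's two slaves, and a sample secret that must be replaced with the output of BIND's tsig-keygen (in 2002 the key would have been made with dnssec-keygen -a HMAC-MD5, since hmac-sha256 support came to BIND later). The commented-out allow-transfer line is the source-IP form the post warns about, shown beside the keyed form that replaces it.

```conf
// ---------- shared by both sides (copy the same key block to each named.conf) ----------
// Sample value only; generate your own with: tsig-keygen -a hmac-sha256 example-xfer
key "example-xfer" {
    algorithm hmac-sha256;
    secret "bLpQ1h0g3dK0wJH7lZw4gQvZqbD1aR3Y9vXeKq+3M2E=";
};

// ---------- hidden master (your server, dynamic address 198.51.100.7) ----------
options {
    notify explicit;              // only NOTIFY the servers listed in also-notify
    allow-transfer { none; };     // deny transfers by default, open per zone below
};

// Sign everything sent to the ISP's slaves (NOTIFY included) with the shared key.
server 192.0.2.53 { keys { "example-xfer"; }; };
server 192.0.2.54 { keys { "example-xfer"; }; };

zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    // Source-IP authentication (the form the post warns about): whoever holds
    // the slave's address may pull the zone, and nothing ties it to the ISP.
    // allow-transfer { 192.0.2.53; 192.0.2.54; };
    // TSIG form: only a requester that signs with the key may AXFR/IXFR,
    // whatever address it arrives from.
    allow-transfer { key "example-xfer"; };
    also-notify { 192.0.2.53; 192.0.2.54; };
};

// ---------- ISP slave (one of 192.0.2.53 / 192.0.2.54) ----------
// Sign every query sent to the master (SOA refresh, AXFR/IXFR) with the key
// and require the master's replies to carry a valid signature with it.
server 198.51.100.7 { keys { "example-xfer"; }; };

zone "example.com" {
    type slave;
    file "slaves/example.com.zone";
    masters { 198.51.100.7 key "example-xfer"; };
    // Accept NOTIFY from any address, but only when signed with the key.
    allow-notify { key "example-xfer"; };
    allow-transfer { none; };     // the slaves serve the zone; they need not hand it on
};
```

Two things to check before relying on this: the key authenticates the exchange, but the slave still fetches from the address in its masters list, so a master whose address has changed still has to reach the ISP's configuration somehow (Kevin's option 1). Run named-checkconf on both sides after editing. Once the key is in place, whoever inherits the master's old address cannot answer a signed SOA or transfer request, so the slaves discard its data instead of loading it, which closes the hijack window described in the post.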
