Split roots (was: Can someone explain forwarders and why I don't need them?)

Herb Martin news at LearnQuick.com
Thu Jul 31 20:39:09 UTC 2003


"Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
news:bgbuds$s9p$1 at sf1.isc.org...
> I guess I'm missing something here: what exactly is the purpose of defining
> zones that return nothing but REFUSED or SERVFAIL? Either you have valid

You have to look at the (typical) behavior of an internal
server -- and how we can "fiddle" that to solve the "two
separate (disjoint) namespaces" problem.

An internal server forwards, our forwarder returns the NXDOMAIN
because it cannot find the answer, and the internal server STOPS
looking, considering the NXDOMAIN to be definitive.

If we want our internal server to FORWARD and recurse an internal
namespace from the root down on its own, we need to prevent the
NXDOMAIN.

REFUSED and SERVFAIL are two ways to accomplish that.

> "private" data for those zones, or you don't: if you have valid data, why
not
> return it? and if you don't, why not just fetch (via forwarding) whatever
is
> available on the Internet in that domain? Is a REFUSED or SERVFAIL
response
> somehow *better* than a response which yields addresses, albeit
unreachable
> ones? The point of the configuration you described apparently eludes me.

In this case above it is better because the typical behavior of
OTHER (internal) DNS servers is to continue the search
recursively.

Since the forwarder and the internal server have different
root hints, we have tricked them into efficiently searching
two namespaces.

It's only an advantage if you have multiple zones internally
that require you to establish a private root and thereby a
private, disjoint namespace -- but you still want to resolve
Internet (or some other) namespace names.
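As an added illustration (not configuration from this thread or from either poster), here is what the two BIND named.conf files described above could look like: the forwarder refuses queries for the private namespace instead of returning NXDOMAIN, and the internal server forwards first and falls back to recursion from its own private root. The zone name "corp", the address 192.0.2.1 and the file names are assumptions.

```conf
// ===== File 1: named.conf on the FORWARDER (has Internet root hints) =====
// Added example; zone name, address and file names are assumed.
options {
    recursion yes;
};

// Real Internet root hints, so public names resolve normally.
zone "." {
    type hint;
    file "root.hints";
};

// Assumed private top-level zone "corp". Without this zone the forwarder
// would walk the Internet roots, get NXDOMAIN for "corp", and the internal
// server would accept that NXDOMAIN as definitive. Refusing the query
// instead lets the internal server fall back to its own recursion.
zone "corp" {
    type master;
    file "empty.db";          // assumed minimal zone file (SOA + NS only)
    allow-query { none; };    // any query under corp. is answered REFUSED
};

// ===== File 2: named.conf on the INTERNAL server (private root hints) =====
options {
    recursion yes;
    forwarders { 192.0.2.1; };   // the forwarder above (assumed address)
    forward first;               // an NXDOMAIN from the forwarder is final,
                                 // but REFUSED/SERVFAIL/timeout counts as a
                                 // forwarder failure and triggers own recursion
};

// Private root hints listing the internal root servers, so the fallback
// recursion walks the disjoint internal namespace from "." downwards.
zone "." {
    type hint;
    file "private-root.hints";   // assumed file naming the private roots
};
```

With `forward only` instead of `forward first` the internal server would never recurse on its own, so the REFUSED trick depends on `forward first` (or the equivalent "use recursion if forwarders fail" behaviour on other DNS servers).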




More information about the bind-users mailing list