Puzzling scenario involving views

Peter Rabbitson rabbit at rabbit.us
Tue Aug 17 04:15:10 UTC 2004 

My apologies, didn't shoot to the list

On Mon, Aug 16, 2004 at 10:34:13PM -0400, Kevin Darcy wrote:
> Peter Rabbitson wrote:
> 
> >Hello list, 
> >I have a bind9 serving the domain example.com, with a secondary backup dns
> >(secondary.com) at a remote location. I wanted to achieve redundancy of 
> >both domains provided to each other (example.com has secondary.com as
> >2nd NS, and vice versa), and at the same time I wanted to define internal
> >and external views in example.com for internal network naming purposes. I
> >got it working fairly quick with the example below, however here is my 
> >problem: members of the insiders acl would not receive an AA answer when 
> >inquiring about secondary.com.
> >
> Is this important? I have yet to find an application that cares about 
> the setting of the AA bit.
> 
The AA bit is not important however the WAN overhead is: When members of 
internal query for secondary.com the name server performs the whole 9 yards
of querying the root, then the bind at secondary.com. Granted it caches the
obtained entry for some time, however it will eventually ask again after a
couple of days. So what originally made me ask this question was why bind 
does not do some kind of loopback lookup - after all it IS authoritative for
secondary.com. Either way I completely understand the model you are 
suggesting with the "no second opinion" clause. In this case I assume I 
could do the following, both reducing AXFR transactions to 1 and retaining
authoritativity:

acl "insiders" {
    192.168.0.0/24;
    127.0.0.1;
    };

acl "secondary" {
    xxx.xxx.xxx.xxx;
    };

view "internal" {
    match-clients { insiders; };

    zone "secondary.com" {
    type master;
    file "slave.secondary.com";
    notify  no;
    masters { xxx.xxx.xxx.xxx; };
    };
};

view "external" {
    match-clients { any; };

    zone "secondary.com" {
    type slave;
    file "slave.secondary.com";
    masters { xxx.xxx.xxx.xxx; };
    };
};

Or is this a bad idea...? If it is I guess next choice is to have 
slave.secondary.com.internal and slave.secondary.com.external and
2 transactions per AFXR.

More information about the bind-users mailing list