Order of Responses to Queries from Outside a Network

Martin McCormick martin at dc.cis.okstate.edu
Sun Jan 25 14:55:55 UTC 2004


Barry Margolin writes:
>Your original message said "Address sorting in bind works beautifully 
>for queries inside our network".  What feature are you using to 
>implement this?

        sortlist {
                { "internalnets"; };
                { 139.78.224/21; };
                { 139.78.240/21; };
        };

	We verified that it worked by hammering our own DNS's and
noting that if the query came from the X network, you always got X's
version of the server's address in question first.

phn at icke-reklam.ipsec.nu writes:
>It won't work.
>
>Reason is that outsiders use their nameserver for resources in your network.
>And while you may have your nameserver sort your RR in any way you want,
>there is no way you can decide how a foreign nameserver will sort
>the RRsets it receives from your nameservers.
>
>This is what SRV records are made for. Start implementing SRV support now!

	The popular vernacular for times like these is to call it a
teachable moment.  I have discovered that in the world of bind, when
somebody wants something that seems nearly impossible, there is usually
a way to do it, but one has to use a different approach than first
meets the eye.

	We are trying to configure things so that Windows XP and 2000
clients on all our branch campuses can download OS upgrades and
patches from servers that are closest to them.  If they are affiliated
with the university, but not on campus, we want them to hit our main
server first and not accidentally try to suck up megs of data from a
server across the state whose network capacity is not robust.

	The Windows clients are about the only ones who use SRV
records.  I am familiar with them as the almost incomprehensible
gibberish dealt out by MS AD controllers while maintaining their
domains, so I didn't even give that route a thought until the last
message.

	Fortunately, we aren't doing all of this today, but we will be
very shortly and all of us in our group want to have our part of the
task done in a robust manner so we don't have to keep revising things
because something came along we hadn't thought of, etc.

	Thank you for the heads-up.  This is new territory for me and
it seems more roadblocks than road right now.

	In all fairness, the MS SRV records are only difficult to
handle on the rare occasion that one needs to manually do something
with one.  They tend to be very long and contain very little data that
are plain-text and easy to verify as valid.  Otherwise, they are
recognizable as another RR.

Martin McCormick WB5AGZ  Stillwater, OK 
OSU Information Technology Division Network Operations Group
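
The sortlist behaviour discussed in this thread, as an added example that is not part of the original message or of BIND itself: a small Python model of single-element sortlist statements, showing why direct clients get their own network's address first while a query arriving from a foreign resolver matches nothing. The "internalnets" ACL is omitted because its definition is not shown in the post; the A record addresses and the resolver address are constructed sample values.

```python
import ipaddress

# The two single-element sortlist statements from the post, in BIND's
# abbreviated prefix notation (trailing zero octets omitted).
SORTLIST = ["139.78.224/21", "139.78.240/21"]


def bind_prefix(text):
    """Expand BIND shorthand such as '139.78.224/21' to an IPv4Network."""
    addr, _, length = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    suffix = "/" + length if length else ""
    return ipaddress.ip_network(".".join(octets) + suffix)


def sort_answer(source, rrset, sortlist=SORTLIST):
    """Order A records as single-element sortlist statements would.

    The first statement whose prefix contains the query's source address
    wins, and addresses inside that same prefix move to the front.
    If no statement matches, the RRset keeps the order it was given in.
    """
    src = ipaddress.ip_address(source)
    for entry in sortlist:
        net = bind_prefix(entry)
        if src in net:
            near = [a for a in rrset if ipaddress.ip_address(a) in net]
            far = [a for a in rrset if ipaddress.ip_address(a) not in net]
            return near + far
    return list(rrset)


# Constructed sample data: one server address in each network.
RRSET = ["139.78.240.10", "139.78.224.10"]

if __name__ == "__main__":
    # Clients querying the authoritative server directly.
    print(sort_answer("139.78.225.7", RRSET))
    print(sort_answer("139.78.241.7", RRSET))
    # A foreign resolver (constructed address): no statement matches,
    # so the server has no basis for preferring either address.
    print(sort_answer("192.0.2.53", RRSET))
```

The server only ever sees the resolver's source address, and the resolver is free to reorder the cached RRset before answering its own clients, which is the limitation raised in the quoted reply.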

