Can it be done?

Kevin Darcy kcd at daimlerchrysler.com
Wed Jun 2 03:21:33 UTC 2004


Jure Simsic wrote:

>I have a rather unusual situation I'm trying to solve.
>
>I plan to have a mail server that should send mail (=>resolve) to
>standard internet and at the same time to another network, that uses
>the same naming scheme, only with their private TLD names (aka .foo).
>This network also has a system of root servers as the-world-we-live-in
>does.
>
>The problem is to know which to ask when a "bogus" domain name has to
>be resolved.
>I thought of having some kind of caching bind server running to have
>this correctly resolvable. Is there a way to make bind use two
>different sets of root servers in such a case?
>
No, you can't have two different sets of root servers. Theoretically, 
you could copy all of the data in the Internet root servers to your own 
root servers, along with the delegations for the "fake" TLDs. But that 
would be a pain to maintain: not only would you have to add new 
delegations every time a new Internet TLD was created -- which is one of 
the pitfalls of using internal-root TLD wildcards to route outgoing 
mail, as I do -- but you'd also have to track all delegation *changes* 
in the Internet root zone as well, which would be ugly.

If you have a relatively-small set of mail servers and a 
relatively-small set of fake TLDs, why not just define each fake TLD as 
a slave or stub zone on each mail server? I'm assuming that changes to 
this other internal-root zone are less frequent than changes to the 
Internet root zone. Maybe you could, with their permission, even set up 
a cron job to zone-transfer the internal-root zone and automatically 
update named.conf on your mail servers with the appropriate slave/stub 
zone definitions (but for security's sake, make sure to double-check 
that the fake TLDs are really *fake*, otherwise if those internal-root 
servers are compromised, the hacker could spoof your mail servers into 
redirecting any or all of your messages destined for legitimate Internet 
or possibly even internal domains).

>The other thing that I'm not really sure if it's a problem or not is
>reverse resolution. This other network uses regular IPs that aren't
>used in standard internet (they used some of their assigned blocks for
>this network). How would reverse lookup work in such a case?
>
If they are internal root, they should have reverse-zone (in-addr.arpa) 
delegations too. So the same advice as above applies to the reverse zones.

                                                                         
                                          - Kevin
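The approach described above (zone-transfer the partner's internal root zone, generate stub-zone definitions for its fake TLDs and their in-addr.arpa delegations, and refuse anything that is really an Internet TLD) as an added example, not code from Kevin's reply or from the BIND project. It is a POSIX shell script of the kind a cron job could run. Everything in it is constructed: the sample AXFR output, the fake TLD `foo`, the nameservers `ns1.foo`/`ns2.foo` in the 192.0.2.0/24 documentation range, the short stand-in for the IANA TLD list, and the hand-maintained allow-list of the partner's reverse blocks. In production the AXFR text would come from something like `dig @<internal-root-ip> . AXFR +noall +answer`, and the real-TLD list from IANA's published list.

```shell
#!/bin/sh
# Added example, not from the original post: turn a zone transfer of a
# partner's internal root zone into BIND stub-zone stanzas, refusing any
# delegation whose name is a real Internet TLD or an unexpected reverse block.

# Constructed sample of what `dig @<internal-root-ip> . AXFR` could return.
# Note the bogus "com." line: a compromised internal root could try exactly
# this to capture mail for Internet domains.
INTERNAL_ROOT_AXFR='.                  86400 IN SOA ns1.root.foo. hostmaster.root.foo. 2004060201 3600 900 604800 86400
.                  86400 IN NS  ns1.root.foo.
foo.               86400 IN NS  ns1.foo.
foo.               86400 IN NS  ns2.foo.
ns1.foo.           86400 IN A   192.0.2.1
ns2.foo.           86400 IN A   192.0.2.2
com.               86400 IN NS  ns1.foo.
2.0.192.in-addr.arpa. 86400 IN NS ns1.foo.
2.0.192.in-addr.arpa. 86400 IN NS ns2.foo.'

# Assumed stand-in for the IANA TLD list; in production fetch the real one.
REAL_TLDS='com net org edu arpa'

# Assumed allow-list of the partner's own address blocks (reverse zones),
# maintained by hand so the internal root cannot add others on its own.
PARTNER_REVERSE_ZONES='2.0.192.in-addr.arpa'

# Print "zone ns-host" pairs for every delegation (NS records whose owner is
# not the root itself), trailing dots stripped from both fields.
delegations() {
    printf '%s\n' "$1" | awk '$1 != "." && $4 == "NS" {
        sub(/\.$/, "", $1); sub(/\.$/, "", $5); print $1, $5 }'
}

# Print the IPv4 glue address(es) recorded for a nameserver host name.
glue_for() {
    printf '%s\n' "$1" | awk -v h="$2." '$1 == h && $4 == "A" { print $5 }'
}

# Decide whether a delegated name may become a stub zone on the mail server.
# Returns 0 (safe) or 1 (refuse).
zone_is_safe() {
    z=$1
    case "$z" in
        *.in-addr.arpa)
            # Reverse zone: only blocks the partner has told us about.
            for ok in $PARTNER_REVERSE_ZONES; do
                [ "$z" = "$ok" ] && return 0
            done
            return 1 ;;
        *.*)
            # Deeper than a TLD: not something an internal root should hand us.
            return 1 ;;
        *)
            # A top-level name: it must NOT exist on the Internet.
            for real in $REAL_TLDS; do
                [ "$z" = "$real" ] && return 1
            done
            return 0 ;;
    esac
}

# Emit named.conf stub-zone stanzas for every safe delegation; refused names
# go to stderr so the cron job's mail shows them.
generate_stub_zones() {
    axfr=$1
    delegations "$axfr" | awk '{ print $1 }' | sort -u | while read -r zone; do
        if ! zone_is_safe "$zone"; then
            echo "REFUSED: $zone (real Internet TLD or unlisted reverse block)" >&2
            continue
        fi
        masters=$(delegations "$axfr" | awk -v z="$zone" '$1 == z { print $2 }' |
            while read -r ns; do glue_for "$axfr" "$ns"; done |
            sort -u | sed 's/$/;/' | tr '\n' ' ')
        printf 'zone "%s" {\n    type stub;\n    masters { %s};\n    file "stub/%s";\n};\n' \
            "$zone" "$masters" "$zone"
    done
}

# Stand-alone run: print the stanzas for the constructed sample.
generate_stub_zones "$INTERNAL_ROOT_AXFR"
```

Run as-is, it prints `zone "foo"` and `zone "2.0.192.in-addr.arpa"` stanzas with `masters { 192.0.2.1; 192.0.2.2; }` and reports `REFUSED: com` on stderr. Redirecting the stanzas into a file included from named.conf and reloading named completes the cron job; `type stub;` can be changed to `type slave;` if full copies of the fake zones are wanted on each mail server.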