Can it be done?
Kevin Darcy
kcd at daimlerchrysler.com
Wed Jun 2 03:21:33 UTC 2004
Jure Simsic wrote:
>I have a rather unusual situation I'm trying to solve.
>
>I plan to have a mail server that should send mail (=>resolve) to
>standard internet and at the same time to another network, that uses
>the same naming scheme, only with their private TLD names (aka .foo).
>This network also has a system of root servers as the-world-we-live-in
>does.
>
>The problem is to know which to ask when a "bogus" domain name has to
>be resolved.
>I thought of having some kind of caching bind server running to have
>this correctly resolvable. Is there a way to make bind use two
>different sets of root servers in such a case?
>
No, you can't have two different sets of root servers. Theoretically,
you could copy all of the data in the Internet root servers to your own
root servers, along with the delegations for the "fake" TLDs. But that
would be a pain to maintain: not only would you have to add new
delegations every time a new Internet TLD was created -- which is one of
the pitfalls of using internal-root TLD wildcards to route outgoing
mail, as I do -- but you'd also have to track all delegation *changes*
in the Internet root zone as well, which would be ugly.
If you have a relatively-small set of mail servers and a
relatively-small set of fake TLDs, why not just define each fake TLD as
a slave or stub zone on each mail server? I'm assuming that changes to
this other internal-root zone are less frequent than changes to the
Internet root zone. Maybe you could, with their permission, even set up
a cron job to zone-transfer the internal-root zone and automatically
update named.conf on your mail servers with the appropriate slave/stub
zone definitions (but for security's sake, make sure to double-check
that the fake TLDs are really *fake*, otherwise if those internal-root
servers are compromised, the hacker could spoof your mail servers into
redirecting any or all of your messages destined for legitimate Internet
or possibly even internal domains).
>The other thing that I'm not really sure if it's a problem or not is
>reverse resolution. This other network uses regular IPs that aren't
>used in standard internet (they used some of their assigned blocks for
>this network). How would reverse lookup work in such a case?
>
If they are internal root, they should have reverse-zone (in-addr.arpa)
delegations too. So the same advice as above applies to the reverse zones.
- Kevin
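Kevin's idea of generating the slave/stub zone definitions from a transfer of the internal-root zone, including the check that the fake TLDs really are fake, as an added Python example (not code from the original thread; all names, addresses and zone data are constructed, and it also covers the in-addr.arpa delegations he mentions):

```python
"""Added example (not from the original post): build BIND stub-zone stanzas from an
internal-root zone, refusing any TLD that also exists in the Internet root.  Sample data is constructed."""
# Constructed sample: records as a zone transfer of the internal root might print them.
INTERNAL_ROOT_ZONE = """\
.                 86400 IN SOA ns1.foo. hostmaster.foo. 1 3600 900 604800 86400
.                 86400 IN NS  ns1.foo.
foo.              86400 IN NS  ns1.foo.
foo.              86400 IN NS  ns2.foo.
com.              86400 IN NS  ns1.foo.
10.in-addr.arpa.  86400 IN NS  ns1.foo.
ns1.foo.          86400 IN A   10.1.1.1
ns2.foo.          86400 IN A   10.1.1.2
"""
INTERNET_TLDS = {"com", "net", "org", "arpa"}  # constructed; use the real root zone in practice

def parse_zone(zone_text):
    """Return (ns, glue): NS targets per owner, A addresses per host; lower-case, no trailing dot."""
    ns, glue = {}, {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2].upper() != "IN":
            continue
        owner, rtype, rdata = f[0].rstrip(".").lower(), f[3].upper(), f[4]
        if rtype == "NS":
            ns.setdefault(owner, []).append(rdata.rstrip(".").lower())
        elif rtype == "A":
            glue.setdefault(owner, []).append(rdata)
    return ns, glue

def select_delegations(ns, internet_tlds):
    """Keep fake TLDs and in-addr.arpa delegations; reject any name that is a real Internet TLD."""
    accepted, rejected = {}, []
    for owner, targets in sorted(ns.items()):
        if owner == "":
            continue                               # root apex NS set, not a delegation
        is_tld = "." not in owner
        if is_tld and owner in internet_tlds:
            rejected.append(owner)                 # real TLD: the other root must not override it
        elif is_tld or owner.endswith(".in-addr.arpa"):
            accepted[owner] = targets
    return accepted, rejected

def render_stub_zones(accepted, glue):
    """One named.conf stub-zone stanza per accepted delegation; skip names whose servers have no glue."""
    stanzas = []
    for name, targets in accepted.items():
        addrs = sorted({a for t in targets for a in glue.get(t, [])})
        if addrs:
            masters = " ".join(f"{a};" for a in addrs)
            stanzas.append(f'zone "{name}" {{ type stub; masters {{ {masters} }}; }};')
    return "\n".join(stanzas)
```

A cron job would feed the real AXFR output and the current Internet root's TLD list into these functions and include the rendered stanzas from named.conf; the rejected list is what to alert on.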