designing man dns archit, ? about stub reverse lookup
kcd at daimlerchrysler.com
Thu Jun 30 22:25:56 UTC 2005
>Using subdomains and dns stub capabilities, I am trying to create a DNS
>architecture that will satisfy the multiple subdomain requirements we
>have. Of course this is a mixed legacy and M$ environment. I have
>many sites with multiple departments, and of course each department
>with their own AD-forest domain. (I inherited this.) Currently we're
>using public addressing and VLSM. So we have user vlans with 23 to 28
>bit masks. With the current ip addressing each dept doesn't necessarily
>have their own CIDR block.
>So I'm trying to understand the limits of Stub DNS services.
>Can you create a reverse lookup range in a Stub server to resolve half
>a class C say 10.1.1.0-127 and have it forward queries beyond 128 to
>the primary DNS server? I would think this is against the RFCs. Even
>so, is there software that allows this to happen?
>The answer to that question will tell me if we have to re-address.
Simply put, all a stub zone does is replicate the NS records + the SOA
record of a zone automatically from an authoritative -- though not
necessarily *delegated* -- source. Defining a zone as "stub" on your
server does not make it *authoritative* for the zone in any way, shape or
form. So, I don't see how stub zones are really relevant to your
situation. What you seem to be looking for is to define part of a zone
as authoritative (i.e. you'd be master for it), and part of it to be
forwarded to some other server(s). Unfortunately, it's not possible
within BIND to "split" authority over a zone in this way. The closest
you can come is to define the zone as master, and then have CNAMEs (e.g.
for each entry in the 128-255 range) in the zone for the "remote" part,
where the targets of those aliases are in some other zone (possibly a
delegated subzone of the main reverse zone) controlled by the other
server(s). This is so-called "classless in-addr.arpa delegation" and RFC
2317 covers it fairly well.
Of course, this "splitting" is only necessary for VLANs that are /25 or
smaller, right? A /24 range stands as a reverse zone by itself, and a
/23 is just 2 delegated /24's...
P.S. Pet peeve of mine: "class C" and "/24" are not synonymous.
10.1.1.0/24 is a subnet of a class *A* network.
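As an added illustration of the RFC 2317 approach described in the reply above (example code written for this page, not part of the original post and not BIND's own tooling), the following Python script generates the two halves of a classless in-addr.arpa delegation for any IPv4 block smaller than a /24: the NS and CNAME records the /24 reverse zone's master adds, and the PTR zone that the other department's server becomes authoritative for. The zone name style `128/25.1.1.10.in-addr.arpa.` follows RFC 2317; the server and host names (`ns1.dept.example.`, `host-N.dept.example.`) are constructed placeholders.

```python
"""RFC 2317 classless in-addr.arpa delegation generator (added example).

The master of 1.1.10.in-addr.arpa keeps ordinary PTRs for 10.1.1.0-127 and,
for 10.1.1.128/25, publishes one CNAME per address that points into a
delegated child zone.  The department's own server is then master for that
child zone and serves the real PTR records.
"""
import ipaddress


def rfc2317_zone_names(net):
    """Return (parent /24 reverse zone, RFC 2317 child zone) for a sub-/24 block."""
    o = net.network_address.packed            # four octets of the block start
    parent = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."
    child = f"{o[3]}/{net.prefixlen}.{parent}"  # e.g. 128/25.1.1.10.in-addr.arpa.
    return parent, child


def parent_zone_records(block, child_ns):
    """Records the /24 zone master adds for one sub-/24 block.

    Returns (parent_zone, child_zone, records); records is a list of
    (owner, type, rdata) tuples: NS records delegating the child zone, then
    one CNAME per address whose target lives in the child zone.
    """
    net = ipaddress.ip_network(block, strict=True)  # rejects host bits set
    if net.version != 4 or not 25 <= net.prefixlen <= 32:
        raise ValueError("RFC 2317 applies to IPv4 blocks smaller than a /24")
    parent, child = rfc2317_zone_names(net)
    records = [(child, "NS", ns) for ns in child_ns]
    for addr in net:                          # includes first and last address
        last = addr.packed[3]
        records.append((f"{last}.{parent}", "CNAME", f"{last}.{child}"))
    return parent, child, records


def child_zone_records(block, hostname_fmt="host-{last}.dept.example."):
    """PTR records the delegated (department) server is master for.

    hostname_fmt is a constructed placeholder pattern for the host names.
    """
    net = ipaddress.ip_network(block, strict=True)
    _, child = rfc2317_zone_names(net)
    return [(f"{addr.packed[3]}.{child}", "PTR",
             hostname_fmt.format(last=addr.packed[3]))
            for addr in net]


def to_zone_text(records):
    """Render (owner, type, rdata) tuples as BIND master-file lines."""
    width = max(len(r[0]) for r in records)
    return "\n".join(f"{owner:<{width}}  IN {rtype:<5} {rdata}"
                     for owner, rtype, rdata in records)


if __name__ == "__main__":
    parent, child, recs = parent_zone_records("10.1.1.128/25",
                                              ["ns1.dept.example."])
    print(f"; added to the master zone {parent} ({len(recs)} records, first 4 shown)")
    print(to_zone_text(recs[:4]))
    ptrs = child_zone_records("10.1.1.128/25")
    print(f"\n; zone {child} on the department's server ({len(ptrs)} PTRs, first 3 shown)")
    print(to_zone_text(ptrs[:3]))
```

A resolver looking up 10.1.1.200 asks for `200.1.1.10.in-addr.arpa.`, follows the CNAME to `200.128/25.1.1.10.in-addr.arpa.`, and is sent by the NS delegation to the department's server for the PTR. Note the `strict=True` check: a block such as `10.1.1.129/25` is rejected rather than silently rounded down, which keeps the CNAME range aligned with the VLAN the other server actually owns.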