Authoritative NS as a proxy to a type forward zone

Kevin Darcy kcd at daimlerchrysler.com
Tue May 17 23:00:25 UTC 2005


Sunny suen wrote:

>>Nope, won't work. Nameserver-to-nameserver traffic is non-recursive
>>(RD=0), and non-recursive queries are never forwarded.
>>
>>Just run a network-level NAT of some sort.
>
>Thanks and fine, but what if those real, hidden name servers are
>publicly addressed? The catch is that we are reluctant to pass these
>addresses to our ISP for the NS records of their DNS server.
>
I don't understand. If you have publicly addressed nameservers, why is 
your ISP involved at all? Just get your zone delegated to your 
nameservers and be done with it. Seems like the most straightforward setup.

If you really *must* get your ISP involved, then have them be slaves to 
your master, or _vice_versa_.

Either way, there is no "authoritative forwarding" between your 
nameservers and those of your ISP. In fact, the very definition of 
"authoritative" is that you have a full copy of the zone data, and you 
can never guarantee that when you're forwarding all of the queries from 
one set of servers to another...

>Then we add these lines ourselves to named.conf on proxy.bar.com and set
>up the real name servers properly.
>
>zone "foo.com" {
>        type forward;
>        forward only;
>        forwarders {
>                202.XXX.XXX.XXX; // Public IP of real master NS
>                202.YYY.YYY.YYY; // Public IP of real slave NS
>        };
>};
>
>Does it mean that proxy.bar.com can't return to a client-side DNS a
>referral to the real NS 202.XXX.XXX.XXX or 202.YYY.YYY.YYY, as they are
>merely forwarder addresses (BIND specific?), instead of some standard
>RR values of the NS type?

I think you're looking at this the wrong way. If you're delegated a part 
of the namespace, then you are expected to be authoritative for that 
point in the namespace, and to provide referrals to zones which are 
*beneath* that delegation point. What you are proposing is a "sideways 
referral" where a delegated nameserver (or set of nameservers) would 
return a referral for *exactly*the*same*point*in*the*namespace* that has 
been delegated to it. This would be a very bad design and it would be a 
very bad policy to allow it, regardless of implementation. Delegations 
are always *down* the hierarchy, so referrals should also always be 
*down* the hierarchy. Not up, and not sideways. Set up a master/slave 
relationship if you want to remain a delegated nameserver but at the 
same time share with your ISP the responsibility of actually answering 
queries for the zone...

- Kevin
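The master/slave arrangement Kevin recommends, written out as named.conf fragments (an added example, not part of the thread); the 202.XXX/202.YYY addresses are the placeholders from the question, and 203.0.113.10 is an assumed address for proxy.bar.com.

```conf
// On the real master NS (202.XXX.XXX.XXX): the authoritative copy of the zone.
// Zone transfers are limited to the servers that are meant to hold a copy,
// and NOTIFY tells them when the zone changes.
zone "foo.com" {
        type master;
        file "zones/db.foo.com";
        allow-transfer {
                202.YYY.YYY.YYY;   // real slave NS
                203.0.113.10;      // proxy.bar.com (assumed address)
        };
        notify yes;
        // Only needed if proxy.bar.com is not listed in the zone's own NS RRset;
        // servers in the NS RRset are notified automatically.
        also-notify { 203.0.113.10; };
};

// On proxy.bar.com (203.0.113.10, assumed): a slave zone, not a forward zone.
// It keeps a full copy of the data, so it can answer the RD=0 queries other
// nameservers send it, which a "type forward" zone cannot do.
zone "foo.com" {
        type slave;
        file "slaves/db.foo.com";
        masters { 202.XXX.XXX.XXX; };
        allow-transfer { none; };  // nothing downstream needs to pull from the proxy
};
```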