Authoritative NS as a proxy to a type forward zone
Kevin Darcy
kcd at daimlerchrysler.com
Tue May 17 23:00:25 UTC 2005
Sunny suen wrote:
>>Nope, won't work. Nameserver-to-nameserver traffic is non-recursive
>>(RD=0), and non-recursive queries are never forwarded.
>>
>>Just run a network-level NAT of some sort.
>>
>
>Thanks and fine, but what if those real, hidden name servers are
>publicly addressed? The catch is that we are reluctant to pass these
>addresses to our ISP for the NS records of their DNS server.
>
I don't understand. If you have a publicly addressed nameserver, why is
your ISP involved at all? Just get your zone delegated to your
nameservers and be done with it. Seems like the most straightforward setup.
If you really *must* get your ISP involved, then have them be slaves to
your master, or _vice_versa_.
Either way, there is no "authoritative forwarding" between your
nameservers and those of your ISP. In fact, the very definition of
"authoritative" is that you have a full copy of the zone data, and you
can never guarantee that when you're forwarding all of the queries from
one set of servers to another...
>Then we add these lines ourselves to named.conf on proxy.bar.com and set
>up the real name servers properly.
>
>zone "foo.com" {
>    type forward;
>    forward only;
>    forwarders {
>        202.XXX.XXX.XXX; // Public IP of real master NS
>        202.YYY.YYY.YYY; // Public IP of real slave NS
>    };
>};
>
>Does it mean that proxy.bar.com can't return to a client-side DNS a
>referral to the real NS 202.XXX.XXX.XXX or 202.YYY.YYY.YYY, as they are
>merely forwarder addresses (BIND specific?), instead of some standard
>RR values of the NS type?
>
I think you're looking at this the wrong way. If you're delegated a part
of the namespace, then you are expected to be authoritative for that
point in the namespace, and to provide referrals to zones which are
*beneath* that delegation point. What you are proposing is a "sideways
referral" where a delegated nameserver (or set of nameservers) would
return a referral for *exactly*the*same*point*in*the*namespace* that has
been delegated to it. This would be a very bad design and it would be a
very bad policy to allow it, regardless of implementation. Delegations
are always *down* the hierarchy, so referrals should also always be
*down* the hierarchy. Not up, and not sideways. Set up a master/slave
relationship if you want to remain a delegated nameserver but at the
same time share with your ISP the responsibility of actually answering
queries for the zone...
- Kevin
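As an added example (not from the thread), this is the master/slave pairing Kevin recommends, written as named.conf fragments for both ends: the real master stays on 202.XXX.XXX.XXX as in the original post, and proxy.bar.com carries a slave zone instead of the forward zone. The proxy address 203.0.113.10, the acl name and the file paths are placeholders.

```conf
// --- On the real master nameserver (202.XXX.XXX.XXX) ---
// The zone data lives here; the proxy is allowed to pull it by zone transfer.
acl "proxy-servers" { 203.0.113.10; };   // placeholder address of proxy.bar.com

zone "foo.com" {
    type master;
    file "master/foo.com.db";
    allow-transfer { proxy-servers; };   // only the proxy may AXFR/IXFR the zone
    also-notify { 203.0.113.10; };       // NOTIFY the slave so it refreshes promptly
};

// --- On proxy.bar.com ---
// A slave holds a full copy of the zone, so it answers the RD=0 queries that
// other nameservers send, with AA=1. A "type forward" zone holds no data and
// cannot answer such queries at all, which is the problem the thread is about.
zone "foo.com" {
    type slave;
    file "slave/foo.com.db";
    masters {
        202.XXX.XXX.XXX;   // real master, as in the original post
        202.YYY.YYY.YYY;   // real slave, usable as a second transfer source
    };
    allow-transfer { none; };   // the proxy itself is not a transfer source
};
```

To confirm the setup from outside, `dig @proxy.bar.com foo.com SOA +norecurse` should return an answer with the `aa` flag set; against the forward-only configuration the same non-recursive query gets no answer.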