DNS design question

Kevin Darcy kcd at daimlerchrysler.com
Sat Sep 10 01:33:37 UTC 2005


Suzuki Alex wrote:

>Hello list,
>
>Is it possible to serve requests for a zone "foo.domain.com", and if
>the request fails (e.g. bar.foo.domain.com is not found), to delegate
>this request to another server, which is also authoritative for
>"foo.domain.com"? This second server is managed by someone else (a
>parent organization), and we have no access to it.
>
>The problem is that some stupid naming policy here dictates that all
>our hosts should be named "$hostname.foo.domain.com", and not
>"$hostname.ourorganization.foo.domain.com". I realize that in the
>latter case all would be well and the DNS server for "foo.domain.com"
>would leave ourorganization.foo.domain.com to be managed by us.
>However, that is unfortunately not the case (politics and all that...)
>
>So what I'm looking for is basically this: Host srv1 is managed by us,
>and unknown to the parent organization.
>
>Now when a request for srv1.foo.domain.com arrives at our server, we
>would like to first check locally on our server. Then if we cannot
>find this host (there are hosts in the parent organization that we do
>not know of), we would like to forward the request to the parent
>organization's DNS server.
>
>I hope I've made more or less clear what I'm trying to do. :-)
>
No, if your nameserver is authoritative for a zone, it considers itself 
authoritative for the whole zone. It'll never ask another server about 
names in the zone.

If you have a small number of names you want to "spoof", you could 
define them individually as subzones in your config, e.g. 
srv1.foo.domain.com could be a zone defined on your server, with A 
records and/or other types of records (but not a CNAME) at its apex. 
This gets to be unmanageable, of course, if you have more than a handful 
of names you want to spoof, particularly since those "special" zones 
would need to be defined explicitly on all nameservers required to 
resolve them -- explicit configuration is necessary because the zones 
wouldn't be delegated from their parent zone, and therefore wouldn't be 
findable using the regular name-resolution algorithm.

                                                                         
                                                         - Kevin
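The per-name subzone arrangement Kevin describes, written out as an added example (not configuration from the original post): a BIND `zone` stanza for `srv1.foo.domain.com` plus the matching zone file, with address records at the apex and no CNAME there. The nameserver names, the path and the addresses (192.0.2.0/24 is a documentation range) are placeholders chosen for the example, and the same stanza has to be present on every nameserver that must resolve the name, because nothing in the parent `foo.domain.com` zone delegates it.

```conf
// --- named.conf fragment (example, not from the original post) ---
// One zone per "spoofed" name. The zone is NOT delegated from
// foo.domain.com, so only servers carrying this stanza can answer for it.
zone "srv1.foo.domain.com" {
    type master;
    file "/etc/bind/db.srv1.foo.domain.com";   // placeholder path
};

// --- /etc/bind/db.srv1.foo.domain.com (example zone file) ---
// Zone-file syntax follows; comments use ';' from here on.
$TTL 3600
$ORIGIN srv1.foo.domain.com.
; Apex of the one-name zone: SOA, NS and A records live directly at "@".
; A CNAME is not allowed here because the apex already has SOA/NS data.
@   IN  SOA  ns1.ourorganization.example. hostmaster.ourorganization.example. (
                2005091001  ; serial (placeholder)
                3600        ; refresh
                900         ; retry
                604800      ; expire
                300 )       ; negative-cache TTL
    IN  NS   ns1.ourorganization.example.   ; placeholder nameserver
    IN  NS   ns2.ourorganization.example.   ; placeholder nameserver
    IN  A    192.0.2.10                     ; placeholder address for srv1
```

To confirm a given server is answering from this local zone rather than from the parent organization's copy, query it directly (`dig @ns1.ourorganization.example srv1.foo.domain.com A`) and check that the response carries the `aa` flag; a resolver without the stanza will instead return whatever the parent's `foo.domain.com` servers say, which is how the two views drift apart.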



