(no subject)

Yanagisawa Koji koji_yanagisawa at hotmail.com
Sat Sep 17 03:07:21 UTC 2005


Hello,

After setting up split DNS on bind 9.3.1, it doesn't seem to be behaving 
the way I'd hoped.  Allow me to explain the situation, hopefully someone 
can shed some light.

Let's say there's a domain named: parent.ac.jp
Our server is responsible for a subdomain of this domain, let's say: 
child.parent.ac.jp

I want child.parent.ac.jp to be split.  Telling a certain group of hosts 
one thing and telling everybody else something else.  The server is not 
multi-homed or anything, sitting right there on the Internet.

Here's the basic named.conf as it stands now.

# BEGIN
options {
   directory "/etc/namedb";
};

# Hosts that should see the internal version of the zone.
acl "my-ppl" { xxx.yyy.zzz.0/24; };

# Views are tried in order; the first view whose match-clients
# list matches the querying address is the one that answers.
view "internal" {
   match-clients { "my-ppl"; };
   zone "child.parent.ac.jp" {
       type master;
       file "master/child-internal";
   };
};

view "external" {
   match-clients { any; };
   zone "child.parent.ac.jp" {
       type master;
       file "master/child";
   };
};
# END

No error messages, named happily starts.

In master/child-internal, I created a test A record, 
bogus.child.parent.ac.jp, and this record never existed in the past.

The parent.ac.jp name servers (SOA) are included in the my-ppl acl, and I 
can't have them otherwise, since it's out of my jurisdiction.

I'd expect anyone not listed in my-ppl will not resolve 
bogus.child.parent.ac.jp, but they all do!  Granted, when I nslookup from 
home (which is not part of my-ppl acl) using child.parent.ac.jp name 
server, I can't resolve bogus.child.parent.ac.jp.  But as soon as I switch 
back to my ISP's name server or any other, I start resolving it.  I don't 
like that.

I'm somewhat convinced that it may be the parent.ac.jp name servers 
resolving bogus.child.parent.ac.jp for everybody outside of my-ppl, since 
the parent.ac.jp name servers are included in the my-ppl acl.  No, I can't 
exclude these name servers from the my-ppl acl, for there are those in my-ppl 
that use some other name servers also in my-ppl that may depend on them to 
resolve parent.ac.jp and below, and I need them to know about 
bogus.child.parent.ac.jp.  It's a very large community.  In short, I want 
everybody in parent.ac.jp (assuming they use name servers included in the 
my-ppl acl) to know about bogus.child.parent.ac.jp, but nobody outside.

One of the parent.ac.jp name servers slaves for child.parent.ac.jp.

That the parent.ac.jp name servers are recursively resolving 
bogus.child.parent.ac.jp for those coming from outside is just my 
assumption.  But if that's the case, is there a way out of this?  I'm 
hoping that it's some directive I can just put in the view statement...

Thank you, 
--Koji
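The following named.conf is an added example, not the poster's configuration, showing how the view mechanism interacts with the slave described above. match-clients is an address match list: BIND evaluates it in order, the first matching element wins, and a leading "!" negates an element. Because the parent.ac.jp slave sits inside "my-ppl", it lands in the "internal" view, so its zone transfer pulls master/child-internal and it then serves that copy to every client it answers, inside or outside the ACL. The example gives the slave its own ACL (its address 192.0.2.53 is an assumption; substitute the real one), negates that ACL at the head of the internal view's match-clients, and restricts allow-transfer per view so the internal file can never leave the master. The trade-off is the one the post describes: the slave then holds the public copy, so my-ppl hosts that recurse through the parent's servers will no longer see bogus.child.parent.ac.jp unless those servers run views of their own or those hosts query this master directly.

```conf
# Added example, not the original poster's config.  Addresses and the
# "slaves" ACL name are assumptions; zone names and files are from the post.
options {
    directory "/etc/namedb";
};

# Hosts entitled to the internal view of child.parent.ac.jp.
acl "my-ppl" { xxx.yyy.zzz.0/24; };

# The parent.ac.jp server that slaves child.parent.ac.jp (assumed address).
# It is also inside xxx.yyy.zzz.0/24, which is what caused the leak.
acl "slaves" { 192.0.2.53; };

view "internal" {
    # First match wins: the negated "slaves" entry is tested before
    # "my-ppl", so the slave never matches this view even though its
    # address is covered by my-ppl.
    match-clients { !slaves; "my-ppl"; };

    zone "child.parent.ac.jp" {
        type master;
        file "master/child-internal";
        # The internal copy is answered to my-ppl clients only and is
        # never transferred anywhere.
        allow-transfer { none; };
    };
};

view "external" {
    match-clients { any; };
    # The public view only needs to answer for the zone it is authoritative
    # for; refusing recursion here keeps the server from being an open resolver.
    recursion no;

    zone "child.parent.ac.jp" {
        type master;
        file "master/child";
        # Only the known slave may pull the public copy, so the slave
        # always receives master/child, not master/child-internal.
        allow-transfer { slaves; };
        notify yes;
    };
};
```

To confirm which copy each party holds, query the master and the slave for bogus.child.parent.ac.jp from an address outside my-ppl and from one inside it (dig @master and dig @slave with +norecurse); after the slave's next transfer, both should return NXDOMAIN from outside, and only a direct query to the master from inside my-ppl should return the test record.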
