(no subject)
Yanagisawa Koji
koji_yanagisawa at hotmail.com
Sat Sep 17 03:07:21 UTC 2005
Hello,
After setting up split DNS on bind 9.3.1, it doesn't seem to be behaving
the way I'd hoped. Allow me to explain the situation, hopefully someone
can shed some light.
Let's say there's a domain named: parent.ac.jp
Our server is responsible for a subdomain of this domain, let's say:
child.parent.ac.jp
I want child.parent.ac.jp to be split. Telling a certain group of hosts
one thing and telling everybody else something else. The server is not
multi-homed or anything, sitting right there on the Internet.
Here's the basic named.conf as it stands now.
# BEGIN
options {
    directory "/etc/namedb";
};

# Hosts that should see the internal version of the zone
acl "my-ppl" { xxx.yyy.zzz.0/24; };

view "internal" {
    match-clients { "my-ppl"; };
    zone "child.parent.ac.jp" {
        type master;
        file "master/child-internal";
    };
};

view "external" {
    match-clients { any; };
    zone "child.parent.ac.jp" {
        type master;
        file "master/child";
    };
};
# END
No error messages, named happily starts.
In master/child-internal, I created a test A record,
bogus.child.parent.ac.jp, and this record never existed in the past.
The name servers (SOA) for parent.ac.jp are included in the my-ppl acl, and I
can't have them otherwise, since it's out of my jurisdiction.
I'd expect that anyone not listed in my-ppl would not resolve
bogus.child.parent.ac.jp, but they all do! Granted, when I nslookup from
home (which is not part of my-ppl acl) using child.parent.ac.jp name
server, I can't resolve bogus.child.parent.ac.jp. But as soon as I switch
back to my ISP's name server or any other, I start resolving it. I don't
like that.
I'm somewhat convinced that it may be the parent.ac.jp name servers
resolving bogus.child.parent.ac.jp for everybody outside of my-ppl, since
the parent.ac.jp name servers are included in the my-ppl acl. No, I can't
exclude these name servers from the my-ppl acl, for there are those in my-ppl
that use some other name servers also in my-ppl that may depend on them to
resolve parent.ac.jp and below, and I need them to know about
bogus.child.parent.ac.jp. It's a very large community. In short, I want
everybody in parent.ac.jp (assuming they use name servers included in my-ppl)
to know about bogus.child.parent.ac.jp, but nobody outside.
One of the parent.ac.jp name servers slaves for child.parent.ac.jp.
The assumption that parent.ac.jp name servers are resolving
bogus.child.parent.ac.jp for those coming from outside recursively is just
my assumption. But if that's the case, is there a way out of this? I'm
hoping that it's some directive I can just put in the view statement...
Thank you,
--Koji