No authoritative and authoritative replies for the same zone.
Kevin Darcy
kcd at daimlerchrysler.com
Mon Apr 24 23:20:48 UTC 2006
Olivier.Khazem at equant.com wrote:
>Hello
>We use ISC Bind 9.2.3rc1 for Window NT/2000
>This is for use of a platform that have access to two type of networks:
> - Internet;
> - private world.
>
>We have a domain name example.com for which we want
>some hosts to be
>searched by ISC Bind as no authoritative replies
>(Internet replies)
>
>some other hosts to be
>searched by ISC Bind as authoritative replies
>(in order to get the private network area)
>
>How to do that?
>
Well, you can't configure BIND to disclaim authority for
arbitrarily-defined records in an authoritative zone, and that would in
any case violate the spirit, if not the exact wording of the DNS RFCs.
I don't think *authoritativeness* _per_se_ is really what you care about
anyway. Very few things other than DNS servers/resolvers themselves care
about the setting of the AA flag.
What I think you really meant to ask was how to allow internal clients
to resolve names in a particular domain, where some of names in that
domain resolve to internal addresses and some of them resolve to
Internet-accessible addresses. The usual answer to that is to populate
the internal version of your zone with all of the entries from the
external version that would otherwise not be resolvable. The internal
and external versions of the zone would need to be maintained in
parallel. Of course, then that would not satisfy your _stated_
requirement that the "Internet replies" be given as non-authoritative,
since *all* of the names under example.com would then be given as
authoritative.
The only way to meet your requirements as stated seems offhand to me to
be to define all of the internal-only names beneath example.com as
separate zones in the internal DNS, e.g. host1.example.com could be
defined as a zone in named.conf, with only SOA/NS/A records at its apex.
That seems like an even bigger maintenance headache than maintaining the
external entries in parallel. example.com itself, if you're not already
forwarding to the Internet by default, would then need to be defined as
either "type forward" (pointing to recursors that can resolve names from
the external version of example.com by following the delegation chain
down from the root) or "type stub" (pointing directly to authoritative
nameservers for the external version of example.com).
- Kevin
More information about the bind-users
mailing list