Nameservers not reachable by the roots

Barry Margolin barmar at
Wed Feb 22 02:26:48 UTC 2006

In article <dtfodk$17e5$1 at>, ewilts at wrote:

> Do nameservers have to be reachable by the roots?  I've got a weird
> case where the nameservers are behind firewalls and should only be
> reachable for users who tunnel in.  So, for example, I'd like to have a
> domain with DNS server entries and  When
> the tunnel is up, these are reachable.  When the tunnel is done,
> they're not.  However, nobody will be able to determine the validity of
> the domain unless they have a tunnel.  Is this allowed in DNSland?  We
> seem to recall that registrars don't want you to register a domain
> without a valid DNS server - in this case, it doesn't appear valid to
> the registrar even though it is for the people that have the
> authorization to look up the entries in the domain.

It depends on the registrar.  Some registrars, in an attempt to prevent 
lame delegations, will check whether the registered servers are 
authoritative for the zone before fulfilling the registration request.  
Some may even check again periodically -- I remember about 5 or so years 
ago Network Solutions announced a plan to do this, but I don't think 
they went through with it.

Would it be possible for you to have VPN clients use your internal DNS 
rather than the public DNS?  That way you wouldn't need public 
registration for domains that are only reachable by VPN users.

Barry Margolin, barmar at
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

More information about the bind-users mailing list