Nameservers not reachable by the roots
barmar at alum.mit.edu
Wed Feb 22 02:26:48 UTC 2006
In article <dtfodk$17e5$1 at sf1.isc.org>, ewilts at ewilts.org wrote:
> Do nameservers have to be reachable by the roots? I've got a weird
> case where the nameservers are behind firewalls and should only be
> reachable for users who tunnel in. So, for example, I'd like to have a
> domain example.com with DNS server entries 10.0.0.1 and 10.0.0.2. When
> the tunnel is up, these are reachable. When the tunnel is done,
> they're not. However, nobody will be able to determine the validity of
> the domain unless they have a tunnel. Is this allowed in DNSland? We
> seem to recall that registrars don't want you to register a domain
> without a valid DNS server - in this case, it doesn't appear valid to
> the registrar even though it is for the people that have the
> authorization to look up the entries in the domain.
It depends on the registrar. Some registrars, in an attempt to prevent
lame delegations, will check whether the registered servers are
authoritative for the zone before fulfilling the registration request.
Some may even check again periodically -- I remember about 5 or so years
ago Network Solutions announced a plan to do this, but I don't think
they went through with it.
Would it be possible for you to have VPN clients use your internal DNS
rather than the public DNS? That way you wouldn't need public
registration for domains that are only reachable by VPN users.
Barry Margolin, barmar at alum.mit.edu
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
More information about the bind-users