Delegation, parenting, and slaves/stubs

Norman P. B. Joseph joseph at ctc.com
Fri May 19 12:48:53 UTC 2006 

On Thu, 2006-05-18 at 22:10 -0400, Barry Margolin wrote:
> In article <e4i4t2$2j9u$1 at sf1.isc.org>,
>  "Norman Joseph" <norman.pb.joseph at gmail.com> wrote:
> 
> > We run a split DNS setup, with separate external DNS authority for our
> > public face, and internal DNS authority behind a firewall, with
> > forwarders for external resolution.  Internally, the authoritative DNS
> > servers for forward & reverse zones are Linux, but subdelegations from
> > these zones are made to internal Windows boxes.
> > 
> > When we delegate a subdomain (forward or reverse), is it necessary for
> > the parent zone servers to also run slave zones for the delegation?  If
> > not necessary, is there any benefit in doing so?  And does it matter
> > whether you use a "slave" zone or a "stub" zone for this purpose?
> 
> You need to configure the parent servers as slaves for the subzones or 
> add forward zones for them.  Otherwise, when the server needs to recurse 
> for a subdomain, it will send to its forwarders, which are outside and 
> can't access the internal Windows boxes.

Is the following configuration on the internal parent server for the
slave zone correct?  Optimal?  And what difference would there be
between a "slave" zone like this and a "stub" zone like this?

Internal parent server /etc/named.conf:

.
.
.
options {
    .
    .
    .
    forwarders {	// external DNS servers in our DMZ
        147.160.99.44;
        147.160.99.125;
    };
    forward only;
    .
    .
    .
};
.
.
.
zone "160.147.in-addr.arpa" {	// we are master for this /16 inside
    type master;
    file "zones/master/160.147.in-addr.arpa";
    forwarders {};
};
.
.
.
zone "3.160.147.in-addr.arpa" {	// we have delegated this /24 inside
    type slave;			// what happens if this is "type stub"?
    file "zones/slave/147.160.3";
    masters { list; of; delegated; internal; servers; };
    forwarders {};
};
.
.
.

Thanks for any insights.

-norm



-- 
 Norman Joseph, System Engineer             joseph at ctc.com        IC|XC
 Concurrent Technologies Corporation         814/269.2633         --+--
 Information Systems Management Office (ISMO)                     NI|KA
  --=: It's not the voting that's democracy, it's the counting. :=--

More information about the bind-users mailing list