Delegation, parenting, and slaves/stubs

Sat May 20 00:03:15 UTC 2006

In article <e4kg9p$1o1s$1 at sf1.isc.org>,
 "Norman P. B. Joseph" <joseph at ctc.com> wrote:

> On Thu, 2006-05-18 at 22:10 -0400, Barry Margolin wrote:
> > In article <e4i4t2$2j9u$1 at sf1.isc.org>,
> >  "Norman Joseph" <norman.pb.joseph at gmail.com> wrote:
> > 
> > > We run a split DNS setup, with separate external DNS authority for our
> > > public face, and internal DNS authority behind a firewall, with
> > > forwarders for external resolution.  Internally, the authoritative DNS
> > > servers for forward & reverse zones are Linux, but subdelegations from
> > > these zones are made to internal Windows boxes.
> > > 
> > > When we delegate a subdomain (forward or reverse), is it necessary for
> > > the parent zone servers to also run slave zones for the delegation?  If
> > > not necessary, is there any benefit in doing so?  And does it matter
> > > whether you use a "slave" zone or a "stub" zone for this purpose?
> > 
> > You need to configure the parent servers as slaves for the subzones or 
> > add forward zones for them.  Otherwise, when the server needs to recurse 
> > for a subdomain, it will send to its forwarders, which are outside and 
> > can't access the internal Windows boxes.
> 
> Is the following configuration on the internal parent server for the
> slave zone correct?  Optimal?  And what difference would there be

Yes.

> between a "slave" zone like this and a "stub" zone like this?

A stub zone automatically copies the subdomain's delegation records from 
the masters, but not the whole zone.  But the delegation records won't 
be followed when forwarding is enabled -- that's why you have to be a 
slave.

> 
> Internal parent server /etc/named.conf:
> 
> .
> .
> .
> options {
>     .
>     .
>     .
>     forwarders {	// external DNS servers in our DMZ
>         147.160.99.44;
>         147.160.99.125;
>     };
>     forward only;
>     .
>     .
>     .
> };
> .
> .
> .
> zone "160.147.in-addr.arpa" {	// we are master for this /16 inside
>     type master;
>     file "zones/master/160.147.in-addr.arpa";
>     forwarders {};
> };
> .
> .
> .
> zone "3.160.147.in-addr.arpa" {	// we have delegated this /24 inside
>     type slave;			// what happens if this is "type stub"?
>     file "zones/slave/147.160.3";
>     masters { list; of; delegated; internal; servers; };
>     forwarders {};
> };
> .
> .
> .
> 
> Thanks for any insights.
> 
> -norm

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***