Is there a way to exclude a RR during a zone transfer?
waltpark at gmail.com
Sun Nov 19 03:02:56 UTC 2006
branchoffice.mainoffice.com will have it's own SRV records.
We're trying to keep the branchoffice AD a separate entity, because of
But, we want to share namespace because it's still one company that will
have internal connections.
So, I want to use mainoffice.com.countrycode on the net, and
I've been told by my Windows admins that because of the way AD works, if we
push mainoffice.com namespace to branchoffice.mainoffice.com, then the
branchoffice.mainoffice.com AD will allow mainoffice.com auth to work
because it assumes that it is a child of mainoffice.com because of a
child.parent.domain naming convention in Windows.
So, if I want to use country.mainoffice.com convention internally, I need to
make sure that the name servers at country.mainoffice.com never get SRV
records from mainoffice.com
On 11/17/06, Kevin Darcy <kcd at daimlerchrysler.com> wrote:
> Walt Park wrote:
> > Hello and thanks in advance for any advice.
> > We have 2 locations that we'd like to share name space.
> > Lets say mainoffice and branchoffice.
> > I'd like names in branchoffice to be branchoffice.mainoffice.com, and
> > like to
> > zone transfer from mainoffice to branchoffice.
> > The problem I'm trying to solve is that both locations run different
> > Microsoft
> > active directories, that we'd like to segregate. If the whole file is
> > transfered,
> > then the SRV records in the mainoffice.com forward lookup will allow
> > in the mainoffice.com AD domain authenticate on the
> > branchoffice.mainoffice.com
> > AD domain, which is something we dont want.
> > When we zone transfer, I'd like to exclude SRV records from the forward
> > file.
> > Or conversely, if we could only include certain types of records in the
> > transfer
> > that would be even better. All I want to transfer is A, CNAME, TXT, and
> > in the forward file.
> > Is there a way to limit what record types can be transfered either by
> > exclusion
> > or include, or is it only the whole enchilada?
> No, that's not a feature of BIND, and I don't think it'll ever be a
> feature, since it fragments namespaces in a way that is confusing,
> error-prone and dangerous.
> But, I have to ask: why doesn't the branchoffice AD have their own SRV
> records in the branchoffice.mainoffice.com subdomain? If the clients
> found _those_ SRV records, then they presumably wouldn't look for SRV
> records in mainoffice.com and you wouldn't have an issue. Maybe I'm
> misunderstanding something about your design...
> - Kevin
More information about the bind-users