Is there a way to exclude a RR during a zone transfer?

Walt Park waltpark at
Sun Nov 19 03:02:56 UTC 2006

Hi Kevin. will have its own SRV records.

We're trying to keep the branchoffice AD a separate entity, because of
country borders.
But, we want to share namespace because it's still one company that will
have internal connections.

So, I want to use on the net, and internally.

I've been told by my Windows admins that because of the way AD works, if we
push namespace to, then the AD will allow auth to work
because it assumes that it is a child of because of a
child.parent.domain naming convention in Windows.

So, if I want to use convention internally, I need to
make sure that the name servers at never get SRV
records from

On 11/17/06, Kevin Darcy <kcd at> wrote:
> Walt Park wrote:
> > Hello and thanks in advance for any advice.
> > We have 2 locations that we'd like to share name space.
> >
> > Lets say mainoffice and branchoffice.
> >
> > I'd like names in branchoffice to be, and I'd like to
> > zone transfer from mainoffice to branchoffice.
> >
> > The problem I'm trying to solve is that both locations run different
> > Microsoft active directories, that we'd like to segregate. If the whole
> > file is transferred, then the SRV records in the forward lookup will
> > allow people in the AD domain to authenticate on the
> >
> > AD domain, which is something we don't want.
> >
> > When we zone transfer, I'd like to exclude SRV records from the forward
> > file.
> >
> > Or conversely, if we could only include certain types of records in the
> > transfer, that would be even better. All I want to transfer is A, CNAME,
> > TXT, and MX in the forward file.
> >
> > Is there a way to limit what record types can be transferred, either by
> > exclusion or inclusion, or is it only the whole enchilada?
> >
> >
> No, that's not a feature of BIND, and I don't think it'll ever be a
> feature, since it fragments namespaces in a way that is confusing,
> error-prone and dangerous.
> But, I have to ask: why doesn't the branchoffice AD have their own SRV
> records in the subdomain? If the clients
> found _those_ SRV records, then they presumably wouldn't look for SRV
> records in and you wouldn't have an issue. Maybe I'm
> misunderstanding something about your design...
>                   - Kevin
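The layout Kevin suggests, written out as an added illustration that is not part of the original thread or of any poster's configuration: the parent zone delegates the branch subdomain, and each AD forest publishes its locator SRV records only in its own zone. All names and addresses here (example.com, branchoffice.example.com, the ns1/dc1/mail hosts, the 192.0.2.x and 198.51.100.x documentation ranges, the serial) are assumed placeholders standing in for the names removed from the archived message. The two zone files are shown back to back in one listing.

```zone
; ===== zone file 1: example.com, served by mainoffice (primary) =====
; A secondary that slaves this zone receives exactly these records and
; nothing below the branchoffice delegation point: the child zone is
; separate zone data and is never part of this zone's AXFR.
$ORIGIN example.com.
$TTL 3600
@                      IN SOA  ns1.example.com. hostmaster.example.com. (
                               2006111901 ; serial (assumed)
                               7200       ; refresh
                               900        ; retry
                               1209600    ; expire
                               3600 )     ; negative-cache TTL
                       IN NS   ns1.example.com.
                       IN NS   ns1.branchoffice.example.com.
                       IN MX   10 mail.example.com.
ns1                    IN A    192.0.2.1
mail                   IN A    192.0.2.2
dc1                    IN A    192.0.2.10
; mainoffice AD locator records: they exist only in this zone
_ldap._tcp             IN SRV  0 100 389 dc1.example.com.
_kerberos._tcp         IN SRV  0 100 88  dc1.example.com.
_ldap._tcp.dc._msdcs   IN SRV  0 100 389 dc1.example.com.
; delegation: everything under branchoffice lives in the child zone
branchoffice           IN NS   ns1.branchoffice.example.com.
ns1.branchoffice       IN A    198.51.100.1   ; glue for the delegated server

; ===== zone file 2: branchoffice.example.com, served by branchoffice =====
; The branch AD publishes its own SRV records here, so branch clients
; resolve their domain controllers from this zone.
$ORIGIN branchoffice.example.com.
$TTL 3600
@                      IN SOA  ns1.branchoffice.example.com. hostmaster.example.com. (
                               2006111901 7200 900 1209600 3600 )
                       IN NS   ns1.branchoffice.example.com.
ns1                    IN A    198.51.100.1
dc1                    IN A    198.51.100.10
; branchoffice AD locator records: they exist only in this child zone
_ldap._tcp             IN SRV  0 100 389 dc1.branchoffice.example.com.
_kerberos._tcp         IN SRV  0 100 88  dc1.branchoffice.example.com.
_ldap._tcp.dc._msdcs   IN SRV  0 100 389 dc1.branchoffice.example.com.
```

A zone transfer always moves one zone in its entirety, which is why BIND offers no per-RR-type filter. Delegating the subdomain gives the separation by design: the branch name servers can still slave example.com for the shared A, CNAME, TXT and MX data, while the branch SRV records are authored and served from the child zone alone.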
