Is it possible to specify a fallback NS?

Kevin Darcy kcd at daimlerchrysler.com
Tue Oct 24 02:02:25 UTC 2006


linuxnewbie1234 wrote:
> Suppose I have a company ONE for which I am serving the domain .one.com
> I know the A addresses of a computer like www.one.com
> however my company recently split and now there is an independent 
> branch, which is two.one.com.
>
> At TWO-ONE They have their computers (e.g. three.two.one.com), and their 
> NS which is ns.two.one.com. All the IP addresses can change without 
> them informing me. In addition they can split further and make a 
> THREE-ONE branch with the domain three.one.com. TWO-ONE will be 
> informed of the split but not me.
>
> Since I have the top level NS ns.one.com BUT I don't have control over 
> what the other people do, is there a way to configure my zone file so 
> that for everything of the form X.one.com it first goes looking in my 
> zone file and then if this finds nothing, either:
> - goes asking recursively to ns.two.one.com, OR
> - tells the client to refer to ns.two.one.com?
>
> Note that I cannot simply put an NS entry specifying X.two.one.com NS 
> ns.two.one.com because if they split again forming "three" I wouldn't 
> catch that one. I really want a fallback on ns.two.one.com if the 
> computer is not found in my zone. Is that possible?
>
No, not possible with BIND. Administrators of parent and child domains 
need to work together if they are to provide reliable resolution service 
to their customers. The child-domain administrators can't reasonably 
expect to change all of their stuff around without informing you and 
without causing a break in service. That would be like them sawing 
themselves off of a branch and still expecting to stay aloft. Nor can 
they expect to be able to create arbitrary subzones of the parent zone 
without you giving them full write access to the zone data (which 
presumably you're not willing to do).

Think about this too: even *if* BIND had this capability -- kind of a 
"wildcarded forwarding" mechanism -- if they changed all of their IP 
addresses around without telling you, you'd *still* be just as unable to 
resolve names in their subzones, until you could update your "wildcarded 
forwarding" configuration. So what would such a feature buy you really, 
over simple delegation? Any way you cut it, if they control subzones of 
one.com, they *must* co-ordinate any changes to the nameservers of those 
subzones, with the administrator of the parent zone (you).

Sounds like what they _really_ want is to control the parent zone. 
Unless you can collectively come up with some sort of shared-maintenance 
regime that you can both live with, looks like you might have a 
political battle on your hands over who controls one.com. But that's 
getting somewhat off-topic for this list...

            - Kevin
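Since the reply's point is that parent and child must keep the delegation in sync, here is an added example (my own code, not from Kevin or the BIND project) that checks a parent zone's delegation against the child's apex NS set and flags missing glue. The zone data below is constructed for the one.com / two.one.com scenario in the question; the zone-file parser is a deliberately minimal one that only handles fully-qualified `owner IN TYPE rdata` lines.

```python
"""Check that a parent zone's delegation of a child agrees with the child's own
apex NS records, and that every in-bailiwick nameserver has glue in the parent."""
from typing import List, Tuple

# Constructed sample data: the parent one.com delegates two.one.com to one
# nameserver, but the child has since added ns2 without telling the parent.
PARENT_ONE_COM = """
one.com.          IN SOA ns.one.com. hostmaster.one.com. 1 3600 900 604800 300
one.com.          IN NS  ns.one.com.
ns.one.com.       IN A   192.0.2.1
www.one.com.      IN A   192.0.2.10
two.one.com.      IN NS  ns.two.one.com.
ns.two.one.com.   IN A   192.0.2.53
"""
CHILD_TWO_ONE_COM = """
two.one.com.      IN SOA ns.two.one.com. hostmaster.two.one.com. 7 3600 900 604800 300
two.one.com.      IN NS  ns.two.one.com.
two.one.com.      IN NS  ns2.two.one.com.
ns.two.one.com.   IN A   192.0.2.53
ns2.two.one.com.  IN A   192.0.2.54
three.two.one.com. IN A  192.0.2.60
"""

Record = Tuple[str, str, str]  # (owner, type, rdata), all lower-cased


def parse_zone(text: str) -> List[Record]:
    """Parse 'owner IN TYPE rdata' lines; no $ORIGIN, no relative names."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue
        records.append((parts[0].lower(), parts[2].upper(), " ".join(parts[3:]).lower()))
    return records


def check_delegation(parent: str, child: str, child_zone: str) -> List[str]:
    """Return delegation problems found; an empty list means parent and child agree."""
    parent_recs, child_recs = parse_zone(parent), parse_zone(child)
    parent_ns = {r[2] for r in parent_recs if r[0] == child_zone and r[1] == "NS"}
    child_ns = {r[2] for r in child_recs if r[0] == child_zone and r[1] == "NS"}
    glue = {r[0] for r in parent_recs if r[1] in ("A", "AAAA")}
    problems = []
    if not parent_ns:
        problems.append(f"{child_zone} is not delegated by the parent")
    for ns in sorted(child_ns - parent_ns):
        problems.append(f"child lists {ns} but parent delegation does not")
    for ns in sorted(parent_ns - child_ns):
        problems.append(f"parent delegates to {ns} but child apex NS set omits it")
    for ns in sorted(parent_ns):
        if ns.endswith("." + child_zone) and ns not in glue:
            problems.append(f"in-bailiwick nameserver {ns} has no glue address in parent")
    return problems
```

Running `check_delegation(PARENT_ONE_COM, CHILD_TWO_ONE_COM, "two.one.com.")` reports the nameserver the child added unilaterally, and checking `"three.one.com."` against the same parent reports that no delegation exists, which is exactly the gap the question asks BIND to paper over.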
