Is it possible to specify a fallback NS?
Kevin Darcy
kcd at daimlerchrysler.com
Tue Oct 24 02:02:25 UTC 2006
linuxnewbie1234 wrote:
> Suppose I have a company ONE for which I am serving the domain .one.com
> I know the A addresses of a computer like www.one.com
> however my company recently split and now there is an independent
> branch, which is two.one.com .
>
> At TWO-ONE they have their computers (e.g. three.two.one.com), and their
> NS which is ns.two.one.com . All the IP addresses can change without
> them informing me. In addition they can split further and make a
> THREE-ONE branch with the domain three.one.com . TWO-ONE will be
> informed of the split but not me.
>
> Since I have the top level NS ns.one.com BUT I don't have control on
> what the other people do, is there a way to configure my zone file so
> that for everything of the form X.one.com it first goes looking in my
> zone file and then if this finds nothing, either
> -goes asking recursively to ns.two.one.com OR
> -tells the client to refer to ns.two.one.com
> ?
>
> Note that I cannot simply put an NS entry specifying X.two.one.com NS
> ns.two.one.com because if they split again forming "three" I wouldn't
> catch that one. I really want a fallback on ns.two.one.com if the
> computer is not found in my zone. Is that possible?
>
>
No, not possible with BIND. Administrators of parent and child domains
need to work together if they are to provide reliable resolution service
to their customers. The child-domain administrators can't reasonably
expect to change all of their stuff around without informing you and
without causing a break in service. That would be like them sawing
themselves off of a branch and still expecting to stay aloft. Nor can
they expect to be able to create arbitrary subzones of the parent zone
without you giving them full write access to the zone data (which
presumably you're not willing to do).
Think about this too: even *if* BIND had this capability -- kind of a
"wildcarded forwarding" mechanism -- if they changed all of their IP
addresses around without telling you, you'd *still* be just as unable to
resolve names in their subzones, until you could update your "wildcarded
forwarding" configuration. So what would such a feature buy you really,
over simple delegation? Any way you cut it, if they control subzones of
one.com, they *must* co-ordinate any changes to the nameservers of those
subzones with the administrator of the parent zone (you).
Sounds like what they _really_ want is to control the parent zone.
Unless you can collectively come up with some sort of shared-maintenance
regime that you can both live with, looks like you might have a
political battle on your hands over who controls one.com. But that's
getting somewhat off-topic for this list...
- Kevin
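As an added illustration of the delegation point in Kevin's reply (this is not code from the thread and not how BIND is implemented), here is a small Python model of an authoritative lookup over a constructed one.com zone: a query under two.one.com is referred to ns.two.one.com only because an explicit NS RRset sits at that cut, while a name under an undelegated three.one.com gets NXDOMAIN until the parent adds the delegation. Zone contents and addresses are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    rcode: str                                   # NOERROR, NXDOMAIN or REFUSED
    kind: str                                    # answer, referral, nodata or none
    records: list = field(default_factory=list)  # (owner, type, rdata) tuples

APEX = "one.com."

# Constructed one.com zone (RFC 5737 documentation addresses).
ZONE = {
    ("one.com.", "SOA"): ["ns.one.com. hostmaster.one.com. 1 3600 900 604800 86400"],
    ("one.com.", "NS"): ["ns.one.com."],
    ("ns.one.com.", "A"): ["192.0.2.1"],
    ("www.one.com.", "A"): ["192.0.2.10"],
    # Delegation of two.one.com: NS RRset at the cut plus glue for ns.two.one.com.
    ("two.one.com.", "NS"): ["ns.two.one.com."],
    ("ns.two.one.com.", "A"): ["192.0.2.53"],
}

def delegate(zone, subzone, nameservers):
    """The coordination step: the parent adds an NS RRset at the new cut."""
    zone[(subzone, "NS")] = list(nameservers)

def lookup(zone, qname, qtype):
    """Simplified authoritative lookup: answer, referral, NODATA or NXDOMAIN."""
    qname = qname.lower().rstrip(".") + "."
    if qname != APEX and not qname.endswith("." + APEX):
        return Response("REFUSED", "none")          # not our zone at all
    # Look for a zone cut at or above qname (apex excluded), highest cut first.
    # A referral is produced only because an explicit NS RRset exists there.
    labels = qname[: -len(APEX)].rstrip(".").split(".") if qname != APEX else []
    for i in range(len(labels) - 1, -1, -1):
        cut = ".".join(labels[i:]) + "." + APEX
        if (cut, "NS") in zone:
            recs = [(cut, "NS", ns) for ns in zone[(cut, "NS")]]
            for ns in zone[(cut, "NS")]:              # add glue if we hold it
                recs += [(ns, "A", a) for a in zone.get((ns, "A"), [])]
            return Response("NOERROR", "referral", recs)
    if (qname, qtype) in zone:
        return Response("NOERROR", "answer",
                        [(qname, qtype, r) for r in zone[(qname, qtype)]])
    if any(owner == qname for owner, _ in zone):
        return Response("NOERROR", "nodata")
    # No record and no cut: there is nothing to "fall back" to.
    return Response("NXDOMAIN", "none")
```

Running lookup(ZONE, "three.one.com", "A") returns NXDOMAIN, and only after delegate(ZONE, "three.one.com.", ["ns.two.one.com."]) does a query below it become a referral.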
More information about the bind-users mailing list