bind selective delegation, is it possible?

Kevin Darcy kcd at daimlerchrysler.com
Wed Mar 28 01:23:09 UTC 2007


Mark Andrews wrote:
>> Hi,
>>
>> I am trying to solve a DNS problem.   I am trying to delegate my
>> domain.com to another nameserver for the A record  but I still want
>> the MX record to be served by the original server.  The reason for
>> this is that I have load balancers and they expect to be delegated the
>> NS authority for the domain of the website (so I have delegated
>> www.domain.com with no problem)  Now the problem I am having is that I
>> also want to be able to load balance http://domain.com/  since it is
>> quite common not to use the wwws nowadays.  The nameserver
>> functionality on these loadbalancers is primitive and they only
>> support A records.  If I put in an NS record on the master dns server
>> and delegate domain.com to my load balancers, my email breaks because
>> the DNS engines on the load balancers don't serve up MX records, only A
>> records, but the delegation is relinquishing authority from the master
>> server.  If I use a CNAME, it's the same thing, it delegates the entire
>> domain and the master server becomes no longer authoritative for the
>> MX record.  Is there a way I can delegate domain.com to my load
>> balancer for A records only but retain authority for the MX records?
>> Or is there some other better way to accomplish this?
>>
>> Thank you very much.
>>
>> Zach
>>
>
> 	That is not possible in the DNS.  In the DNS you delegate
> 	the entire namespace.
>
> 	Some load balancers can let queries fall through to another
> 	name server.  Note you have to take care to set such systems
> 	up correctly.
>
Hmmm... Not sure what you mean by "fall through", but I'm challenged 
with a load-balancer implementation that _proxies_ queries for QTYPEs it 
doesn't support to a configured set of nameservers, passing back the 
result. One problem I've run into is that if A records exist for a 
particular name in the load-balancer, but a query comes in for some 
other record type (e.g. MX), for which no RRSet exists anywhere, then, 
after proxying, the NXDOMAIN response from the "backend" nameservers is 
sent, unaltered, to the original requestor, thus poisoning its cache 
against even A-record queries for TTL seconds. If the load-balancer is 
Internet-facing, then I suppose this could even be considered a security 
vulnerability, since it allows arbitrary attackers to trivially poison 
caches and thus perpetrate a cache-specific DoS.

A workaround is to create a bogus wildcard in the zone so that all 
negative responses will be of the NODATA variety, instead of NXDOMAIN. 
The load-balancer vendor (who shall go nameless) has promised much 
better DNS support in the next, impending release of their product, so 
hopefully we don't have to keep those wildcard records around much longer.

Is this what you had in mind by "properly" setting up such systems? Or 
were you referring to something else?

                                                                         
                                 - Kevin
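The NXDOMAIN-versus-NODATA point Kevin makes above, modelled as an added example (this is not code from the thread, from BIND, or from any load-balancer vendor): a toy caching resolver sits in front of a load balancer that only serves A records and proxies every other QTYPE to a backend authoritative server. Names, addresses and record data are constructed, TTLs are ignored, and wildcard matching is simplified to one label.

```python
# Added example (not from the thread): why a proxied NXDOMAIN poisons a
# resolver's cache for every record type, and why a wildcard in the backend
# zone turns the negative answer into NODATA. All data below is constructed.

LB_A = {"www.domain.com.": "192.0.2.10", "app.domain.com.": "192.0.2.11"}

BASE_ZONE = {("domain.com.", "SOA"): "ns1.domain.com. hostmaster.domain.com. 1",
             ("domain.com.", "MX"): "10 mail.domain.com.",
             ("mail.domain.com.", "A"): "192.0.2.25"}

# The workaround from the post: a wildcard so every name under the apex "exists".
WILDCARD_ZONE = {**BASE_ZONE, ("*.domain.com.", "TXT"): '"placeholder"'}


def backend_answer(zone, qname, qtype):
    """Authoritative backend with RFC 2308 semantics: NXDOMAIN only when no
    RRset of any type exists at qname; NODATA (NOERROR, empty answer) when the
    name exists but not that type. Wildcard matching is simplified to one label."""
    owners = {name for name, _ in zone}
    if qname not in owners:
        parent = qname.split(".", 1)[1]
        if "*." + parent in owners:
            qname = "*." + parent            # synthesize from the wildcard
        else:
            return "NXDOMAIN", None
    return "NOERROR", zone.get((qname, qtype))   # rdata None means NODATA


class Resolver:
    """Caching resolver querying the load balancer; TTL handling omitted."""
    def __init__(self, zone):
        self.zone = zone
        self.nxdomain_names = set()   # an NXDOMAIN is cached for the whole name
        self.nodata = set()           # a NODATA is cached per (name, type) only

    def resolve(self, qname, qtype):
        """Return (rcode, rdata, source) where source is cache, lb or backend."""
        if qname in self.nxdomain_names:
            return "NXDOMAIN", None, "cache"
        if (qname, qtype) in self.nodata:
            return "NOERROR", None, "cache"
        if qtype == "A" and qname in LB_A:             # load balancer answers
            return "NOERROR", LB_A[qname], "lb"
        rcode, rdata = backend_answer(self.zone, qname, qtype)   # proxied
        if rcode == "NXDOMAIN":
            self.nxdomain_names.add(qname)
        elif rdata is None:
            self.nodata.add((qname, qtype))
        return rcode, rdata, "backend"
```

With BASE_ZONE an MX query for www.domain.com. comes back NXDOMAIN and the following A query is answered NXDOMAIN from cache without ever reaching the load balancer; with WILDCARD_ZONE the same MX query is NODATA and the A query still succeeds.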