bind selective delegation, is it possible?

Mark Andrews Mark_Andrews at isc.org
Wed Mar 28 01:52:01 UTC 2007 

> Mark Andrews wrote:
> >> Hi,
> >>
> >> I am trying to solve a DNS problem.   I am trying to delegate my
> >> domain.com to another nameserver for the A record  but I still want
> >> the MX record to be served by the original server.  The reason for
> >> this is that I have load balancers and they expect to be delegated the
> >> NS authority for the domain of the website (so I have delegated
> >> www.domain.com with no problem)  Now the problem I am having is that I
> >> also want to be able to load balance http://domain.com/  since it is
> >> quite common not to use the wwws nowadays.  The nameserver
> >> functionality on these loadbalancers is primitive and they only
> >> support A records.  If I put in an NS record on the master dns server
> >> and delegate domain.com to my load balancers, my email breaks because
> >> the DNS engines on the load balancers dont serve up MX records, only A
> >> records, but the delegation is relinquishing authority from the master
> >> server.  If I use a CNAME, its the same thing, it delegates the entire
> >> domain and the master server becomes no longer authoritative for the
> >> MX record.  Is there a way I can delegate domain.com to my load
> >> balancer for A records only but retain authority for the MX records?
> >> Or is there some other better way to accomplish this?
> >>
> >> Thank you very much.
> >>
> >> Zach
> >>     
> >
> > 	That is not possible in the DNS.  In the DNS you delegate
> > 	the entire namespace.
> >
> > 	Some load balancers can let querys fall through to another
> > 	name server.  Note you have to take care to set such systems
> > 	up correctly.
> >   
> Hmmm... Not sure what you mean by "fall through", but I'm challenged 
> with a load-balancer implementation that _proxies_ queries for QTYPEs it 
> doesn't support to a configured set of nameservers, passing back the 
> result. One problem I've run into is that if A records exist for a 
> particular name in the load-balancer, but a query comes in for some 
> other record type (e.g. MX), for which no RRSet exists anywhere, then, 
> after proxying, the NXDOMAIN response from the "backend" nameservers is 
> sent, unaltered, to the original requestor, thus poisoning its cache 
> against even A-record queries for TTL seconds. If the load-balancer is 
> Internet-facing, then I suppose this could even be considered a security 
> vulnerability, since it allows arbitrary attackers to trivially poison 
> caches and thus perpetrate a cache-specific DoS.
>
> A workaround is to create a bogus wildcard in the zone so that all 
> negative responses will be of the NODATA variety, instead of NXDOMAIN. 
> The load-balancer vendor (who shall go nameless) has promised much 
> better DNS support in the next, impending release of their product, so 
> hopefully we don't have to keep those wildcard records around much longer.
> 
> Is this what you had in mind by "properly" setting up such systems? Or 
> were you referring to something else?

	Whatever records are being load balanced have to appear in
	the backing zone.  The zone delegations have to match.  The
	backing server can't be a server for a parent zone.  There
	may well be other conditions that have to be met. e.g. EDNS
	advertised buffer sizes need to be the same. etc.

	Fix the version string of the backing server so that innocent
	parties don't get blamed for load balancer weirdness.
 
	A load balancer done properly should be indistinguishable from
	a plain DNS server.

>                                  - Kevin
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list