Delegating and slaving of same zone - good idea or just plain stupid?

Kevin Darcy kcd at chrysler.com
Wed Oct 8 01:09:32 UTC 2008


Peter Laws wrote:
> OK, so for historical reasons, we have servers that serve records for a 
> fake internal-only domain whose hosts are all in RFC-1918 space (call those 
> "Internal").  They're different from the servers that host our real domain 
> on real address space (call those "External").
>
> A while back, we made our External servers slaves for the forward and 
> reverse zones on the Internal server.
>
> Now it turns out that I need to delegate off a part of 10.in-addr.arpa. 
> Thing is, we never actually delegated that space or the other RFC-1918 
> stuff officially
>
> Clearly, I need to do that before I go delegating some zone off those 
> parents (we really should only have one root, even if the Internal stuff 
> never goes anywhere - outside, BLACKHOLE-1.IANA.ORG owns 10.in-addr.arpa. 
> after all).
>
> My quandary is that I don't think everything pointed at the External 
> servers can see (network-wise) those Internal servers, so they wouldn't be 
> able to follow the delegation ...
>
> So can I keep slaving and still delegate?  I'm thinking not, but I can't 
> find any examples where it's OK or warnings that it's not in some light 
> googling this afternoon.
>
> I fear causing the internets to implode and no one wants that.
>
Slave the 10.in-addr.arpa subzones on your "external" servers and ensure 
-- as you should already be doing -- that only your own 
clients/resolvers see the RFC 1918 stuff. The rest of us shouldn't and 
don't want to see your RFC 1918 dirty laundry.

If a zone is slaved on all of the nameserver instances that a given 
community of resolvers is using to resolve names in the zone, then 
delegations are kind of superfluous. You can add them, for aesthetic 
purposes, but they're not, strictly speaking, necessary.

As for your *internal* DNS, you can if you wish delegate 10.in-addr.arpa 
directly from your internal root zone or delegate twice, from root to 
in-addr.arpa, and then again to 10.in-addr.arpa. If you _have_ an 
internal root zone, that is: it's not clear from your post whether you 
have one or not.

                           - Kevin
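The arrangement Kevin describes, as an added example that is not from the original thread: a BIND named.conf sketch for the "External" servers that slaves the RFC 1918 reverse zones (the 10.in-addr.arpa parent and one delegated subzone) but exposes them only to the organisation's own resolvers. Every address, zone name and file path here is an assumption; the Internal server is assumed to be 10.0.0.53 and the subzone's master 10.1.0.53.

```conf
// Added example (assumed names/addresses), not Peter's or Kevin's config.
// Clients matching this ACL are the only ones that ever see RFC 1918 data.
acl "rfc1918-clients" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    localhost;
};

// Internal view: our own resolvers get the slaved reverse zones plus recursion.
view "internal" {
    match-clients { "rfc1918-clients"; };
    recursion yes;
    allow-transfer { "rfc1918-clients"; };   // no AXFR of RFC 1918 zones to outsiders

    // Parent reverse zone, slaved from the Internal server (assumed 10.0.0.53).
    zone "10.in-addr.arpa" {
        type slave;
        masters { 10.0.0.53; };
        file "slaves/10.in-addr.arpa";
    };

    // The delegated subzone, slaved directly from its own master (assumed 10.1.0.53).
    // Because it is local on every server these resolvers use, the NS records
    // in the parent are never followed; they can stay for tidiness.
    zone "1.10.in-addr.arpa" {
        type slave;
        masters { 10.1.0.53; };
        file "slaves/1.10.in-addr.arpa";
    };
};

// External view: everyone else gets only the public zone, no recursion,
// and no 10.in-addr.arpa at all (such queries are refused).
view "external" {
    match-clients { any; };
    recursion no;
    allow-transfer { none; };

    zone "example.com" {                      // placeholder for the real public zone
        type master;
        file "master/example.com";
    };
};
```

A quick check of the split is to query the same PTR name from an RFC 1918 address and from a public one with `dig @<external-server> -x 10.1.0.5`: the first should answer, the second should be REFUSED.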
