Delegating and slaving of same zone - good idea or just plain stupid?

Kevin Darcy kcd at chrysler.com
Thu Oct 9 03:31:29 UTC 2008


Peter Laws wrote:
> Kevin Darcy wrote:
>
>> Slave the 10.in-addr.arpa subzones on your "external" servers and ensure
>> -- as you should already be doing -- that only your own
>> clients/resolvers see the RFC 1918 stuff. The rest of us shouldn't and
>> don't want to see your RFC 1918 dirty laundry.
>>
>
> Done, and of course you can't see it.  What good would it do you anyway?
>
>> As for your *internal* DNS, you can if you wish delegate 10.in-addr.arpa
>> directly from your internal root zone or delegate twice, from root to
>> in-addr.arpa, and then again to 10.in-addr.arpa. If you _have_ an
>> internal root zone, that is: it's not clear from your post whether you
>> have one or not.
>>
>
> Well, no, it's not set up as root if you mean zone ".". It's just another
> zone on the server. And if I do a dig +trace, it doesn't work of course
> (the root servers have no idea what I'm smoking when I ask). I've not seen
> an example of how we'd do that.
>
dig +trace assumes an unbroken delegation chain all the way down from 
the root zone. If that's what you want, then you need a) a root zone 
(obviously), and b) delegations at each and every step of the chain.

There are plenty of examples out there of how to delegate, or just read 
the _Parenting_ chapter of the _DNS_and_BIND_ book.

As I pointed out in my previous post, however, it's not strictly 
necessary to delegate if all of the nameserver instances in question are 
slaves for the relevant zone, so if that's the way you're set up, then 
the delegations would be optional.

                     - Kevin
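The following is an added illustration, not configuration from either poster, of the two options Kevin describes: an internal root zone that delegates in-addr.arpa and then 10.in-addr.arpa, with the RFC 1918 reverse zones confined to an "internal" BIND view so external clients never see them. The ACL range, the names example.internal / ns1.example.internal, the file paths and the 10.1.1.53 address are assumptions for the example.

```bind
// ---- named.conf fragment ----
acl internal { 10.0.0.0/8; 127.0.0.1; };   // assumed internal client range

view "internal" {
    match-clients { internal; };
    recursion yes;
    // The chain dig +trace follows: "." -> in-addr.arpa -> 10.in-addr.arpa.
    // If every internal server is master or slave for all three zones, the
    // NS delegations in the zone files below become optional (Kevin's point).
    zone "."                { type master; file "internal/db.root"; };
    zone "in-addr.arpa"     { type master; file "internal/db.in-addr.arpa"; };
    zone "10.in-addr.arpa"  { type master; file "internal/db.10.in-addr.arpa"; };
};

view "external" {
    match-clients { any; };
    recursion no;
    // Deliberately no RFC 1918 zones here: outsiders get no 10.in-addr.arpa data.
    zone "example.com"      { type master; file "external/db.example.com"; };
};

// ---- internal/db.root (internal root zone) ----
$TTL 86400
@   IN SOA ns1.example.internal. hostmaster.example.internal. (
           2008100901 3600 900 604800 86400 )
    IN NS  ns1.example.internal.
ns1.example.internal.  IN A  10.1.1.53                ; glue for the root NS
in-addr.arpa.          IN NS ns1.example.internal.    ; delegation step 1

// ---- internal/db.in-addr.arpa ----
$TTL 86400
@   IN SOA ns1.example.internal. hostmaster.example.internal. (
           2008100901 3600 900 604800 86400 )
    IN NS  ns1.example.internal.
10  IN NS  ns1.example.internal.                      ; delegation step 2 (10.in-addr.arpa)
```

With both delegations in place, `dig +trace 1.1.1.10.in-addr.arpa PTR` from a 10.0.0.0/8 client walks the chain end to end; from outside, the external view simply has no such zone to hand out.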
