Combined master + forward zone

Petteri Heinonen petteri.j.heinonen at
Mon Apr 20 07:39:59 UTC 2009

Chris Buxton [cbuxton at] wrote: 
> On Apr 19, 2009, at 8:06 AM, Petteri Heinonen wrote:
> > Hello all. I have been struggling with a seemingly simple Bind related
> > problem. My main goal would be to have dynamically added RRs served  
> > by different server than the normal statically configured RRs.  
> > Essentially, the zone's RRs would be divided on two Bind servers.  
> > Here is the setup I would like to achieve:
> >
> > - Primary master for our zone, serving the statically configured DNS  
> > entries. This server would not be used directly by the clients. This  
> > server would not accept DDNS update requests either.
> > - Second server for the same zone as the first one. This server  
> > would then accept DDNS update requests, and store the entries for  
> > those locally.
> >
> > Now, upon a normal DNS query, the second server would need to work  
> > as follows:
> >
> > 1. Check if the queried name exists locally. If yes (in the case the
> > name has been dynamically added), send the response to the client.
> > 2. If not, forward the query to Primary master of the zone.
> > 3. If not found there either, respond with NXDOMAIN.
> Can't be done. A server's authority for a zone is either true or  
> false, not "maybe".
> What you could do would be to move the dynamic entries into a subzone:
> - Primary master server for your zone has the zone itself, plus a  
> delegation of a subzone (something like "") pointing to  
> the second server.
> - Second server, primary master for the subzone, would accept dynamic  
> updates and store them locally.
> To answer queries:
> 1. Check if the name exists locally, in the subzone. If yes, send the  
> response to the client.
> 2. Recurse normally. There might be a stub zone configuration to point  
> upstream to server 1, but this may not be necessary.
> Chris Buxton
> Professional Services
> Men & Mice

Ok, thanks for confirming my doubts. As a related issue, how is Bind supposed to be used in a domain where Windows Domain Controllers are used for Windows domain services, but Bind is used for DNS? I mean, in a Windows domain DDNS updates are used by both Domain Controllers and by normal domain clients. For Domain Controllers, it is essential that they can register their SRV records dynamically in DNS. Now in the case of a distributed domain (several Domain Controllers on separate sites, but all still belonging to the same Windows domain and all using the same DNS zone), each site should also have its own DNS service (for fault tolerance and redundancy etc). But, as only one site can host the master DNS server which accepts DDNS update requests, all sites' machines have to be configured to use that single Bind instance as their primary DNS server?

So the actual question: if DDNS update functionality is needed, am I bound to use only one Bind instance as the primary DNS server for all the hosts, on all the separate sites?

regards, Petteri Heinonen
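The delegated-subzone design from Chris's quoted reply, written out as an added example (not code from the thread or from ISC): a shell script that generates named.conf and zone files for both servers and, when BIND's own checkers are installed, validates them. The domain example.com, the subzone dyn.example.com, the addresses in 192.0.2.0/24, the key name ddns-key and its secret are all constructed placeholders.

```shell
#!/bin/sh
# Added example: BIND configuration for the split design (static parent zone on
# server 1, dynamically updated subzone delegated to server 2).
# All names, addresses (RFC 5737 test range) and the key secret are constructed.

write_split_zone_config() {
    out="$1"
    mkdir -p "$out/server1" "$out/server2"

    # --- Server 1 (192.0.2.1): primary for example.com, refuses every update ---
    cat > "$out/server1/named.conf" <<'EOF'
options {
    recursion no;                 # authoritative only; clients never query it directly
};
zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    allow-update { none; };       # static data only: dynamic update requests are refused
};
EOF
    cat > "$out/server1/example.com.zone" <<'EOF'
$ORIGIN example.com.
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. ( 2009042001 3600 900 1209600 300 )
@       IN NS   ns1.example.com.
ns1     IN A    192.0.2.1
ns2     IN A    192.0.2.2
www     IN A    192.0.2.10
; Delegation: everything under dyn.example.com is answered by server 2.
dyn     IN NS   ns2.example.com.
EOF

    # --- Server 2 (192.0.2.2): primary for the subzone, signed updates only ---
    cat > "$out/server2/named.conf" <<'EOF'
options {
    recursion yes;                # clients use this server; other names are resolved normally
    allow-recursion { 192.0.2.0/24; };
};
key "ddns-key" {                  # constructed TSIG key; generate a real secret with tsig-keygen
    algorithm hmac-sha256;
    secret "bm90LWEtcmVhbC1rZXk=";
};
zone "dyn.example.com" {
    type master;
    file "/var/named/dyn.example.com.zone";
    allow-update { key ddns-key; };   # only updates signed with ddns-key are accepted
};
EOF
    cat > "$out/server2/dyn.example.com.zone" <<'EOF'
$ORIGIN dyn.example.com.
$TTL 300
@       IN SOA  ns2.example.com. hostmaster.example.com. ( 2009042001 3600 900 1209600 300 )
@       IN NS   ns2.example.com.
EOF
}

# Run BIND's syntax checkers when they are installed; otherwise report and return 0.
check_split_zone_config() {
    out="$1"
    if command -v named-checkconf >/dev/null 2>&1 && command -v named-checkzone >/dev/null 2>&1; then
        named-checkconf "$out/server1/named.conf" &&
        named-checkconf "$out/server2/named.conf" &&
        named-checkzone example.com "$out/server1/example.com.zone" &&
        named-checkzone dyn.example.com "$out/server2/dyn.example.com.zone"
    else
        echo "BIND tools not installed; skipping syntax check" >&2
    fi
}

# Usage: sh split-zone.sh /tmp/bind-split
if [ -n "$1" ]; then
    write_split_zone_config "$1" && check_split_zone_config "$1"
fi
```

The point of the layout is that authority is never "maybe": server 1 is authoritative for example.com and answers NXDOMAIN for unknown static names, while any name under dyn.example.com is referred to server 2 by the NS delegation. Restricting `allow-update` to a TSIG key on server 2 means that dynamic updates are only accepted from hosts holding the key, not from anyone on the network.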

More information about the bind-users mailing list