Better solution than making a recursive nameserver authoritative?
davec at columbia.edu
Fri Jun 24 17:39:49 UTC 2011
Currently the two recursive caching nameservers for clients on our network are also authoritative for a few zones. In particular, they are authoritative for:
1) our main forward zone (columbia.edu) in order to provide an internal view of the zone
2) RFC 1918 reverse zones (e.g., 10.in-addr.arpa)
I would like to follow best practices by separating authoritative & recursive functionality. Also, when I sign these zones, I would like the recursive nameservers to respond with the AD bit set instead of AA.
But I'm struggling to find a way to do this with some of the constraints I'm facing:
a) I can't move the internal-only RRs into a separate subdomain/zone
b) Some of our authoritative secondaries are provided by other institutions that I cannot expect to configure views
c) The zones include delegations for subdomains to other nameservers
One solution suggested to me is to have our clients point to nameservers that are authoritative for the internal zones & forward all other queries to a new pair of recursive-only caching nameservers. Is this actually better/more secure than our current setup, enough to justify the additional hardware? Also, as best I can tell, when the clients query for data in the internal zones they would still receive responses with the AA bit set instead of the AD bit.
I've also considered configuring the internal zones as type forward on the recursive nameservers, forwarding to authoritative-only nameservers for the internal zones. The concern I have with this is what happens if I configure a zone on the authoritative nameserver with a delegation to another set of nameservers. If the forward zone on the recursive nameserver is configured with forward only, it will only get the delegation NS RRset & therefore return a SERVFAIL. If I configure the zone as forward first, the recursive nameserver gets back the NS delegation & then uses that to perform an iterative query against the authoritative nameserver for the subdomain. This actually seems like it might solve my issues. Are there any problems with this setup I'm not seeing (other than the quirk of sending a recursive query to the forwarder when it is authoritative only)?
There have been a few other, slightly crazier, ideas I've thought of or have been suggested to me. But I figured I would start with these as they are likely the simplest. However, other recommended solutions are always appreciated.
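The "forward first" arrangement the post describes, written out as named.conf fragments for the two hosts involved. This is an added example, not configuration from the original post or from columbia.edu: the addresses (192.0.2.10, 192.0.2.53), the file names and the allow-query/allow-recursion ranges are constructed placeholders, and the dnssec-validation option is assumed to exist in the BIND version being run.

```conf
# Added example, not the poster's configuration. Two named.conf fragments:
# one for an authoritative-only host serving the internal zones, one for the
# recursive-only resolver that clients use. Addresses and paths are
# constructed placeholders.

# ---- auth-internal (authoritative only, 192.0.2.10) ----------------------
options {
    directory "/var/named";
    recursion no;                                 # never chases referrals itself
    allow-query { 192.0.2.0/24; 10.0.0.0/8; };    # internal resolvers and clients
};

# Internal view of the main zone. The zone file holds the internal-only RRs
# and the NS records that delegate subdomains to other nameservers.
zone "columbia.edu" {
    type master;
    file "internal/columbia.edu.db";
    allow-transfer { 192.0.2.0/24; };
};

zone "10.in-addr.arpa" {
    type master;
    file "internal/10.in-addr.arpa.db";
};

# ---- resolver (recursive only, 192.0.2.53) -------------------------------
options {
    directory "/var/named/cache";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };
    dnssec-validation auto;   # assumed available; responses the resolver
                              # validates itself carry AD rather than AA
};

# Forward the internal zones to the authoritative-only host. "forward first"
# is the point of the setup described in the post: for a name under a
# delegated subdomain the forwarder returns only the delegation NS RRset, and
# the resolver then falls back to iterative resolution toward the subdomain's
# servers instead of answering SERVFAIL as it would with "forward only".
zone "columbia.edu" {
    type forward;
    forward first;
    forwarders { 192.0.2.10; };
};

zone "10.in-addr.arpa" {
    type forward;
    forward first;
    forwarders { 192.0.2.10; };
};
```

To check the result from a client, query the resolver for an internal name and for a name in a delegated subdomain with `dig +dnssec @192.0.2.53`: both should answer without SERVFAIL, and the flags line should show `ad` rather than `aa` once the zones are signed. One caveat on that last point: the resolver only sets AD if it can build a chain from a trust anchor it holds, so the internal copy of columbia.edu must be signed with keys that match the DS records published in the parent zone, or the resolver must be given the internal zone's key as an explicit trust anchor.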