matt at conundrum.com
Thu Aug 11 16:52:07 UTC 2016
On 11 August 2016 at 09:13, Bob McDonald <bmcdonaldjr at gmail.com> wrote:
> I have a child domain that is delegated to a second site. Pretty
> straightforward situation. In the parent zone I have NS records that point
> to the DNS servers at the second site.
> The issue comes up when a slaved copy of the parent domain is running at a
> third site and that third site doesn't have a rule in their firewall
> allowing DNS access to the second site (where the child domain is
> The question is this; can I use stub zones to reference the child domain
> on the master server (instead of delegation) and the use forwarding at the
> third site to direct queries for the child domain through the master
> I hope the picture I've tried to describe is somewhat clear.
If the setup is exactly as you describe, then there's probably no reason
for a name server authoritative for the parent zone to ever need to contact
a server authoritative for the child zone. Delegation from A to B doesn't
imply direct communication between A and B.
That said, you never know where on the Internet queries for a zone will
arrive from. If you want the Internet at large to be able to resolve names
in your zone, then you can't firewall yourself off from parts of the
If any of the servers in this scenario are also acting as recursive
servers, then you have the same problem; you never know where on the
Internet an authoritative server you need to speak to is going to be, so
you can't firewall your recursive server off from speaking to parts of the
Internet and expect it to work reliably.
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bind-users