What is the proper way to delegate to a private / hidden sub-domain?

Grant Taylor gtaylor at tnetconsulting.net
Wed May 6 17:01:19 UTC 2020


What is the proper way to delegate to a private / hidden sub-domain?

I have a globally registered domain, call it example.net for this 
thread, that has multiple sub-domains that I'd like to be properly 
delegated to internal labs; lab#.example.net.

Example.net itself is following all the industry standards and best 
practices that I'm aware of; registered (read: rented), delegated from 
roots to multiple public DNS servers which respond to the world.

I would like to delegate lab1.example.net in such a way that the outside 
world sees a delegation to what is effectively an empty zone (save for 
SOA / NS / etc.) on a public server.  However I'd like the internal lab 
systems see a delegation to a private zone that has all the necessary 
records in the lab.

One hack that comes to mind is to have the example.net parent zone 
delegate to a separate name server with a separate IP and then to 
anycast that IP & name server inside the lab.  But that would require an 
additional globally routed IP on the external public Internet.

I'm not currently worried about supporting DNSSEC, but it would be nice 
if the solution would allow DNSSEC signing both the public and private 
zones.  With the obvious assumption being the DNS servers would have 
shared keys to be able to sing their copies of the zone correctly.

Does anybody have any ProTip(s) on how to go about doing this?  What 
about gotchas to avoid?

Thank you and have a nice day.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4013 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20200506/85f589e2/attachment.bin>

More information about the bind-users mailing list