What is the proper way to delegate to a private / hidden sub-domain?

Grant Taylor gtaylor at tnetconsulting.net
Wed May 6 19:28:10 UTC 2020

On 5/6/20 11:38 AM, Sten Carlsen wrote:
> I have been doing that for quite some time without knowing it should be 
> difficult.

I'm not saying that it should be difficult.  I'm asking what people 
think the proper method is.

> I have a domain (in the mail address) which is properly delegated to 
> servers and signed. Internally in house I have a number of other 
> internal both hosts and one subdomain.

It looks like your domain is delegated to Gratis DNS servers and that 
they resolve specific records to your external IP.

I'm not seeing a delegation beyond that.  But that could simply be 
because I don't know what name to query.  (AXFRs are properly refused.)

> The internal versions have RFC1812 IPs and the outside ones have public IPs.
> Both sides are signed by the same key.
> The way this is organised is that I use two views, one internal and one 
> external, I set both to be signed using:
> options {
>     directory "/var/named/data";
>     auth-nxdomain no;
>     dnssec-enable yes;
>     dnssec-validation auto;
>     allow-query { any; };
>     allow-transfer { any; };
>     listen-on-v6  { any; };
>     sig-validity-interval 30 20;
>     dnssec-loadkeys-interval 60;
> };
> Never caused any problems. The downside is that I use views and have to 
> manage both sides.

Your scenario, presuming I understand it correctly, does not match what 
I'm asking about.

I'll try to restate.

I want example.net to:
  - Follow all standard DNS best practices.
  - Delegate lab1.example.net to <something> using the same standard DNS best practices.
  - <something>, which is publicly accessible, to host the public version of the lab1.example.net zone.
  - <something(Else)>, which is not publicly accessible, to host the private version of the lab1.example.net zone.

I want clients on the Internet, e.g. you, to be able to "dig +trace a 
host.lab1.example.net" and get a proper DNS delegation chain from root 
zone through net zone through example zone to lab1 zone on the external 
publicly accessible DNS servers.

I want clients in the lab to be able to do the same "dig +trace a 
host.lab1.example.net" and get a proper DNS delegation chain from root 
zone through net zone through example zone to lab1 zone on the internal 
private accessible DNS servers.

The difference is that the external publicly accessible lab1 DNS server 
is a separate server from the internal private accessible lab1 DNS 
server.  Separate in the sense that external can be a zone on a VPS 
server and the internal being an isolated VM in the lab.  More 
specifically, external public and internal private are NOT even remotely 
the same system thus can't use views or multiple instances of BIND.

E:  "." ({a..m}.root-servers.net) -> "net." ({a..m}.root-servers.net) -> 
"example.net." (ns{1,2}.example.net) -> lab1.example.net 
I:  "." ({a..m}.root-servers.net) -> "net." ({a..m}.root-servers.net) -> 
"example.net." (ns{1,2}.example.net) -> lab1.example.net 

As I type the previous lines, I think that the delegation from 
example.net to lab1.example.net will need to be to the same named & 
addressed servers.  However, the external and internal servers for 
lab1.example.net are completely different systems and could easily be in 
different parts of the Internet / country / world.

The only way that I see how to make this work is to anycast the names 
and IPs of the name servers that lab1.example.net is delegated to.  One 
anycast instance being external publicly accessible and the other 
anycast instance being internal private accessible.

I don't see another way to delegate the same zone to different (sets of) 
name servers without using anycast.  Hence my email to the list asking 
if anyone had any suggestions.

Grant. . . .
unix || die
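
A worked check of the constraint Grant arrives at above (the parent's delegation of lab1.example.net, and the apex NS set in both copies of the child zone, must name the same servers at the same addresses, with only the physical server behind each anycast address differing), as an added example that is not Grant's or Sten's configuration and not BIND code. It models a parent zone and the external and internal copies of the child zone as plain Python data and reports three kinds of drift a split-horizon delegation can pick up: apex NS sets that disagree with the parent, glue that disagrees with the child's own A records, and RFC 1918 addresses leaking into the public copy. All names and addresses are constructed: example.net and lab1.example.net from the post, 203.0.113.0/24 (a documentation range) for the public side, 10.0.0.0/8 for the lab side.

```python
"""Consistency check for a split-horizon delegation: one NS name/address set in
the parent, two physically separate servers (an anycast pair) each serving
their own copy of the child zone.  Constructed data, not any real zone."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# (owner name, RR type) -> set of rdata strings
Rrset = Dict[Tuple[str, str], Set[str]]

# RFC 1918 ranges listed explicitly; ipaddress.is_private would also flag the
# 203.0.113.0/24 documentation range used here for the public addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass
class Zone:
    origin: str
    records: Rrset = field(default_factory=dict)

    def add(self, owner: str, rtype: str, rdata: str) -> None:
        self.records.setdefault((owner.lower(), rtype.upper()), set()).add(rdata)

    def get(self, owner: str, rtype: str) -> Set[str]:
        return self.records.get((owner.lower(), rtype.upper()), set())


def delegation_problems(parent: Zone, child: str, external: Zone, internal: Zone) -> List[str]:
    """Return human-readable problems; an empty list means the delegation is consistent."""
    problems: List[str] = []
    parent_ns = parent.get(child, "NS")
    if not parent_ns:
        return [f"{parent.origin} has no NS records for {child}"]
    copies = (("external", external), ("internal", internal))
    # 1. Both copies of the child must carry exactly the parent's NS set at the apex.
    for label, zone in copies:
        apex_ns = zone.get(child, "NS")
        if apex_ns != parent_ns:
            problems.append(f"{label} copy apex NS {sorted(apex_ns)} != parent delegation {sorted(parent_ns)}")
    # 2. For in-bailiwick NS names, parent glue and each copy's own A records must agree.
    for ns in sorted(parent_ns):
        if not ns.endswith("." + child):
            continue
        glue = parent.get(ns, "A")
        if not glue:
            problems.append(f"parent {parent.origin} has no glue A record for {ns}")
        for label, zone in copies:
            own = zone.get(ns, "A")
            if own != glue:
                problems.append(f"{label} copy A {sorted(own)} for {ns} != parent glue {sorted(glue)}")
    # 3. The public copy must not publish lab (RFC 1918) addresses.
    for (owner, rtype), rdatas in external.records.items():
        if rtype != "A":
            continue
        for addr in sorted(rdatas):
            if is_rfc1918(addr):
                problems.append(f"external copy publishes private address {addr} for {owner}")
    return problems


def build_sample(leak: bool = False, drift: bool = False):
    """Constructed zones: example.net delegates lab1 to ns1/ns2.lab1.example.net on
    anycast addresses 203.0.113.53 / .54.  leak= adds a lab address to the public
    copy; drift= adds an extra NS to the internal copy's apex."""
    parent = Zone("example.net")
    parent.add("lab1.example.net", "NS", "ns1.lab1.example.net")
    parent.add("lab1.example.net", "NS", "ns2.lab1.example.net")
    parent.add("ns1.lab1.example.net", "A", "203.0.113.53")
    parent.add("ns2.lab1.example.net", "A", "203.0.113.54")

    def child_copy(host_addr: str) -> Zone:
        z = Zone("lab1.example.net")
        z.add("lab1.example.net", "NS", "ns1.lab1.example.net")
        z.add("lab1.example.net", "NS", "ns2.lab1.example.net")
        z.add("ns1.lab1.example.net", "A", "203.0.113.53")
        z.add("ns2.lab1.example.net", "A", "203.0.113.54")
        z.add("host.lab1.example.net", "A", host_addr)
        return z

    external = child_copy("203.0.113.10")   # public address of host.lab1
    internal = child_copy("10.1.1.10")      # lab address of the same host
    if leak:
        external.add("host.lab1.example.net", "A", "10.1.1.10")
    if drift:
        internal.add("lab1.example.net", "NS", "ns3.lab1.example.net")
    return parent, external, internal


if __name__ == "__main__":
    for case in ({}, {"leak": True}, {"drift": True}):
        parent, ext, inte = build_sample(**case)
        print(case or "clean", delegation_problems(parent, "lab1.example.net", ext, inte))
```

The same three checks can be run against live data by feeding the output of "dig +norecurse NS lab1.example.net @ns1.example.net" and "dig NS lab1.example.net @<each anycast instance>" into Zone objects; the point of the example is that with anycast the NS names and glue are identical on both sides by construction, so the only things left to verify are that nobody has edited one copy's apex independently and that the public copy carries no lab addresses.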
