What is the proper way to delegate to a private / hidden sub-domain?

Bob Harold rharolde at umich.edu
Wed May 6 19:44:34 UTC 2020


On Wed, May 6, 2020 at 3:28 PM Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:

> On 5/6/20 11:38 AM, Sten Carlsen wrote:
> > I have been doing that for quite some time without knowing it should be
> > difficult.
>
> I'm not saying that it should be difficult.  I'm asking what people
> think the proper method is.
>
> > I have a domain (in the mail address) which is properly delegated to
> > servers and signed. Internally in house I have a number of other
> > internal both hosts and one subdomain.
>
> It looks like your domain is delegated to Gratis DNS servers and that
> they resolve specific records to your external IP.
>
> I'm not seeing a delegation beyond that.  But that could simply be
> because I don't know what name to query.  (AXFRs are properly refused.)
>
> > The internal versions have RFC1812 IPs and the outside ones have public
> > IPs.
> >
> > Both sides are signed by the same key.
> >
> > The way this is organised is that I use two views, one internal and one
> > external, I set both to be signed using:
> >
> > options {
> > directory "/var/named/data";
> > auth-nxdomain no;
> > dnssec-enable yes;
> > dnssec-validation auto;
> > allow-query { any; };
> > allow-transfer { any; };
> > listen-on-v6  { any; };
> > sig-validity-interval 30 20;
> > dnssec-loadkeys-interval 60;
> > };
> >
> > Never caused any problems. The downside is that I use views and have to
> > manage both sides.
>
> Your scenario, presuming I understand it correctly, does not match what
> I'm asking about.
>
> I'll try to restate.
>
> I want example.net to:
>   - Follow all standard DNS best practices.
>   - Delegate lab1.example.net to <something> using the same standard DNS
> best practices.
>   - <something>, which is publicly accessible, to host the public
> version of the lab1.example.net zone.
>   - <something(Else)>, which is not publicly accessible, to host the
> private version of the lab1.example.net zone.
>
> I want clients on the Internet, e.g. you, to be able to "dig +trace a
> host.lab1.example.net" and get a proper DNS delegation chain from root
> zone through net zone through example zone to lab1 zone on the external
> publicly accessible DNS servers.
>
> I want clients in the lab to be able to do the same "dig +trace a
> host.lab1.example.net" and get a proper DNS delegation chain from root
> zone through net zone through example zone to lab1 zone on the internal
> private accessible DNS servers.
>
> The difference is that the external publicly accessible lab1 DNS server
> is a separate server from the internal private accessible lab1 DNS
> server.  Separate in the sense that external can be a zone on a VPS
> server and the internal being an isolated VM in the lab.  More
> specifically, external public and internal private are NOT even remotely
> the same system thus can't use views or multiple instances of BIND.
>
> E:  "." ({a..m}.root-servers.net) -> "net." ({a..m}.root-servers.net) ->
> "example.net." (ns{1,2}.example.net) -> lab1.example.net
> (extns{1,2}.lab1.example.net)
> I:  "." ({a..m}.root-servers.net) -> "net." ({a..m}.root-servers.net) ->
> "example.net." (ns{1,2}.example.net) -> lab1.example.net
> (intns{a,b}.lab1.example.net)
>
> As I type the previous lines, I think that the delegation from
> example.net to lab1.example.net will need to be to the same named &
> addressed servers.  However, the external and internal servers for
> lab1.example.net are completely different systems and could easily be in
> different parts of the Internet / country / world.
>
> The only way that I see how to make this work is to anycast the names
> and IPs of the name servers that lab1.example.net is delegated to.  One
> anycast instance being external publicly accessible and the other
> anycast instance being internal private accessible.
>
> I don't see another way to delegate the same zone to different (sets of)
> name servers without using anycast.  Hence my email to the list asking
> if anyone had any suggestions.
>
>
>
> --
> Grant. . . .
> unix || die
>

Good questions.  I think one possibility (to avoid anycast) is to have an
internal and external view for the "example.net" zone, so it can delegate
the lab zones to different servers internally and externally.  But that can
make the "example.net" zone harder to manage.
It would be easier to have a split view for "split.example.net" and lab
zones "lab#.split.example.net", if the extra level was acceptable.

-- 
Bob Harold
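As an added illustration of the split-view approach Bob describes (example configuration written for this page, not from the thread or from ISC), the parent zone example.net is served from two BIND views whose zone files differ only in the lab1 delegation; the client address ranges, file paths and glue addresses are assumptions.

```conf
// named.conf on ns1.example.net (added example; not from the thread).
// Both views serve example.net from separate zone files, so the NS and
// glue records for lab1.example.net can point at different servers.
acl lab-internal { 10.0.0.0/8; 192.168.0.0/16; };   // assumed RFC1918 ranges

view "internal" {
    match-clients { lab-internal; };
    recursion no;                        // authoritative only
    zone "example.net" {
        type master;
        file "/var/named/internal/example.net.zone";
        allow-transfer { none; };        // don't let the private copy leak via AXFR
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.net" {
        type master;
        file "/var/named/external/example.net.zone";
        allow-transfer { none; };
    };
};

; /var/named/internal/example.net.zone -- delegation as seen from the lab
; (SOA, apex NS and other records omitted; only the lab1 delegation differs)
lab1.example.net.        IN NS  intnsa.lab1.example.net.
lab1.example.net.        IN NS  intnsb.lab1.example.net.
intnsa.lab1.example.net. IN A   10.10.0.53        ; assumed private glue
intnsb.lab1.example.net. IN A   10.10.0.54

; /var/named/external/example.net.zone -- delegation as seen from the Internet
lab1.example.net.        IN NS  extns1.lab1.example.net.
lab1.example.net.        IN NS  extns2.lab1.example.net.
extns1.lab1.example.net. IN A   203.0.113.53      ; TEST-NET-3 placeholder glue
extns2.lab1.example.net. IN A   203.0.113.54
```

A `dig +trace` from each side then follows the same chain through the root and net zones and only diverges at the example.net step, which hands out whichever lab1 servers that view publishes. If example.net is DNSSEC-signed, each view's copy is signed independently and can carry the DS record matching whichever lab1 key that side's servers use.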