<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.5626" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><FONT face=Verdana color=#0000ff size=2><SPAN
class=484015712-26032009>Mani,</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Verdana color=#0000ff size=2><SPAN
class=484015712-26032009></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Verdana color=#0000ff size=2><SPAN
class=484015712-26032009>That's a very general question, and </SPAN></FONT><FONT
face=Verdana color=#0000ff size=2><SPAN class=484015712-26032009>I don't claim
to be an expert on all aspects of DNS security, so hopefully those who are
will chime in on this point. I think most of those who
are knowledgeable about DNS would probably recommend separating your
authoritative and caching servers, especially if you're a big dns shop hosting
lots of domains, but I'm not sure if that's for security reasons or for
performance reasons. If you're a small shop
and host relatively few domains and you want to present the
same records for public domains to both internal and external
clients, then I personally don't see that it would hurt to make one server both
authoritative and caching from a security standpoint. You'd want to be
careful about allowing recursion to only your internal clients, of course, and
you'd want to restrict access to private zones to only your internal clients
(see below). If you want to have public and private views of the same
zones (which is often the case), then it might be just as easy to have
separate authoritative and caching servers.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Verdana color=#0000ff size=2><SPAN
class=484015712-26032009></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Verdana color=#0000ff size=2><SPAN
class=484015712-26032009>If you want your abc.com server to be purely
authoritative, then you'll want to restore your original "recursion=no" in the
options. You should also move the "10.168.192.in-addr.arpa" zone
to your caching server. That's private address space, so you don't want to
serve that data to internet hosts. (If you decide to make abc.com both
authoritative and caching, you'll want to add an "allow-query" statement to that
zone restricting it to only internal clients.)</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Verdana color=#0000ff size=2><SPAN
class=484015712-26032009></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Verdana color=#0000ff size=2><SPAN
class=484015712-26032009>For a caching server, the only zones you should need
are the root hints zone and any zones you may have for internal clients
(like "10.168.192.in-addr.arpa" and internal versions of other zones
like "abc.com"). You'd want "allow-query" and "allow-recursion" statements
in your global options restricting queries and recursion to your internal
clients. (I suppose you could use "recursion=yes" instead of
"allow-recursion { internal-clients; }", but "allow-recursion" seems safer to
me.)</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Verdana color=#0000ff size=2><SPAN
class=484015712-26032009></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Verdana color=#0000ff size=2><SPAN
class=484015712-26032009>Ben</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Verdana color=#0000ff size=2><SPAN
class=484015712-26032009></SPAN></FONT> </DIV><BR>
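<DIV dir=ltr align=left><FONT face=Verdana size=2>As an added illustration of the split described above (an example configuration added here, not taken from this thread or from either server in it), here is a named.conf for each of the two servers. It assumes the internal network is 192.168.10.0/24, which matches the 10.168.192.in-addr.arpa zone in the original post; the acl name internal-clients and the zone file names are placeholders.</FONT></DIV>

```conf
// ===== File 1: named.conf on abc.com (authoritative only) =====
// Added example, not from the thread. The acl name and the 192.168.10.0/24
// range are assumptions (the range matches the 10.168.192.in-addr.arpa zone).
acl internal-clients { 192.168.10.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    recursion no;                // restore the original setting: no recursion at all
    allow-query { any; };        // public zone data is meant to be served to anyone
};

zone "." IN {
    type hint;                   // harmless here: with recursion off it is never used
    file "root";
};

zone "abc.com" IN {
    type master;
    file "forward";
};

// "10.168.192.in-addr.arpa" is private address space and is NOT served here;
// it moves to File 2. If you keep a single combined server instead, put
//     allow-query { internal-clients; };
// inside that zone statement so internet hosts cannot query it.

// ===== File 2: named.conf on the caching server (internal clients only) =====
acl internal-clients { 192.168.10.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    allow-query { internal-clients; };      // refuse queries from anyone else
    allow-recursion { internal-clients; };  // and recurse only for them
};

zone "." IN {
    type hint;
    file "root";                 // in this lab the hints point at rootns.man
};

zone "10.168.192.in-addr.arpa" IN {
    type master;
    file "reverse";
    allow-query { internal-clients; };      // belt and braces on the private zone
};
```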
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> bind-users-bounces@lists.isc.org
[mailto:bind-users-bounces@lists.isc.org] <B>On Behalf Of </B>T
MANIKANDAN-PKXR74<BR><B>Sent:</B> Thursday, March 26, 2009 6:57
AM<BR><B>To:</B> bind-users@lists.isc.org<BR><B>Subject:</B> RE: Root Server
Simulation Communication Problem<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=765595011-26032009>Ben,</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=765595011-26032009></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=765595011-26032009> In that case, if I want an authoritative server
and also a caching name server, is it fine if I place both functionalities
together as a best practice of implementation? How about security
issues?</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=765595011-26032009>If I want to introduce one more server for the
caching functionality alone, how will I separate the two into different
servers? What changes will I be making in my abc.com server, and what
configuration should there be for the new caching name server, so that my
clients can do an external query? </SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=765595011-26032009></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=765595011-26032009>Regards</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=765595011-26032009>Mani</SPAN></FONT></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Ben Bridges
[mailto:bbridges@springnet.net] <BR><B>Sent:</B> Tuesday, March 24, 2009 7:26
PM<BR><B>To:</B> T MANIKANDAN-PKXR74;
bind-users@lists.isc.org<BR><B>Subject:</B> RE: Root Server Simulation
Communication Problem<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=578181513-24032009><FONT face=Verdana
color=#0000ff size=2>Mani,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=578181513-24032009><FONT face=Verdana
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=578181513-24032009><FONT face=Verdana
color=#0000ff size=2>With recursion enabled, your abc.com server is both
authoritative (for the zones configured in named.conf) and caching. If
you want it to be purely authoritative, you'll need to disable
recursion. But if you want to be able to query it for the root
server (which is why you started this thread), you're going to have to allow
recursion for at least your internal hosts because the server
is not authoritative for ".". Why are you wanting to be able <SPAN
class=578181513-24032009><FONT face=Verdana color=#0000ff size=2>to query it
for the root server? </FONT></SPAN></FONT></SPAN><SPAN
class=578181513-24032009><FONT face=Verdana color=#0000ff size=2>To
want to be able to query a purely authoritative server for
something for which it is not authoritative is a bit of a
self-contradiction.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=578181513-24032009><FONT face=Verdana
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=578181513-24032009><FONT face=Verdana
color=#0000ff size=2>Ben</FONT></SPAN></DIV><BR>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> bind-users-bounces@lists.isc.org
[mailto:bind-users-bounces@lists.isc.org] <B>On Behalf Of </B>T
MANIKANDAN-PKXR74<BR><B>Sent:</B> Tuesday, March 24, 2009 12:52
AM<BR><B>To:</B> bind-users@lists.isc.org<BR><B>Subject:</B> RE: Root Server
Simulation Communication Problem<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=375364805-24032009><FONT face=Arial
color=#0000ff size=2>Hi Ben,</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=375364805-24032009>Thanks for the reply. Now my root server (rootns.man)
is responding to abc.com after enabling recursion (set to yes) in the abc.com
server. Now my question is: is my abc.com server still called an authoritative
name server or a caching name server? I intended to set up an authoritative
name server, and I hope that by enabling recursion I am still an
authoritative server.</SPAN></FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=375364805-24032009></SPAN></FONT></FONT></FONT> </DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=375364805-24032009>Regards</SPAN></FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT color=#0000ff><FONT size=2><SPAN
class=375364805-24032009>Mani</SPAN></FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT><BR></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Ben Bridges
[mailto:bbridges@springnet.net] <BR><B>Sent:</B> Friday, March 20, 2009 8:35
PM<BR><B>To:</B> T MANIKANDAN-PKXR74;
bind-users@lists.isc.org<BR><B>Subject:</B> RE: Root Server Simulation
Communication Problem<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=109093214-20032009><FONT face=Verdana
color=#0000ff size=2>You have recursion disabled on your abc.com server, and
I believe that is preventing your query from succeeding. My
understanding is that the contents of the root hints file are not stored in
the server's cache (which means, I think, that they are not themselves
returned in response to queries for those records). Since you have
recursion disabled on abc.com, it is never using its root hints to
query your root server (rootns.man) for the NS and A records for the
root zone (which sounds obfuscated, but it is done that way because the root
servers themselves have the most current list of servers for the root
zone).</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=109093214-20032009><FONT face=Verdana
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=109093214-20032009><FONT face=Verdana
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr align=left><FONT face=Tahoma size=2><B>From:</B>
bind-users-bounces@lists.isc.org [mailto:bind-users-bounces@lists.isc.org]
<B>On Behalf Of </B>T MANIKANDAN-PKXR74<BR><B>Sent:</B> Friday, March 20,
2009 8:30 AM<BR><B>To:</B> bind-users@lists.isc.org<BR><B>Subject:</B> Root
Server Simulation Communication Problem<BR></FONT><BR></DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV dir=ltr align=left><FONT face=Arial><FONT size=2>Hi,<BR><BR> I
am trying to set up a lab which replicates the root server also (DNS with
root server simulation for an intranet).</FONT></FONT></DIV>
<DIV><FONT face=Arial><FONT size=2>Basically I have two servers: one,
abc.com, as the authoritative server and the other, rootns.man, acting as the
root server, running BIND 9 on both.</FONT></FONT><FONT face=Arial><FONT
size=2><SPAN class=798352813-20032009> </SPAN></FONT></FONT></DIV>
<P><BR><FONT face=Arial size=2> I have done the following things in
my named.conf file</FONT></P>
<PRE><FONT face=Arial color=#0000ff size=2>options {
    directory "/var/named";
    recursion no;
};

zone "." {
    type hint;
    file "root";
};

zone "abc.com" IN {
    type master;
    file "forward";
};

zone "10.168.192.in-addr.arpa" IN {
    type master;
    file "reverse";
};
</FONT></PRE>
<P><FONT face=Arial size=2><STRONG><U>My root file (points to another DNS
server acting as root server; let us call it rootns.man)</U></STRONG></FONT></P>
<PRE><FONT face=Arial color=#0000ff size=2>.              86400  IN  NS  rootns.man.
rootns.man.    86400  IN  A   1.2.3.4
</FONT></PRE>
<P><FONT face=Arial size=2><STRONG><U>My forward and reverse
files</U></STRONG></FONT></P>
<PRE><FONT face=Arial color=#0000ff size=2>; forward file (zone abc.com)
$TTL 3600
@        IN SOA  abc.com. root.abc.com. (
                 42      ; serial
                 3H      ; refresh
                 15M     ; retry
                 1W      ; expiry
                 1D )    ; minimum
         IN NS   abc.com.
abc.com. IN A    192.168.10.12

; reverse file (zone 10.168.192.in-addr.arpa)
$TTL 3600
@        IN SOA  abc.com. root.abc.com. (
                 42      ; serial
                 3H      ; refresh
                 15M     ; retry
                 1W      ; expiry
                 1D )    ; minimum
         IN NS   abc.com.
12       IN PTR  abc.com.
</FONT></PRE>
<P><FONT face=Arial size=2><STRONG><U>In the other DNS server rootns.man (acting as
root server)</U></STRONG></FONT></P>
<PRE><FONT face=Arial color=#0000ff size=2>zone "." IN {
    type master;
    file "forward";
};
</FONT></PRE>
<P><FONT face=Arial size=2><STRONG><U>Forward file in the rootns.man
server</U></STRONG></FONT></P>
<PRE><FONT face=Arial color=#0000ff size=2>$TTL 86400
@           IN SOA  rootns.man. root.rootns.man. (
                    42      ; serial (d. adams)
                    3H      ; refresh
                    15M     ; retry
                    1W      ; expiry
                    1D )    ; minimum
.           IN NS   rootns.man.
rootns.man. IN A    1.2.3.4
</FONT></PRE>
<P><FONT face=Arial size=2></FONT> </P>
<P><FONT face=Arial size=2><STRONG>After completing this I have a minor
problem: my abc.com server is not able to determine the root server's
(rootns.man) IP address. I have attached the dig output from the abc.com server. Can
anyone please help me in resolving this issue?</STRONG></FONT></P>
<P><FONT face=Arial size=2><STRONG></STRONG></FONT> </P>
<P><FONT face=Arial size=2>Regards</FONT></P>
<P><FONT face=Arial
size=2>Mani</FONT></P></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>