Design Question
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Tue Mar 26 17:23:14 UTC 2013
At Mon, 25 Mar 2013 21:24:22 +0100,
Konstantin Agouros <elwood at agouros.de> wrote:
> since Resolver and Auth server are no longer destined to run on the same box or as one process for that matter
> how is one supposed to set up a Nameserver in a typical enterprise environment where I have a split DNS setting with
> zone for the LAN only visible on the inside and normally that nameserver that all the clients get pointed to also does
> recursive resolving at least in part (yes it might make sense from a security point of view not to allow this to the clients
> but the sad truth is that in 90% of the companies I see this is the case). So using DHCP I can point the clients either to the
> resolver or the auth server; assigning both would lead to connection timeouts depending on the client implementation if they
> ask the wrong one for the address to resolve. If the resolver is queried it only knows servers on the outside where the local zones are
> not known and are not supposed to be known.
>
> How do I set this up with just bind10?
If you can assign multiple IP addresses (even if you use a single
physical server), one obvious solution is to have auth and resolver
listen on different IP addresses. If you can't do this, BIND 10
currently cannot be used to implement this mode of operation. In our
revised version of the resolver, we'll probably introduce another
process that dispatches the queries to auth or resolver, depending on
the RD bit of the queries. At this point you'll be able to achieve
that behavior.
---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
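The RD-bit dispatch described above, as an added illustration (example code written for this archive page, not BIND 10's own dispatcher): the front-end inspects only the 12-byte DNS header, sends queries with RD=1 to the resolver and RD=0 to the auth server, and rejects anything that is not a query. The backend addresses and the `build_query` helper are constructed assumptions for the demo.

```python
import struct

DNS_HEADER_LEN = 12
FLAG_QR = 0x8000  # 1 = response, 0 = query
FLAG_RD = 0x0100  # recursion desired

# Assumed addresses: where auth and resolver would listen (hypothetical).
BACKENDS = {"auth": "192.0.2.53", "resolver": "192.0.2.54"}


def build_query(qname, rd, qtype=1):
    """Construct a minimal DNS query (sample input for the demo)."""
    flags = FLAG_RD if rd else 0
    # ID, flags, QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)  # class IN


def choose_backend(packet):
    """Return 'resolver' for RD=1 queries, 'auth' for RD=0 queries.

    Raises ValueError for packets that are too short or are responses,
    so malformed or reflected traffic is dropped instead of forwarded.
    """
    if len(packet) < DNS_HEADER_LEN:
        raise ValueError("short DNS packet")
    _id, flags = struct.unpack("!HH", packet[:4])
    if flags & FLAG_QR:
        raise ValueError("not a query (QR bit set)")
    return "resolver" if flags & FLAG_RD else "auth"


def dispatch_address(packet):
    """Map a query to the backend address it should be forwarded to."""
    return BACKENDS[choose_backend(packet)]


if __name__ == "__main__":
    for rd in (True, False):
        q = build_query("www.example.com", rd=rd)
        print(f"RD={int(rd)} -> {choose_backend(q)} at {dispatch_address(q)}")
```

Note that a stub client sending RD=1 for an internal name still lands on the resolver, so the resolver must itself be configured to reach the internal zones (the situation the original question describes).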