Splitting Authority For Forward and Reverse DNS

Barry Margolin barmar at genuity.net
Thu Apr 27 22:24:55 UTC 2000


In article <Pine.BSI.4.05L.10004271707460.10859-100000 at milk.sover.net>,
Clifford Seifer  <clifdisc at sover.net> wrote:
>Here's a problem that's becoming increasingly common.  I wonder if anyone
>else runs into this and what they do to get around it.
>
>I work for an ISP and we often have customers who want their domains
>hosted here with web services hosted elsewhere.  We've always had a very
>strict policy against splitting forward and reverse DNS and to get around
>this we've either delegated a subdomain for the web services or CNAMEd web
>services to a host with valid forward and reverse definition on the other
>end.  e.g.,:
>
>www.example.com.	IN	NS	ns1.remoteprovidor.com.
>			IN	NS	ns2.remoteprovidor.com.
>
>				or
>
>www.example.com.	IN	CNAME	www.example.remoteprovidor.com.
>
>Unfortunately, we are running into more and more cases where the remote
>provider is willing to co-operate and insists on our simply setting up
>split forward and reverse DNS like this:
>
>www.example.com.	IN	A	xxx.xxx.xxx.xxx
>
>where xxx.xxx.xxx.xxx is an IP for which we are not authoritative.
>
>So the question is, is there a non-bogus way to achieve this end without
>the remote provider's co-operation?  Are we being overly rigid or is our
>policy sound?

IMHO, you're being too rigid.  While there are circumstances where it's
useful to delegate DNS for individual hosts (e.g. when you're using
something like a Cisco Distributed Director to implement load sharing),
most of the time it's overkill.

What benefit do you feel you get from this policy?  I can see that it
simplifies things if the address changes, since the remote provider can
update both forward and reverse DNS at once.  This benefit is mainly for
the web hosting provider, since they don't have to depend on the customer
to pass on DNS changes to you; if they don't want this, that's their
problem, not yours.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
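
Added example, not part of the original thread: a Python check for the drift discussed above, where an A record held by one operator and the PTR record held by another fall out of sync after an address change. The zone data, hostnames and 192.0.2.x addresses are constructed for illustration, and the parser assumes fully written "owner IN TYPE rdata" lines.

```python
import ipaddress

# Constructed sample data. The forward zone is held by the ISP; the reverse
# zone is held by the remote hosting provider (split authority).
FORWARD_ZONE = """\
www.example.com.   IN A 192.0.2.10
mail.example.com.  IN A 192.0.2.25
shop.example.com.  IN A 192.0.2.40
"""
REVERSE_ZONE = """\
10.2.0.192.in-addr.arpa. IN PTR www.example.com.
25.2.0.192.in-addr.arpa. IN PTR host25.remoteprovider.example.
"""

def parse_records(text, rtype):
    """Return {owner: rdata} for lines of the form 'owner IN TYPE rdata'."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[1].upper() == "IN" and fields[2].upper() == rtype:
            records[fields[0].lower()] = fields[3].lower()
    return records

def check_forward_reverse(forward_text, reverse_text):
    """Classify each A record as 'ok', 'mismatch' or 'no-ptr'."""
    a_records = parse_records(forward_text, "A")
    ptr_records = parse_records(reverse_text, "PTR")
    results = {}
    for name, addr in a_records.items():
        # reverse_pointer yields e.g. '10.2.0.192.in-addr.arpa' (no trailing dot)
        owner = ipaddress.ip_address(addr).reverse_pointer + "."
        target = ptr_records.get(owner)
        if target is None:
            results[name] = "no-ptr"      # reverse side never created
        elif target == name:
            results[name] = "ok"          # forward and reverse agree
        else:
            results[name] = "mismatch"    # one side changed, the other did not
    return results

if __name__ == "__main__":
    for name, status in check_forward_reverse(FORWARD_ZONE, REVERSE_ZONE).items():
        print(f"{status:9} {name}")
```
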


