Same zone, separate views, on different servers

Kevin Darcy kcd at daimlerchrysler.com
Mon Jul 15 18:57:33 UTC 2002


those who know me have no need of my name wrote:

> in comp.protocols.dns.bind i read:
> >"Sasso, John IT" wrote:
>
> >> Say you have a domain xyz.com, and you want to configure two different
> >> nameservers to provide name records for the zone: one for non-public records
> >> just for the private network, and the other for public records accessible
> >> from Internet hosts.  The private nameserver must not be accessible from the
> >> 'net, although the public and private nameservers should be able to talk to
> >> each other so the public one can pass resolved Internet names to the private
> >> one (i.e. those that the private one requested), including names in xyz.com
> >> that are publicly accessible but the private nameserver is not authoritative
> >> for.
>
> >Sure, this is possible.
>
> no, the private server will be authoritative for xyz.com so it will never
> forward requests to the public server.  at least not without using annoying
> tricks (make each internal host its own zone).

Okay, after re-reading the original poster's message, I agree it's not possible to
do what he wants, exactly the way he described it. The private nameserver can't be
configured in BIND to "selectively" forward just the names that don't exist in the
internal version of the zone to the public nameserver unless -- as "those who
know me" points out -- one engages in unnatural perversions like making each name
a separate zone.

However, the *effect* that the original poster is looking for -- having some names
resolve differently on the inside of the network versus the outside -- can be
accomplished using the standard "split DNS" techniques, with the familiar drawback
that one has to maintain multiple versions of the same zone, of course.


- Kevin
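
The "split DNS" arrangement Kevin refers to, as an added example configuration that is not part of the original thread: one BIND 9 server answers with two different versions of xyz.com depending on who is asking, using views (the ACL addresses, zone file names and the secondary's address are assumptions, not values from the thread).

```conf
// Added example named.conf fragment (not from the thread): split DNS with views.
// The private network range below is an assumed placeholder; adjust to your site.
acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
    version "none";          // don't advertise the server version
};

// Views are matched in order; the first view whose match-clients matches wins,
// so the internal view must come before the catch-all external view.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;           // inside hosts may use this server as their resolver
    zone "xyz.com" {
        type master;
        file "internal/xyz.com.zone";   // full zone, including private names
        allow-transfer { none; };
    };
    zone "." {
        type hint;
        file "named.root";   // needed so the internal view can recurse to the Internet
    };
};

view "external" {
    match-clients { any; };
    recursion no;            // Internet hosts get authoritative answers only
    additional-from-auth no;
    additional-from-cache no;
    zone "xyz.com" {
        type master;
        file "external/xyz.com.zone";   // public names only; no private hosts
        allow-transfer { 192.0.2.53; }; // assumed address of the public secondary
    };
};
```

The "familiar drawback" in the message shows up here as two zone files that must be edited in step; checking both with `named-checkzone xyz.com <file>` after each change catches records that were updated in only one copy.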
