DNS design question
Kevin Darcy
kcd at daimlerchrysler.com
Sat Sep 10 01:33:37 UTC 2005
Suzuki Alex wrote:
>Hello list,
>
>Is it possible to serve requests for a zone "foo.domain.com", and if
>the request fails (e.g. bar.foo.domain.com is not found), to delegate
>this request to another server, which is also authorative for
>"foo.domain.com"? This second server is managed by someone else (a
>parent organization), and we have no access to it.
>
>The problem is that some stupid naming policy here dictates that all
>our hosts should be named "$hostname.foo.domain.com", and not
>"$hostname.ourorganization.foo.domain.com". I realize that in the
>latter case all would be well and the DNS server for "foo.domain.com"
>would leave ourorganization.foo.domain.com to be managed by us.
>However, that is unfortunately not the case (politics and all that...)
>
>So what I'm looking for is basically this: Host srv1 is managed by us,
>and unknown to the parent organization.
>
>Now when a request for srv1.foo.domain.com arrives at our server, we
>would like to first check locally on our server. Then if we cannot
>find this host (there are hosts in the parent organization that we do
>not know of), we would like to forward the request to the parent
>organization's DNS server.
>
>I hope I've made more or less clear what I'm trying to do. :-)
>
No, if your nameserver is authoritative for a zone, it considers itself
authoritative for the whole zone. It'll never ask another server about
names in the zone.
If you have a small number of names you want to "spoof", you could
define them individually as subzones in your config, e.g.
srv1.foo.domain.com could be a zone defined on your server, with A
records and/or other types of records (but not a CNAME) at its apex.
This gets to be unmanageable, of course, if you have more than a handful
of names you want to spoof, particularly since those "special" zones
would need to be defined explicitly on all nameservers required to
resolve them -- explicit configuration is necessary because the zones
wouldn't be delegated from their parent zone, and therefore wouldn't be
findable using the regular name-resolution algorithm.
- Kevin
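As an added illustration of the single-name-zone workaround Kevin describes (this is not configuration from the thread; the file paths, the 192.0.2.10 address and the ns1.ourorganization.example nameserver name are placeholders I chose): each overridden host becomes its own zone whose apex carries the A record, and the stanza has to be repeated on every resolver that must see the override.

```conf
// named.conf fragment (added example; paths and addresses are placeholders).
// foo.domain.com itself is deliberately NOT declared as a zone here, so this
// server stays a normal resolver for it and names we do not know about
// still get answered by the parent organization's authoritative servers.
zone "srv1.foo.domain.com" {
    type master;
    file "/etc/bind/db.srv1";
};

// Every further host needs its own stanza and zone file; this is the part
// that stops scaling once there are more than a handful of names.
zone "srv2.foo.domain.com" {
    type master;
    file "/etc/bind/db.srv2";
};

; /etc/bind/db.srv1 : zone file for the single-name zone srv1.foo.domain.com
$TTL 3600
@   IN  SOA  ns1.ourorganization.example. hostmaster.ourorganization.example. (
            2005091001 ; serial
            7200       ; refresh
            3600       ; retry
            1209600    ; expire
            3600 )     ; negative-cache TTL
@   IN  NS   ns1.ourorganization.example.
@   IN  A    192.0.2.10   ; the answer this resolver gives for srv1.foo.domain.com
; No CNAME at the apex: the SOA and NS records already occupy the owner name,
; so an alias here would be rejected by named-checkzone and by named itself.
```

`named-checkzone srv1.foo.domain.com /etc/bind/db.srv1` validates the zone file before reloading; remember that nothing delegates these zones from foo.domain.com, so any resolver without the stanza will keep answering from the parent's data.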