Nameservers not reachable by the roots
Kevin Darcy
kcd at daimlerchrysler.com
Tue Feb 21 22:19:14 UTC 2006
ewilts at ewilts.org wrote:
>Do nameservers have to be reachable by the roots? I've got a weird
>case where the nameservers are behind firewalls and should only be
>reachable for users who tunnel in. So, for example, I'd like to have a
>domain example.com with DNS server entries 10.0.0.1 and 10.0.0.2. When
>the tunnel is up, these are reachable. When the tunnel is done,
>they're not. However, nobody will be able to determine the validity of
>the domain unless they have a tunnel. Is this allowed in DNSland? We
>seem to recall that registrars don't want you to register a domain
>without a valid DNS server - in this case, it doesn't appear valid to
>the registrar even though it is for the people that have the
>authorization to look up the entries in the domain.
>
No, the root nameservers are, to all appearances at least,
non-recursive, meaning they don't provide resolution of any zones
outside of the ones they host. They would never be trying to query your
nameservers.
You *may*, however, run into problems if you're trying to run a regular
iterative resolver at the far end of the tunnel, since presumably there
will be no delegation in the Internet DNS for whatever domain(s) you're
using through the tunnel, so it will have no way to know to ask the
nameservers on your end of the tunnel. You might have to "spike" that
iterative resolver with some selective slave/stub/forwarder definitions,
so it knows where to resolve what.
As for your registry questions I think it's fairly common to just
"reserve" or "park" a domain, without actually hosting anything for it.
Or, a lot of registrars will throw in some minimal domain hosting for
free or very low cost. Bear in mind that if the Internet DNS
infrastructure is not necessary to resolve names in the domain in
question, the only reason for registering it at all is just to make sure
that no-one else does -- an eventuality which could cause complications
if sites get set up under that domain, that your users may actually want
to get to someday. Another, cheaper route, is to pick a "bogus" TLD such
as .internal for your "private" domain(s). Then you don't have to register
anything with anybody.
- Kevin
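What "spiking" the far-end iterative resolver looks like in practice, as an added example that is not part of the original post: a BIND named.conf fragment that forwards only the private zone (and its reverse range) to the servers across the tunnel and resolves everything else from the root hints as usual. The zone name and addresses are the ones from the question (example.com, 10.0.0.1 and 10.0.0.2) and the client ranges are assumed; adjust them to your own setup.

```conf
// Added example, not from the original post or from ISC.
// named.conf for the iterative resolver at the far end of the tunnel.
// Assumed: the private zone is example.com, its authoritative servers are
// 10.0.0.1 and 10.0.0.2, and clients that may recurse sit in 10.0.0.0/8.

options {
    directory "/var/cache/bind";
    recursion yes;
    // Only local and tunnelled clients may use this resolver.
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };
    // Deliberately no global "forwarders": names outside the zones
    // below are resolved iteratively from the root hints, so the
    // public Internet keeps working whether or not the tunnel is up.
};

// Private zone with no delegation in the public DNS: send every query
// for example.com and everything below it to the servers on the
// tunnelled side instead of asking the root/.com servers.
zone "example.com" {
    type forward;
    forward only;      // never fall back to iterative resolution;
                       // with the tunnel down the query simply fails
    forwarders { 10.0.0.1; 10.0.0.2; };
};

// Reverse mapping for the same private range, so PTR lookups for
// tunnel addresses also stay inside the tunnel.
zone "0.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.0.0.1; 10.0.0.2; };
};

// The "stub" alternative mentioned above: the resolver pulls only the
// NS and SOA records from the listed servers and then iterates against
// the nameservers it learns from them, rather than forwarding blindly.
// zone "example.com" {
//     type stub;
//     masters { 10.0.0.1; 10.0.0.2; };
//     file "stub.example.com";
// };
```

Use `forward only` rather than `forward first`: with `forward first` a resolver that cannot reach the tunnel would fall through to the public DNS and, for a registered name, get whatever the registrar's parking servers say, which is exactly the confusion the thread warns about. On a resolver that also validates DNSSEC, an undelegated zone like this will not validate against the public chain of trust, so newer BIND versions need the zone listed in `validate-except` (or the private-TLD route, which has no public parent to contradict it).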