"Hidden Master" visible slave

Kevin Darcy kcd at daimlerchrysler.com
Thu Jan 12 20:10:42 UTC 2006 

Barry Finkel wrote:

>"carcarx at hotmail.com" <carcarx at hotmail.com> wrote:
>
>  
>
>>We want to set up a DNS server for departmental administrators to
>>maintain
>>their own zones, but not "mess" with our primary nameservers.
>>
>>Our idea is to have that "departmental" nameserver master some zones
>>with our primary nameservers being the slaves for those zones, but
>>we don't want the departmental server to be visible to the internet.
>>
>>Since the authoritative server for those zones won't be visible the
>>clients should look to the visible ones (with some delay).
>>
>>Any docs about how to automatically avoid referrals to the departmental
>>server (aside from tcp/ip rerouting trickery).
>>    
>>
>
>Kevin Darcy has already responded, but I think that he is misreading
>your request, or reading too much into it.  But I may be wrong.
>
>Make your departmental name servers hidden; do not put their names in
>NS records.  Slave those zones on your name servers, the servers listed
>in the NS records.  When any departmental zone is updated, the DNS
>NOTIFY process should cause a quick reload of the changed zone on the
>slave servers, which your clients will be using for DNS resolution.
>Also, if you do not want people querying the departmental name servers,
>then do not include those servers in the TCP/IP definition
>(i.e, resolv.conf) on the client machines.
>
>I do not see anything more complicated here, such as departmental
>nodenames that you want hidden from the Internet.
>
Barry,
            If the NS records for the internal, departmental nameservers 
are missing from the relevant zone(s), then how can you ever run a 
caching-only config on an internal resolver, without giving it access to 
the Internet-facing nameservers, which may not be feasible/manageable 
because of routing restrictions, firewall rules, etc. and creates a 
perhaps-undesirable dependency between your internal infrastructure and 
your Internet-facing infrastructure?

At a certain critical mass, rather than maintaining "special" 
configurations in all of one's internal resolvers, it makes more sense 
to bite the bullet and just implement a split namespace. Then one can 
put whatever NS records, or other kinds of records one wants in the 
internal zones, without worrying about any consequences for Internet 
clients. It's actually quite liberating. Until one reaches that critical 
mass, though, the time and effort required to set up a parallel 
maintenance regime, is not worth the long-term benefit of a clean 
separation.

                                                                         
                                             - Kevin

More information about the bind-users mailing list