Root server cannot be a forwarder?
Kevin Darcy
kcd at daimlerchrysler.com
Tue Oct 24 20:51:43 UTC 2006
John Hascall wrote:
>> ... You can be both a root server and a forwarder, but your
>> forwarding would need to be limited and specific. You can't be a
>> "general" forwarder.
>>
>> Why on earth someone would want to combine those functions, I have no
>> idea. Worst comes to worst, just set up separate views for the separate
>> functions (assuming you can differentiate your clients somehow).
>
> One place where it gets used is in "NetReg" type systems
> where the DNS for DHCP-unknown systems lies about the
> address of almost every name (sending back the ip of the
> NetReg server), BUT where you want to allow a limited
> amount of leakage out of the NetReg Sandbox network
> so people can do windows/virus updates before being
> registered and let out on the "real internet".
>
> So, for example, from /var/chroot/named/etc/named.conf on
> my NetReg DNS box:
>
> zone "." in {
>     type master;
>     file "db.root";
> };
>
> // needed windowsupdate domains
> // Dear Microsoft, This list is ridiculous!
>
> zone "akadns.com" {
>     type forward;
>     forwarders { 129.186.1.200; 129.186.140.200; 129.186.142.200; };
> };
> :
> (about 18 more zones)
> :
> zone "wustat.windows.com" {
>     type forward;
>     forwarders { 129.186.1.200; 129.186.140.200; 129.186.142.200; };
> };
> :
> :
> (etc)
>
> Where, after NS records for all the forwarder zones, db.root ends up with:
>
> *.      IN A 129.186.6.16
> *.edu.  IN A 129.186.6.16
> *.com.  IN A 129.186.6.16
> *.net.  IN A 129.186.6.16
>
Hmmm... I can see it being useful for that subsystem. From a DNS
infrastructure perspective, of course, it would be much simpler and
cleaner if the NetReg server could also perform a simple HTTP proxy
function for a specific, configurable list of domains; then you'd only
need a single wildcard entry for everything.
- Kevin
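[Editor's added example; this is not code from John's or Kevin's posts.] The interesting part of John's layout is why db.root needs `*.edu.`, `*.com.` and `*.net.` on top of `*.`. My reading, per RFC 4592: the NS records for the forwarded zones create empty non-terminals such as `com`, and a wildcard only synthesises answers directly under the closest existing ancestor of the query name, so `*.` alone stops matching `www.google.com` as soon as `akadns.com` is delegated in the root zone. A sandbox DNS that silently returns NXDOMAIN for those names instead of the NetReg address is exactly the failure you want to catch before deployment. The script below models one such view with those lookup rules, generates the named.conf and db.root from an allowlist, and adds the wildcards every empty non-terminal needs. Assumptions: the allowlist is a constructed two-zone subset (the post elides about 18 zones); `netreg.example.` and the SOA values are hypothetical placeholders, since the post shows only the tail of db.root; the `forward only;` line is my addition, not in the post; the `naive=True` mode exists only to show the gap left by a lone `*.` record.

```python
"""Added example (not from the bind-users post): model a "sandbox root zone +
forward zones" BIND view with RFC 4592 lookup rules (closest encloser, empty
non-terminals) and generate its named.conf and db.root from an allowlist.
Assumptions are marked inline: FORWARD_ZONES is a constructed subset, NS_NAME
and the SOA values are hypothetical, "forward only;" is an addition.
"""
from typing import List, Set, Tuple

SANDBOX_IP = "129.186.6.16"                                           # from the post
FORWARDERS = ["129.186.1.200", "129.186.140.200", "129.186.142.200"]  # from the post
FORWARD_ZONES = ["akadns.com", "wustat.windows.com"]                  # constructed subset
NS_NAME = "netreg.example."                                           # hypothetical


def canon(name: str) -> str:
    """Lower-case, no trailing dot; the root is the empty string."""
    return name.rstrip(".").lower()


def ancestors(name: str) -> List[str]:
    """The name itself, then each parent up to the root: a.b.com -> [a.b.com, b.com, com, '']."""
    labels = canon(name).split(".") if canon(name) else []
    return [".".join(labels[i:]) for i in range(len(labels))] + [""]


def needed_wildcard_parents(owners: List[str]) -> Set[str]:
    """Owners under which a '*' A record is needed: the root, plus every empty
    non-terminal that the other owner names (delegations, glue) create, because
    a wildcard never matches below an existing name that has no wildcard of its
    own (RFC 4592 s2.2.2 / s3.3). Generalises the '*.', '*.com.', '*.edu.',
    '*.net.' lines of the post to whatever allowlist is fed in."""
    parents = {""}
    for owner in owners:
        parents.update(a for a in ancestors(owner)[1:] if a)
    return parents


class SandboxRoot:
    """One BIND view: a master '.' zone made of wildcards plus forward zones."""

    def __init__(self, forward_zones: List[str], glue_owner: str, ip: str,
                 naive: bool = False):
        self.ip = ip
        self.delegations = {canon(z) for z in forward_zones}
        # naive=True keeps only '*.' so the gap it leaves can be demonstrated.
        self.wildcard_parents = {""} if naive else needed_wildcard_parents(
            forward_zones + [glue_owner])
        self.a_owners = {"*." + p if p else "*" for p in self.wildcard_parents}
        self.a_owners.add(canon(glue_owner))
        # Every owner name and every ancestor of it exists in the zone (ENTs included).
        self.existing: Set[str] = set()
        for owner in self.delegations | self.a_owners:
            self.existing.update(ancestors(owner))

    def lookup(self, qname: str) -> Tuple[str, str]:
        """Return (outcome, detail): forward / sandbox / nodata / nxdomain."""
        q = canon(qname)
        # 1. At or under a forward zone: BIND answers from the most specific
        #    configured zone, so the query goes to the forwarders, not db.root.
        for a in ancestors(q):
            if a in self.delegations:
                return ("forward", a)
        # 2. Exact match in db.root: a real A record, or an ENT answering NODATA.
        if q in self.a_owners:
            return ("sandbox", self.ip)
        if q in self.existing:
            return ("nodata", q)
        # 3. Closest encloser = longest existing ancestor; only a '*' directly
        #    under it can synthesise an answer.
        ce = next(a for a in ancestors(q)[1:] if a in self.existing)
        if ce in self.wildcard_parents:
            return ("sandbox", self.ip)
        return ("nxdomain", ce)

    def named_conf(self) -> str:
        """The named.conf zones, in the shape shown in the post."""
        lines = ['zone "." in {', "    type master;", '    file "db.root";', "};", ""]
        fwd = " ".join(f + ";" for f in FORWARDERS)
        for z in sorted(self.delegations):
            lines += [f'zone "{z}" {{', "    type forward;",
                      "    forward only;  // added: no fallback to recursing via our fake root",
                      f"    forwarders {{ {fwd} }};", "};", ""]
        return "\n".join(lines)

    def db_root(self) -> str:
        """A loadable db.root: hypothetical apex records, then the records the post shows."""
        lines = ["$TTL 60",
                 f"@ IN SOA {NS_NAME} hostmaster.{NS_NAME} ( 1 3600 900 604800 60 )",
                 f"@ IN NS {NS_NAME}",
                 f"{NS_NAME} IN A {self.ip}"]
        lines += [f"{z}. IN NS {NS_NAME}" for z in sorted(self.delegations)]
        for p in sorted(self.wildcard_parents, key=lambda p: (p.count("."), p)):
            lines.append(f"{'*.' + p + '.' if p else '*.'} IN A {self.ip}")
        return "\n".join(lines)


if __name__ == "__main__":
    full = SandboxRoot(FORWARD_ZONES, NS_NAME, SANDBOX_IP)
    naive = SandboxRoot(FORWARD_ZONES, NS_NAME, SANDBOX_IP, naive=True)
    print(full.named_conf())
    print(full.db_root())
    for n in ["www.google.com", "foo.bar.org", "x.wustat.windows.com", "windows.com"]:
        print(f"{n:24} generated: {full.lookup(n)}  only '*.': {naive.lookup(n)}")
```

Two things the model makes visible that the config alone does not. First, the glue name you pick for the apex NS matters: `netreg.example.` creates the empty non-terminal `example`, so the generator also emits `*.example.`; without it, anything under `.example` would get NXDOMAIN instead of the NetReg address. Second, a name that is itself an empty non-terminal (`windows.com` here, `com` in every case) answers NODATA rather than the sandbox address, so if clients need such a name it has to be forwarded or given an explicit record.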