Delegating and slaving of same zone - good idea or just plain stupid?
Kevin Darcy
kcd at chrysler.com
Thu Oct 9 03:31:29 UTC 2008
Peter Laws wrote:
> Kevin Darcy wrote:
>
>
>
>> Slave the 10.in-addr.arpa subzones on your "external" servers and ensure
>> -- as you should already be doing -- that only your own
>> clients/resolvers see the RFC 1918 stuff. The rest of us shouldn't and
>> don't want to see your RFC 1918 dirty laundry.
>>
>
> Done, and of course you can't see it. What good would it do you anyway?
>
>
>
>> As for your *internal* DNS, you can if you wish delegate 10.in-addr.arpa
>> directly from your internal root zone or delegate twice, from root to
>> in-addr.arpa, and then again to 10.in-addr.arpa. If you _have_ an
>> internal root zone, that is: it's not clear from your post whether you
>> have one or not.
>>
>
> Well, no, it's not set up as root if you mean zone "." It's just another
> zone on the server. And if I do a dig +trace, it doesn't work of course
> (the root servers have no idea what I'm smoking when I ask). I've not seen
> an example of how we'd do that
>
dig +trace assumes an unbroken delegation chain all the way down from
the root zone. If that's what you want, then you need a) a root zone
(obviously), and b) delegations at each and every step of the chain.
There are plenty of examples out there of how to delegate, or just read
the _Parenting_ chapter of the _DNS_and_BIND_ book.
As I pointed out in my previous post, however, it's not strictly
necessary to delegate if all of the nameserver instances in question are
slaves for the relevant zone, so if that's the way you're set up, then
the delegations would be optional.
- Kevin
More information about the bind-users
mailing list