writeable secondary zone?

Nex6 n6ghost at gmail.com
Wed Jan 4 16:31:43 UTC 2017


On Tue, Jan 03, 2017 at 05:22:56PM -0800, Carl Byington wrote:
> On Tue, 2017-01-03 at 16:35 -0800, Nex6 wrote:
> > I have a very specific issue, where a partner org wants me to add an
> > SRV record for their org. (I don't want to.)
> 
> If I understand the question, we have
> 
> nex6.example.com -- under your dns control
> 
> partner.example.com -- dns under the control of your partner, and they
> want *you* to see something like:
> 
> _http._tcp.partner.example.com.  SRV  0 5 80  www.example.com.
> 
> but they don't want to add that record in their own partner.example.com
> zone where it would be visible to the world.
> 
> You could use RPZ on your recursive resolvers for that, to add that SRV
> record into their zone (assuming that they are not DNSSEC signing their
> zones). Of course, that record would then be visible to all of your
> users, not just the ones using that application. But does the existence
> of that extra SRV record hurt any of those users?

Both orgs have internal private DNS, which includes "Active
Directory" zones.

The partner org has a cloud-based app that they are integrated with,
and now some of our users need access to it, and they need to use the
partner org domain credentials.

So they wanted me to add, more or less:

SRV _appname -> ad.partnerdomain.org

Because said app might exist on our network, or we might have to
add that record in the future, I don't want to add the record, since
you can only have one SRV record, and having another org's SRV pointing
back to their Active Directory just seems like an all-bad idea.

The problem is, when our users on our network connect to this app, for
it to authenticate it needs the SRV record telling the app where AD is.
Since our network/NS does not have the record ... fail....

We tried hosts files, but that does not seem to work with SRV records,
and I'm not sure whether it would work if I created a forward zone and
pointed it directly at their NS.

-Nex6
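As a worked illustration of the two resolver-side options raised in this thread (Carl's RPZ overlay and the forward zone Nex6 asks about), here is an added BIND configuration example; it is not from either poster and not ISC's own documentation. The zone name `rpz.local`, the file paths, the `_appname._tcp` service label, port 389 and the partner NS address 192.0.2.53 are all assumptions or placeholders, not values from the thread.

```bind
// ---- /etc/named.conf (excerpt; assumed path) ----
options {
    // Option 1: an RPZ zone that overlays the SRV record on THIS recursive
    // resolver only. Nothing is published in the partner's real zone, and
    // only clients that use this resolver ever see the record.
    response-policy { zone "rpz.local"; };
};

// The RPZ zone that carries the policy data ("rpz.local" is an assumed name).
zone "rpz.local" {
    type master;
    file "/etc/named/db.rpz.local";   // assumed path
    allow-query { localhost; };       // policy data is not served to clients
};

// Option 2 (the forward-zone idea from the thread): hand the whole partner
// zone to the partner's name server. Every query this resolver receives for
// ANY name under partnerdomain.org then goes to that server, and its answers
// stand for the whole zone in your view, not just the one SRV record.
// Keep only one of the two options active for this name; they overlap.
// zone "partnerdomain.org" {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.53; };   // placeholder for the partner's internal NS
// };

; ---- /etc/named/db.rpz.local (assumed path) ----
$TTL 300
@   IN SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
    IN NS  localhost.

; "Local Data" action: a query for exactly this owner name gets this record.
; The owner name is relative to the RPZ zone origin. The SRV target MUST end
; with a trailing dot, otherwise BIND reads it as ad.partnerdomain.org.rpz.local.
; 389 is an assumed port; use whatever port the partner's app really looks up.
_appname._tcp.partnerdomain.org  IN SRV 0 5 389 ad.partnerdomain.org.
```

After `rndc reload`, `dig @127.0.0.1 _appname._tcp.partnerdomain.org SRV` on the resolver shows whether the overlay is being returned. Two caveats follow from the thread itself: hosts files cannot carry SRV records at all, so the resolver is the only place to do this; and, as Carl notes, if the partner signs `partnerdomain.org` with DNSSEC, BIND by default will not rewrite answers for validating clients (its `break-dnssec` option defaults to `no`), so the overlay silently stops applying to them. Whichever option is chosen, the record does exactly what Nex6 is uneasy about: it sends your users' authentication traffic for this app to the partner's Active Directory, so treat it as a deliberate trust decision rather than a DNS detail.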
