Rely on Recursive "De-forwarding" Behavior?

Barry Margolin barmar at bbnplanet.com
Thu Jul 8 01:16:22 UTC 1999


In article <3783E4AF.2AF3469F at daimlerchrysler.com>,
Kevin Darcy  <kcd at daimlerchrysler.com> wrote:
>            I have been experimenting with the "de-forwarding" feature
>of BIND 8.2, i.e. where you specify a null forwarders list for a given
>zone in order to override the global forwarding behavior. What I have
>noticed is that the "de-forwarding" specification seems to apply not
>only to a given zone, but to subzones as well. For example, if
>I deforward "bar.com", and then I happen to get some NS RR's in my cache
>for "foo.bar.com", which is not mentioned in my named.conf file, I'll
>still not forward for that zone, even though I now know it is a separate
>zone from its parent.
>
>    My question is: is this behavior intentional, or just accidental? We
>here at DaimlerChrysler are in the throes of a massive DNS integration
>and would not want to rely on behavior that may quietly disappear in a
>subsequent release. A purist argument could be made, I suppose, that
>deforwarding should only apply to a given zone, and not apply
>recursively. But the current recursive behavior seems more useful for
>us, since our zone hierarchies go fairly deep in places.

I think this was intentional, as it's something that many sites needed.
It's quite common in split-DNS configurations to have global forwarding to
the firewall, but still want to be able to access all the internal
subdomains.  In the past it was necessary to configure the internal servers
as slaves of each other so that they wouldn't forward for the internal
subdomains.  This meant that they all had to know about all the internal
subdomains, which is a maintenance nightmare.

Now they can simply configure their company.com domain as non-forwarding,
and it will be pervasive down the hierarchy.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
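
The setup discussed in this thread, sketched as a named.conf fragment. This is an added example, not part of the original posts; the forwarder address 192.0.2.1 and the zone file name are constructed placeholders, and it assumes the internal server is master for company.com.

```conf
// Internal name server in a split-DNS setup (added illustration).

options {
    // Global forwarding: every query that cannot be answered locally
    // is sent to the resolver on the firewall.
    forwarders { 192.0.2.1; };   // constructed placeholder address
    forward only;
};

// "De-forwarding": the empty forwarders list overrides the global list
// for company.com. As described in the thread, BIND 8.2 applies it to
// names below the zone as well, so a query for host.foo.company.com
// follows the internal NS delegation for foo.company.com and is not
// sent to the firewall, although foo.company.com has no zone statement
// of its own here.
zone "company.com" {
    type master;
    file "db.company.com";       // constructed placeholder file name
    forwarders { };
};

// Every name outside company.com still matches no zone statement and
// is handled by the global forwarders above.
```

To check the effect on a test server, query a name in a delegated subdomain and watch the traffic on the firewall-facing interface: with the empty list in place, no query for that name should reach 192.0.2.1.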

