Internal roots and forwarding.

Scott Morizot tmorizot at ccsi.com
Wed Oct 27 12:48:02 UTC 1999


On Tue, 26 Oct 1999, Cricket Liu wrote:
> > The following is a quote from an earlier post:
> >
> > "While specifics vary, the key thing to keep in mind is that
> > forwarders and internal roots are mutually exclusive configurations.
> > A root server believes it is authoritative for anything
> > (either directly or with a delegation).  There is no
> > such thing as a better server (forwarder).  If your current
> > setup revolves around forwarders, a change to internal roots will
> > likely impact a lot more than just the DNS."
> >
> > Is this the case?  We would like to forward requests for specific external
> > zones to an internet aware name server.  We are using internal root
> > servers.
> > Is this possible?  I have tried creating some forward only zones on the
> > 8.2.1 servers but it doesn't appear to work.
> >
> > I guess I'm looking for a 3rd opinion.
> 
> Well, this is hardly a third opinion, because I think someone from Acme
> Byte & Wire posted the snippet you quoted, but yes, it's correct.
> Forwarding and internal root name servers are mutually exclusive.  One
> very fundamental problem is that, with forwarders configured, you send
> your system query to your forwarder, not a root name server.
> Consequently, you end up with the list of Internet root name servers,
> not your internal root name servers, and you can't reach the Internet
> root name servers.


Actually, I think I may have written the above quote.  I know I've
said something similar very recently and it looks awfully familiar.

However, the specific scenario he mentions may work if he forwards
those requests to a name server that's authoritative for them.

I work in a government agency with a large internal network and
internal roots.  Generally everything is separate from the
Department and other agencies.  However, there are a few
zones that we do need to resolve systems from.  They are
resources accessible to everyone within the Department.

We've done any number of things in the past.  But with BIND
8.2 we've experimented with delegating those zones internally
to a specific server and then having that server declare
a forward zone for the zone and forward the requests to
the real authoritative server for the zone.  (One that,
while not an internet aware name server, is part of a different
DNS and is not aware of our root name servers.)

So, in that limited, narrow approach, it may work.  Like
I said, we have no reason to try it with an internet
aware name server, but the same principle may hold.
And the general statement that forwarders and internal roots
are mutually exclusive still holds.

Scott
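The delegate-then-forward arrangement described above, written out as an added example (not Scott's configuration). Every name and address is an assumption: "dept.example" is the Department-wide zone, "fwd1" (10.0.0.53) is the internal server the internal root delegates it to, and 10.10.0.10 is the real authoritative server, which is part of another DNS and knows nothing about our internal roots.

```conf
// Added example, not Scott's configuration. All names and addresses are
// assumptions (dept.example, fwd1.corp.internal, 10.0.0.53, 10.10.0.10).

/*
 * Step 1, on the internal root servers. The internal root zone file
 * delegates dept.example to fwd1, so every internal resolver that
 * starts at our root is sent to fwd1 for anything under dept.example:
 *
 *   dept.example.         IN NS   fwd1.corp.internal.
 *   fwd1.corp.internal.   IN A    10.0.0.53      ; glue record
 */

// Step 2, named.conf on fwd1 (BIND 8.2 or later, where forward zones
// were introduced). fwd1 has NO global "forwarders" option, so for
// everything else it still resolves from the internal root hints.
options {
    directory "/var/named";
};

zone "." {
    type hint;
    file "internal-root.hints";  // lists the internal roots, not the Internet roots
};

// The zone delegated to us is declared as a forward zone: queries for
// dept.example are handed to the real authoritative server instead of
// being resolved by recursion from our internal root.
zone "dept.example" {
    type forward;
    forward only;     // "only", not "first": a fallback to normal recursion
                      // would start at our internal root, whose only data
                      // for this zone is the NS pointing back at fwd1
    forwarders { 10.10.0.10; };
};
```

If the authoritative server is unreachable, "forward only" means fwd1 returns SERVFAIL for dept.example rather than looping back through the internal root; that failure is visible in the resolver logs and is the expected symptom to watch for.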


