Split DNS?

Jim Reid jim at rfc1035.com
Thu Jul 20 09:07:37 UTC 2000


>>>>> "Rob" == Rob Egan <rob at artistdirect.com> writes:

    Rob> Thanks for your reply. One of my goals for using split DNS
    Rob> was to avoid having to make updates to DNS records on two
    Rob> machines. However, split DNS still requires updates to two
    Rob> sets of files whether there on one machine or two. Does the
    Rob> support for split DNS in BIND 9 alleviate any of this?
    Rob> Somehow I envisioned "split DNS" as allowing some way to
    Rob> identify records as those that should be visible to external
    Rob> hosts, and those that are visible to only internal users, but
    Rob> all the records exist in a single file (sounds like a neat
    Rob> idea, anyway).

You can do this with $INCLUDE directives in zone files, but it will
get messy. Another possibility would be to use some sort of meta file
and write scripts that process it to churn out internal and external
versions of the zone files. This is messy too. You have to think about
maintenance and support issues as well as documenting your procedures.
If you have some weird way of managing your zone files, it will make
life hard, especially for your colleagues and successors.

Usually doing one change exactly once is the right thing to do. But I
don't think this is one of them. When you have split DNS, you
really have different zones (albeit with the same name). It therefore
makes sense to isolate those zones from each other and keep them
separated. The internal and external versions of your zone are
different - if they're not, why deploy split DNS? - so they should be
administered independently of each other. They shouldn't be sharing
(bits of) the same zone file or a change procedure. What if the two
versions of the zone have to be managed from physically separate
computers?

    Rob> Also, where is everybody learning about split DNS? I have the
    Rob> 3rd edition DNS and BIND O'Reilly book, and I read about BIND
    Rob> 8 and 9 on the isc.org website, but I've seen no mention of
    Rob> split DNS (other than the fact that it's a feature in BIND 9).

Split DNS has been around for a long time and is documented somewhere
in Cricket's book(s): pp394-398 of the third edition for instance. Split
DNS is not a feature of BIND9 per se: any group of name servers can be
configured to implement it. [After all it's possible to configure any
name server as master (primary) for any zone and contain whatever data
the DNS administrator chooses to put in that zone.] Views in BIND9
allow one name server to present different pictures of some zone or
zones depending on the IP address that makes the query. BIND9 just
offers the possibility of a different way of implementing split DNS:
split DNS in a single box/process. And it's still possible to do split
DNS in BIND9 the old way. It doesn't *have* to be implemented using
the new views mechanism.
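As an added illustration of the views mechanism described above (this is a constructed example, not configuration from the post or from ISC), here is the shape of a BIND 9 named.conf that serves two different versions of one zone from a single process. The zone name example.com, the address ranges and the file paths are assumptions for the example; the internal and external zone files are deliberately kept as two separate files, which matches the point made above that they are really two different zones.

```conf
// Constructed BIND 9 named.conf fragment: one server, two views of "example.com".
// All names, addresses and paths here are hypothetical.

acl "internal-nets" {
    10.0.0.0/8;
    172.16.0.0/12;
    127.0.0.1;
};

options {
    directory "/var/named";
    recursion no;           // default for any view that does not override it
};

// Views are matched in order; the first view whose match-clients
// matches the query's source address answers the query.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;          // internal hosts may use this server as a resolver

    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // internal version of the zone
    };

    zone "." {
        type hint;
        file "named.root";                  // needed for recursion in this view
    };
};

view "external" {
    match-clients { any; }; // everything not matched by the view above
    recursion no;           // authoritative-only for the outside world

    zone "example.com" {
        type master;
        file "external/example.com.zone";   // external version, different data
    };
};
```

Two things a practitioner should keep in mind with this layout. First, once any view is defined in BIND 9, every zone must live inside some view, so the root hints and any other zones move into the views as well. Second, the choice of view is made purely on the source address of the query, so the separation between the internal and external pictures of the zone is only as strong as the address filtering at the network edge; a query that arrives with a spoofed internal source address is answered from the internal view. Keeping the two versions on separate servers, the "old way" mentioned above, avoids that dependency at the cost of a second box to administer.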



More information about the bind-users mailing list