secondary vs. delegation

Kevin Darcy kcd at daimlerchrysler.com
Tue Jul 3 22:38:06 UTC 2001


It wasn't very clear from your original message that foo.com was on a security
boundary. That makes a *world* of difference. If you want to hide the fact that
the corp.foo.com domain *exists*, then obviously you can't put a delegation for
it in the publicly-accessible foo.com zone. But the downside of running an
"undelegated subzone" is that every internal nameserver then needs to have
*explicit* knowledge about how to resolve names in the corp.foo.com domain,
since it's not possible to just follow the delegation chain down, i.e. every
single one of those nameservers would have to have, at a minimum, a zone
definition for the apex zone, i.e. corp.foo.com. This could be a bear to manage
throughout the intranet.

If you want the best of both worlds, i.e. the flexibility of delegation but the
privacy of not exposing the delegation, then you probably need to go the "split
DNS" route. The internal version of foo.com would have the delegation, but the
external version would not. Unfortunately, split DNS usually requires dual
maintenance of the entries which need to be visible in both versions of the
zone. If you're running both versions of foo.com on the same box, though, you
might be able to use BIND 9's "view" mechanism in conjunction with an
$INCLUDE file of the records which are shared between both versions of the
zone, to reduce that maintenance overhead to a minimum.


- Kevin

Brian Noecker wrote:

> >>
> >>I've gotten myself confused a bit on justifying delegation.  We do DNS
> >>service for a company foo.com that wants to run their own DNS servers for
> >>internal corp.foo.com.  We are looking at delegating the corp.foo.com to
> >>their name server so they can administer the zone file how they want.
> >>Their internal corp.foo.com servers are all internal IP address 192.168.x.x
> >>servers.
> >>
> >>My question is, what justification is there to delegate rather than to just
> >>be a secondary for a subdomain?
>
> >The two issues are independent.  In order for them to administer the
> >subdomain themselves, you *have* to delegate it;
>
> This applies, even if the corp.foo.com network is in total an internal
> domain?  Any external access to the internal servers can be CNAME'd to a
> record in the parent foo.com domain.  Lookups to the corp.foo.com domain
> would only come from members of that domain, and possibly those of us who
> administer their network.  In that case, as secondaries, using search lists,
> we are able to find their resources.  This setup is meant to hide this
> internal corp.foo.com network from the outside world, while keeping any
> public servers accessible via the foo.com domain.
>
> >...otherwise, you'll just
> >look in the foo.com zone for everything.  If you want, you can also be
> >secondary for the subdomain, but this doesn't remove the need to delegate
> >it.
>
> Would delegating solve the issue of having to use search lists for these
> subdomains?
>
> Thanks!!!
>
> --
> Barry Margolin, barmar at genuity.net
> Genuity, Burlington, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the
> group.
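For anyone wanting to see what the "view" plus $INCLUDE arrangement Kevin describes looks like on disk, here is an added example (my own sketch, not part of Kevin's message and not a file shipped with BIND). It assumes a single BIND 9 box serving both versions of foo.com, an intranet on 192.168.0.0/16 as in Brian's description, made-up public addresses in 203.0.113.0/24, hypothetical nameserver names ns1/ns2.corp.foo.com, and a `directory` option pointing at the zone tree so the `$INCLUDE` paths resolve:

```conf
// /etc/named.conf (fragment): two views of foo.com on one server.
// Only the internal view carries the corp.foo.com delegation.

acl "intranet" { 192.168.0.0/16; 127.0.0.1; };   // constructed prefix, per the thread

view "internal" {
    match-clients { "intranet"; };
    recursion yes;                  // internal resolvers may follow the delegation
    zone "foo.com" {
        type master;
        file "internal/foo.com.zone";
    };
};

view "external" {
    match-clients { any; };         // everything that did not match "intranet"
    recursion no;
    zone "foo.com" {
        type master;
        file "external/foo.com.zone";
    };
};

; ---- internal/foo.com.zone: seen only by intranet clients ----
$TTL 3600
@   IN SOA ns1.foo.com. hostmaster.foo.com. ( 2001070301 3600 900 1209600 3600 )
$INCLUDE "shared/foo.com.common"    ; records that both views must publish
; delegation of corp.foo.com to the customer's own servers; glue is RFC 1918 space
corp        IN NS   ns1.corp.foo.com.
corp        IN NS   ns2.corp.foo.com.
ns1.corp    IN A    192.168.1.10    ; hypothetical glue
ns2.corp    IN A    192.168.1.11    ; hypothetical glue

; ---- external/foo.com.zone: public view, no trace of corp.foo.com ----
$TTL 3600
@   IN SOA ns1.foo.com. hostmaster.foo.com. ( 2001070301 3600 900 1209600 3600 )
$INCLUDE "shared/foo.com.common"

; ---- shared/foo.com.common: maintained once, pulled into both zone files ----
@      IN NS   ns1.foo.com.
@      IN NS   ns2.foo.com.
ns1    IN A    203.0.113.1
ns2    IN A    203.0.113.2
www    IN A    203.0.113.10
mail   IN A    203.0.113.20
@      IN MX   10 mail.foo.com.
```

Two things to watch with this layout. `$INCLUDE` does not touch the SOA serial, so every change to the shared file still needs the serial bumped in both zone files or the secondaries of each view will never pick it up. And view selection here rests entirely on the source address in `match-clients`, so the "privacy" of the delegation is only as good as the address filtering at the security boundary; anything that can reach the server from a 192.168 address sees the internal view.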
