Forwarding pre-empts subdomains?

Marc.Thach at radianz.com
Tue Jun 19 09:06:14 UTC 2001



Jack,
You can't specify exceptions.  This refusal to follow authoritative
delegations is one of the snags of forwarding.  Your current situation is a
bit weird anyway.  You seem to have a root DNS which is doing all the
recursion.  The normal setup is that the root does no recursion and the
lower level servers are expected to do the work.

If your proxy is transparent then:
For all your local DNS currently auth for someoffice.state.gov, make them
each also auth for state.gov and therefore carry the full list of
delegations.  One could be master and the others slaves for this zone (or
use a hidden master and have all of them slaves).  Remove the forwarding to
the root.  Get rid of your internal root server, put a real Internet
root hints file on each server and configure default routes to the proxy.
Simple.

If your proxy is non-transparent, i.e. all services are provided at a local IP
address, then keep your current config but replace the internal root with
the proxy.  Configure the proxy to be auth for the state.gov zone and
delegate (and recurse) for the internal zones.  Not so simple.

Marc TXK
________________________________________________________________________
The views expressed are personal and do not necessarily reflect those of
the organisation providing the mail address from which this message was
sent
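The transparent-proxy design from the reply above, written out as BIND 9 configuration. This is an added example, not configuration from either poster (the original question concerns Cisco Network Registrar, not BIND); the host names, the 10.0.0.0/8 addresses and the file paths are assumptions. Each office server becomes a slave for state.gov, so it holds every delegation itself, keeps mastering its own office zone, and uses the real root hints instead of a global forwarders list. The commented-out forwarders line is the setting that produces the symptom described in the thread.

```conf
# /etc/named.conf on each office server (shown for the paris.state.gov server).
# Assumed BIND 9 syntax; names and addresses are made up for illustration.

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };   # internal clients only (assumed prefix)

    # The broken setting: a global forwarders list sends every query the
    # server is not itself authoritative for to the proxy firewall, including
    # names under delegations the server already knows about.
    # forwarders { 10.1.1.254; };      # <- proxy firewall; leave this out
};

# Real Internet root hints. Outbound DNS then goes out via the default route,
# which points at the transparent proxy.
zone "." {
    type hint;
    file "named.root";
};

# Every office server is also authoritative (slave) for state.gov, so it has the
# NS and glue records for paris, rome, someoffice, ... locally and follows
# those delegations instead of forwarding.
zone "state.gov" {
    type slave;
    masters { 10.0.0.1; };             # hidden master for state.gov (assumed)
    file "slaves/state.gov";
};

# This server's own office zone stays a master here.
zone "paris.state.gov" {
    type master;
    file "paris.state.gov";
};

; /var/named/state.gov on the hidden master (10.0.0.1). Only the delegation
; records matter for this thread; addresses are made up.
$TTL 3600
@               IN SOA  hidden-master.state.gov. hostmaster.state.gov. (
                        2001061901 3600 900 1209600 3600 )
                IN NS   ns1.paris.state.gov.
                IN NS   ns1.rome.state.gov.
                IN NS   ns1.someoffice.state.gov.

; Delegations: one NS set per office plus glue A records, because the
; name servers live inside the zones they are authoritative for.
paris           IN NS   ns1.paris.state.gov.
rome            IN NS   ns1.rome.state.gov.
someoffice      IN NS   ns1.someoffice.state.gov.

ns1.paris       IN A    10.2.0.53
ns1.rome        IN A    10.3.0.53
ns1.someoffice  IN A    10.4.0.53
```

To check the result from an internal client, query one office server for a name in another office (for example `dig @10.2.0.53 host.rome.state.gov`) and confirm the answer comes back with recursion rather than SERVFAIL, then query an Internet name through the same server and confirm it resolved via the roots; with `+norecurse` the first query should return a referral to ns1.rome.state.gov from the locally held state.gov zone. Note that the slaves must be able to transfer state.gov from the hidden master, so restrict `allow-transfer` on the master to the office servers' addresses rather than leaving it open.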


"Jack Aubert" <jaubert at cpcug.org> (sent by bind-users-bounce at isc.org) wrote on 19/06/2001 04:00:
To: comp-protocols-dns-bind at moderators.isc.org
cc:
Subject: Forwarding pre-empts subdomains?

I'm running a large internal DNS domain (state.gov) with an extensive, but
flat, list of subdomains: (paris.state.gov, rome.state.gov,
someoffice.state.gov and so forth).  These subdomains are all delegated from
the internal root to local authoritative DNS servers, all of which are set
to forward back up to the internal root server.  All this is behind a
firewall and we are using Cisco Network Registrar's (dynamic) DNS.

We are finally about to permit a proxy server to allow internal users some
outside access to the Internet and I am trying to set up a split-brain DNS
that resolves outside names via a proxy firewall and inside names
internally.  My problem seems to be that if I set the internal root
server(s) to forward to the proxy firewall, the system stops resolving
internal delegated subdomains.  It will resolve Internet domains and domains
for which the internal root is authoritative, but will not resolve the
internally delegated domains.  It knows that subdomains have been delegated
and has the glue records for the delegations, but ignores this information
and forwards for everything it is not personally authoritative for.  Is this
normal behavior?  Shouldn't forwarding not apply to delegated subdomains?
Do I have to specify an exception for every delegated subdomain?