Multiple roots?

Dave Wreski dave at guardiandigital.com
Tue Jul 9 02:46:14 UTC 2002


Hi all,

I'm trying to configure an internal name server that is to become 
authoritative for a top-level domain that is different than the 
top-level of the company to which it belongs.

In other words, I have something like this:


[Internet]-----[DMZ]----[ns.inside.companyA.com]
		 |		|
	[ns.companyA.com]  [internal network]
				|
				|
			   [ns.bigcompany.com]

ns.inside.companyA.com is also a proxy server. Hosts on the internal 
network need to be able to resolve hosts within the bigcompany.com 
domain using the bigcompany.com internal domain servers, not the ones 
authoritative for the top-level domain.

ns.bigcompany.com has no knowledge of ns.inside.companyA.com.

The problem is that when clients on the internal network try to resolve 
www.internal.bigcompany.com using ns.inside.companyA.com, the nameserver 
seeks its answer from the public DNS servers on the Internet.

If I use forwarders on ns.inside.companyA.com with name servers capable 
of resolving hosts in the private.bigcompany.com domain and a root cache 
file containing the correct bigcompany-root.net servers, it works 
correctly but then of course it's unable to resolve public Internet hosts.

If I use forwarders on ns.inside.companyA.com with a name server defined 
in the public DMZ and public root servers, I'm of course able to resolve 
hosts on the Internet but not the bigcompany.com internal hosts.

If I use the name server in the public DMZ as a forwarder combined with 
the internal root servers, I receive the following for each of the 6 
defined root servers:

08-Jul-2002 22:26:26.084 default: check_hints: no A records for 
c.bigcompany-root.net class 1 in hints

What am I doing wrong? Is this even possible? Is it possible to somehow 
define multiple roots or configure forwarders correctly?

Thanks,
Dave

-- 
Dave Wreski
Corporate Manager                           Guardian Digital, Inc.
(201) 934-9230                Pioneering.  Open Source.  Security.
dave at guardiandigital.com            http://www.guardiandigital.com


