use named.ca or forwarder statement?

Kevin Darcy kcd at daimlerchrysler.com
Wed Jul 24 23:35:49 UTC 2002


vickun at hotmail.com wrote:

> Is it okay to not use any "forwarder" statement, but just stick in the
> "named.ca" file the next DNS to query for resolution information?
>
> We are setting up a tiered structure of DNS's.
>
> We have a domain, let's say, "company.com".  We have hosts that are
> either available only internally, or available both internally and
> externally.
>
> That means some hosts will only have a "10.x.x.x" IP address, while
> others will have both a "10.x.x.x" IP address, as well as a real world
> IP address like "64.x.x.x".
>
> This means I will have an intranet DNS that resolves "company.com"
> hostnames with the "10.x.x.x" IP addresses, as well as an internet DNS
> that resolves "64.x.x.x" IP addresses.
>
> Question 1:
> In my intranet DNS's "named.ca" file, is it okay to just put my
> internet DNS as the sole entry?

No, you need to either a) forward or b) put valid, authoritative root
nameservers into named.ca. It doesn't work to put arbitrary caching-only
servers into hints, since they are incapable of responding
authoritatively for the root zone, which is all that the hints file is
used for.

> Question 2:
> Is the "forwarder" statement just a convenient way of accessing DNS
> information quickly for the other domains you normally look for?  Like
> for example if I'm at a sporting goods company, should I stick in
> espn.com's DNS servers into my "forwarder" statement?

No, it is rude to forward to other people's servers without their
knowledge or consent. Think about it: would you want a bunch of
miscreants forwarding to *your* nameservers?

There are only 2 scenarios in which forwarding makes sense: 1) ("forward
only" mode) to get around some sort of connectivity issue, typically
internal servers wanting to resolve Internet names where the firewall
doesn't allow DNS queries to pass through it, or 2) ("forward
first" mode) an attempt to increase performance by forwarding to a
(consenting!) central cache server or set of servers, which presumably
have better connectivity to the Internet backbone, plenty of spare
capacity, and a rich cache.


- Kevin
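As an added illustration of the two options Kevin describes (this is example configuration written for this page, not something posted in the thread or shipped by BIND), here is a BIND 9 named.conf for the intranet server in the scenario above. The hints zone loads the real root servers from named.ca, and the options block shows "forward first" toward a consenting internal cache, with the "forward only" variant for the firewalled case left commented. The directory, file names and the 10.0.0.53 resolver address are placeholders, not values from the thread.

```conf
// Added example: BIND 9 named.conf for the intranet nameserver described above.
// All addresses and file names are placeholders, not values from the thread.
options {
    directory "/var/named";

    // Option (b) from the reply: use no forwarders at all. Recursion then
    // starts at the root servers listed in the hints zone below.
    // To do that, delete the "forward" and "forwarders" lines entirely.
    //
    // Option (a), "forward only" mode: every query the server cannot answer
    // from its own zones or its cache goes to the listed resolvers and
    // nowhere else. This is the mode for an intranet server behind a
    // firewall that does not let DNS queries out.
    // forward only;
    // forwarders { 10.0.0.53; };      // placeholder: an internal resolver
    //
    // "forward first" mode: ask the forwarders first, and fall back to normal
    // recursion through the root hints if they do not answer. Use this only
    // toward a central cache whose operators have agreed to take the load.
    forward first;
    forwarders { 10.0.0.53; };        // placeholder: a consenting central cache
};

// Hints zone. named.ca must contain the real root name servers; listing the
// company's internet-facing DNS here does not work, because that server
// cannot answer authoritatively for the root zone, which is the only thing
// the hints file is used for.
zone "." {
    type hint;
    file "named.ca";
};

// The intranet copy of company.com, answering with the 10.x.x.x addresses.
// The internet-facing server carries a separate copy with the 64.x.x.x data.
zone "company.com" {
    type master;
    file "company.com.internal.zone";
};
```

The named.ca file itself is the standard root hints file that InterNIC publishes as named.root; its entries pair each root server's NS record with its address, for example `.  3600000  NS  A.ROOT-SERVERS.NET.` followed by `A.ROOT-SERVERS.NET.  3600000  A  198.41.0.4`. A quick way to confirm the hints are usable is to query one of the listed addresses for the root NS set and check that the answer comes back with the authoritative-answer flag set; a caching-only server in that slot will answer non-authoritatively or not at all.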
