hint file versus forwarded

Barry Margolin barmar at genuity.net
Thu May 9 22:19:07 UTC 2002


In article <abes1e$b8e8$1 at isrv4.isc.org>,
Kevin Darcy  <kcd at daimlerchrysler.com> wrote:
>
>Armin Safarians wrote:
>
>> Hello all, I have a quick question for you all.
>>
>> We have two levels of DNS: internal and external. Today we forward any
>> queries that are not known by the internal DNS servers to the external
>> DNS servers, and they point to the root servers with the hint file for
>> Internet queries.
>>
>> The question is how that is different/better/worse than having the hint
>> file on the internal server point to the external DNS.
>> Hint file versus forwarders.
>
>When is forwarding *ever* desirable, when direct connectivity is
>available? The same arguments against forwarding apply here as in any
>other context. Search the archives for my previous diatribes against
>forwarding.

I don't think your response is appropriate, since it sounds like his
internal servers don't have direct connectivity.  The firewall only allows
them to connect to the external servers.

So the question is why not put the external servers in the root hints
file.  The root hints file is only used as an initial hint about the root
servers, not as the permanent list.  One of the first things that named
does is send a query to one of those servers, asking it for the current
list of root servers.  If you put your external servers in the hints file,
the internal server will ask the external server for the root servers.  The
external server will reply with the *real* root server list, and the
internal server will then replace the list from the hints file with this
list.  From then on, it won't be able to look up remote names, because the
firewall will block connections to the root servers.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
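The two configurations under discussion, side by side, as an added named.conf example (not from the original thread). The addresses 192.0.2.1 and 192.0.2.2 are placeholders for the external servers, and "external.hints" is a hypothetical file name.

```conf
// --- Weak: make the internal server's root hints point at the external servers.
// named only uses this list to send its priming query (". NS").  The external
// server answers with the real root server list, which replaces this one, and
// every later query to a root server is then blocked by the firewall.
zone "." {
    type hint;
    file "external.hints";   // hypothetical file listing 192.0.2.1 / 192.0.2.2 as roots
};

// --- Better: keep the standard root hints and forward through the firewall hole.
options {
    // "forward only": never fall back to iterative resolution, which the
    // firewall would block anyway.  "forward first" would try the forwarders
    // and then silently time out against the roots, so it is the wrong choice here.
    forward only;
    forwarders {
        192.0.2.1;   // placeholder: first external DNS server
        192.0.2.2;   // placeholder: second external DNS server
    };
};

// Standard root hints, left untouched; with "forward only" the internal
// server never needs to reach these addresses itself.
zone "." {
    type hint;
    file "named.root";
};
```

Only one of the two `zone "."` stanzas belongs in a real config; they are shown together for contrast.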