Internal roots vs Internet roots

Michael E. Hanson MEHanson at GryphonsGate.com
Mon Sep 23 19:15:07 UTC 2002


I don't have a lot of personal experience with internal roots, except in one
area.

If you're using M$ DNS, and you've set an internal root zone, you no longer
have access to set up a forwarder (hey, I'm THE root, why would I want to
forward anything? I know about the "WHOLE" world!).  I don't know how BIND
works in this scenario, so I can't speak to that.

My position has always been that UNLESS you are truly running an Internet
root, OR your LAN NEVER has and NEVER will connect to the Internet, you have
no business setting a root zone.

I suppose you might be able to justify a root zone on an M$ DNS in the
scenario where the M$ DNS is handling an Active Directory sub-zone that's
been delegated to it, and you never want that DNS to talk to the outside
world, but I'm not sure how you would make that function correctly.  An AD
Domain Controller that's handling/serving an AD Integrated DNS Zone needs to
have itself as its primary DNS or users will never be able to "find" the DC
when they try to log in.  I suppose you could cover this with manual entries
for all the SVC resources but that's opening yourself up to more work,
especially in a large and/or dynamic organization.

Anyway, that's my 2 cents worth....
_______________
Michael E. Hanson
President, Gryphon Consulting  Services
(http://www.GryphonsGate.com)
P.O. Box 1151
Bellevue, NE  68005-1151
(402) 871-9622

MEHanson at GryphonsGate.com (primary)
Gryphons_Master at yahoo.com
----- Original Message -----
From: <phn at icke-reklam.ipsec.nu>
Newsgroups: comp.protocols.dns.bind
To: <comp-protocols-dns-bind at isc.org>
Sent: Monday, September 23, 2002 11:20 AM
Subject: Internal roots vs Internet roots


>
> I would like to ask the group about the collective wisdom
> of using internal root-servers within larger organizations
> versus a "transparent with split-dns" scenario.
>
>
> When to use internal roots, when not to. What's the
> biggest problem with either (using Internet roots and
> hidden internal zones demands a massive forwarding ??)
>
>
> Any hints and examples from your networks are welcome.
>
> ( I'm collecting background for a larger corporation and would
> like to broaden my own view)
>
>
>
> Thanks in advance
>
> /PS
>  anyone interested can mail me direct : peter (a t ) ipsec.se ,
> if you want to stay anonymous that's ok with me, I won't
> give out details.
>
> /DS
> --
> Peter Håkanson
>         IPSec  Sverige      ( At Gothenburg Riverside )
>            Sorry about my e-mail address, but I'm trying to keep spam out,
>    remove "icke-reklam" if you feel for mailing me. Thanx.
>
>


