Many A-records

John S. Giltner, Jr. giltjr at earthlink.net
Sun Apr 11 02:45:05 UTC 2004


fih wrote:
> Clarification:
> 
> First of all, we do everything: web hosting, mail routing, server hosting and so
> on, and our customers are always directly connected to us.
> 

They do not use the Internet?

> What I meant in this part of the discussion was that:
> 
> If we have a customer that doesn't see the external DNS namespace from their
> inside. That means they can't resolve external DNS names from their inside
> and only see their own internal DNS zones and most probably have internal
> root nameservers. They will not be able to see the external zones we have
> that we use to provide services for our other customers that can resolve
> external DNS names from their inside. To solve this I have recommended these
> customers to either forward queries about our external zone to a DNS
> provided by us or to slave up our external zone on their internal DNS
> servers. If they do this they will be able to reach our services using the
> same name as everybody else. This will cause all our certificates to
> function and when we decide to change an IP of a server they will see that
> change without doing anything.
> 

If you are providing servers for them, are your host names in their name 
space or yours?  If yours, then they should do what you are asking.  If 
the name is in their namespace, that causes problems.

> I have been asked if it's OK that our customer adds a DNS record in their
> internal namespace pointing out the IP of our service. If they do that our
> service will get a different name since that customer (of course) doesn't have
> the same zone names on their inside as we use for our services. If they do
> that our certificates will not work correctly, when we change an IP they
> won't see it and if the code in our applications includes references to the
> namespace our customer can't see, that application will fail.

If the host name is in their namespace, this is how it should be done. 
If the host name is in your namespace, then this should not be done, 
because they are now creating a "fake" authoritative zone for your namespace.

> 
> Happy Easter!
> 
> Time for another beer!
> 
> fih
> 
> 
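
Added example, not part of the original message or of either poster's configuration: the two approaches recommended in the thread (forward the provider's zone, or slave it), written for the customer's internal BIND server, next to the local-copy approach the reply calls a "fake" authoritative zone. The zone name hosting.example, the address 192.0.2.53 and the file names are constructed placeholders.

```conf
// Customer's internal named.conf (illustrative fragment, assumed names).
// Provider zone: hosting.example    Provider DNS server: 192.0.2.53

// Option 1: forward queries for the provider's zone to the provider.
// "forward only" keeps the server from falling back to iteration from
// the internal roots, which know nothing about this zone.
zone "hosting.example" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};

// Option 2 (instead of option 1, never both for the same zone):
// hold a slave copy of the provider's zone. The provider must permit
// zone transfers to this server (allow-transfer on their side), and
// address changes arrive with the next transfer or NOTIFY.
//
// zone "hosting.example" {
//     type slave;
//     masters { 192.0.2.53; };
//     file "slaves/hosting.example.db";
// };

// What the thread advises against: a locally maintained copy of the
// provider's names. The customer's server then answers authoritatively
// for a zone it does not own, and an address change at the provider is
// never seen here until someone edits the file by hand.
//
// zone "hosting.example" {
//     type master;
//     file "local/hosting.example.db";   // hand-edited, goes stale
// };
```

With either option the customer resolves the same host names as everyone else, so the name in the service's certificate still matches the name the client connects to.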


More information about the bind-users mailing list