forwarding rfc1918 queries, stub zones

Kevin Darcy kcd at daimlerchrysler.com
Mon Feb 2 23:01:24 UTC 2004 

Will Yardley wrote:

>Maybe a FAQ, but what's the simplest way (if you have a split
>caching-only / authoritative setup) to forward queries for rfc1918
>reverse lookups to the authoritative machine? Can I just setup a stub
>zone for 10.in-addr.arpa. and forward all those queries to the
>authoritative nameservers (even if the zones we're running are actually
>more specific)?
>
>Also, what should the "master" of a stub zone be set to - the server
>it's forwarding queries to?
>
Set up a 10.in-addr.arpa on a master. For redundancy, have one or more 
other nameservers be published slaves for the zone. Delegate any 
subzones that are necessary. If you have an internal root architecture, 
you're done at this point. Otherwise, if you're forwarding towards the 
Internet, you'll need to make sure that 10.in-addr.arpa and everything 
underneath it is "redirected" from the regular forwarding path, somehow. 
How to accomplish this "redirection" basically breaks down into two 
general tasks: 1) how does one deal with 10.in-addr.arpa itself, and 2) 
how does one deal with descendant (i.e. child and/or grandchild) zones 
of 10.in-addr.arpa? For #1, you can define 10.in-addr.arpa as a slave, 
stub or "type forward" zone. For #2, you could a) cancel forwarding for 
that whole part of the hierarchy by defining 10.in-addr.arpa as a stub 
or slave with "forwarders { };" (this will force the forwarders to use 
iterative resolution for everything under 10.in-addr.arpa), or b) define 
all of the descendant zones as slave zones (which can be a maintenance 
nightmare, you might not be able to do zone transfers of all of those 
zones, or it would use up too much bandwidth), or c) define 
10.in-addr.arpa itself as a "type forward" zone, pointing to alternate 
forwarders which can resolve all names in that part of the namespace 
(just be sure these alternate forwarders either honor recursion or are 
authoritative for all of the descendant zones as in (b) above).

Hybrid approaches, i.e. some combination of forwarding/stubbing/slaving, 
are also possible....

                                                                         
                                                - Kevin

More information about the bind-users mailing list