Please advice on making external zone visible on inside.

Kevin Darcy kcd at daimlerchrysler.com
Fri May 14 23:14:36 UTC 2004


Fredrik Håkansson wrote:

>On Thu, 13 May 2004 15:26:29 -0400, Barry Margolin wrote:
>
>
>
>>In article <c80g8b$ufj$1 at sf1.isc.org>,
>> Fredrik Hakansson <fredrik at spamme.younix.se> wrote:
>>
>>
>>
>>>Hello good people!
>>>
>>>I have a customer with internal root name-servers. Now they need to be
>>>able to see one of their external DNS zones hosted on their own external
>>>name servers.
>>>
>>>To complicate this further they use the same zones on the inside as on the
>>>outside. They have decided to migrate away from dual copies of the
>>>zone files.
>>>
>>>Let's say they have zone.com on their inside and zone.com on the outside.
>>>They want to start using foo.zone.com on the outside but also see it from
>>>the inside. To solve this without having to double-administer, I have
>>>thought about delegating this sub-zone foo.zone.com from the inside to
>>>their external name servers. One thing I am scared of is what if for some
>>>reason the internal name-servers could learn the NS pointers from the
>>>external zone.com. If this happens chaos will ensue.
>>>
>>>Forwarding is not an option since this is a huge company spread globally
>>>with hundreds of name-servers.
>>>
>>>Has anybody done similar things and have some tips, or are there other ways
>>>of doing this?
>>>
>>>
>>You could have the external nameserver move foo.zone.com into a separate
>>zone, so that the NS records will match the expectations.
>>
>>
>
>Yes, but just the thought that there are NS pointers in the
>external copy of zone.com that must never end up in internal name servers'
>caches makes me scared of doing this. I think that under normal
>circumstances the NS records in the external zone.com file will never end
>up on the inside, since the external name servers should only get questions
>about foo.zone.com.
>
Yes, if you have back-level caching nameservers, this form of cache
poisoning *is* a valid concern. You might be able to kludge around it
somewhat using the "minimal-responses" option of BIND 9, which will
prevent it from putting unnecessary information into responses.
Ultimately, though, I haven't found a good reliable way to deal with
this issue, so I've built parallel-maintenance into all of my DNS update
processes...

                                             - Kevin
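The risk discussed in this thread is that an external server, answering a query it received through the internal delegation of foo.zone.com, also hands back NS or glue records for the parent zone.com in the authority or additional sections, and that an older caching server accepts them. The following is an added example, not code from the thread or from BIND: it shows the bailiwick check that modern caching resolvers apply on the receiving side, which complements setting "minimal-responses" on the sending side. The record tuples and the name ns1.ext.example are constructed for the illustration.

```python
# Bailiwick filter for a delegated zone (added example, not from the thread).
# A record is accepted only if its owner name lies inside the zone that was
# delegated to the server that answered; everything else is dropped before
# it can reach the cache.

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it (case-insensitive)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def filter_response(records, delegated_zone):
    """Split a response's records into (cacheable, dropped).

    `records` is a list of (section, owner, rtype, rdata) tuples. The section
    does not matter: an authority or additional record whose owner is outside
    the delegated zone is out of bailiwick and is never cached.
    """
    keep, dropped = [], []
    for rec in records:
        _section, owner, _rtype, _rdata = rec
        (keep if in_bailiwick(owner, delegated_zone) else dropped).append(rec)
    return keep, dropped


# Constructed response from an external server that hosts both zone.com and
# foo.zone.com, answering an internal query for www.foo.zone.com. Because the
# server is not running with minimal-responses, the parent zone's NS record
# and its glue leak into the authority and additional sections.
SAMPLE_RESPONSE = [
    ("answer",     "www.foo.zone.com.",  "A",  "192.0.2.10"),
    ("authority",  "foo.zone.com.",      "NS", "ns1.ext.example."),
    ("authority",  "zone.com.",          "NS", "ns1.ext.example."),  # parent zone: must be dropped
    ("additional", "ns1.ext.example.",   "A",  "198.51.100.1"),      # glue outside the delegation
]


def leaked_parent_records(records, delegated_zone):
    """Return the owner names that a non-bailiwick-checking cache would have learned."""
    _keep, dropped = filter_response(records, delegated_zone)
    return [owner for _s, owner, _t, _r in dropped]


if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE_RESPONSE, "foo.zone.com")
    print("cached :", [r[1] for r in kept])
    print("dropped:", [r[1] for r in dropped])
```

A resolver that drops the glue for ns1.ext.example must then resolve that name on its own before contacting the server, which is the normal cost of refusing out-of-bailiwick data.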
