Please advise on making external zone visible on inside.

Fredrik Håkansson fredrik at spamme.younix.se
Sat May 15 06:19:28 UTC 2004


On Fri, 14 May 2004 19:14:36 -0400, Kevin Darcy wrote:

> Fredrik Håkansson wrote:
> 
>>On Thu, 13 May 2004 15:26:29 -0400, Barry Margolin wrote:
>>
>>
>>
>>>In article <c80g8b$ufj$1 at sf1.isc.org>,
>>> Fredrik Hakansson <fredrik at spamme.younix.se> wrote:
>>>
>>>
>>>
>>>>Hello good people!
>>>>
>>>>I have a customer with internal root name-servers. Now they need to be
>>>>able to see one of their external DNS zones hosted on their own external
>>>>name servers.
>>>>
>>>>To complicate this further, they use the same zones on the inside as on the
>>>>outside. They have decided to migrate away from dual copies of the
>>>>zone files.
>>>>
>>>>Let's say they have zone.com on their inside and zone.com on the outside.
>>>>They want to start using foo.zone.com on the outside but also see it from
>>>>the inside. To solve this without having to double administer, I have
>>>>thought about delegating this sub zone foo.zone.com from the inside to
>>>>their external name servers. One thing I am scared of is what if for some
>>>>reason the internal name-servers could learn the NS pointers from the
>>>>external zone.com. If this happens chaos will ensue.
>>>>
>>>>Forwarding is not an option since this is a huge company spread globally
>>>>with hundreds of name-servers.
>>>>
>>>>Has anybody done similar things and have some tips, or is there another way
>>>>of doing this?
>>>>
>>>>
>>>You could have the external nameserver move foo.zone.com into a separate
>>>zone, so that the NS records will match the expectations.
>>>
>>>
>>
>>Yes, but just the thought that there are NS pointers in the
>>external copy of zone.com that must never end up in internal name servers'
>>caches makes me scared of doing this. I think that under normal
>>circumstances the NS records in the external zone.com file will never end
>>up on the inside, since the external name servers should only get questions
>>about foo.zone.com.
>>
> Yes, if you have back-level caching nameservers, this form of cache
> poisoning *is* a valid concern. You might be able to kludge around it
> somewhat using the "minimal-responses" option of BIND 9, which will
> prevent it from putting unnecessary information into responses.
> Ultimately, though, I haven't found a good reliable way to deal with
> this issue, so I've built parallel-maintenance into all of my DNS update
> processes...
> 
>                                              - Kevin
Thanks for commenting!
What if we delegate the zone away to another external name-server, and that
server will only have foo.zone.com but not zone.com? It will of course
have external roots. This other server we have will get
recursive queries from stub resolvers, so it will cache the NS pointers I
don't want to end up on the inside. So I guess there is a risk that it
might deliver additional data I don't want on my inside.

More comments are highly appreciated.
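The check that a modern caching resolver applies to the situation discussed in this thread is a bailiwick test: a record returned by the servers for a delegated zone is only admitted to the cache if its owner name is at or below that zone. The script below is an added illustration written for this archive page; it is not code from the bind-users list, from BIND, or from the poster's setup. It models the feared case, the external server answering for foo.zone.com while still carrying the external zone.com NS records and their glue in the authority and additional sections, and shows which records a bailiwick filter keeps and which it discards. The names ns1.zone.com and ns1.foo.zone.com and the 192.0.2.0/24 (TEST-NET-1) addresses are constructed for the example.

```python
"""Bailiwick check for records learned from a delegated zone's servers.

Added example for the discussion above; not code from the bind-users list
or from BIND. The internal resolver asks the external server for
foo.zone.com and must not admit the external zone.com NS records (or their
glue) carried in the authority/additional sections. A bailiwick check
admits a record only if its owner name is at or below the zone the queried
server was delegated for (foo.zone.com). All names and addresses below are
constructed; 192.0.2.0/24 is the TEST-NET-1 range.
"""

from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record as it would appear in a DNS response section."""
    name: str      # owner name
    rtype: str     # "A", "NS", ...
    rdata: str
    section: str   # "answer", "authority" or "additional"


def canonical(name: str) -> str:
    """Lower-case and make absolute (trailing dot) so comparisons are safe."""
    n = name.strip().lower()
    return n if n.endswith(".") else n + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or lies below it (label-wise, not substring).

    "myzone.com." is NOT in the bailiwick of "zone.com.", so the test is
    on ".zone.com." as a suffix, never on "zone.com." alone.
    """
    o, z = canonical(owner), canonical(zone)
    if z == ".":
        return True
    return o == z or o.endswith("." + z)


def filter_response(records: Iterable[RR], bailiwick: str) -> Tuple[List[RR], List[RR]]:
    """Split a response into records safe to cache and records to discard."""
    kept: List[RR] = []
    dropped: List[RR] = []
    for rr in records:
        (kept if in_bailiwick(rr.name, bailiwick) else dropped).append(rr)
    return kept, dropped


def poisoning_ns(records: Iterable[RR], bailiwick: str) -> List[RR]:
    """NS records outside the bailiwick: the pointers that must never reach
    the internal cache."""
    return [rr for rr in records
            if rr.rtype == "NS" and not in_bailiwick(rr.name, bailiwick)]


# Constructed response from the external server to "foo.zone.com. A?", as a
# server that still serves foo.zone.com inside the external zone.com (not as
# a separate zone) might answer: the authority section names the external
# zone.com servers, with their glue in the additional section.
SAMPLE_RESPONSE = [
    RR("foo.zone.com.", "A", "192.0.2.10", "answer"),
    RR("zone.com.", "NS", "ns1.zone.com.", "authority"),          # external parent NS
    RR("foo.zone.com.", "NS", "ns1.foo.zone.com.", "authority"),
    RR("ns1.zone.com.", "A", "192.0.2.53", "additional"),         # glue for parent NS
    RR("ns1.foo.zone.com.", "A", "192.0.2.54", "additional"),
]

DELEGATED_ZONE = "foo.zone.com."


if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE_RESPONSE, DELEGATED_ZONE)
    for rr in kept:
        print("cache  ", rr.section, rr.name, rr.rtype, rr.rdata)
    for rr in dropped:
        print("discard", rr.section, rr.name, rr.rtype, rr.rdata)
```

Run against the constructed response, the filter keeps the foo.zone.com answer, the foo.zone.com NS and its glue, and discards the zone.com NS record together with the ns1.zone.com glue. That is the resolver-side protection; the server-side measures from the thread (a separate foo.zone.com zone on the external server, and "minimal-responses" so the authority and additional sections are not padded) reduce how often such records are sent in the first place.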

