Subnet without delegation

bind at foxengines.net
Wed Apr 13 00:31:15 UTC 2005


Hi,

I am working with a network setup where the network itself is composed of
several class C address spaces all under one single domain.

E.g. The network looks like:
10.0.1.0/24
10.0.2.0/24
10.0.3.0/24
10.0.4.0/24
10.0.5.0/24

And all falls under the domain of foo.bar.

The problem is that I need to set up a DNS server and SMTP server for a
logical subnetwork (in fact, a single class C address space), but we can
not subnet/subdomain the address space. Furthermore, although I need
independent DNS and SMTP for 10.0.3.0/24, there are many important
machines in the other subnets that users on my subnet will need to
access periodically.
The reason that I want to do this is because the network stability in this
organization is such that the uplinks that connect my address space to
the rest of the organization will periodically disappear. It's not a
problem for the users on my subnet since they roll their eyes and mutter
something about our upstream IT staff, however the servers that we run
(over 70 currently and another 35 are on their way) get rather annoyed
when DNS and SMTP vanish for extended periods.

What's more, the IT staff of this organization will not allow me to do
zone transfers from their DNS systems, and even if they did, the DNS
transfers would describe MX records and NS records that I am trying to
avoid, specifically the MX and NS records we get from them would point at
*their* nameservers and smtp servers. Defeating the purpose.

So my question...
Is it possible for me to set up my DNS server so that it is authoritative
for only part of its domain and another server can be used to fill in the
gaps? Can this also apply to MX records?

If I set up a master record with such as...

foo.bar. IN SOA substitute.foo.bar. whatever.foo.bar. (
					blah
					blah
					blah);

; NS and MX targets must be hostnames, not addresses; the A records below supply the glue
foo.bar.                86400    IN    NS     names.foo.bar.
foo.bar.                86400    IN    MX     10 mailer.foo.bar.
names.foo.bar.          86400    IN    A      10.0.3.2
mailer.foo.bar.         86400    IN    A      10.0.3.3
speedy.foo.bar.         86400    IN    A      10.0.3.67
pokey.foo.bar.          86400    IN    A      10.0.3.223

Pokey and Speedy both use names.foo.bar in their resolv.conf. I would also
like both of them to route all of their smtp traffic through
mailer.foo.bar.
(FWIW, names.foo.bar has the upstream DNS servers in its resolv.conf so
it can access the upstream mailservers, dns, etc.)

If I am on pokey and I query for speedy's IP address it returns it
correctly. However, if I query for a valid hostname that is outside of
this logical subnet (say, on 10.0.1 subnet), it can never find it because
the authoritative nameserver in this case, names.foo.bar, doesn't know
about anything that isn't in its database.
I have tried a number of different combinations of named options to no
avail. I have not been able to convince names.foo.bar to turn around and ask
the upstream servers if they happen to know anything about these other
hostnames that the client apparently thinks are part of the domain.

In DNS and BIND 3rd edition by Paul Albitz and Cricket Liu, there is some
talk about conditional forwarding (p.394) but as I read the BIND9
Administrator's Reference Manual, it is unclear to me whether or not this
sort of functionality was implemented.

A hack alternative that I came up with was to write a simple script that I
can use to generate a named.conf and ~200 forward zone files and ~200
reverse zone files, each file mapping a separate IP address and
hostname. This gives me very similar functionality because the local
nameserver can be authoritative for each host that it has a zone file
for. Anything outside of this it asks the upstream DNS for.
I know this sounds kind of nuts, but this is easy for me because of the
script. The problem that I have is that I don't understand how to roll the
MX record in. Since each zone file declares authority over a single
fully qualified host name, putting an MX record in there will only
re-route mail to the local server if it happened to be addressed for
one of the hosts. That is, mail to joe at pokey.foo.bar
would get routed to mailer.foo.bar if the originating machine was using
names.foo.bar. However, since the organization uses one single flat domain
space there are no emails for any users that are directed at a specific
machine. Instead all of the emails look like: joe at foo.bar. If the mx
record is for the domain and not for the host, then BIND will complain
about out-of-zone data and ignore it.
Finally, if I create a zone file that claims authority for the domain but
only has the MX record in it (to go with my 445 other FQDN zone
files), then bang, the rest of the domain that is outside of my little
Class C world is no longer accessible.

Can anyone point me in the right direction for how to deal with both of
these issues? How to only be authoritative for some of the addresses in a
domain without splitting the domain into subdomains and *still* be
able to use another DNS to fill in the rest of the domain? And how to
add/deal with MX records in this case?

Thanks,
Rich.
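The per-host zone generator the post describes, written out as an added example (not the poster's script and not part of the original message): one forward and one reverse zone per FQDN, with everything else forwarded to the upstream resolvers. The host list, the upstream address 10.0.1.53 and the hostmaster contact are constructed placeholders; a domain-level MX for foo.bar is deliberately absent, because it cannot live in these per-host zones.

```python
# Constructed inputs: the local hosts this server should answer for, the
# assumed upstream resolver, and the local nameserver from the post.
HOSTS = {"speedy.foo.bar": "10.0.3.67", "pokey.foo.bar": "10.0.3.223"}
UPSTREAM = ["10.0.1.53"]           # assumed upstream DNS address
NS_HOST = "names.foo.bar"


def reverse_name(ip):
    """10.0.3.67 -> 67.3.0.10.in-addr.arpa (one reverse zone per address)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def soa(owner):
    # Every tiny zone needs its own SOA and NS apex; serial is constructed.
    return (f"$TTL 86400\n"
            f"{owner}. IN SOA {NS_HOST}. hostmaster.foo.bar. "
            "( 2005041301 3600 900 604800 86400 )\n"
            f"{owner}. IN NS {NS_HOST}.\n")


def forward_zone(host, ip):
    # Zone apex is the FQDN itself, so the server is authoritative for
    # exactly this one name and nothing else under foo.bar.
    return soa(host) + f"{host}. IN A {ip}\n"


def reverse_zone(host, ip):
    arpa = reverse_name(ip)
    return soa(arpa) + f"{arpa}. IN PTR {host}.\n"


def named_conf(hosts, upstream):
    # Names not covered by a local zone are forwarded upstream; "forward
    # only" keeps this server from trying to recurse on its own when the
    # uplink is present but upstream answers are what the site expects.
    lines = ["options {",
             '    directory "/var/named";',
             "    forwarders { " + " ".join(f"{u};" for u in upstream) + " };",
             "    forward only;",
             "};"]
    for host, ip in hosts.items():
        for zone in (host, reverse_name(ip)):
            lines += [f'zone "{zone}" {{',
                      "    type master;",
                      f'    file "{zone}.zone";',
                      "};"]
    return "\n".join(lines) + "\n"


def render_all(hosts=HOSTS, upstream=UPSTREAM):
    """Return {filename: contents} for named.conf and every zone file."""
    files = {"named.conf": named_conf(hosts, upstream)}
    for host, ip in hosts.items():
        files[f"{host}.zone"] = forward_zone(host, ip)
        files[f"{reverse_name(ip)}.zone"] = reverse_zone(host, ip)
    return files
```

Writing the returned dictionary to the named directory gives the ~2N zone files plus the matching named.conf in one pass.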