Split DNS and use of include Statements

Martin McCormick martin at dc.cis.okstate.edu
Mon Apr 25 16:29:20 UTC 2005


	Our site was exploring views a couple of years ago and I went
through many of the same mental quandaries.  I had the AHA! moment,
the same sort of elation that probably drove Archimedes to run naked
into the streets shouting "eureka!" when I thought of using an include
to join the public database file to the private file, and then I
realized that we use DDNS extensively on the public side, so that
wasn't going to work after all.

	Fortunately, my exuberance wasn't as demonstrable as
Archimedes', so I didn't have to stop in mid-shout and quietly slink
back inside before being picked up by the folks in white coats.

	Includes are one of a long list of brilliant mechanisms in
bind that make life better for us.  If your site supports Microsoft
Active Directory for Windows 2003, you've got seven zones for each AD
domain.  That's the ad.domain.tld, _msdcs.ad.domain.tld, etc. zones.
You can put your list of AD controllers in a snippet of a file called
ad.domain.controllers and use an include in each zone to make sure you
get the whole list.  Later, if somebody needs you to add or remove a
controller, you only have to modify that snippet and you get all 7
changed.  In named.conf are lines like:

include "./etc/addomain.midlev.zones";

addomain.midlev.zones is a block of lines that could just as easily
reside as one of the zones defined in named.conf, except that it is
enough lines to define the seven AD zones.  One of the zones follows
the format:

zone "_msdcs.addomain.midlev.tld" {
	type master;
	file "_msdcs.addomain.zone";
	include "./etc/addomain.midlev.controllers";
	include "./etc/scnotify";
	notify yes;
	allow-query { any; };
};

include "./etc/scnotify";

is a syntactically correct also-notify block.

include "./etc/addomain.midlev.controllers";

reads a file whose contents are:

allow-update {
	key shsh_dont_tell;
	192.168.2.1;
	192.168.2.2;
};

	Note the ./etc path.  If you are running bind in a chroot
jail, /var/named is the top of the tree and that path ensures no
ambiguity.  If you reference anything not in the /var/named tree, it
might as well not exist to the running bind process, so keep that in
mind if you are still a bit new to all this.
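The two points above (one shared snippet pulled into several zone statements, and include paths that must resolve inside the chroot tree) can be checked before named ever starts. The following script is an added example and is not from this post or from BIND; it expands `include` directives the way the running process would see them and reports any reference that does not exist inside the jail. The file contents, the 192.0.2.x addresses and the key name EXAMPLE-KEY-NAME are constructed placeholders, and it assumes named's working directory is the jail root (the /var/named of the text), so "./etc/x" and "/etc/x" both map to the same file inside the jail.

```python
"""Expand named.conf include directives inside a simulated chroot tree.

Added example, not code from the original post or from BIND. The mini
filesystem below is constructed to mirror the structure described in the
text; addresses and the TSIG key name are placeholders.
"""
import posixpath
import re

# One include directive on a line of its own: include "path";
INCLUDE_RE = re.compile(r'^[ \t]*include\s+"([^"]+)"\s*;[ \t]*$', re.MULTILINE)

# Constructed jail: key = path relative to the chroot root (/var/named on
# the host), value = file contents as the running named would read them.
JAIL = {
    "etc/named.conf": 'include "./etc/addomain.midlev.zones";\n',
    "etc/addomain.midlev.zones": (
        'zone "_msdcs.addomain.midlev.tld" {\n'
        '\ttype master;\n'
        '\tfile "_msdcs.addomain.zone";\n'
        '\tinclude "./etc/addomain.midlev.controllers";\n'
        '\tinclude "./etc/scnotify";\n'
        '\tnotify yes;\n'
        '\tallow-query { any; };\n'
        '};\n'
        # Written with the host's /etc in mind; inside the jail this file
        # does not exist, so named would fail to load it.
        'include "/etc/named.acls";\n'
    ),
    "etc/addomain.midlev.controllers": (
        'allow-update {\n'
        '\tkey EXAMPLE-KEY-NAME;\n'   # placeholder key name
        '\t192.0.2.1;\n'              # placeholder controller addresses
        '\t192.0.2.2;\n'
        '};\n'
    ),
    "etc/scnotify": 'also-notify { 192.0.2.53; };\n',
}


def resolve(path, cwd="/"):
    """Map an include path to the jail-relative file the process would open.

    Assumption: named's working directory is the jail root, so a relative
    "./etc/x" and an absolute "/etc/x" both land on the same jail file.
    """
    full = path if path.startswith("/") else posixpath.join(cwd, path)
    return posixpath.normpath(full).lstrip("/")


def expand(path, fs=JAIL, stack=None, problems=None):
    """Inline every include recursively; return (expanded_text, problems).

    `stack` holds the includes currently being expanded so a genuine cycle
    is caught, while the same snippet may still appear in several zones.
    """
    stack = set() if stack is None else stack
    problems = [] if problems is None else problems
    key = resolve(path)
    if key in stack:
        problems.append(f"include cycle through {path!r}")
        return "", problems
    if key not in fs:
        problems.append(f"{path!r} resolves to <jail>/{key}, which does not exist")
        return "", problems
    stack.add(key)

    def inline(match):
        text, _ = expand(match.group(1), fs, stack, problems)
        return text.rstrip("\n")

    expanded = INCLUDE_RE.sub(inline, fs[key])
    stack.discard(key)
    return expanded, problems


def allow_update_members(text):
    """List the entries of the first allow-update block in expanded text."""
    block = re.search(r"allow-update\s*\{([^}]*)\}", text)
    if not block:
        return []
    return [entry.strip() for entry in block.group(1).split(";") if entry.strip()]


if __name__ == "__main__":
    text, problems = expand("./etc/named.conf")
    print(text)
    print("allow-update members:", allow_update_members(text))
    for p in problems:
        print("PROBLEM:", p)
```

Running it prints the fully expanded zone statement with the controller list and the also-notify block inlined, followed by one problem line for the "/etc/named.acls" reference that only exists on the host, not in the jail.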


Martin McCormick WB5AGZ  Stillwater, OK 
OSU Information Technology Division Network Operations Group

Back on April 8, Kevin Darcy wrote:
>I stand corrected. The "shared include file" trick can be used to 
>duplicate the same data across nameserver instances or views, and thus 
>reduce the maintenance burden. I keep forgetting this trick, since we 
>use Dynamic Update for everything and therefore can't "include" zonefiles...
>
>- Kevin