Partial domain nameserver and forwarder, [was Special-case resolution]

Jeff Hardy hardyjm at potsdam.edu
Thu Jul 28 15:04:11 UTC 2005


Phrased differently: is it possible to set up two nameservers, each
knowing only part of a domain, in such a way that nameserver1 would know
that anything it cannot resolve should be referred to nameserver2.  And
vice-versa I suppose.  I do not mean by delegation to a subdomain, but
two authoritative nameservers for example.com, each with half the
records.
On Tue, 2005-07-26 at 14:14 -0400, Jeff Hardy wrote:
> Obviously I had trouble coming up with a subject :)  I am trying to
> create a nameserver on localbox that can answer requests for
> example.com, but also have the ability to answer some requests for hosts
> in that zone differently out of a local zone file.
> 
> With BIND 9.2.x, the only way I could think to accomplish this was to
> use multiple views.  The first thing I tried on localbox (somewhat
> successfully) was to have an "internal" view matching clients on my
> subnet, containing a zone of type master for example.com.  Then an
> "external" view with match-clients set to "none" that was a slave for
> example.com, pointing to our domain's primary master.  The zone file in
> the internal view was nothing more than a few A records for these
> special resolution cases, and a $INCLUDE statement pointing to the
> entire correct zone I had pulled in as a master.
> 
> In named.conf:
> 
> view "internal" {
>         // "trusted" is an acl defined elsewhere in named.conf (not shown)
>         match-clients { "trusted"; };
> 
>         // full copy of the zone plus the special-case records
>         zone "example.com" {
>                 type master;
>                 file "masters/db.example.com";
>         };
> };
> 
> view "external" {
>         // matches no clients; exists only to pull the real zone in via AXFR
>         match-clients { "none"; };
> 
>         zone "example.com" {
>                 type slave;
>                 file "slaves/db.example.com";
>                 masters { 192.168.1.1; };
>         };
> };
> 
> 
> In masters/db.example.com:
> 
> $INCLUDE slaves/db.example.com		;gets the SOA from slave zone
> $ORIGIN example.com.
> host1                  A       192.168.0.1
> host2                  A       192.168.0.2
> host3                  A       192.168.0.3
> 
> 
> This works, but the drawback is that if the same hostname is specified
> in my little zone file here with a different address, the host resolves
> to multiple addresses.
> 
> The natural thought would be to use some kind of forwarding facility,
> but this does not work because this server is authoritative for
> example.com, and requests are only forwarded from a nameserver when it
> is not authoritative for a domain.  Also there doesn't seem to be a way
> to mix and match local zone data with a zone that does forwarding.
> 
> I also tried creating two views with identical match-clients ACLs, but
> pointing to different files.  This doesn't work either.
> 
> Essentially, the scenario I thought of was a little administrator's
> shell box running a nameserver doing this kind of stuff, firewalled off
> from the world (and most of the subnet), that allowed for special-case
> resolution within the same domain for a subnet full of administrative
> interfaces on electronics, servers, and so forth.
> 
> I know there are multiple approaches to allow for this, including a
> separate nameserver, delegating to a new zone, etc.  However it seems to
> me that this is a nifty approach and should be doable.  Am I overlooking
> something?  Thanks.
> 
> 
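
The drawback described in the quoted message (a host named in both the $INCLUDEd slave copy and the local zone file answers with both addresses) goes away if the internal view's master file is generated rather than assembled with $INCLUDE: copy the transferred zone through, drop every record whose owner and type also appear in the override file, then append the overrides. The script below is an added example, not code from the original post or from BIND. Its zone data is constructed; it assumes the override records are written relative to the zone apex and that the zone uses plain zone-file syntax only (no $INCLUDE or $GENERATE, no ';' or '(' inside quoted strings). It would be rerun whenever the slave copy changes, followed by an rndc reload; it reuses the SOA serial of the transferred copy, which is fine for a master that has no slaves of its own.

```python
"""Build the "internal" view's master zone file from a full copy of the zone
plus a few local override records, replacing (rather than appending) records
for hosts present in both.  Added example, not code from the original post:
the zone data is constructed and only plain zone-file syntax is handled."""
from dataclasses import dataclass
from typing import List, Optional

RR_TYPES = {"A", "AAAA", "NS", "SOA", "MX", "CNAME", "TXT", "PTR", "SRV"}


@dataclass
class Entry:
    text: str             # record or directive as written, comments removed
    owner: Optional[str]  # absolute lower-cased owner; None for directives
    rtype: Optional[str]  # RR type; None for directives
    inherited: bool       # owner came from the previous record (line began with blanks)
    raw_owner: str        # owner token as written, used to re-anchor inherited records


def _fqdn(owner, origin):
    """Normalise an owner name as written to an absolute, lower-cased name."""
    if owner == "@":
        return origin.lower()
    return owner.lower() if owner.endswith(".") else f"{owner}.{origin}".lower()


def _records(text, origin):
    """Yield one Entry per directive or resource record, joining parenthesised
    multi-line records (such as the SOA) into a single entry."""
    buf, depth, prev_owner = [], 0, "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        record, buf = "\n".join(buf), []
        tokens = record.split()
        if tokens[0].startswith("$"):             # $ORIGIN / $TTL directive
            if tokens[0].upper() == "$ORIGIN":
                origin = tokens[1]
            yield Entry(record, None, None, False, "")
            continue
        inherited = record[0].isspace()
        owner = prev_owner if inherited else tokens.pop(0)
        prev_owner = owner
        # TTL and class tokens never collide with RR type names, so the first match is the type
        rtype = next((t.upper() for t in tokens if t.upper() in RR_TYPES), None)
        yield Entry(record, _fqdn(owner, origin), rtype, inherited, owner)


def merge_zone(base_text, overrides_text, origin):
    """Return (merged zone text, dropped base records).  A base record is dropped
    when an override exists for the same (owner, type), so the local address is
    served alone rather than alongside the real one as a plain $INCLUDE does."""
    overrides = list(_records(overrides_text, origin))
    keys = {(e.owner, e.rtype) for e in overrides if e.rtype}
    out, dropped, last_dropped = [], [], False
    for e in _records(base_text, origin):
        if e.rtype and (e.owner, e.rtype) in keys:
            dropped.append(e.text)
            last_dropped = True
            continue
        text = e.text
        if e.inherited and last_dropped:          # its owner line is gone: make the owner explicit
            text = e.raw_owner + text
        out.append(text)
        last_dropped = False
    out.append(f"$ORIGIN {origin}")               # overrides are written relative to the apex
    out.append("; --- local overrides ---")
    out.extend(e.text for e in overrides)
    return "\n".join(out) + "\n", dropped


def a_records(zone_text, name, origin):
    """Addresses of the A records owned by `name` (used to check the result)."""
    want = _fqdn(name, origin)
    return [e.text.split()[-1] for e in _records(zone_text, origin)
            if e.rtype == "A" and e.owner == want]


# Constructed sample data: the zone as transferred from the primary master ...
BASE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. (
                2005072801 ; serial
                3600 900 604800 86400 )
        IN NS   ns1.example.com.
ns1     IN A    203.0.113.10
host1   IN A    203.0.113.1
        IN TXT  "admin interface"
host2   IN A    203.0.113.2
host4   IN A    203.0.113.4
"""

# ... and the local special-case records for the admin subnet (constructed).
OVERRIDES = """\
host1                  A       192.168.0.1
host2                  A       192.168.0.2
host3                  A       192.168.0.3
"""

if __name__ == "__main__":
    merged, dropped = merge_zone(BASE_ZONE, OVERRIDES, "example.com.")
    print(merged + "; dropped from base: " + repr(dropped))
```

Records that inherited their owner from a dropped line (the TXT record under host1 above) are re-emitted with an explicit owner, otherwise they would silently attach to whatever record precedes them in the generated file.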


