Partial domain nameserver and forwarder, [was Special-case resolution]
Jeff Hardy
hardyjm at potsdam.edu
Thu Jul 28 15:04:11 UTC 2005
Phrased differently: is it possible to set up two nameservers, each
knowing only part of a domain, in such a way that nameserver1 would know
that anything it cannot resolve should be referred to nameserver2. And
vice-versa I suppose. I do not mean by delegation to a subdomain, but
two authoritative nameservers for example.com, each with half the
records.
On Tue, 2005-07-26 at 14:14 -0400, Jeff Hardy wrote:
> Obviously I had trouble coming up with a subject:) I am trying to
> create a nameserver on localbox that can answer requests for
> example.com, but also have the ability to answer some requests for hosts
> in that zone differently out of a local zone file.
>
> With Bind 9.2.x, the only way I could think to accomplish this was to
> use multiple views. The first thing I tried on localbox (somewhat
> successfully) was to have an "internal" view matching clients on my
> subnet, containing a zone of type master for example.com. Then an
> "external" view with match-clients set to "none" that was a slave for
> example.com, pointing to our domain's primary master. The zone file in
> the internal view was nothing more than a few A records for these
> special resolution cases, and an INCLUDE statement pointing to the
> entire correct zone I had pulled in as a master.
>
> In named.conf:
>
> view "internal" {
>     match-clients { "trusted"; };
>
>     zone "example.com" {
>         type master;
>         file "masters/db.example.com";
>     };
> };
>
> view "external" {
>     match-clients { "none"; };
>
>     zone "example.com" {
>         type slave;
>         file "slaves/db.example.com";
>         masters { 192.168.1.1; };
>     };
> };
>
>
> In masters/db.example.com:
>
> $INCLUDE slaves/db.example.com ;gets the SOA from slave zone
> $ORIGIN example.com.
> host1 A 192.168.0.1
> host2 A 192.168.0.2
> host3 A 192.168.0.3
>
>
> This works, but the drawback is that if the same hostname is specified
> in my little zone file here with a different address, the host resolves
> to multiple addresses.
>
> The natural thought would be to use some kind of forwarding facility,
> but this does not work because this server is authoritative for
> example.com, and requests are only forwarded from a nameserver when it
> is not authoritative for a domain. Also there doesn't seem to be a way
> to mix and match local zone data with a zone that does forwarding.
>
> I also tried creating two views with identical match-clients acls, but
> pointing to different files. This doesn't work either.
>
> Essentially, the scenario I thought of was a little administrator's
> shell box running a nameserver doing this kind of stuff, firewalled off
> from the world (and most of the subnet), that allowed for special-case
> resolution within the same domain for a subnet full of administrative
> interfaces on electronics, servers, and so forth.
>
> I know there are multiple approaches to allow for this, including a
> separate nameserver, delegating to a new zone, etc. However it seems to
> me that this is a nifty approach and should be doable. Am I overlooking
> something? Thanks.
>
>
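As an added example (not from the post, and not BIND's own tooling), here is a small Python check for the duplicate-hostname drawback described above: it follows $INCLUDE the way named would and reports any owner name that receives A records from both the override file and the included slave file, since BIND serves the merged RRset rather than letting the local file win. The two zone files are constructed samples; the hostnames and addresses are assumptions.

```python
"""Find hostnames that get A records from more than one file in an $INCLUDE chain."""
from collections import defaultdict

# Constructed sample files mirroring the layout in the post (not real zone data).
FILES = {
    "slaves/db.example.com": """\
$ORIGIN example.com.
@     IN SOA ns1.example.com. hostmaster.example.com. (2005072801 3600 900 604800 300)
@     IN NS  ns1.example.com.
ns1   IN A   192.168.1.1
host2 IN A   10.0.0.2
www   IN A   10.0.0.80
""",
    "masters/db.example.com": """\
$INCLUDE slaves/db.example.com ;gets the SOA from slave zone
$ORIGIN example.com.
host1 A 192.168.0.1
host2 A 192.168.0.2
host3 A 192.168.0.3
""",
}


def a_records(path, files, origin="", depth=0):
    """Yield (owner, address, source_file) for each A record, following $INCLUDE."""
    if depth > 8:
        raise RecursionError("too many nested $INCLUDE directives")
    last_owner = ""
    for raw in files[path].splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$INCLUDE":                # optional third field overrides origin
            inc_origin = tokens[2] if len(tokens) > 2 else origin
            yield from a_records(tokens[1], files, inc_origin, depth + 1)
            continue
        # A leading blank owner field means "same owner as the previous record".
        owner = last_owner if raw[0].isspace() else tokens[0]
        last_owner = owner
        if len(tokens) >= 3 and tokens[-2] == "A":
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
            yield owner.lower(), tokens[-1], path


def find_collisions(master_path, files):
    """Return {name: {file: [addresses]}} for names with A records in 2+ files."""
    seen = defaultdict(lambda: defaultdict(list))
    for owner, addr, src in a_records(master_path, files):
        seen[owner][src].append(addr)
    return {n: dict(s) for n, s in seen.items() if len(s) > 1}
```

Run `find_collisions("masters/db.example.com", FILES)` before reloading named; every name it returns will answer with both addresses, which is exactly the behaviour the post wants to avoid.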