Splitting from a subdomain

Barry Margolin barmar at alum.mit.edu
Sat Sep 17 05:48:10 UTC 2005


In article <dgg4kl$2lr0$1 at sf1.isc.org>,
 "Yanagisawa Koji" <koji_yanagisawa at hotmail.com> wrote:

> (Sorry the previous posting didn't have subject.)
> 
> Hello,
> 
> After setting up split DNS on bind 9.3.1, it doesn't seem to be behaving 
> the way I'd hoped.  Allow me to explain the situation, hopefully someone 
> can shed some light.
> 
> Let's say there's a domain named: parent.ac.jp
> Our server is responsible for a subdomain of this domain, let's say: 
> child.parent.ac.jp
> 
> I want child.parent.ac.jp to be split.  Telling a certain group of hosts 
> one thing and telling everybody else something else.  The server is not 
> multi-homed or anything, sitting right there on the Internet.
> 
> Here's the basic named.conf as it stands now.
> 
> # BEGIN
> options {
>    directory "/etc/namedb";
> };
> 
> acl "my-ppl" { xxx.yyy.zzz.0/24; };
> 
> view "internal" {
>    match-clients { "my-ppl"; };
>    zone "child.parent.ac.jp" {
>        type master;
>        file "master/child-internal";
>    };
> };
> 
> view "external" {
>    match-clients { any; };
>    zone "child.parent.ac.jp" {
>        type master;
>        file "master/child";
>    };
> };
> # END
> 
> No error messages, named happily starts.
> 
> In master/child-internal, I created a test A record, 
> bogus.child.parent.ac.jp, and this record never existed in the past.
> 
> The name servers in the SOA for parent.ac.jp are included in the my-ppl acl, and I 
> can't have them otherwise, since it's out of my jurisdiction.
> 
> I'd expect anyone not listed in my-ppl will not resolve 
> bogus.child.parent.ac.jp, but they all do!  Granted, when I nslookup from 
> home (which is not part of my-ppl acl) using child.parent.ac.jp name 
> server, I can't resolve bogus.child.parent.ac.jp.  But as soon as I switch 
> back to my ISP's name server or any other, I start resolving it.  I don't 
> like that.
> 
> I'm somewhat convinced that it may be the parent.ac.jp name servers 
> resolving bogus.child.parent.ac.jp for everybody outside of my-ppl, since 
> the parent.ac.jp name servers are included in my-ppl acl.  No I can't 
> exclude these name servers from the my-ppl acl, for there are those in my-ppl 
> that use some other name servers also in my-ppl that may depend on them to 
> resolve parent.ac.jp and below, and I need them to know about 
> bogus.child.parent.ac.jp.  It's a very large community.  In short, I want 
> everybody in parent.ac.jp (assuming they use name servers included in the my-ppl acl) 
> to know about bogus.child.parent.ac.jp, but nobody outside.
> 
> One of the parent.ac.jp name servers slaves for child.parent.ac.jp.

That's the problem.  When it transfers the zone, it gets the internal 
version.  Since it doesn't have views configured, it allows anyone to 
resolve the names in this zone.

> 
> The assumption that parent.ac.jp name servers are resolving 
> bogus.child.parent.ac.jp for those coming from outside recursively is just 
> my assumption.  But if that's the case, is there a way out of this?  I'm 
> hoping that it's some directive I can just put in the view statement...

The solution is to *not* make the parent zone servers be slaves for the 
child zone.  Or they have to have zones configured, so that they know 
about the internal and external versions of the child zone.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
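An added example, not from either poster: a rewrite of the primary's named.conf that keeps the parent.ac.jp secondary on the external version of the zone even though its address sits inside the my-ppl ACL. It covers the second option above (the parent keeps slaving the zone, but only ever receives the external data) by selecting the view for zone transfers with a TSIG key rather than by source address. The key names, the two secrets, the 192.0.2.0/24 range standing in for xxx.yyy.zzz.0/24, and the 203.0.113.10 address of the primary used in the usage note are all placeholders.

```conf
# Added example (not the original poster's config): primary for child.parent.ac.jp.
# Views are tried in the order written and the first match-clients that matches wins,
# so a transfer request signed with the external key is excluded from the internal
# view explicitly, even when it arrives from a my-ppl address (as the parent's does).
options {
    directory "/etc/namedb";
};

# Placeholder secrets; generate real ones with `tsig-keygen <name>` (BIND 9.x).
# hmac-sha256 needs BIND 9.4 or later; on 9.3.x the only choice is hmac-md5.
key "internal-xfer" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWludGVybmFsLWV4YW1wbGU=";   # placeholder, not a real key
};

key "external-xfer" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWV4dGVybmFsLWV4YW1wbGU=";   # placeholder, not a real key
};

acl "my-ppl" { 192.0.2.0/24; };   # placeholder for the real xxx.yyy.zzz.0/24

view "internal" {
    # Anything signed with the external key is sent on to the next view, no
    # matter where it comes from; internal-key requests and my-ppl addresses stay.
    match-clients { !key external-xfer; key internal-xfer; "my-ppl"; };
    zone "child.parent.ac.jp" {
        type master;
        file "master/child-internal";
        # Only a secondary that signs with the internal key may pull this version.
        allow-transfer { key internal-xfer; };
    };
};

view "external" {
    match-clients { key external-xfer; any; };
    zone "child.parent.ac.jp" {
        type master;
        file "master/child";
        # Unsigned transfer requests are refused; the parent's secondary must sign.
        allow-transfer { key external-xfer; };
    };
};
```

On the parent.ac.jp secondary the same `key "external-xfer"` statement is added, plus `server 203.0.113.10 { keys { external-xfer; }; };` (the child primary's address) so that its AXFR/IXFR requests are signed with that key; no view configuration is needed there, because it only ever holds the external data. After the secondary has re-transferred the zone, `dig @<parent name server> bogus.child.parent.ac.jp A` from a host outside my-ppl should return NXDOMAIN, while the same query against the child primary from inside my-ppl still returns the record. If the parent's administrators cannot add the key, the first option above (dropping the slave zone from their servers) is the only safe one, since an unsigned secondary in my-ppl would otherwise keep pulling the internal file.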