subdomain/split dns question

Kevin Darcy kcd at chrysler.com
Fri Oct 12 17:14:17 UTC 2007


Chris Rizzo wrote:
> The interesting thing about this, is that what you have below will work, if
> I point to a name server that is allowed to do recursion (only my internal
> dns servers are allowed to do recursion against this server). If I point my
> host directly to the server (acting as any Internet based client or dns
> server on the Internet), I get the following...."Served by:" and then a list
> of the name servers authoritative for the subdomain. 

Yes, that's how nslookup represents a referral response, what you'd 
typically get from a non-recursive nameserver or a nameserver that is 
not honoring recursion for you. Iterative resolvers can handle such 
responses. You shouldn't point a *stub* resolver at a nameserver that 
doesn't provide recursion. If you have "exception" clients in the 
Internet address space that need recursion, you'll need to add their 
addresses or address ranges to your "internal" view, have a separate 
(third) view, or go back to the drawing board on your design.

                                                                         
                                 - Kevin

> It looks like it only
> works with recursion, which I don't want.
> On 10/11/07, Kevin Darcy <kcd at chrysler.com> wrote:
>
>> Chris Rizzo wrote:
>>> I have begun the process of creating a split external/internal dns setup. I
>>> am using bind views so that internal users can see the full zone list, but
>>> external users only see the Internet routable addresses. It seems to be
>>> working except for one small issue....I have a subdomain that is delegated
>>> out to my load balancing devices, i.e. global.company.com - the load
>>> balancers are running bind, and are authoritative, for the global subdomain.
>>> When a user queries www.company.com, it is actually an alias to
>>> www.global.company.com. It looks like the only way that I can get this to
>>> work is to turn on recursion for the external view, but would rather not. Is
>>> there some way to do this that I'm missing??? I tried forwarders and stub
>>> zones but nothing seems to work....Thanks for any help....
>>>
>> It'll work as is, but only because resolvers are persistent:
>> 1) they'll query the company.com nameservers for www.company.com and get
>> back only the CNAME record,
>> 2) they'll turn around and query the alias target
>> (www.global.company.com), which may entail talking, coincidentally,
>> again to the same company.com nameservers, which will give them a
>> referral for global.company.com
>> 3) they'll get the A records for www.global.company.com from the
>> global.company.com nameservers
>> 4) they'll merge both the CNAME and A records into the response and pass
>> it back to the end-user client
>>
>>
>>                        - Kevin
>>
>   
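
The four resolution steps and the stub-resolver caveat discussed in this thread, as a small simulation added here for illustration (not code from the thread or from BIND). The server names `ns.company.com` and `lb1.company.com`, the address `192.0.2.10`, and restarting at the parent server for the alias target are assumptions made for the example.

```python
# Constructed zone data: names follow the thread, the address is documentation-range.
SERVERS = {
    "ns.company.com": {          # hypothetical external-view server, recursion off
        "records": {"www.company.com": ("CNAME", "www.global.company.com")},
        "delegations": {"global.company.com": ["lb1.company.com"]},
    },
    "lb1.company.com": {         # hypothetical load balancer, authoritative for the subdomain
        "records": {"www.global.company.com": ("A", "192.0.2.10")},
        "delegations": {},
    },
}

def authoritative_query(server, qname):
    """Answer like a non-recursive server: own data or a referral, never a chase."""
    zone = SERVERS[server]
    if qname in zone["records"]:
        return ("answer", zone["records"][qname])
    for child, nameservers in zone["delegations"].items():
        if qname == child or qname.endswith("." + child):
            return ("referral", nameservers)
    return ("nxdomain", None)

def iterative_resolve(qname, start="ns.company.com", max_steps=8):
    """Chase CNAMEs and referrals the way an iterative resolver does."""
    chain, trace, server = [], [], start
    for _ in range(max_steps):               # bound the chase so loops terminate
        kind, data = authoritative_query(server, qname)
        trace.append((server, qname, kind))
        if kind == "referral":
            server = data[0]                 # step 3: ask the delegated servers
        elif kind == "answer":
            chain.append((qname, *data))
            if data[0] != "CNAME":
                return chain, trace          # step 4: CNAME and A merged
            qname, server = data[1], start   # step 2: re-query for the alias target
        else:
            break
    return chain, trace

def stub_resolve(qname, server="ns.company.com"):
    """A stub resolver sends one query and cannot follow a referral."""
    kind, data = authoritative_query(server, qname)
    return [(qname, *data)] if kind == "answer" else []

if __name__ == "__main__":
    print(iterative_resolve("www.company.com"))
    print(stub_resolve("www.global.company.com"))
```

The stub call returns nothing usable for the delegated name because the non-recursive server only hands back a referral, which is the nslookup "Served by:" output described above.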



More information about the bind-users mailing list