delegation of subdomains

Kevin Darcy kcd at chrysler.com
Fri Oct 12 22:48:53 UTC 2007


Well, you need the delegation on the inside version of the zone, unless 
you want to configure *every* internal nameserver with explicit 
knowledge of the zone (type slave or stub). If you add the delegations 
for internal use, however, and they are private addresses, then you 
should *not* also add them externally, because it's a bad practice, as 
mentioned previously. Logically, then, you would need separate views, or 
different versions of the parent zone running in different instances of 
"named" on the same box, or on different boxes.

The typical "view" setup looks something like

view "internal" {
    match-clients { <internal addresses and/or ranges>; };

    zone "xxxx" {            // internal version
        type master;
        file "xxxxx";
    };

    zone "yyyy.xxxx" {       // internal version
        type master;
        file "yyyy.xxxx";
    };
    // (etc.)
};

view "external" {
    match-clients { any; };
    recursion no;

    zone "xxxx" {            // external version
        type master;
        file "xxxx";
    };

    zone "yyyy.xxxx" {       // external version
        type master;
        file "yyyy.xxxx";
    };
    // (etc.)
};

- Kevin
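An added check for the point above (my own example, not code from this thread and not a BIND tool): a small Python linter that reads a zone fragment like the records Markus quotes and flags delegations whose glue is missing or lands in RFC 1918 space, the thing that should never appear in the externally served version of the parent zone. The zone fragment is constructed; the shop and lab delegations and the 198.51.100.7 address are hypothetical additions.

```python
import ipaddress
# RFC 1918 space: the "private addresses" the thread warns against publishing.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed fragment based on the thread's records; shop, lab, 198.51.100.7 are hypothetical.
SAMPLE_ZONE = """\
$ORIGIN schaefer-shop.de.
mw       86400  IN  NS  webhost.mw.schaefer-shop.de.
webhost.mw.schaefer-shop.de.  86400  IN  A  10.19.155.90
shop     86400  IN  NS  ns1.shop
ns1.shop 86400  IN  A   198.51.100.7
lab      86400  IN  NS  ns.lab
"""

def fqdn(name, origin):
    """Qualify an owner name or NS target relative to $ORIGIN."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Minimal one-record-per-line parser -> (owner, type, rdata) tuples."""
    origin, records = ".", []
    for line in text.splitlines():
        tokens = line.split(";")[0].split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        owner, rest = fqdn(tokens[0], origin), tokens[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]                      # skip optional TTL and class
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        records.append((owner, rtype, fqdn(rdata, origin) if rtype == "NS" else rdata))
    return records

def lint_delegations(text):
    """Flag in-bailiwick delegations whose glue is missing or in RFC 1918 space."""
    records = parse_zone(text)
    glue = {o: r for o, t, r in records if t in ("A", "AAAA")}  # one address per name
    findings = []
    for owner, rtype, target in records:
        if rtype != "NS" or not target.endswith("." + owner):
            continue            # name server outside the child zone: no glue needed here
        addr = glue.get(target)
        if addr is None:
            findings.append((owner, target, "missing glue"))
        elif any(ipaddress.ip_address(addr) in net for net in RFC1918):
            findings.append((owner, target, f"private glue {addr}"))
    return findings
```

Run it against the externally served copy of the parent zone before handing a delegation to the outside admin; the mw delegation is reported, the shop delegation with public glue is not.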


Markus Boehmer wrote:
> -------- Original Message --------
>
>> Date: Thu, 11 Oct 2007 18:55:18 -0400
>> From: Kevin Darcy <kcd at chrysler.com>
>> To: bind-users at isc.org
>> Subject: Re: delegation of subdomains
>>
>> It's a bad practice to put private addresses in publicly-visible 
>> zones, because it results in bogus DNS traffic. This is the kind of 
>> thing views were created to prevent: put the private addresses in the 
>> internal view so that only internal clients see those addresses.
>>
>> - Kevin
>>
>
> Hello Kevin,
>
> I don't know if they are the right thing in my case.
> The DNS server which has the schaefer-shop.de zone is completely outside the company LAN and the server for the mw.schaefer-shop.de zone is inside, so on the second server there is no need for a view, because it has private addresses and is in a private network.
>
> And the first server has in the open zone schaefer-shop.de only a delegation to the internal server, the entries are:
>
> mw.schaefer-shop.de. IN NS webhost.mw.schaefer-shop.de.
> webhost.mw.schaefer-shop.de. IN A 10.19.155.90
>
> If there is a way of which I don't know how to put these entries in a view, then I sure will do this.
>
> Greetings
> Markus
>
>> Markus Boehmer wrote:
>>>> On Thu, Oct 04, 2007 at 06:49:14AM -0700, Markus Boehmer wrote:
>>>>
>>>>> 1. Domain is "def.gh" - DNS-server is somewhere outside the company
>>>>> lan with internet access and is reachable from the internet
>>>>>
>>>>> 2. Domain to delegate is abc.def.gh - DNS-server is inside the company
>>>>> lan, has internet access, but is not reachable from the internet.
>>>>>
>>>> Having the delegation visible worldwide would be a lame delegation for
>>>> clients not on the local network, which I consider a config error.
>>>>
>>>> Greetings
>>>> Marc
>>> Hi Marc and everyone else,
>>>
>>> here's another problem.
>>>
>>> I would prefer the "lame method" for various reasons, being
>>> here in our company network.
>>>
>>> The "outside" server is nsr1.4smr.net, authoritative for the zone
>>> "schaefer-shop.de".
>>> This one should now delegate "mw.schaefer-shop.de" to our internal
>>> server with the IP address 10.19.155.90, which is already up and running, so that
>>> other nameservers in our company network can find our subdomain
>>> mw.schaefer-shop.de.
>>> The admin responsible for ns1.4smr.net now told me that he can't
>>> delegate, because our internal nameserver can not be reached or reverse looked
>>> up.
>>> Is this possible? I thought, that entries in the schaefer-shop.de. zone
>>> files like:
>>> mw    86400    IN    NS    webhost.mw.schaefer-shop.de.
>>> webhost.mw.schaefer-shop.de.  86400  IN  A  10.19.155.90
>>>
>>> would be enough.
>>>
>>> Have I understood this wrong? I read DNS & Bind from O'Reilly and I think
>>> that the above mentioned would be enough.
>>>
>>> With this configuration, computers within our company network should be
>>> able to find our zone and computers outside the company network have simply
>>> a weird looking DNS record.
>>>
>>> Regards
>>> Markus
>>>


