Private Zones and Deligation bind9.7.2

Barry Margolin barmar at alum.mit.edu
Tue Dec 7 01:41:31 UTC 2010 

In article <mailman.955.1291658327.555.bind-users at lists.isc.org>,
 Jay Ford <jay-ford at uiowa.edu> wrote:

> On Mon, 6 Dec 2010, Martin McCormick wrote:
> > the config for this private zone is:
> >
> > zone "r.ds" {
> > 	type master;
> > 	file "/etc/namedb/master/r.ds.zone";
> >            allow-update {
> > key updsrv;
> > };
> >        allow-query { any; };
> > #a list of slaves
> > include "/etc/zoneconfigs/stwnotify";
> > 	notify yes;
> > };
> 
> You configured this server to be master for the r.ds zone, which tells this
> server that it is authoritative for names in that zone.  If it gets a query
> for a resource record in that zone which it doesn't know, it will answer
> authoritatively with a negative answer (either NXDOMAIN if the name doesn't
> exist at all, or NOERROR with no "answer" data if the name exists but not
> with the queried type).  NS records in a zone don't cause an authoritative
> server to send queries elsewhere, because the server knows the answer by
> virtue of being authoritative for the zone.

That's not true.  NS records delimit the extent of the authority, and 
tell it that some other server is authoritative for the subdomain.  So 
as long as recursion is enabled, and the query is recursive, the server 
should follow the delegation.

> 
> The NS records you list will direct *other* resolvers which see those NS
> records to send queries for names in r.ds to the targets of the NS records,
> but any queries for names in r.ds which end up at your server will get
> handled as described above.
> 
> What you probably want to do is add something like the following to the 
> parent "ds" zone:
>     r           IN  NS  stwrdc02.r.ds.
>                 IN  NS  stwrdc03.r.ds.
>     stwrdc02.r  IN  A   192.168.1.1
>     stwrdc03.r  IN  A   192.168.1.2
> then get rid of the r.ds zone definition on your server.
> 
> Your subject line includes "private".  What is it that's private about this
> situation?

The situation isn't private, the zones are, i.e. they're only accessible 
to his internal users.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***

More information about the bind-users mailing list