Shortcut the lookup algorithm *other* than via 'forward'?

L. Gabriel Somlo gsomlo at gmail.com
Mon Mar 1 20:52:26 UTC 2010


Hi,

I am looking for a way to start the DNS lookup algorithm somewhere
further down the tree, instead of at the root, but only for a small
specified set of domains.

I have a relatively large/complex DNS installation, where we run
our own .LOCAL TLD mapped to RFC1918 IP space. Various departments
and business units have their own authoritative name servers for
subdomains within that space, and we delegate to them from our
primary authoritative name server. This primary name server also
holds our public authoritative data, also with delegations of (some)
third-level subdomains to authoritative name servers run by
the aforementioned departments and business units.

I currently run dedicated caching servers (available only to
internal clients), which are configured to forward anything within
*.local and *.example.com to our primary authoritative server. The
latter must currently recurse (at least) for the caches, since it's
not guaranteed to be authoritative for all subdomains of *.local and
*.example.com, but is still expected to return a full answer as a
'forwarder' configured in the caching servers' named.conf.

What I would like to do instead is to modify the root hints on the
caching servers by adding

LOCAL.                           IN NS primary-auth-server.example.com
EXAMPLE.COM.                     IN NS primary-auth-server.example.com
primary-auth-server.example.com. IN A  111.222.333.444

so, rather than forwarding to 'primary-auth-server' they can simply
begin their own lookup algorithm there instead of at the root servers
(for *.local and *.example.com only).

I tried modifying the root hints file on my caches as described,
but BIND (9.6.1-P3) ignored my changes and kept starting the recursive
lookup at the real root servers regardless.

Any idea how I could make BIND do what I asked it to?

Alternatively, I'd also appreciate any insights into why what I'm
asking for might be a very bad idea and shouldn't be done (or even
supported at all in BIND)! :)

Thanks,
--Gabriel
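
[Editor's note, not part of the original message.] Editing the root hints
file cannot work for this: BIND reads the hints database only to find the
root server set (the priming query); records in it for any other name are
never used as a delegation point, which matches what the poster saw. The
mechanism BIND actually provides for "start iterating at this server for
this zone" is a stub zone (present in 9.6) or, from BIND 9.8 onwards, a
static-stub zone. The named.conf fragments below are an added example
written for this note; they are not from the original post or from the
BIND documentation. The primary's address 192.0.2.1 is a placeholder
(RFC 5737 documentation space), and the zone names are the ones from the
post.

```conf
// Added example: named.conf fragments for an internal caching resolver that
// should send lookups beneath "local" and "example.com" to the site's
// primary authoritative server instead of starting at the root.
// Assumption: the primary listens on 192.0.2.1 (placeholder address).
// Only ONE of (a), (b) or (c) may define a given zone name in a view;
// named-checkconf rejects duplicates.

// (a) What the post describes today: forwarding. Use "forward only", not
//     the default "forward first": with "first", a timeout from the primary
//     makes the cache fall back to ordinary recursion from the root, so
//     queries for internal ".local" names leak to the public root servers
//     and "example.com" names can be answered from the public zone rather
//     than the internal one.
zone "local" {
    type forward;
    forward only;
    forwarders { 192.0.2.1; };
};
zone "example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.1; };
};

// (b) Stub zones (available in BIND 9.6): the cache fetches the apex SOA,
//     NS and glue records from the listed server and then uses that NS
//     RRset as a delegation point, iterating from there itself, following
//     the primary's delegations to departmental servers directly, instead
//     of asking the primary to recurse. Caveat: the NS names published at
//     the apex are what gets used; if example.com's apex NS records name
//     the public servers, the cache will go to those, not to the primary,
//     and the cache must be able to reach every delegated server.
zone "local" {
    type stub;
    masters { 192.0.2.1; };
    file "stub.local";
};
zone "example.com" {
    type stub;
    masters { 192.0.2.1; };
    file "stub.example.com";
};

// (c) Static-stub zones (BIND 9.8 and later, so not on the 9.6.1-P3 in the
//     post): the server addresses are given directly and no apex NS records
//     are fetched, which is the closest match to "begin the lookup here".
zone "local" {
    type static-stub;
    server-addresses { 192.0.2.1; };
};
zone "example.com" {
    type static-stub;
    server-addresses { 192.0.2.1; };
};

// Checks after editing (run on the caching server):
//   named-checkconf -z /etc/named.conf    # syntax plus zone load check
//   rndc reload
//   dig @127.0.0.1 local NS               # should return what the primary
//                                         # publishes, not a root referral
```

Whichever variant is chosen, the security trade-off is the same as with
forwarding: the cache trusts whatever the primary hands it for those names
and, in (b), whatever the servers named in the apex NS RRset hand it. The
point of the "forward only" line in (a) is that the fallback path (silently
recursing from the root when the primary is down) is the one that leaks
internal names and can swap in public data for internal names, and it is
the default unless turned off.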
