Best way to handle a delegation...

Ray Van Dolson rvandolson at esri.com
Sat Jan 21 00:24:17 UTC 2017


So I have domain.com, controlled by AD, but want to delegate
subdomain.domain.com to an external DNS server on the Internet (Amazon
Route53).

This is easy to do for my external version of domain.com as I can just
add

subdomain.domain.com        NS      amazonserver.com.

However, our AD servers aren't allowed to talk to the Internet, so it's
not quite so straightforward.

What works is to set up a conditional forwarder on the AD side to route
any requests for subdomain.domain.com to the IPs of our internal BIND
cache resolvers.  Now, on those cache resolvers I need to create a zone
called "subdomain.domain.com" and either:

(1) Configure as a forward zone forwarding directly to the IPs of the
Amazon DNS servers (I don't like this because those IPs might
change...)

(2) Configure as a forward zone forwarding to my DMZ authoritative
DNS servers for domain.com.  I don't like this because not all of my
caching servers can talk to my DMZ DNS server, so I have to chain them
which is ugly to say the least.

Both 1 & 2 work, but what I *wish* I could do is:

(3) Configure as a master zone, but have NS records pointing to the
Amazon servers (referenced by canonical name rather than IP)...

OR

(4) Configure my DMZ server version of subdomain.domain.com as a master
zone (w/ NS pointed to Amazon) and have one of my internal caching
servers configured as a slave to pull the zone in, then redistribute to
other caching servers around the company.

I haven't tried 4 as it's basically a more complex version of 3, but 3
doesn't work for some reason.  The caching server has access to the
Internet, but when I point dig at it and ask for
record.subdomain.domain.com, I just get the SOA record back rather than
full recursion via the delegation to the defined NS servers.  I
suspect that because subdomain.domain.com is defined as a master zone,
I can't really delegate the whole thing elsewhere...

Is there a cleaner way to approach this (short of renaming our
domain!)?  Maybe forwarding is the best approach.

Thanks,
Ray
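As an added example that is not part of Ray's post: the named.conf fragments below show the forward zone from option (1) next to a static-stub zone, a BIND 9.8+ zone type that goes beyond the options listed and lets the caching resolver name the external servers instead of pinning their IPs (a master zone's apex NS records describe the zone's own servers rather than delegating it, which is why option (3) answers from the local SOA). All server names and addresses here are placeholders.

```conf
// Added example, not from the original post. Two ways for an internal BIND
// caching resolver to hand subdomain.domain.com to external nameservers.
// Use ONE of the two zone statements; names and addresses are placeholders.

// Option (1) from the post: a forward zone. BIND forwarders must be IP
// addresses, so this configuration breaks if Route53 renumbers its servers.
zone "subdomain.domain.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };   // placeholder Amazon server IPs
};

// Alternative to the master-zone idea (3): a static-stub zone. named treats
// the listed servers as the zone's authoritative servers, exactly as it would
// after following a delegation, and resolves server-names itself at query
// time, so no addresses are pinned in the config. Requires BIND 9.8 or later;
// this resolver must be able to look up the names and reach the servers.
zone "subdomain.domain.com" {
    type static-stub;
    server-names { "amazonserver.com."; "ns2.amazonserver.com."; };  // placeholders
};
```

After reloading, `dig @<caching-resolver> record.subdomain.domain.com` should return data from the external servers rather than the local SOA.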

