What is the proper way to delegate to a private / hidden sub-domain?
Grant Taylor
gtaylor at tnetconsulting.net
Wed May 6 20:25:39 UTC 2020
On 5/6/20 1:28 PM, Grant Taylor via bind-users wrote:
> The only way that I see how to make this work is to anycast the names
> and IPs of the name servers that lab1.example.net is delegated to. One
> anycast instance being external publicly accessible and the other
> anycast instance being internal private accessible.
I have done a proof of concept of the anycast method and it does seem to
work correctly.
--------
internal% dig test.lab1.tnclab.net
; <<>> DiG 9.10.6 <<>> test.lab1.tnclab.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23882
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.lab1.tnclab.net. IN A
;; ANSWER SECTION:
test.lab1.tnclab.net. 3600 IN A 192.0.2.1
;; Query time: 39 msec
;; SERVER: REDACTED
;; WHEN: Wed May 06 14:18:10 MDT 2020
;; MSG SIZE rcvd: 65
--------
--------
external% dig test.lab1.tnclab.net
; <<>> DiG 9.12.3-P4 <<>> test.lab1.tnclab.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63790
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5fc29c39df72cceab05aca3f5eb31d230e6f902042ae0ee9 (good)
;; QUESTION SECTION:
;test.lab1.tnclab.net. IN A
;; AUTHORITY SECTION:
lab1.tnclab.net. 300 IN SOA hidden-soa.lab1.tnclab.net. gtaylor.tnetconsulting.net. 2017072101 3600 1800 2419200 3600
;; Query time: 390 msec
;; SERVER: REDACTED
;; WHEN: Wed May 06 20:25:07 UTC 2020
;; MSG SIZE rcvd: 150
--------
--------
internal% dig +trace test.lab1.tnclab.net
; <<>> DiG 9.10.6 <<>> +trace test.lab1.tnclab.net
;; global options: +cmd
. 518400 IN NS e.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN RRSIG NS 8 0 518400 20200519170000 20200506160000
48903 . OD2b8PqZD5hfvqfK8fpR/1LdfzXU+WRG5cTgZdpuA8/GAba1oP5/6HPK
mzOHTuU7MpLI7u8TIJNd/NtvrZ/1cC6NO+olIu3umCcxte0PJqgxZGSK
0eFaFHrbjBwJd509MnjuZlhdBSGGuS2uD0fdyquZecor+pVQUfTCYCdI
T8w1+F8OmkNfd2F2FUZYq2bBXOJMtgGuyHOo0RHogVQJOw58fDjMWXtS
nMjs+0Lkk/Lh2ZB8tXUnunBM7CrincaLhxQf2Ez9rQS3UeOd5jJAWYMo
V57A5O5FsGJo41vvrS4+Sh10Frk+3sdWwLvCzPPuH/eHsGtdEq8KSfTG a2IC4w==
;; Received 1109 bytes from 198:18:18::254#53(198:18:18::254) in 38 ms
net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
net. 86400 IN DS 35886 8 2
7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE
net. 86400 IN RRSIG DS 8 1 86400 20200519170000 20200506160000
48903 . t7tjxOQhUoE6+VRIPH1U4fVOf6PZ+zsNFky80lrmCMYHJ6YPwo7pwY5n
Fp5GbEC9JcdrcFjpa+NbanTw5RFgWiukZT5AQANZ966ZegyA6tUwaNTV
9L90194vvQDcHNaQznftw4PpcQ0lNNETUswFm1lzv6GGs9iNFjjba459
XXTGYq9voALC8AfySPANp49fWteXPG0YvA0Fu/T+2IooyFwRwiDxEhpQ
49IVwVJZB3CimeL1kmP0nfP4/dxtj0OXhg+0S7gNX+HKf6gopVvtkfVs
AuZZkYRdderRh4mqc1tyK2QIH7QvO8xpzc7ruWVMjNjpKQ6GICGs0inS XLC5tA==
;; Received 1177 bytes from 192.203.230.10#53(e.root-servers.net) in 32 ms
tnclab.net. 172800 IN NS ns1.linode.com.
tnclab.net. 172800 IN NS ns2.linode.com.
tnclab.net. 172800 IN NS ns3.linode.com.
tnclab.net. 172800 IN NS ns4.linode.com.
tnclab.net. 172800 IN NS ns5.linode.com.
tnclab.net. 86400 IN DS 45760 8 1
FF5960A7A1CA8F1C94125BA8F471A828738C046F
tnclab.net. 86400 IN DS 45760 8 2
2E3CDCAD213387EA611A7B368E37D259811DB75371CBB4F2831F89D4 B6014A57
tnclab.net. 86400 IN RRSIG DS 8 2 86400 20200513064718
20200506053718 36059 net.
2yGFlsfpeXC8ID7mh1fVzwrBy7X9Y9fk9sw66Yy8ZqiM20mRCzhf0Fuh
cQGrZRBP4QA65bP1NWc3m5dTV/R0K8ZxDjw4dHMWwmp8e78BRi+CqPzC
ZxSVGBO9WlKKoL9jIvfOUkqQU+YEVEriXe2vMk4DmWT+5yjECjWLMPz3
ExeU1HebMZy6uA4CRueicnzBEkAKN5YJfpPnZdRuq53fnQ==
;; Received 428 bytes from 2001:503:231d::2:30#53(b.gtld-servers.net) in 207 ms
lab1.tnclab.net. 3600 IN NS acns.tnclab.net.
lab1.tnclab.net. 3600 IN NSEC tnclab.net. NS RRSIG NSEC
lab1.tnclab.net. 3600 IN RRSIG NSEC 8 3 3600 20200605194430
20200506184430 18336 tnclab.net.
zmBPhbAJpJTPXIFIk3B57vtPnRqqZ6xYbVwQY2V3o14pHxqy8kjHL0QW
ZPoUCoXmzQ1yRPp8rMlDR6mp/6gNbejN2VSUtlbERnJLns08786LSCsd
oRieCphgsJLZPOKcL9FBa2rKSwp4QOlZdWid91eu+68l359X8TZeInHi xRw=
;; Received 456 bytes from 2400:cb00:2049:1::a29f:1827#53(ns2.linode.com) in 99 ms
test.lab1.tnclab.net. 3600 IN A 192.0.2.1
;; Received 65 bytes from 45.33.28.7#53(acns.tnclab.net) in 1 ms
--------
--------
external% dig +trace test.lab1.tnclab.net
; <<>> DiG 9.12.3-P4 <<>> +trace test.lab1.tnclab.net
;; global options: +cmd
. 164357 IN NS e.root-servers.net.
. 164357 IN NS f.root-servers.net.
. 164357 IN NS k.root-servers.net.
. 164357 IN NS h.root-servers.net.
. 164357 IN NS b.root-servers.net.
. 164357 IN NS j.root-servers.net.
. 164357 IN NS l.root-servers.net.
. 164357 IN NS g.root-servers.net.
. 164357 IN NS m.root-servers.net.
. 164357 IN NS a.root-servers.net.
. 164357 IN NS d.root-servers.net.
. 164357 IN NS c.root-servers.net.
. 164357 IN NS i.root-servers.net.
. 164357 IN RRSIG NS 8 0 518400 20200515050000 20200502040000
48903 . dGTnT7OISNAcz0hcLgOXqLpvSAMJBWDpi1XSSvWpVekIo3ZOwfOHqMdJ
DcZlGtmC4QfU7YXJi9LBVdCI57v9AbL8uyOJhCFVPmmjXoZvijZ9toPd
Ou0YMdBQG2y5ToXinStHcZGeICNUYpwPyuNs+ulK7smJd7Co4N5y5V3t
V+SO9wmVQNou3TIrUUX6KQ7DmyPBmoFIs24wy4NeQ/q547QZgSff7LUP
5rJMwxQhPwy3V3FcaMSbJfHFu5uO3WIHXS98i6HNVw/8G02xhHsTBtj3
NVsXzOB1Wfu4NERzka+Tle53jeK4TZnGWdXldnw4/729RVVVpfF4KpGt j3UQpw==
;; Received 565 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
net. 86400 IN DS 35886 8 2
7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE
net. 86400 IN RRSIG DS 8 1 86400 20200519170000 20200506160000
48903 . t7tjxOQhUoE6+VRIPH1U4fVOf6PZ+zsNFky80lrmCMYHJ6YPwo7pwY5n
Fp5GbEC9JcdrcFjpa+NbanTw5RFgWiukZT5AQANZ966ZegyA6tUwaNTV
9L90194vvQDcHNaQznftw4PpcQ0lNNETUswFm1lzv6GGs9iNFjjba459
XXTGYq9voALC8AfySPANp49fWteXPG0YvA0Fu/T+2IooyFwRwiDxEhpQ
49IVwVJZB3CimeL1kmP0nfP4/dxtj0OXhg+0S7gNX+HKf6gopVvtkfVs
AuZZkYRdderRh4mqc1tyK2QIH7QvO8xpzc7ruWVMjNjpKQ6GICGs0inS XLC5tA==
;; Received 1177 bytes from 2001:500:2f::f#53(f.root-servers.net) in 1 ms
tnclab.net. 172800 IN NS ns1.linode.com.
tnclab.net. 172800 IN NS ns2.linode.com.
tnclab.net. 172800 IN NS ns3.linode.com.
tnclab.net. 172800 IN NS ns4.linode.com.
tnclab.net. 172800 IN NS ns5.linode.com.
tnclab.net. 86400 IN DS 45760 8 1
FF5960A7A1CA8F1C94125BA8F471A828738C046F
tnclab.net. 86400 IN DS 45760 8 2
2E3CDCAD213387EA611A7B368E37D259811DB75371CBB4F2831F89D4 B6014A57
tnclab.net. 86400 IN RRSIG DS 8 2 86400 20200513064718
20200506053718 36059 net.
2yGFlsfpeXC8ID7mh1fVzwrBy7X9Y9fk9sw66Yy8ZqiM20mRCzhf0Fuh
cQGrZRBP4QA65bP1NWc3m5dTV/R0K8ZxDjw4dHMWwmp8e78BRi+CqPzC
ZxSVGBO9WlKKoL9jIvfOUkqQU+YEVEriXe2vMk4DmWT+5yjECjWLMPz3
ExeU1HebMZy6uA4CRueicnzBEkAKN5YJfpPnZdRuq53fnQ==
;; Received 428 bytes from 192.43.172.30#53(i.gtld-servers.net) in 7 ms
lab1.tnclab.net. 3600 IN NS acns.tnclab.net.
lab1.tnclab.net. 3600 IN NSEC tnclab.net. NS RRSIG NSEC
lab1.tnclab.net. 3600 IN RRSIG NSEC 8 3 3600 20200605194430
20200506184430 18336 tnclab.net.
zmBPhbAJpJTPXIFIk3B57vtPnRqqZ6xYbVwQY2V3o14pHxqy8kjHL0QW
ZPoUCoXmzQ1yRPp8rMlDR6mp/6gNbejN2VSUtlbERnJLns08786LSCsd
oRieCphgsJLZPOKcL9FBa2rKSwp4QOlZdWid91eu+68l359X8TZeInHi xRw=
;; Received 456 bytes from 162.159.24.25#53(ns5.linode.com) in 74 ms
lab1.tnclab.net. 300 IN SOA hidden-soa.lab1.tnclab.net. gtaylor.tnetconsulting.net. 2017072101 3600 1800 2419200 3600
;; Received 119 bytes from 45.33.28.7#53(acns.tnclab.net) in 102 ms
--------
45.33.28.7 is anycasted in that it exists globally on one of my VPSs and
in my lab environment. (No BGP involved with this anycast.)
--
Grant. . . .
unix || die
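
Added example, not part of the original post: a shell check that reads captured dig output and reports which of the two anycast instances answered, so the split can be re-verified from each vantage point after any zone or routing change. The function names are hypothetical; the sample data is trimmed from the dig answers quoted above.

```shell
# Added example (not from the post): tell which anycast instance answered,
# using only captured dig output.

# Print the RCODE from dig's ->>HEADER<<- line (stdin: dig output).
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the owner name of each ANSWER SECTION record (stdin: dig output).
dig_answer_names() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         /^;/ || /^$/          { in_ans = 0 }
         in_ans                { print tolower($1) }'
}

# classify_view ZONE: read dig output on stdin and print
#   private - NOERROR with at least one answer at or below ZONE
#   public  - NXDOMAIN and no answer at or below ZONE
#   unknown - anything else (SERVFAIL, empty NOERROR, look-alike names, ...)
classify_view() {
    zone=$(printf '%s' "${1%.}." | tr 'A-Z' 'a-z')
    out=$(cat)
    status=$(printf '%s\n' "$out" | dig_status)
    hits=$(printf '%s\n' "$out" | dig_answer_names | awk -v z="$zone" '
        $1 == z || substr($1, length($1) - length(z)) == "." z { n++ }
        END { print n + 0 }')
    if [ "$status" = NOERROR ] && [ "$hits" -gt 0 ]; then echo private
    elif [ "$status" = NXDOMAIN ] && [ "$hits" -eq 0 ]; then echo public
    else echo unknown
    fi
}

# Trimmed copies of the internal and external answers shown in the post.
sample_internal() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23882
;; ANSWER SECTION:
test.lab1.tnclab.net. 3600 IN A 192.0.2.1
EOF
}
sample_external() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63790
;; AUTHORITY SECTION:
lab1.tnclab.net. 300 IN SOA hidden-soa.lab1.tnclab.net. gtaylor.tnetconsulting.net. 2017072101 3600 1800 2419200 3600
EOF
}

echo "internal: $(sample_internal | classify_view lab1.tnclab.net)"
echo "external: $(sample_external | classify_view lab1.tnclab.net)"
```

Against live servers, pipe `dig @45.33.28.7 test.lab1.tnclab.net` into `classify_view lab1.tnclab.net` from each network; a result of `private` from the external side means the internal instance's data is reachable from outside.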