Re: internal root and authoritative DNS

Brad Knowles wrote:

>At 7:22 PM -0500 2005-03-21, Barry Margolin wrote:
>
>
>
>>> Now, if you try to mix an internal root with a nameserver that is
>>> supposed to communicate with the outside world, that is likely to run
>>> into some problems.
>>>
>>>
>> Shouldn't you be able to do it with views? You could have one view with
>> a master zone for ".", and another view with a hints zone for ".".
>>
>>
>
> That would be an interesting test. I would expect it to fail,
>because I don't think that the views mechanism applies to hints, and
>I think the internal versus external views would need to be operating
>from different hints.
>
First of all, why do you think hints would be excluded from "view"
differentiation? Secondly, one of the views in the configuration
described doesn't even need hints, because it's master for the root
zone. What Barry describes should work just fine. In fact, if an
organization had only 1 server and 1 IP address to use for internal and
external DNS, and for whatever reason insisted on having an
internal-root architecture, this is what they'd *have* to do. While
questionable from a security standpoint, I'm sure ISC/Nominum has
contemplated and probably tested such a minimalistic implementation of
"view"s.

- Kevin