Re: Authoritative NS as a proxy to a type forward zone

Usenet Forums > DNS and Related Forums > Bind Users

05-18-2005
Kevin Darcy

Sunny suen wrote:

>>Nope, won't work. Nameserver-to-nameserver traffic is non-recursive
>>(RD=0), and non-recursive queries are never forwarded.
>>
>>Just run a network-level NAT of some sort.
>
>Thanks and fine, but what if those real, hidden name servers are
>publicly addressed? The catch is that we are reluctant to pass these
>addresses to our ISP for the NS records of their DNS server.

I don't understand. If you have publicly addressed nameservers, why is
your ISP involved at all? Just get your zone delegated to your
nameservers and be done with it. Seems like the most straightforward setup.

If you really *must* get your ISP involved, then have them be slaves to
your master, or _vice_versa_.

Either way, there is no "authoritative forwarding" between your
nameservers and those of your ISP. In fact, the very definition of
"authoritative" is that you have a full copy of the zone data, and you
can never guarantee that when you're forwarding all of the queries from
one set of servers to another...

>Then we add these lines ourselves to named.conf on proxy.bar.com and set
>up the real name servers properly.
>zone "foo.com" {
>    type forward;
>    forward only;
>    forwarders {
>        202.XXX.XXX.XXX; // Public IP of real master NS
>        202.YYY.YYY.YYY; // Public IP of real slave NS
>    };
>};
>
>Does it mean that proxy.bar.com can't return to a client-side DNS a
>referral to the real NS 202.XXX.XXX.XXX or 202.YYY.YYY.YYY, as they are
>merely forwarder addresses (BIND specific?), instead of some standard
>RR values of the NS type?

I think you're looking at this the wrong way. If you're delegated a part
of the namespace, then you are expected to be authoritative for that
point in the namespace, and to provide referrals to zones which are
*beneath* that delegation point. What you are proposing is a "sideways
referral" where a delegated nameserver (or set of nameservers) would
return a referral for *exactly*the*same*point*in*the*namespace* that has
been delegated to it. This would be a very bad design and it would be a
very bad policy to allow it, regardless of implementation. Delegations
are always *down* the hierarchy, so referrals should also always be
*down* the hierarchy. Not up, and not sideways. Set up a master/slave
relationship if you want to remain a delegated nameserver but at the
same time share with your ISP the responsibility of actually answering
queries for the zone...


- Kevin
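
Added example, not part of the original post: a Python script that builds the RD=0 query a resolver sends to a delegated server and classifies the reply from its header flags, which is how to check from outside whether a server really answers authoritatively for foo.com. The function names and the sample reply headers are constructed for illustration; only the header is inspected, so the sample replies carry no record data.

```python
import socket
import struct

def build_query(name, qtype=1, rd=False, txid=0x1234):
    """DNS query (RFC 1035). rd=False is what a resolver sends to a delegated server."""
    flags = 0x0100 if rd else 0x0000          # RD is the 0x0100 bit of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS 1 = IN

def parse_flags(packet):
    """Decode the 12-byte header fields that matter for this check."""
    _, flags, _, an, ns, _ = struct.unpack("!HHHHHH", packet[:12])
    return {"qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an, "nscount": ns}

def classify(response):
    """Say how a server treated an RD=0 query for a zone delegated to it."""
    f = parse_flags(response)
    if not f["qr"]:
        raise ValueError("not a DNS response")
    if f["aa"] and f["rcode"] in (0, 3):      # NOERROR or NXDOMAIN with AA set
        return "authoritative"
    if f["rcode"] == 0 and f["ancount"] == 0 and f["nscount"] > 0:
        return "referral"
    return "not-authoritative"                # e.g. REFUSED, SERVFAIL, cached non-AA data

def with_header(query, flags, an=0, ns=0):
    """Constructed reply header for offline use; record sections are omitted."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, flags, 1, an, ns, 0) + query[12:]

def ask(server_ip, name, timeout=3.0):
    """Send the RD=0 query over UDP to a server you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        return classify(s.recvfrom(512)[0])

if __name__ == "__main__":
    q = build_query("foo.com")                # zone name taken from the thread
    for label, reply in [("AA answer", with_header(q, 0x8400, an=1)),
                         ("referral", with_header(q, 0x8000, ns=2)),
                         ("REFUSED", with_header(q, 0x8005))]:
        print(label, "->", classify(reply))
```

A server listed in the zone's delegation should come back as "authoritative"; any other result for the delegated name itself means resolvers will not get usable answers from it.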


