Re:[isp-dns] Split DNS
Len,

Thanks for the elaboration - this makes sense, and is more or less the conclusion we came to, but wanted a confirmation.

Dee,

Can you explain your comment that djbdns doesn't have a problem with split DNS? I don't understand how the problem we are dealing with (which is conceptual) can be dealt with by a different implementation on one server?

Thanks,
Michael

> Subject: Re:Split DNS
> From: Len Conrad <LConrad@...>
> Date: Fri, 28 Sep 2007 08:52:45 -0500
> X-Message-Number: 2
>
> >So what I am hearing is that the only way to do this where I don't
> >depend on whoever runs the auth servers is to make the traffic loop
> >through the firewall. Correct?
>
> The integrity of DNS is guaranteed by having the system trust only
> the auth servers. All other data is suspect. No way to split a zone
> data and have two authorities give different answers in the
> same namespace.
>
> The other boundary is the NAT, separating the public/private IP
> space. That can't be bridged by DNS (works only in the symbolic
> namespace), only by the IP managers (routers) (works in the IP space).
>
> If the auth servers would delegate a sub-domain to your DNS, that
> would work this way:
>
> In the domain.tld zone now:
>
> sub.domain.tld A ip.ad.re.ss
>
> after delegation:
>
> sub.domain.tld NS ns.yourdomain.tld
>
> and in your ns.yourdomain.tld for the zone sub.domain.tld :
>
> view public
>
> www.domain.tld A ip.ad.re.ss ; public IP
>
> view private
>
> www.domain.tld A ip.ad.re.ss ; private IP
>
> I'm a trainer and consultant for DNS and mail systems.
>
> Len
>
> ----------------------------------------------------------------------
>
> Subject: Re: Re:Split DNS
> From: Len Conrad <LConrad@...>
> Date: Fri, 28 Sep 2007 14:08:13 -0500
> X-Message-Number: 4
>
> >So it looks though you are bind centric ?
>
> BIND has always served well, and it is the standard, RFC compatible,
> and function-complete, software. Never had to look elsewhere.
>
> > I much prefer djbdns now.
>
> yeah, well
>
> >We use it exclusively and split DNS is not a problem.
>
> BIND's views are much superior to the old BIND split views.
>
> Len
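
The delegated-zone setup with public and private views discussed in the quoted message, written out as a BIND named.conf for ns.yourdomain.tld. This is an added example, not configuration posted by anyone in the thread; the ACL ranges, addresses and file paths are constructed placeholders.

```conf
// named.conf on ns.yourdomain.tld (constructed example, not from the thread)
// Assumed: internal clients come from RFC 1918 space; 192.0.2.10 stands in
// for the public address and 10.0.0.10 for the private one.
acl internal-nets { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; };

options {
    directory "/var/named";
    recursion no;          // this server only answers for zones it is authoritative for
};

// Views are evaluated in order and the first match-clients hit wins,
// so the restrictive view must come before the catch-all.
view "private" {
    match-clients { internal-nets; };
    zone "sub.domain.tld" {
        type master;
        file "private/sub.domain.tld.zone";   // contains: www IN A 10.0.0.10
    };
};

view "public" {
    match-clients { any; };
    zone "sub.domain.tld" {
        type master;
        file "public/sub.domain.tld.zone";    // contains: www IN A 192.0.2.10
    };
};
```

View selection is based on the source address the server sees, so internal clients whose queries are NATed to a public address before reaching this server are answered from the public view.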