
What is the proper way to delegate to a private / hidden sub-domain?

From Grant Taylor <gtaylor@tnetconsulting.net>
Newsgroups comp.protocols.dns.bind
Subject What is the proper way to delegate to a private / hidden sub-domain?
Date Wed, 6 May 2020 11:01:19 -0600
Message-ID <mailman.355.1588784486.942.bind-users@lists.isc.org>
To bind-users@lists.isc.org
List-Id BIND Users Mailing List <bind-users.lists.isc.org>

Hi,

What is the proper way to delegate to a private / hidden sub-domain?

I have a globally registered domain, call it example.net for this 
thread, that has multiple sub-domains that I'd like to be properly 
delegated to internal labs; lab#.example.net.

Example.net itself is following all the industry standards and best 
practices that I'm aware of; registered (read: rented), delegated from 
roots to multiple public DNS servers which respond to the world.

I would like to delegate lab1.example.net in such a way that the outside 
world sees a delegation to what is effectively an empty zone (save for 
SOA / NS / etc.) on a public server.  However, I'd like the internal lab 
systems to see a delegation to a private zone that has all the necessary 
records in the lab.

One hack that comes to mind is to have the example.net parent zone 
delegate to a separate name server with a separate IP and then to 
anycast that IP & name server inside the lab.  But that would require an 
additional globally routed IP on the external public Internet.

I'm not currently worried about supporting DNSSEC, but it would be nice 
if the solution would allow DNSSEC signing both the public and private 
zones.  With the obvious assumption being the DNS servers would have 
shared keys to be able to sign their copies of the zone correctly.

Does anybody have any ProTip(s) on how to go about doing this?  What 
about gotchas to avoid?

Thank you and have a nice day.



-- 
Grant. . . .
unix || die
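
Added example (not from the post, and not a reply from anyone on the list): one way to express the split the post asks for, using a public empty copy of lab1.example.net and a forward zone on the lab's recursive resolver pointing at a lab-only authoritative server, so no second globally routed address is needed. All names, addresses (192.0.2.53, 10.10.0.53, 10.10.0.0/16) and file paths are assumptions.

```conf
;; --- zones/example.net.db (parent zone, served by the public servers) ---
;; Delegation plus glue. 192.0.2.53 is the assumed address of the public
;; lab1 name server; it is the only lab1 address the outside world learns.
$ORIGIN example.net.
lab1        IN NS   ns-lab1.example.net.
ns-lab1     IN A    192.0.2.53

;; --- zones/lab1.example.net.public.db (empty zone on the public server) ---
$ORIGIN lab1.example.net.
$TTL 3600
@   IN SOA  ns-lab1.example.net. hostmaster.example.net. (
            2020050601 3600 900 1209600 300 )
    IN NS   ns-lab1.example.net.
;; deliberately nothing else: the world sees a valid but empty zone

;; --- zones/lab1.example.net.internal.db (full zone, lab server only) ---
$ORIGIN lab1.example.net.
$TTL 3600
@       IN SOA  ns-lab1.example.net. hostmaster.example.net. (
                2020050601 3600 900 1209600 300 )
        IN NS   ns-lab1.example.net.
build01 IN A    10.10.1.5          ; assumed lab host

// --- named.conf on the public lab1 server (192.0.2.53) ---
zone "lab1.example.net" {
    type master;
    file "zones/lab1.example.net.public.db";
};

// --- named.conf on the lab authoritative server (10.10.0.53) ---
// Never reachable from outside the lab; the internal copy lives only here.
zone "lab1.example.net" {
    type master;
    file "zones/lab1.example.net.internal.db";
    allow-transfer { none; };
};

// --- named.conf on the lab's recursive resolver (what lab clients use) ---
// Everything else resolves normally via the public tree; only this name
// is steered to the lab server. If this resolver validates DNSSEC, the
// internal copy must be signed with keys that chain to the DS published
// in example.net (the shared keys the post mentions).
options {
    recursion yes;
    allow-recursion { 10.10.0.0/16; };
};
zone "lab1.example.net" {
    type forward;
    forward only;
    forwarders { 10.10.0.53; };
};
```

Querying `build01.lab1.example.net` from outside the lab then yields NXDOMAIN from the public copy, while the same query through the lab resolver returns 10.10.1.5.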
