
Re: What is the proper way to delegate to a private / hidden sub-domain?

Started byGrant Taylor <gtaylor@tnetconsulting.net>
First post2020-05-06 13:28 -0600
Last post2020-05-06 13:28 -0600
Articles 1 — 1 participant




#15726 — Re: What is the proper way to delegate to a private / hidden sub-domain?

FromGrant Taylor <gtaylor@tnetconsulting.net>
Date2020-05-06 13:28 -0600
SubjectRe: What is the proper way to delegate to a private / hidden sub-domain?
Message-ID<mailman.357.1588793289.942.bind-users@lists.isc.org>


On 5/6/20 11:38 AM, Sten Carlsen wrote:
> I have been doing that for quite some time without knowing it should be 
> difficult.

I'm not saying that it should be difficult.  I'm asking what people 
think the proper method is.

> I have a domain (in the mail address) which is properly delegated to 
> servers and signed. Internally in house I have a number of other 
> internal both hosts and one subdomain.

It looks like your domain is delegated to Gratis DNS servers and that 
they resolve specific records to your external IP.

I'm not seeing a delegation beyond that.  But that could simply be 
because I don't know what name to query.  (AXFRs are properly refused.)

> The internal versions have RFC1812 IPs and the outside ones have public IPs.
> 
> Both sides are signed by the same key.
> 
> The way this is organised is that I use two views, one internal and one 
> external, I set both to be signed using:
> 
> options {
> directory "/var/named/data";
> auth-nxdomain no;
> dnssec-enable yes;
> dnssec-validation auto;
> allow-query { any; };
> allow-transfer { any; };
> listen-on-v6  { any; };
> sig-validity-interval 30 20;
> dnssec-loadkeys-interval 60;
> };
> 
> Never caused any problems. The downside is that I use views and have to 
> manage both sides.

Your scenario, presuming I understand it correctly, does not match what 
I'm asking about.

I'll try to restate.

I want example.net to:
  - Follow all standard DNS best practices.
  - Delegate lab1.example.net to <something> using the same standard DNS 
best practices.
  - <something>, which is publicly accessible, to host the public 
version of the lab1.example.net zone.
  - <something(Else)>, which is not publicly accessible, to host the 
private version of the lab1.example.net zone.

I want clients on the Internet, e.g. you, to be able to "dig +trace a 
host.lab1.example.net" and get a proper DNS delegation chain from root 
zone through net zone through example zone to lab1 zone on the external 
publicly accessible DNS servers.

I want clients in the lab to be able to do the same "dig +trace a 
host.lab1.example.net" and get a proper DNS delegation chain from root 
zone through net zone through example zone to lab1 zone on the internal 
private accessible DNS servers.

The difference is that the external publicly accessible lab1 DNS server 
is a separate server from the internal private accessible lab1 DNS 
server.  Separate in the sense that external can be a zone on a VPS 
server and the internal being an isolated VM in the lab.  More 
specifically, external public and internal private are NOT even remotely 
the same system thus can't use views or multiple instances of BIND.

E:  "." ({a..m}.root-servers.net) -> "net." ({a..m}.root-servers.net) -> 
"example.net." (ns{1,2}.example.net) -> lab1.example.net 
(extns{1,2}.lab1.example.net)
I:  "." ({a..m}.root-servers.net) -> "net." ({a..m}.root-servers.net) -> 
"example.net." (ns{1,2}.example.net) -> lab1.example.net 
(intns{a,b}.lab1.example.net)

As I type the previous lines, I think that the delegation from 
example.net to lab1.example.net will need to be to the same named & 
addressed servers.  However, the external and internal servers for 
lab1.example.net are completely different systems and could easily be in 
different parts of the Internet / country / world.

The only way that I see how to make this work is to anycast the names 
and IPs of the name servers that lab1.example.net is delegated to.  One 
anycast instance being external publicly accessible and the other 
anycast instance being internal private accessible.

I don't see another way to delegate the same zone to different (sets of) 
name servers without using anycast.  Hence my email to the list asking 
if anyone had any suggestions.



-- 
Grant. . . .
unix || die
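An added consistency check for the delegation scheme Grant describes (not code from the thread): the parent example.net can carry only one NS RRset and one set of glue for lab1.example.net, so both the external and the internal copy of the child zone must publish that same apex NS set and the same (anycast) addresses. The zone, server names and addresses below are constructed placeholders.

```python
# Constructed parent-side delegation in example.net: NS RRset plus glue.
PARENT_DELEGATION = {
    "ns": {"ns1.lab1.example.net.", "ns2.lab1.example.net."},
    "glue": {
        "ns1.lab1.example.net.": {"192.0.2.53"},
        "ns2.lab1.example.net.": {"198.51.100.53"},
    },
}

# Constructed apex data from each copy of lab1.example.net. The internal copy
# may add private hosts, but its apex NS and glue must match the parent.
CHILD_VIEWS = {
    "external": {
        "ns": {"ns1.lab1.example.net.", "ns2.lab1.example.net."},
        "glue": {"ns1.lab1.example.net.": {"192.0.2.53"},
                 "ns2.lab1.example.net.": {"198.51.100.53"}},
    },
    "internal": {
        "ns": {"ns1.lab1.example.net.", "ns2.lab1.example.net."},
        "glue": {"ns1.lab1.example.net.": {"192.0.2.53"},
                 "ns2.lab1.example.net.": {"198.51.100.53"}},
    },
}


def check_delegation(parent, views, zone):
    """Return a list of problems; an empty list means the chain is coherent."""
    problems = []
    # Every in-bailiwick NS the parent names needs glue in the parent,
    # otherwise a resolver following the chain cannot reach the child.
    for ns in parent["ns"]:
        if ns.endswith("." + zone) and ns not in parent["glue"]:
            problems.append(f"parent: missing glue for {ns}")
    for name, view in views.items():
        # The apex NS RRset must equal the delegating NS RRset; a copy that
        # names its own servers (intns{a,b} vs extns{1,2}) is unreachable
        # from the parent's delegation.
        if view["ns"] != parent["ns"]:
            problems.append(f"{name}: apex NS set differs from parent delegation")
        # Glue in the parent must match the child's own address records, or
        # one audience follows the chain to a host it cannot reach.
        for ns, addrs in parent["glue"].items():
            if view["glue"].get(ns) != addrs:
                problems.append(f"{name}: address of {ns} differs from parent glue")
    return problems
```

Run against live data by filling the two dictionaries from `dig NS lab1.example.net @<parent server>` and `dig NS lab1.example.net @<each child server>`.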
