Johannes,
        Noted your message below.  I might suggest you check out the 'views' 
feature of BIND.  You may find it a lot easier to set up/manage.  Some starting 
info:  
https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html
        Best regards!
John
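A minimal views-based split-DNS named.conf for the setup described in the thread, added here as an illustration and not taken from either message or from ISC's documentation. It assumes the internal network is 192.168.99.0/24 as in the thread; the ACL name, directory and zone file names are placeholders.

```conf
// Added example: split DNS on a single BIND 9 server using views rather
// than a separate caching resolver with a static-stub zone.
// Assumptions: internal network 192.168.99.0/24 (from the thread);
// ACL name, directory and zone file names are placeholders.

acl "internal-nets" { 127.0.0.1; 192.168.99.0/24; };

options {
    directory "/var/named";          // placeholder path
    dnssec-validation auto;          // keep validation on for the internet
};

// Views are matched in order; the first matching view answers the client.
// Once any "view" statement is used, every zone must live inside a view.

// Internal clients: recursion allowed, full zone with the private hosts.
// Because the zone is authoritative in this view, answers for it come
// from the zone file and are not fetched (or DS-chased) from another
// server the way a stub or forwarded answer would be.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    allow-query { "internal-nets"; };

    zone "ojkastl.de" {
        type master;
        file "ojkastl.de.internal.db";   // placeholder: full zone incl. private hosts
    };
};

// Everyone else: no recursion, only the public copy of the zone.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };

    zone "ojkastl.de" {
        type master;
        file "ojkastl.de.external.db";   // placeholder: public names only
    };
};
```

Check the result with `named-checkconf`, then query the same name from an internal and an external address to confirm each client only sees its own view of the zone.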
------------------------
Date: Tue, 14 Feb 2017 12:51:24 +0100
From: Johannes Kastl <m...@ojkastl.de>

Hi all,

I am trying to get more familiar with named/bind, and thus I am
experimenting a little. I am seeking guidance in setting up a
split-dns server (aka resolving internal hosts that the outside does
not see and know about).

Host_1
I have bind running as caching resolver in my home dmz, only
accessible on the internal net. All DNS queries go through this one,
works like a charm, even with DNSSEC validation enabled.

Host_2
Then I set up another bind as master for my zone ojkastl.de, which has
all the internal hosts that the external one does not and should not
have. The host is set as NS in the SOA of the zone and has an A
record for itself in the zone. Querying this host directly with dig
+norecurse lets me resolve my internal hosts.

I added the following to my named.conf on Host_1, and it works.

-- snip --
zone "ojkastl.de" {
        type static-stub;
        server-addresses { 192.168.99.3; };
};
-- snip --

The only thing I notice are these lines in the logs:

Host_1
-- snip --
error (chase DS servers) resolving 'ojkastl.de/DS/IN': 192.168.99.3#53
-- snip --

Host_2
-- snip --
client 192.168.99.2#22059 (ojkastl.de): query (cache)
'ojkastl.de/DS/IN' denied
-- snip --

Is this actually something to worry about?

I guess that DS might be DNSSEC related, but apparently one cannot
disable dnssec validation for only one zone (or rather I could not get
it to work). And as this zone is not signed (yet) it might not matter.

When using a forward-type zone I got lots of additional NS records for
de (nic.de etc.) in my dig tests, so I tried the static stub.

Thanks in advance for your help!

Johannes
