Given VPNs, RemoteAccess and the like, I strongly recommend against split-DNS configurations. They were great ideas in 1993, when all sites were concave, but that's just not the case anymore.
Instead, I recommend having a sub-zone, "internal.example.com", or some other
convenient name. Put a zone split ("NS" and "DS" records) there, and then
limit who can do queries to this zone by IP address. You'd acceptlist all of
your VPN sites, the v4 (RFC1918) and v6 (subnet) prefixes for your remote
access clusters.
Split-DNS finally has some actual IETF definition at:
https://datatracker.ietf.org/doc/draft-ietf-add-split-horizon-authority/
I'm specifically arguing to do:
https://www.ietf.org/archive/id/draft-ietf-add-split-horizon-authority-06.html#name-internal-only-subdomains
It's just so much easier, particularly if you are starting from scratch.
signature.asc
Description: PGP signature
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
