Re: [Freeipa-users] bind-dyndb-ldap and stub zones

2015-04-03 Thread Petr Spacek
On 3.4.2015 02:10, Brendan Kearney wrote:
> i am wondering if bind-dyndb-ldap supports stub zones.  below would be a
> use case for me.

TL;DR:
No. bind-dyndb-ldap supports only 'master' and 'forward' zones at the
moment. Please see below.
http://www.zytrax.com/books/dns/ch7/zone.html#type

> say i have a network with a lot of external client connectivity (over
> leased line, MPLS, VPN, etc).  the clients' connections are used for
> inbound, outbound or bi-directional traffic (file transfers, web
> traffic, data exchange, etc).
>
> because of the size of my network, my already large and complex routing
> scheme for my own needs does not need to be made more complex by having
> to route my client's address space, so i devote specific networks out of
> my address space to 1-to-1 or static NAT addresses.  by doing this, i
> can push all that traffic to the vpn endpoints or routers that manage
> that connectivity, without having to route foreign networks in the
> core.  to make life easier, i want to have DNS names assigned to the NAT
> addresses, but the names are not in my authoritative name space, and may
> be internet resolvable, should a recursive search be performed.
>
> say i have mydomain.tld registered, and i have 300.555.0.0/16 assigned
> (yes, i know that does not exist).  i would devote 300.555.254.0/23 to
> these 1-to-1 NATs.  client Example Corp has dedicated connectivity to me
> and i want to access their website over that connection.  the site,
> www.example.com, is internet resolvable but i don't want to access the
> internet accessible site.  i want DNS resolution to point to my NAT, and
> take the traffic to the VPN where the NAT occurs and the traffic is
> pushed across to the client.
>
> with stub zones, i could create a zone, example.com, put a record for
> www into that zone and assign it my 1-to-1 NAT address of 300.555.254.1.
> i push my internal requests for that resource towards my vpn or client
> connection router, and perform the NAT at that device.  my routing stays
> free of foreign networks and the traffic ends up where i want it.
>
> can bind-dyndb-ldap manage stub zones?  how would one create the
> necessary ldap entries?  sub zones require some extra work, so i would
> imagine stub zones do too, if they are currently supported.

Basically you want to override/'shadow' a public DNS zone with an internal
version, right?

A stub zone is suitable if you already have some other server which hosts this
internal/'shadow' version of the zone in question. Bind-dyndb-ldap does not
support stub zones but you can use a 'forward' zone with policy 'only' to get a
similar effect.

You can create an ordinary 'master' zone with the same name if you do not have
an internal/'shadow' version of the zone on another server, and this will
override all data in the given zone and its sub-zones too. You will need to add
NS records for sub-zones if you want to override just one zone and keep
everything below it.

BTW you should share DNSSEC keys between the internal and external versions of
the zone when you enable DNSSEC signing for the zone. (Other approaches are
technically possible but make validator configuration hard/almost impossible
if you have mobile clients.)

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
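As an added example (not code from the thread, from FreeIPA or from bind-dyndb-ldap itself), here are shell functions that emit the LDIF a bind-dyndb-ldap server would need for the two alternatives Petr describes: a 'forward' zone with policy 'only', and a 'master' zone that shadows example.com with www pointed at the NAT address. The container DN cn=dns,dc=mydomain,dc=tld, the LDAP server ipa.mydomain.tld and the internal name server ns1.mydomain.tld are assumptions; the attribute and object class names are the ones from the bind-dyndb-ldap LDAP schema.

```shell
# Added example, not code from the thread or from bind-dyndb-ldap itself:
# shell functions that emit the LDIF for the two alternatives Petr gives.
DNS_BASE='cn=dns,dc=mydomain,dc=tld'   # assumed: FreeIPA's default DNS container

# Variant 1: 'forward' zone with policy 'only', for when another internal
# server already hosts the shadow copy; nothing ever goes to the public NS.
forward_only_zone_ldif() {
  zone=$1; forwarder=$2
  cat <<EOF
dn: idnsName=$zone,$DNS_BASE
objectClass: top
objectClass: idnsForwardZone
idnsName: $zone
idnsZoneActive: TRUE
idnsForwardPolicy: only
idnsForwarders: $forwarder
EOF
}

# Variant 2: ordinary 'master' zone carrying the public zone's name, with
# Brendan's www pointed at the NAT address. It shadows the whole zone and
# everything below it; to keep a sub-zone resolving from its real servers,
# add an idnsRecord entry for it with nSRecord values (Petr's NS remark).
shadow_master_zone_ldif() {
  zone=$1; ns=$2; www_ip=$3    # $ns: internal NS name, with trailing dot
  cat <<EOF
dn: idnsName=$zone,$DNS_BASE
objectClass: top
objectClass: idnsZone
idnsName: $zone
idnsZoneActive: TRUE
idnsSOAmName: $ns
idnsSOArName: hostmaster.$zone.
idnsSOAserial: 1
idnsSOArefresh: 3600
idnsSOAretry: 900
idnsSOAexpire: 1209600
idnsSOAminimum: 3600
nSRecord: $ns

dn: idnsName=www,idnsName=$zone,$DNS_BASE
objectClass: top
objectClass: idnsRecord
idnsName: www
aRecord: $www_ip
EOF
}
# Load e.g.: shadow_master_zone_ldif example.com ns1.mydomain.tld. 300.555.254.1 \
#   | ldapadd -H ldap://ipa.mydomain.tld -D 'cn=Directory Manager' -W   # assumed server
```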


[Freeipa-users] bind-dyndb-ldap and stub zones

2015-04-02 Thread Brendan Kearney
i am wondering if bind-dyndb-ldap supports stub zones.  below would be a
use case for me.

say i have a network with a lot of external client connectivity (over
leased line, MPLS, VPN, etc).  the clients' connections are used for
inbound, outbound or bi-directional traffic (file transfers, web
traffic, data exchange, etc).

because of the size of my network, my already large and complex routing
scheme for my own needs does not need to be made more complex by having
to route my client's address space, so i devote specific networks out of
my address space to 1-to-1 or static NAT addresses.  by doing this, i
can push all that traffic to the vpn endpoints or routers that manage
that connectivity, without having to route foreign networks in the
core.  to make life easier, i want to have DNS names assigned to the NAT
addresses, but the names are not in my authoritative name space, and may
be internet resolvable, should a recursive search be performed.

say i have mydomain.tld registered, and i have 300.555.0.0/16 assigned
(yes, i know that does not exist).  i would devote 300.555.254.0/23 to
these 1-to-1 NATs.  client Example Corp has dedicated connectivity to me
and i want to access their website over that connection.  the site,
www.example.com, is internet resolvable but i don't want to access the
internet accessible site.  i want DNS resolution to point to my NAT, and
take the traffic to the VPN where the NAT occurs and the traffic is
pushed across to the client.

with stub zones, i could create a zone, example.com, put a record for
www into that zone and assign it my 1-to-1 NAT address of 300.555.254.1.
i push my internal requests for that resource towards my vpn or client
connection router, and perform the NAT at that device.  my routing stays
free of foreign networks and the traffic ends up where i want it.

can bind-dyndb-ldap manage stub zones?  how would one create the
necessary ldap entries?  sub zones require some extra work, so i would
imagine stub zones do too, if they are currently supported.
