On 3.4.2015 02:10, Brendan Kearney wrote:
> i am wondering if bind-dyndb-ldap supports stub zones.  below would be a
> use case for me.

TL;DR:
No. bind-dyndb-ldap supports only 'master' and 'forward' zones at the
moment. Please see below.
http://www.zytrax.com/books/dns/ch7/zone.html#type

> say i have a network with a lot of external client connectivity (over
> leased line, MPLS, VPN, etc).  the clients' connections are used for
> inbound, outbound or bi-directional traffic (file transfers, web
> traffic, data exchange, etc).
> 
> because of the size of my network, my already large and complex routing
> scheme for my own needs does not need to be made more complex by having
> to route my client's address space, so i devote specific networks out of
> my address space to 1-to-1 or static NAT addresses.  by doing this, i
> can push all that traffic to the vpn endpoints or routers that manage
> that connectivity, without having to route "foreign" networks in the
> core.  to make life easier, i want to have DNS names assigned to the NAT
> addresses, but the names are not in my authoritative name space, and may
> be internet resolvable, should a recursive search be performed.
> 
> say i have mydomain.tld registered, and i have 300.555.0.0/16 assigned
> (yes, i know that does not exist).  i would devote 300.555.254.0/23 to
> these 1-to-1 NATs.  client Example Corp has dedicated connectivity to me
> and i want to access their website over that connection.  the site,
> www.example.com, is internet resolvable but i don't want to access the
> internet accessible site.  i want DNS resolution to point to my NAT, and
> take the traffic to the VPN where the NAT occurs and the traffic is
> pushed across to the client.
>
> with stub zones, i could create a zone, example.com, put a record for
> www into that zone and assign it my 1-to-1 NAT address of 300.555.254.1.
> i push my internal requests for that resource towards my vpn or client
> connection router, and perform the NAT at that device.  my routing stays
> free of "foreign" networks and the traffic ends up where i want it.
> 
> can bind-dyndb-ldap manage stub zones?  how would one create the
> necessary ldap entries?  sub zones require some extra work, so i would
> imagine stub zones do too, if they are currently supported.

Basically you want to override/'shadow' a public DNS zone with an internal
version, right?

A stub zone is suitable if you already have some other server which hosts this
internal/'shadow' version of the zone in question. Bind-dyndb-ldap does not
support stub zones but you can use 'forward' zone with policy 'only' to get
similar effect.

You can create ordinary 'master' zone with the same name if you do not have an
internal/'shadow' version of the zone on another server and this will override
all data in given zone and sub-zones too. You will need to add NS records for
sub-zones if you want to override just one zone and keep everything below it.

BTW you should share DNSSEC keys between internal and external version of the
zone when you enable DNSSEC signing for the zone. (Other approaches are
technically possible but make validator configuration hard/almost impossible
if you have mobile clients.)

-- 
Petr^2 Spacek
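As an added illustration (not part of the thread and not bind-dyndb-ldap's own documentation), the two alternatives from the reply expressed as LDAP entries. The object classes and attribute names are assumed from the bind-dyndb-ldap schema as I know it, the container cn=dns,dc=mydomain,dc=tld follows the FreeIPA layout, and the forwarder and NAT addresses are constructed stand-ins (RFC 5737 range) for the 300.555.x.x placeholders in the question. Both zone entries share one DN, so only one of them is loaded.

```ldif
# Option 1: 'forward' zone with policy 'only'. Every query for example.com
# (and names below it) is sent to the internal server that hosts the shadow
# copy; with 'only' there is no fallback to normal recursion.
dn: idnsname=example.com.,cn=dns,dc=mydomain,dc=tld
objectClass: top
objectClass: idnsForwardZone
idnsName: example.com.
idnsZoneActive: TRUE
idnsForwardPolicy: only
idnsForwarders: 192.0.2.53

# Option 2: ordinary 'master' zone of the same name, for the case where no
# other server holds the shadow copy. This overrides ALL of example.com and
# everything below it. Apex records (SOA fields, NS) live on the zone entry.
dn: idnsname=example.com.,cn=dns,dc=mydomain,dc=tld
objectClass: top
objectClass: idnsZone
idnsName: example.com.
idnsZoneActive: TRUE
idnsSOAmName: ns1.mydomain.tld.
idnsSOArName: hostmaster.mydomain.tld.
idnsSOAserial: 2015040301
idnsSOArefresh: 3600
idnsSOAretry: 900
idnsSOAexpire: 1209600
idnsSOAminimum: 3600
nSRecord: ns1.mydomain.tld.

# www points at the 1-to-1 NAT address (stand-in for 300.555.254.1).
dn: idnsname=www,idnsname=example.com.,cn=dns,dc=mydomain,dc=tld
objectClass: top
objectClass: idnsRecord
idnsName: www
aRecord: 192.0.2.1

# To override only example.com itself and keep a sub-zone reachable, add NS
# records delegating it back to the servers really authoritative for it
# (constructed name; a name server outside the delegated zone needs no glue).
dn: idnsname=sub,idnsname=example.com.,cn=dns,dc=mydomain,dc=tld
objectClass: top
objectClass: idnsRecord
idnsName: sub
nSRecord: ns.example.net.
```

Resolvers inside the network must be pointed at the bind-dyndb-ldap server for the shadow zone to take effect; a client that bypasses it will still get the public answer.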

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
