On 23/10/12 15:56, Johan Ihrén wrote:
However, you never answered my question: Which zone file is it that contains
"external authoritative DNS servers as well"?
Regards,
Johan
The authoritative server keeps two files for most of the zones.
In each view it loads a different file with different entries (zone.pub,
zone.priv).
You didn't answer the question of which matching rules you're using for your
views. So, not trying to be overly picky here, but when someone tries to help
you and to be able to do that asks specific questions about your setup then you
really should try to answer those questions, because otherwise... I cannot help.
I'm not trying to be picky at all. I've tried to answer your question
"Which zone file is it that contains...";
that's why I've told you about the zone files.
So my guess here is that you're matching on the src address. Don't Do That(tm).
If you have to use views (you don't) then match on destination, i.e. regard
your servers as multiple distinct nameservers with individual addresses
collapsed into a single box. Then it becomes quite obvious that you should use
distinct IP addresses for the nameserver for the internal view and the
nameserver for the external view.
Correct, I'm matching according to the source address of clients. I've never
thought of using distinct IPs on the DNS server to serve different zones
since I had the views feature. Also I'm not quite sure if a single
instance of BIND can do that, but that's not a problem for this list.
The external authoritative NS records are in both files. You're suggesting I
should alter the .priv zones to list only internal DNS servers?
No, I'm suggesting that you should alter the internal zone to only list servers
that are authoritative for the internal zone. The internal and external
versions of the zone are distinct, but they must each be internally consistent,
otherwise you'll break DNS coherency.
So if the internal NS servers are the only ones authoritative for the internal
zone, then only the internal NS should be listed, correct? Doesn't this
break DNS coherency as you say? I've lost you on this.
That is a thought, but I should think of the implications it might have on
secondary authoritative servers...
As long as you don't go down the rabbit hole of trying to use the same
nameserver address for multiple views, with multiple roles, you'll be fine. If
you're using the same address, and do src address matching on the queries, and
intend to keep it that way... then I'll have to leave you to your current and
upcoming pain.
Regards,
Johan
I still don't get the advantages of using different IPs on the
authoritative NS server instead of src matching.
So far it has served us well. If you could point to some documentation
with a complete setup and its advantages I would be happy to read it and see the
whole picture.
Giannis
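The two layouts discussed in this thread, written out as an added example in BIND named.conf syntax (this is not from the thread or from either author): Layout A is the single-address, source-matched setup Johan warns against; Layout B is the destination-matched setup with one address per role. The two layouts are alternative fragments, not one file, and the addresses, ACL name, zone name and host names are assumed.

```conf
// --- Layout A: single address, view chosen by the client's SOURCE address ---
// (the arrangement the thread warns against; constructed example)
acl internal { 10.0.0.0/8; 127.0.0.1; };

view "internal" {
    match-clients { internal; };             // who is asking decides the view
    zone "example.com" { type master; file "zone.priv"; };
};
view "external" {
    match-clients { any; };
    zone "example.com" { type master; file "zone.pub"; };
};

// --- Layout B: one address per role, view chosen by DESTINATION address ---
// 192.0.2.53 is "the internal nameserver", 192.0.2.54 "the external one";
// both live on the same box, but each address answers only for its own view.
options {
    listen-on { 192.0.2.53; 192.0.2.54; };
};
view "internal" {
    match-destinations { 192.0.2.53; };
    match-clients { internal; };             // extra guard on the internal role (assumed policy)
    zone "example.com" { type master; file "zone.priv"; };
};
view "external" {
    match-destinations { 192.0.2.54; };
    zone "example.com" { type master; file "zone.pub"; };
};

// Zone contents for Layout B (constructed). Each version of the zone lists
// only the nameservers that are authoritative for THAT version, so a resolver
// that follows either version's NS records is always sent to an address that
// serves the same version. Listing the external NS in zone.priv as well would
// point internal resolvers at a server that answers with the public data.
//
// zone.priv                               zone.pub
//   example.com.  NS  ns-int.example.com.    example.com.  NS  ns-ext.example.com.
//   ns-int        A   192.0.2.53             ns-ext        A   192.0.2.54
```

With Layout B, `dig @192.0.2.53 example.com NS` and `dig @192.0.2.54 example.com NS` return different, each internally consistent, answers regardless of the querying client's source address.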
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users