Maintained by: NLnet Labs

[Unbound-users] forward zone vs stub

Kapetanakis Giannis
Tue Oct 23 15:44:12 CEST 2012


On 23/10/12 15:56, Johan Ihrén wrote:
>
> However, you never answered my question: Which zone file is it that contains "external authoritative DNS servers as well"?
>
> Regards,
>
> Johan
>> The authoritative server keeps two files for most of the zones.
>> On each view they load different file with different entries (zone.pub, zone.priv)
> You didn't answer the question of which matching rules you're using for your views. So, not trying to be overly picky here, but when someone tries to help you and to be able to do that asks specific questions about your setup then you really should try to answer those questions, because otherwise... I cannot help.

I'm not trying to be picky at all. I've tried to answer your question 
"Which zone file is it that contains..."
that's why I've told you about the zone files.
> So my guess here is that you're matching on the src address. Don't Do That(tm). If you have to use views (you don't) then match on destination, i.e. regard your servers as multiple distinct nameservers with individual addresses collapsed into a single box. Then it becomes quite obvious that you should use distinct IP addresses for the nameserver for the internal view and the nameserver for the external view.

Correct, I'm matching according to source address of clients. I've never 
thought of using distinct IPs on the DNS server to serve different zones 
since I had the views feature. Also I'm not quite sure if a single 
instance of BIND can do that but that's not a problem of this list.

>> The external authoritative NS records are on both files. You're suggesting I should alter .priv zones to list only
>> internal DNS servers?
> No, I'm suggesting that you should alter the internal zone to only list servers that are authoritative for the internal zone. The internal and external versions of the zone are distinct, but they must each be internally consistent otherwise you'll break DNS coherency.

So if internal NS servers are the only authoritative for the internal 
zone, then only the internal NS should be listed correct? Doesn't this 
break DNS coherency as you say? I've lost you on this.

>> That is a thought but I should think of the implications it might have on secondary authoritative servers...
> As long as you don't go down the rabbit hole of trying to use the same nameserver address for multiple views, with multiple roles, you'll be fine. If you're using the same address, and do src address matching on the queries, and intend to keep it that way... then I'll have to leave you to your current and upcoming pain.
>
> Regards,
>
> Johan

I still don't get the advantages of using different IPs on the 
authoritative NS server instead of src matching.
So far it has served well. If you could point to some documentation 
with a complete setup and its advantages I would be happy to read it and 
see the whole picture.

Giannis
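As an added illustration of the two setups discussed in this thread (this is example configuration written for this page, not anything Giannis or Johan posted): a single BIND 9 instance can do what Johan describes by listening on two addresses and selecting the view with `match-destinations` instead of `match-clients`. The addresses 192.0.2.53 / 198.51.100.53 and their secondaries, the zone name example.com, the ACL names, and the file names zone.priv / zone.pub are all assumptions made for the example.

```conf
// Added example configuration, not from the thread. Assumed addresses:
// 192.0.2.53 (internal face) and 198.51.100.53 (external face); assumed
// zone example.com; zone.priv and zone.pub stand in for the two per-view
// zone files mentioned in the thread.

// The setup being warned against: one address, view chosen by the
// *source* address of the query. Every NS name in both zone versions then
// resolves to the same address, and any query that arrives from the
// "wrong" side (a forwarder, a secondary sitting on the other network)
// silently gets the other version of the zone.
//
// view "internal" {
//     match-clients { 10.0.0.0/8; 192.168.0.0/16; };
//     zone "example.com" { type master; file "zone.priv"; };
// };
// view "external" {
//     match-clients { any; };
//     zone "example.com" { type master; file "zone.pub"; };
// };

// The alternative: one address per role, view chosen by the *destination*
// address the query arrived on. Each view is then a distinct nameserver
// that happens to share a box with the other one.
options {
    directory "/var/named";
    listen-on { 192.0.2.53; 198.51.100.53; };
    recursion no;   // authoritative only; resolvers live elsewhere
};

acl internal_nets        { 10.0.0.0/8; 192.168.0.0/16; };
acl internal_secondaries { 192.0.2.54; };
acl external_secondaries { 198.51.100.54; };

// ns-int.example.com == 192.0.2.53. zone.priv lists as NS only the servers
// that serve this version (ns-int and its secondaries), so the internal
// version is consistent with itself and never points at the public servers.
view "internal" {
    match-destinations { 192.0.2.53; };
    match-clients { internal_nets; internal_secondaries; };  // optional extra fence
    allow-transfer { internal_secondaries; };
    zone "example.com" {
        type master;
        file "zone.priv";
        also-notify { 192.0.2.54; };
    };
};

// ns.example.com == 198.51.100.53. zone.pub lists as NS only the servers
// that serve the public version.
view "external" {
    match-destinations { 198.51.100.53; };
    match-clients { any; };
    allow-transfer { external_secondaries; };
    zone "example.com" {
        type master;
        file "zone.pub";
        also-notify { 198.51.100.54; };
    };
};
```

With this layout a secondary or resolver that asks 198.51.100.53 always gets the public version no matter which network it sits on, and one that asks 192.0.2.53 always gets the internal one; the internal address is then simply not reachable from outside (a firewall matter, not a BIND one). `named-checkconf` validates the file, and `dig @192.0.2.53 example.com NS` versus `dig @198.51.100.53 example.com NS` from the same host shows the two NS sets that the zone files are expected to keep distinct.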