
Do You Need "named.ca" For Intranet DNS ?


Nick Boyce

Jul 6, 1997, 3:00:00 AM

[Um, I'm administering DEC-brand BIND; I believe in "Cricket Liu"
terminology "named.ca" (the DEC name) == "db.cache"]

I've been trying to figure out the niceties of setting up a
multi-domain DNS service when the network concerned is *not* connected
to the Internet - I think I can describe this as "intranet DNS". We've
been happily running DNS in our single-domain organisation for a
couple of years now, with a single pair of primary/secondary DNS
servers, although I could never decide whether we actually needed the
Internet root servers defined in named.ca.

I have the excellent Nutshell Book, "DNS & Bind", 1st edition revised
up to 1994, by Paul Albitz & Cricket, (hi guys - good book), but it
doesn't give any advice about what you do if there *aren't* any root
servers in your network. In the end I set up a named.ca with the
standard Internet root servers defined.

At the moment, if one of my users mistakenly tries to connect to
somewhere that's not in "ourdomain.com" (or makes a typo) then I want
the DNS lookup to fail immediately. As things stand these queries have
to timeout before the lookup fails.

Should I have an empty named.ca in this case?

We've now recently been taken over by a geographically distant larger
organisation with their own multidomain intranet, and I need to
integrate "us" with "them". It seems to me that this comes down to two
changes:
a) I need to forward DNS queries for machines in their domain to
their DNS servers.
b) I need to get them to delegate authority for our domain to
our DNS servers.

We're changing our domain name from "ourdomain.com" to
"our-bit.theirdomain.com".

Assuming that "they" are *not* connected to the Internet, should I set
up a named.ca which just contains an entry for "their" DNS servers as
root servers? It seems to me that if I keep the real Internet root
servers in named.ca then our hosts will never find the "theirdomain"
servers when making out-of-domain queries.

Or should I add records like

theirdomain          IN NS ns1.theirdomain.com.
                     IN NS ns2.theirdomain.com.
ns1.theirdomain.com  IN A  123.123.123.123
ns2.theirdomain.com  IN A  124.124.124.124

to our "db.our-bit.theirdomain" file ?

I keep thinking this must be a frequent question, but I never saw it
asked on the Bind mailing list when I was subscribed. If there's a FAQ
for this group please point me at it.

Thanks in advance for any light anyone can shed.

Nick Boyce
Bristol, UK
--
If there's ever a nuclear holocaust, the only | PGP key available
survivors will be cockroaches and spammers. | on request.

Cricket Liu

Jul 6, 1997, 3:00:00 AM

On Sun, 06 Jul 1997 03:05:17 GMT, ni...@swrcc.demon.co.uk (Nick Boyce)
wrote:

>[Um, I'm administering DEC-brand BIND; I believe in "Cricket Liu"
>terminology "named.ca" (the DEC name) == "db.cache"]

I can't take any credit for the terminology. Paul Albitz, who wrote
hosts_to_named (and most of h2n) uses that for the name of the cache
file in both scripts. We tried to attribute the naming convention to
someone a month or so ago, and Kevin Dunlap wouldn't take the blame,
so I guess it's Paul's.

On the other hand, I usually refer to it as "db.cache," so you can
call it "Cricket Liu terminology" if you like.

>I've been trying to figure out the niceties of setting up a
>multi-domain DNS service when the network concerned is *not* connected
>to the Internet - I think I can describe this as "intranet DNS". We've
>been happily running DNS in our single-domain organisation for a
>couple of years now, with a single pair of primary/secondary DNS
>servers, although I could never decide whether we actually needed the
>Internet root servers defined in named.ca.

If you have no Internet connectivity, and your two name servers are
the only ones in your world and are equivalent in terms of what
they're authoritative for, there's no reason to configure root name
servers, except possibly to shut named up (keep it from complaining
about having "No root name servers for class 1").

>I have the excellent Nutshell Book, "DNS & Bind", 1st edition revised
>up to 1994, by Paul Albitz & Cricket, (hi guys - good book), but it
>doesn't give any advice about what you do if there *aren't* any root
>servers in your network. In the end I set up a named.ca with the
>standard Internet root servers defined.
>
>At the moment, if one of my users mistakenly tries to connect to
>somewhere that's not in "ourdomain.com" (or makes a typo) then I want
>the DNS lookup to fail immediately. As things stand these queries have
>to timeout before the lookup fails.

It sounds like there's a default route in your world that causes
queries to the real root to get carried somewhere, rather than having
the UDP send fail immediately with "No route to host."

>Should I have an empty named.ca in this case?

That should work fine. Any query that can't be answered locally
should fail quickly.

>We've now recently been taken over by a geographically distant larger
>organisation with their own multidomain intranet, and I need to
>integrate "us" with "them". It seems to me that this comes down to two
>changes:
> a) I need to forward DNS queries for machines in their domain to
> their DNS servers.

Remember that forwarders don't work intelligently; that is, you just
forward to a "smarter" name server. You can't configure BIND to
forward some queries to this name server, and some to that name
server.

That means that forwarders will only let you configure your name
server to forward unresolvable queries to one name server on your new
parent company's network. (You can actually list more than one
forwarder in the forwarders directive, but that's for failover.)

> b) I need to get them to delegate authority for our domain to
> our DNS servers.
>
>We're changing our domain name from "ourdomain.com" to
>"our-bit.theirdomain.com".

Right. You'll need the administrators of theirdomain.com to add NS
records delegating our-bit.theirdomain.com to your name servers.

How you resolve other names under theirdomain.com depends on their
internal DNS infrastructure. If they use forwarders extensively, you
may just point your name servers at their forwarders. If they use
internal roots, you may configure your name server to use their
internal roots.

>Assuming that "they" are *not* connected to the Internet, should I set
>up a named.ca which just contains an entry for "their" DNS servers as
>root servers? It seems to me that if I keep the real Internet root
>servers in named.ca then our hosts will never find the "theirdomain"
>servers when making out-of-domain queries.

Depends on their setup. You don't want to blithely add their name
servers to your cache file if they're not in fact configured to run as
roots.

>Or should I add records like
>
> theirdomain          IN NS ns1.theirdomain.com.
>                      IN NS ns2.theirdomain.com.
> ns1.theirdomain.com  IN A  123.123.123.123
> ns2.theirdomain.com  IN A  124.124.124.124
>
>to our "db.our-bit.theirdomain" file ?

Newer versions of BIND would ignore those records, since they're
outside of your zone.

cricket

Acme Byte & Wire | http://www.acmebw.com/
cri...@acmebw.com | (303) 449-0484
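The records Nick proposes, checked the way Cricket describes a newer BIND treating them: an added example (Python, not from the thread or from BIND) that applies master-file name rules to a constructed zone for our-bit.theirdomain.com and marks each record as in-zone, delegation, glue, or out-of-zone. The lab subzone, the addresses and the server names are made up.

```python
# Added example, not from the thread: a lint for BIND master files that applies
# relative-name rules ('@' = origin, no trailing dot = relative, leading
# whitespace = previous owner) and flags records outside the zone origin.

def qualify(name, origin):
    """Fully qualified, lower-case form of a master-file name."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)

def parse(zone_text, origin):
    """Yield (owner, type, rdata) with owner names qualified against origin."""
    owner = origin
    for raw in zone_text.splitlines():
        line = raw.split(";")[0].rstrip()           # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if not raw[0].isspace():                    # explicit owner field
            owner = qualify(fields.pop(0), origin)
        while fields[0].isdigit() or fields[0].upper() == "IN":
            fields.pop(0)                           # optional TTL / class
        yield owner, fields[0].upper(), " ".join(fields[1:])

def classify(zone_text, origin):
    """[(owner, type, verdict)]: in-zone, delegation, glue or out-of-zone."""
    origin = origin.lower().rstrip(".") + "."
    records = list(parse(zone_text, origin))
    cuts = {o for o, t, _ in records                # NS below the apex = zone cut
            if t == "NS" and o != origin and in_zone(o, origin)}
    def verdict(owner, rtype):
        if not in_zone(owner, origin):
            return "out-of-zone (ignored)"
        if rtype == "NS" and owner in cuts:
            return "delegation"
        if rtype == "A" and any(in_zone(owner, c) for c in cuts):
            return "glue"                           # address for a delegated server
        return "in-zone"
    return [(o, t, verdict(o, t)) for o, t, _ in records]

# Constructed sample: our zone plus the parent's records with absolute names.
SAMPLE = """@                    IN NS  ns.our-bit.theirdomain.com.
lab                  IN NS  ns.lab.our-bit.theirdomain.com.
ns.lab               IN A   10.1.2.1
theirdomain.com.     IN NS  ns1.theirdomain.com.
                     IN NS  ns2.theirdomain.com.
ns1.theirdomain.com. IN A   123.123.123.123"""
```

A name written without a trailing dot, such as Nick's "theirdomain", is read relative to the origin and so lands inside the zone as theirdomain.our-bit.theirdomain.com, which is not what he intends either.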

Ulrich Windl

Jul 7, 1997, 3:00:00 AM

In article <33bf0b3a...@news.demon.co.uk> ni...@swrcc.demon.co.uk (Nick Boyce) writes:

> I've been trying to figure out the niceties of setting up a
> multi-domain DNS service when the network concerned is *not* connected
> to the Internet - I think I can describe this as "intranet DNS". We've
> been happily running DNS in our single-domain organisation for a
> couple of years now, with a single pair of primary/secondary DNS
> servers, although I could never decide whether we actually needed the
> Internet root servers defined in named.ca.

If you can't reach them, you don't need them.

>
> I have the excellent Nutshell Book, "DNS & Bind", 1st edition revised
> up to 1994, by Paul Albitz & Cricket, (hi guys - good book), but it
> doesn't give any advice about what you do if there *aren't* any root
> servers in your network. In the end I set up a named.ca with the
> standard Internet root servers defined.
>
> At the moment, if one of my users mistakenly tries to connect to
> somewhere that's not in "ourdomain.com" (or makes a typo) then I want
> the DNS lookup to fail immediately. As things stand these queries have
> to timeout before the lookup fails.

Right, because you must have some root server inside your domain. Put
these servers in your db.root or whatever it is called.

>
> Should I have an empty named.ca in this case?

No

>
> We've now recently been taken over by a geographically distant larger
> organisation with their own multidomain intranet, and I need to
> integrate "us" with "them". It seems to me that this comes down to two
> changes:
> a) I need to forward DNS queries for machines in their domain to
> their DNS servers.

> b) I need to get them to delegate authority for our domain to
> our DNS servers.
>
> We're changing our domain name from "ourdomain.com" to
> "our-bit.theirdomain.com".
>

> Assuming that "they" are *not* connected to the Internet, should I set
> up a named.ca which just contains an entry for "their" DNS servers as
> root servers? It seems to me that if I keep the real Internet root
> servers in named.ca then our hosts will never find the "theirdomain"
> servers when making out-of-domain queries.

Your root servers must delegate the subdomains properly.

>
> Or should I add records like
>
> theirdomain          IN NS ns1.theirdomain.com.
>                      IN NS ns2.theirdomain.com.
> ns1.theirdomain.com  IN A  123.123.123.123
> ns2.theirdomain.com  IN A  124.124.124.124
>
> to our "db.our-bit.theirdomain" file ?
>

> I keep thinking this must be a frequent question, but I never saw it
> asked on the Bind mailing list when I was subscribed. If there's a FAQ
> for this group please point me at it.
>
> Thanks in advance for any light anyone can shed.

Ulrich

Martin Bligh

Jul 10, 1997, 3:00:00 AM

> I have the excellent Nutshell Book, "DNS & Bind", 1st edition revised
> up to 1994, by Paul Albitz & Cricket, (hi guys - good book), but it
> doesn't give any advice about what you do if there *aren't* any root
> servers in your network. In the end I set up a named.ca with the
> standard Internet root servers defined.

Page 321, "Internal Roots" (in my edition, anyway).

Martin.

