
Separate zone files for each of the sub-domain


Danie I.
Jul 21, 2001, 11:00:42 AM

Hi Kevin,
I wish to thank you very much for your very kind & descriptive
response.

I have been off for many days and got this email only last night.

I am using ns1.granitecanyon.com for my primary nameserver:
@ SOA.....
domain.com. IN NS ns1.granitecanyon.com
IN NS ns2.granitecanyon.com
IN NS ns1.secondary.com
IN NS ns2.secondary.com


1) Please advise on how to delegate out subdomains by an
example.
2) my requisite is:

subdomains1.domain.com. IN NS ns1.anotherDNS.com.
IN NS ns2.anotherDNS.com.
subdomains2.domain.com. IN NS ns1.anotherDNS.com.
IN NS ns2.anotherDNS.com.
where ns1.anotherDNS.com would be authoritative for the
subdomains.

For privacy reasons, I do not want anybody querying my
domain.com to be able to see all the names of the subdomains; that's
why I wish to have separate zone files for each of the subdomains.

Best regards & wishes

Danie.

On 11 Jul 2001, at 18:35, Kevin Darcy wrote:

>
> Danie I. wrote:
>
> > Hi there,
> > I shall appreciate for the help on following:
> >
> > At a name server,
> > can we create separate zone files for each of
> > the subdomains instead of entering in the main
> > domain's zone.
>
> Your question is unclear, but either way I parse it, the answer is
> "yes".
>
> If you want separate *zones* for those subdomains, then you can delegate
> them out and put separate "zone" definitions in named.conf for them, in
> which case obviously you can also store them in separate files. Each
> zone needs its own SOA record and a set of NS records, in addition to
> the delegations from the parent. Also, your slaves will need to know
> about the new subzones if you want the same degree of redundancy for
> them as you have for the parent zone.
>
> On the other hand, if you want to keep the subdomains in the *same*
> zone, but you just want to store each one in a separate file, then use
> $INCLUDE directives in the (main) zonefile. In this case, since
> everything stays in the same zone, you wouldn't need the extra NS and
> SOA records, and you wouldn't need additional "zone" definitions in
> named.conf on the master or the slaves.
>
> An important distinction here is between a "zone" and a "zonefile".
> Through the $INCLUDE mechanism, a single zone can be loaded from
> multiple zonefiles. Conversely, some folks load multiple zones from the
> _same_ zonefile (but let's not confuse matters). Another important
> distinction is between "zones" and "domains". Every zone is a domain (or
> subdomain), but not every domain/subdomain is a zone. It's possible to
> store many subdomains, or even many levels of subdomains, in a single
> zone. The main reasons to delegate off a subdomain into a separate zone
> are to delegate control of it to some other organization, or just to
> break up your namespace in order to reduce zone-transfer overhead. As
> explained above, it is *not* necessary to delegate a subdomain as a
> subzone, just so you can keep the data in a separate file.
>
>
> - Kevin
>
>

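Kevin's two cases side by side (a delegated subzone versus a subdomain kept in the parent zone via $INCLUDE), as an added example that is not from the thread. BIND 9 syntax; the SOA contact, serial and timer values, the 192.0.2.x addresses and the db.* file names are assumptions, and the nameserver names are the ones Danie uses.

```conf
;; db.domain.com  -- parent zone as loaded on ns1.granitecanyon.com
$TTL 43200
$ORIGIN domain.com.
@       IN SOA ns1.granitecanyon.com. hostmaster.domain.com. (
            2001072501  ; serial (constructed)
            3600        ; refresh
            900         ; retry
            604800      ; expire
            43200 )     ; negative-cache TTL
        IN NS  ns1.granitecanyon.com.
        IN NS  ns2.granitecanyon.com.
        IN A   192.0.2.1          ; constructed address

;; Case 1: subdom1 is delegated out as its OWN zone. These NS records
;; are the delegation; the child's data lives wherever the child zone
;; is served (here anotherDNS), not in this file.
subdom1 IN NS  ns1.anotherDNS.com.
subdom1 IN NS  ns2.anotherDNS.com.

;; Case 2: subdom2 stays in THIS zone but its records live in their own
;; file. No SOA, no NS, no extra zone statement in named.conf. The
;; second argument is the origin applied to names in the included file.
$INCLUDE db.subdom2.domain.com subdom2.domain.com.

;; ---- db.subdom2.domain.com  (a fragment, not a zone) ----
www     IN A   192.0.2.20         ; loads as www.subdom2.domain.com.
ftp     IN A   192.0.2.21

;; ---- db.subdom1.domain.com  (a real zone: needs its own SOA + NS) ----
$TTL 43200
$ORIGIN subdom1.domain.com.
@       IN SOA ns1.anotherDNS.com. hostmaster.anotherDNS.com. (
            2001072501 3600 900 604800 43200 )
        IN NS  ns1.anotherDNS.com.
        IN NS  ns2.anotherDNS.com.
www     IN A   192.0.2.30
```

On the server that hosts the child (ns1.anotherDNS.com here), named.conf gets `zone "subdom1.domain.com" { type master; file "db.subdom1.domain.com"; };`, while ns1.granitecanyon.com needs only `zone "domain.com" { type master; file "db.domain.com"; };`. Each slave needs a matching zone statement for every zone it is expected to serve, which is Kevin's redundancy caveat.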

Danie I.
Jul 21, 2001, 11:14:28 AM

Hi Michab,
Thank you very much for your reply, I have been away from my
office. Got your email just last night.

Do you mean that I may simply add another zone for each of the
subdomains, with no need to point to anything for the parent zone at the
same nameserver?

I am using ns1.granitecanyon.com as my primary nameserver.

I want the
subdomain1.domain.com. IN NS ns1.anotherDNS.com.
kind of thing, and want to hide the full names of the subdomains in the parent
domain.com's zone file.

Please extend help.

B.Regards
Danie


On 12 Jul 2001, at 0:33, michab wrote:

> >
> > Hi there,
> > I shall appreciate for the help on following:
> >
> > At a name server,
> > can we create separate zone files for each of
> > the subdomains instead of entering in the main
> > domain's zone.
> >
> > Thanks & Regards
> > Danie.
> >
>
> of course u can ... just handle it like a normal domain, your db-file can be
> db.myfirst.domain.com - or u can use the $INCLUDE option... to include
> that subdomain stuff...
>
> bye,
> micha
>
>
> -- michab, bind...@gmx.de on 12.07.2001

Kevin Darcy
Jul 23, 2001, 9:49:23 PM

I think you need to clarify exactly what you are trying to do here. If you
truly want a *delegation* of these subdomains, then there is really no way to
separate the exposure of the fact that a subdomain is delegated from the
ability to resolve names in the subdomain/subzone, i.e. if you want
foo.bar.domain.com to be resolvable, then there is really no way to hide the
bar.domain.com delegation. That is to say, there is no reasonable way for
your nameserver to distinguish queries that are made for the purpose of
resolving a name in a subzone from queries made solely to discover whether or
not a subzone exists.

Now, having said that, if you want to only expose the existence of these
subzones (and all of the names contained in those subzones) to
*certain* clients, and deny their existence to other clients, then we're
talking about "split DNS", where you present different versions of DNS
reality to different clients. But before I go off in gory detail about how to
implement that, I'd like to confirm that that's what you actually want.

Note: if all you want to do is prevent clients from doing a listing of your
zone, then you can restrict that via the "allow-transfer" option. But that
only stops them from doing a total listing. They can still query the
subdomains directly, and if you're delegating them and not using split DNS,
they will be able to confirm their existence.


- Kevin


Danie I. wrote:

> > Danie I. wrote:
> >
> > > Hi there,
> > > I shall appreciate for the help on following:
> > >
> > > At a name server,
> > > can we create separate zone files for each of
> > > the subdomains instead of entering in the main
> > > domain's zone.
> >

Danie I.
Jul 25, 2001, 5:18:59 AM

Kevin,
Thank you very much for your kind reply. I describe my position in
detail as follows:

at NIC, I have entered:

Primary NS name: 205.166.226.38
Primary NS IP: 205.166.226.38
Secondary NS name: 64.63.77.90
Secondary NS IP: 64.63.77.90
Secondary NS name: ns1.secondary.com
Secondary NS IP: 128.177.209.26
Secondary NS name: ns2.secondary.com
Secondary NS IP: 216.200.151.6

Pls note: I have used direct IP addresses, as names, for the first 2
nameservers of ns1.granitecanyon.com & ns2.granitecanyon.com
at our NIC's form submission. (Also secondary.com have supplied
us 3 IPs 128.177.209.26 , 128.177.209.154 & 216.200.151.6
whereas we supplied 2 IPs to the NIC)

My Zone file at ns1.granitecanyon.com reads as follows:

domain.com. 43200 IN SOA ns1.granitecanyon.com.
danie62k01.yahoo.com. (1932......................43200)
domain.com. IN NS ns1.granitecanyon.com.
IN NS ns2.granitecanyon.com.
IN NS ns1.secondary.com.
IN NS ns2.secondary.com.
IN A 195.224.98.180
in MX 10 siteurl.evryone.net. ; EXTREF
pub-email.domain.com. IN MX 10 siteurl.everyone.net. ; EXTREF
subdom1.domain.com. IN NS ns1.anotherDNS.com. ; EXTREF
IN NS ns2.anotherDNS.com. ; EXTREF
subdom2.domain.com. IN NS ns1.anotherDNS.com. ; EXTREF
IN NS ns2.anotherDNS.com. ; EXTREF
subdom3.domain.com. IN NS ns1.anotherDNS.com. ; EXTREF
IN NS ns2.anotherDNS.com. ; EXTREF

-----------
Please now note: here I have entered ns1.granitecanyon.com &
ns2.granitecanyon.com
-----------

I WANT TO:
1) HIDE the list of all my subdomains. So anyone querying my
domain.com should not get a list of my subdomains.
2) Maximum security wise, I can do.
3) A future tip for a dynamicDNS type thing or any other way.

Thank you very much once again, and with best regards
Danie.


Brad Knowles
Jul 25, 2001, 6:23:21 AM

At 2:04 PM -0700 7/25/01, Danie I. wrote:

> I WANT TO:
> 1) HIDE the list of all my subdomains. So anyone querying my
> domain.com should not get a list of my subdomains.

For this, you are dependent on the operators of the nameservers
you are using. If the folks at GraniteCanyon or Nominum have
configured their machines to disallow zone transfers except from
certain IP addresses, you are fine. Otherwise, you are screwed.

> 2) Maximum security wise, I can do.

List as little information in the DNS as you can,
and then use TSIG and DNSSEC to cryptographically sign the
information that you have out there.

> 3) A future tip for a dynamicDNS type thing or any other way.

I'm not quite sure what you mean here. Could you elaborate?

--
Brad Knowles, <brad.k...@skynet.be>

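Kevin's two points (allow-transfer only stops a full listing; hiding a delegation from some clients means split DNS) and Brad's TSIG advice, folded into one added named.conf example that is not from the thread. The key secret is a placeholder, the 10.0.0.0/8 "inside" range and the db.* file names are assumptions, and the external view's copy of domain.com deliberately carries no subdom* NS records, which is exactly why outside clients can neither list nor resolve those subdomains.

```conf
// named.conf (BIND 9). Generate a real secret with tsig-keygen;
// the value below is a placeholder, not a usable key.
key "slave-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

options {
    // Deny AXFR everywhere by default; grant it per zone below.
    allow-transfer { none; };
};

// Constructed internal range; the split is decided by source address.
acl "inside" { 10.0.0.0/8; 127.0.0.1; };

// Internal clients get the version of domain.com that carries the
// subdom1/subdom2/subdom3 delegations, so they can follow them.
view "internal" {
    match-clients { "inside"; };
    recursion no;                       // authoritative-only
    zone "domain.com" {
        type master;
        file "db.domain.com.internal";  // has the subdom* NS records
        // Only a secondary that signs with the shared key may list
        // the zone; an unsigned AXFR from any address is refused.
        allow-transfer { key "slave-xfer"; };
    };
};

// Everyone else sees a parent zone that never mentions the subdomains:
// a query for subdom1.domain.com gets NXDOMAIN instead of a referral,
// and a zone transfer (if they could get one) would show nothing either.
view "external" {
    match-clients { any; };
    recursion no;
    zone "domain.com" {
        type master;
        file "db.domain.com.external";  // no subdom* delegations at all
        allow-transfer { key "slave-xfer"; };
    };
};
```

The secondaries must carry the same two views and the same key, and sign their transfer requests with it (`server <master-ip> { keys { "slave-xfer"; }; };` on each slave), otherwise they too are refused.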

