In article , Steven Job wrote:

> Quoting Barry Margolin :
>
> > Configure your server as authoritative for the root zone, and put a
> > wildcard A record in the zone that resolves to your IP.

>
> Here is sort of a followup to this which I have tried many different ways
> unsuccessfully. I want to resolve this local IP for all domains / zones
> that our systems are not authoritative for. (Easy enough, already covered
> by making the wildcard and as you said answered almost every week).


If you follow my suggestion, your server will consider itself
authoritative for the entire DNS hierarchy. It should never recurse at
all, unless your root zone contains delegation records; in that case,
the wildcard record will not be used for anything in those delegated
subdomains.

> The problem is that then this local IP is also returned in the glue records
> for all other domain responses. Meaning if someone had an MX record going to
> "smtp1.mail.yahoo.com" (and you were not authoritative for yahoo.com) then it
> would also return the local IP for the Yahoo mail server in the glue record.


Glue records are the A records for nameservers that host the domain that
they're in. They have nothing to do with MX records. I think you're
referring to the Additional Records that are often included with MX
records; these are not called glue records.

> Is there any way to create this wildcard root zone but at the same time not
> have any of its data be set as part of the glue records?


Don't think so. If a server knows the address of a hostname mentioned
in an MX or NS record, it's supposed to include it in the Additional
Records section of the reply.

Anyway, even if it didn't return this in the Additional Records, you'd
still have this problem. Your client would query for the MX record of
yahoo.com, and it returns smtp1.mail.yahoo.com. Then your client
queries for the A record of smtp1.mail.yahoo.com, and you'll return your
own IP, just like you configured.

The situation you describe *would* be a problem if your server were the
authoritative server for some domains. Don't do that. This special
configuration should be done *only* on resolvers, not authoritative
servers. If you only have one server, you can use the "views" mechanism
to configure it as authoritative for the root zone only for your local
clients.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
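The configuration Barry describes, written out as an added example that is not part of the original thread and not Barry's or Steven's own config: one BIND 9 server whose "internal" view is authoritative for "." with a wildcard A record (so local clients get the sinkhole address for every name the server does not really hold, and the server never recurses in that view), while the "external" view serves only the real zones, so the wildcard never reaches outside clients. The shell function name, the 192.0.2.x addresses, the ACL ranges, the file names and "example.com" are all assumptions for illustration.

```shell
#!/bin/sh
# write_sinkhole_config DIR
# Writes a named.conf plus a root zone file into DIR, then validates them
# with named-checkconf / named-checkzone if those tools are installed.
# Every address, ACL range, zone name and file name below is an assumption.
write_sinkhole_config() {
    dir=$1
    mkdir -p "$dir" || return 1

    # Root zone for the internal view. The nameserver name is a single label
    # ("sinkhole.") on purpose: a name like ns.local. would create the empty
    # non-terminal "local." and anything beneath it would then miss the "*."
    # wildcard and get NXDOMAIN instead of the sinkhole address.
    cat > "$dir/db.root-sinkhole" <<'EOF'
$ORIGIN .
$TTL 300
@           IN  SOA  sinkhole. hostmaster.sinkhole. ( 1 3600 900 604800 300 )
@           IN  NS   sinkhole.
sinkhole.   IN  A    192.0.2.53
*.          IN  A    192.0.2.10
EOF

    # named.conf: the wildcard root zone exists only in the view that local
    # clients match; everyone else sees the real zones and nothing more.
    cat > "$dir/named.conf" <<EOF
options {
    directory "$dir";
    listen-on { any; };
};

acl "local-clients" { 127.0.0.0/8; 10.0.0.0/8; 192.168.0.0/16; };

view "internal" {
    match-clients { "local-clients"; };
    // Authoritative for the whole hierarchy, so never recurse and never
    // fall back to root hints.
    recursion no;
    zone "." {
        type master;
        file "db.root-sinkhole";
    };
    // Zones this server really is authoritative for still answer normally:
    // BIND serves from the most specific zone it holds, so the wildcard in
    // "." is never consulted for names under example.com.
    zone "example.com" {
        type master;
        file "db.example.com";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    // Only the real zones here; no root zone, no wildcard.
    zone "example.com" {
        type master;
        file "db.example.com";
    };
};
EOF

    # Validation is skipped (not failed) on machines without the BIND tools.
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf" || return 1
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q . "$dir/db.root-sinkhole" || return 1
    fi
    return 0
}

# Usage: write_sinkhole_config /tmp/bind-sinkhole
```

Note what this does and does not change about the behaviour Barry points out: inside the internal view, a query for the MX of yahoo.com is answered from the wildcard like any other name, and a follow-up A query for the MX target gets 192.0.2.10 as well, so the Additional Records section is not the real issue. Keeping the wildcard root zone out of the external view is what keeps the server's genuine authoritative answers clean.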