Andrey G. Sergeev (AKA Andris) wrote:
> Hello,
>
>
> I'm trying to avoid one annoying side effect from the forwarding queries
> for some private TLDs to their authoritative servers. Here is the
> disposition.
>
> 1. There is a private TLD "private-tld." served by 192.168.28.1 and
> 192.168.28.2;
>
> 2. The 192.168.28.1 and 192.168.28.2 servers are authoritative for both
> the "legitimate-zone.private-tld." *and* the "private-tld." zone.
>
> 3. I want to be able to resolve hostnames in
> "legitimate-zone.private-tld." but I have no direct DNS access to and
> even any network connectivity with the 192.168.28.1 and 192.168.28.2
> boxes. However there is a local DNS server available which *has* an
> ability to communicate with these private hosts. I configure my local
> server like this:
>
> --- named.conf on the forwarding box ---
> zone "legitimate-zone.private-tld" IN {
>     type forward;
>     forward only;
>     forwarders {
>         192.168.28.1;
>         192.168.28.2;
>     };
> };
> --- named.conf on the forwarding box ---
>
> Using this the forwarding server will get and store in its cache the
> authority RRs for the "private-tld." just after the first attempt to
> resolve names such as "ftp.legitimate-zone.private-tld.". Within the TTL
> timeframe any subsequent queries for the *nonexistent* names like
> "hostname.nonexistent-zone.private-tld." will also be directed to the
> 192.168.28.1 and 192.168.28.2. This can be annoying and even undesirable.
>
> Is there a way to set up the forwarding server to ignore the authority
> RRs beyond the forwarding scope?
>

Set up a fake master zone for "private-tld", containing nothing but the
apex info (SOA, NS) and a delegation for legitimate-zone.private-tld. As
counter-intuitive as it may be, you actually *need* that delegation
underneath private-tld, otherwise the selective forwarding for
legitimate-zone.private-tld won't work. It doesn't really matter what
the delegation records point to, it just needs to be there.

Everything in legitimate-zone.private-tld will be forwarded selectively,
as it is now; everything else under private-tld will be considered
directly answerable -- without forwarding -- from the private-tld
authoritative zone, which, being empty, will always give NXDOMAIN.


- Kevin
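The configuration Kevin describes, written out as an added example (it is not code from either poster). It assumes BIND 9 on the forwarding box; the working directory, the serial number, the `ns.private-tld` name and the glue addresses are constructed placeholders. The script writes the empty "fake master" zone for `private-tld` (apex SOA and NS plus the delegation for `legitimate-zone.private-tld`) next to the original selective-forward stanza, then validates both files with `named-checkzone` and `named-checkconf` when those tools are installed and with plain `grep` otherwise.

```shell
#!/bin/sh
# Added example: fake master zone for "private-tld" so that only
# legitimate-zone.private-tld is forwarded and every other name under
# private-tld gets a local NXDOMAIN instead of reaching 192.168.28.1/.2.
# WORKDIR is a hypothetical location; point it at named's directory in use.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_named_conf() {
  cat > "$WORKDIR/named.conf" <<'EOF'
// Empty authoritative zone: answered locally, never forwarded.
zone "private-tld" IN {
    type master;
    file "private-tld.zone";
};

// Selective forward from the original question, unchanged.
zone "legitimate-zone.private-tld" IN {
    type forward;
    forward only;
    forwarders {
        192.168.28.1;
        192.168.28.2;
    };
};
EOF
}

write_zone_file() {
  cat > "$WORKDIR/private-tld.zone" <<'EOF'
$TTL 3600
; Apex records only; serial and hostmaster are constructed placeholders.
@   IN SOA  ns.private-tld. hostmaster.private-tld. (
            2024010101 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            300 )      ; negative-cache TTL (bounds how long NXDOMAIN is cached)
    IN NS   ns.private-tld.
ns  IN A    127.0.0.1  ; placeholder glue, never actually queried

; The delegation that makes the selective forward above take effect.
; Per Kevin's note, the target is arbitrary; the NS record just has to exist.
legitimate-zone     IN NS   ns.legitimate-zone.private-tld.
ns.legitimate-zone  IN A    192.168.28.1   ; glue, arbitrary
EOF
}

# Returns 0 when both files look right. Uses BIND's own checkers if present,
# and falls back to textual checks so the script also works without BIND.
validate() {
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone -q private-tld "$WORKDIR/private-tld.zone" || return 1
  fi
  if command -v named-checkconf >/dev/null 2>&1; then
    named-checkconf "$WORKDIR/named.conf" || return 1
  fi
  grep -q '^legitimate-zone[[:space:]]*IN[[:space:]]*NS' "$WORKDIR/private-tld.zone" || return 1
  grep -q 'zone "private-tld" IN' "$WORKDIR/named.conf" || return 1
  grep -q 'type master;' "$WORKDIR/named.conf" || return 1
  return 0
}

write_named_conf
write_zone_file
validate && echo "configuration written to $WORKDIR"
```

After loading this, a query for `ftp.legitimate-zone.private-tld` is still forwarded to 192.168.28.1/.2, while `hostname.nonexistent-zone.private-tld` is answered NXDOMAIN from the local empty zone; the SOA minimum (300 here) is what bounds how long that negative answer is cached.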