blrmaani wrote:
> My DNS has been set up to forward queries to an external customer. Now I
> want to change it to forward using delegation. What will be the impact
> on my external customer? Do they see any additional logs? Any firewall
> changes for them.

I assume you mean that you are going to delegate a particular zone
*instead* of forwarding. The terminology "forward using delegation" is a
little confusing because "forwarding" in BIND terms is separate and
distinct from iterative-resolution-via-following-delegations.

The big difference will be that your queries will be non-recursive.

The main impact of this is that if there are any descendant (i.e. child,
grandchild, etc.) zones whose published nameservers are *unreachable*
from your nameservers, you won't be able to resolve them. Presumably if
any such unreachable zones exist, you are currently depending on the
apex nameservers to recursively resolve names in all descendant zones.
E.g. if you're currently forwarding child.example.com, that might also
allow you to resolve grand.child.example.com names, even if you can't reach
the published grand.child.example.com nameservers directly. If you stop
forwarding and merely delegate child.example.com, then you may need to
create explicit forward-only definitions for any unreachable descendants
such as grand.child.example.com. Reachable descendant zones should
resolve fine, and in fact should be resolved more efficiently, and
be more resilient to outages, than your current forwarding setup.

Another potential impact of your queries becoming non-recursive is if
the delegated nameservers are doing convoluted stuff like
"recursion-only" views. But that's unlikely. You might want to check
with them though.


- Kevin
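
The change described in the reply above, sketched as a named.conf fragment. This is an added example, not part of the original post: the zone names follow the ones used in the reply, and every address is a constructed placeholder from the RFC 5737 documentation range standing in for the customer's real nameservers.

```conf
// named.conf fragment (constructed example; addresses are placeholders).

// BEFORE: everything at or below child.example.com is sent to the
// customer's servers as a recursive query (RD=1). Those servers also
// resolve grand.child.example.com on your behalf, so you never contact
// the grand.child.example.com nameservers yourself.
//
// zone "child.example.com" {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.10; 192.0.2.11; };
// };

// AFTER: the forward zone above is removed. child.example.com is now
// reached by following the delegation published in the parent zone,
// for example these records in the example.com zone file:
//
//   child.example.com.      IN NS  ns1.child.example.com.
//   ns1.child.example.com.  IN A   192.0.2.10
//
// Queries to the customer's servers become non-recursive (RD=0), and any
// referral they return to a descendant zone is followed directly.

// Only a descendant whose published nameservers are unreachable from
// this server keeps an explicit forward-only definition. It is forwarded
// to the servers that were resolving it recursively before.
zone "grand.child.example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};
```

The forwarders named for grand.child.example.com must still accept recursive queries from this server, since that one zone continues to depend on their recursion.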