On 2015-08-09 21:41, Dave Koelmeyer wrote:
> Hi Josh, Heiko
>
> On 09/08/15 18:38, Heiko Richter wrote:
>> On 09.08.2015 at 06:58, Josh Kuo wrote:
>>> Add www.mydomain.co.nz to your internal zone, that is one common
>>> way to deal with it. With BIND you can keep the common records in a
>>> separate file and use "include" statement to avoid double entry.
>> Using the same domain with two separate contents is just bad practice.
>> And when you decide to use DNSSEC sometime in the future it will leave
>> your home network inoperable, because the trust delegations won't work
>> anymore.
> Thanks very much for your responses, much appreciated. Sounds like
> creating a home subdomain is the way to go (I've seen this mentioned
> online), so I'll go down that path.
>
> Cheers,
> Dave

I meant to comment earlier, but forgot....
But was this server actually doing both internal and external DNS? Seemed to
me you only had internal plus wanting to do resolutions? Which to me seems
would be a common situation.
Because, I have a dyndns domain that is also what I've been using as the
domain of my home network.
Use the outside dyndns hostname as the domain on the inside
so dynhost.dyndom.tld on the outside, and
host1.dynhost.dyndom.tld
host2.dynhost.dyndom.tld
etc.
on the inside. Though at a later point I turned on the wildcard feature so
that I could appear to access the same service whether I was on the inside or
outside of my network. Used different port numbers and the router would
forward it to the desired host.
More recently, went to a DMZ host with proxy servers (ran out of port
forwards).
But, could have an external hosted domain with more than just a single IP.
Had done that back with my first employer, the external hosted on the service
provider's nameservers, and our internal servers did the internal. (along with
resolutions with root.hints...)
The only bad thing was that both internal servers were primary...the other
administrator refused to be slave, even though he also didn't want my
responsibilities (or to be the one crawling around the office Friday
afternoons when the 10Base2 network would mysteriously break....)
If DNSSEC is involved....don't see why signing internal with same KSK and ZSK
as the external wouldn't be a problem.
It's how I'm doing things here at work. The way I have it, it's doing signing
of internal first...that way internal servers see the change sooner...
The only thing I haven't grasped is how to make DNSSEC work if my link goes
down.
--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
with LOPSA Professional Recognition.
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
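
The "include" approach quoted at the top of this thread, sketched as zone files. This is an added example, not configuration posted by anyone in the thread: it uses the zone file $INCLUDE directive, and every file name, address, serial and host other than mydomain.co.nz is constructed for illustration. The two db.* files are assumed to be loaded by separate views or separate servers.

```dns
; ---- file: common.inc (hypothetical name) ----
; Records that must be identical for inside and outside clients.
; Maintained once and pulled into both zone files below.
@        IN  MX  10 mail.mydomain.co.nz.
mail     IN  A   192.0.2.25        ; constructed public address
www      IN  A   192.0.2.80        ; constructed public address

; ---- file: db.mydomain.co.nz.external (hypothetical name) ----
; Served to the Internet: public records only.
$TTL 3600
@        IN  SOA ns1.mydomain.co.nz. hostmaster.mydomain.co.nz. (
                 2015080901 ; serial
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 300 )      ; negative-cache TTL
@        IN  NS  ns1.mydomain.co.nz.
ns1      IN  A   192.0.2.53
; Path is resolved relative to named's working directory.
$INCLUDE common.inc

; ---- file: db.mydomain.co.nz.internal (hypothetical name) ----
; Served to the home network only: the shared records plus
; private hosts that must never appear in the external file.
$TTL 3600
@        IN  SOA ns1.mydomain.co.nz. hostmaster.mydomain.co.nz. (
                 2015080901 ; serial
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 300 )      ; negative-cache TTL
@        IN  NS  ns1.mydomain.co.nz.
ns1      IN  A   10.0.0.53         ; constructed private address
$INCLUDE common.inc
nas      IN  A   10.0.0.10         ; internal-only host
printer  IN  A   10.0.0.20         ; internal-only host
```

Each file can be checked before loading with named-checkzone, for example `named-checkzone mydomain.co.nz db.mydomain.co.nz.internal`.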