List:       rfci-discuss
Subject:    Re: [RFCI-Discuss] Bad NS...
From:       Peter van Dijk <peter () dataloss ! nl>
Date:       2001-10-02 14:09:00
Message-ID: 20011002160900.T25878 () dataloss ! nl

On Tue, Oct 02, 2001 at 07:06:26AM -0700, Derek Balling wrote:
[snip]
> You're right, it could happen with delegations, but, for example, 
> where is the harm if you have something like:
> 
> $ORIGIN bigcompany.com.
> @          IN NS  ext-ns1.bigcompany.com.
>            IN NS  ext-ns2.bigcompany.com.
> internal   IN NS  int-ns1.bigcompany.com. ; 10.200.0.5
>            IN NS  int-ns2.bigcompany.com. ; 10.100.0.7
> 
> So the only way to get an IP address for 
> "foo.internal.bigcompany.com" is to query the RFC1918 server. I'll 
> admit that this is ugly (if something external accidentally 
> references *.internal hosts), but what does it BREAK for that leakage?

One should use split-horizon DNS.

It breaks if I happen to use those IPs internally as well and run a
nameserver on 'm that says it's authoritative for ., for example. There
are perfectly good reasons to do so (same for 127.0.0.1). This
nameserver will then deny existence of internal.bigcompany.com.

On the other hand, that may even be preferable over having the mail
linger in the queue for a week while the IPs keep being unreachable.

And of course, internal... should never leak to the outside world
anyway.

Greetz, Peter
-- 
Monopoly        http://www.dataloss.nl/monopoly.html
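As an added example (not part of this thread), here is a small Python check for the kind of delegation discussed above: it reports NS targets whose glue points at RFC 1918 or loopback space, and NS targets with no glue at all, which is what happens when a name is left without its trailing dot and gets appended to $ORIGIN. The zone is constructed from the quoted snippet; the external servers are given assumed RFC 5737 documentation addresses.

```python
"""Flag delegations whose nameservers live on RFC 1918 or loopback addresses."""
import ipaddress

# Address space the thread is about: unreachable from the public Internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample zone (external glue addresses are assumed, not from the thread).
ZONE = """\
$ORIGIN bigcompany.com.
@         IN NS  ext-ns1.bigcompany.com.
          IN NS  ext-ns2.bigcompany.com.
internal  IN NS  int-ns1.bigcompany.com.
          IN NS  int-ns2.bigcompany.com
ext-ns1   IN A   192.0.2.10
ext-ns2   IN A   198.51.100.10
int-ns1   IN A   10.200.0.5
int-ns2   IN A   10.100.0.7
"""

def absolute(name, origin):
    """Fully qualify a zone-file name: '@' is the origin, no trailing dot means relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return a list of (owner, type, rdata); a blank owner repeats the previous one."""
    origin, owner, records = ".", None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if not line[0].isspace():                 # line carries a new owner name
            owner, line = line.split(None, 1)
            owner = absolute(owner, origin)
        _cls, rtype, rdata = line.split()
        records.append((owner, rtype, absolute(rdata, origin) if rtype == "NS" else rdata))
    return records

def bad_delegations(text):
    """Map each problematic NS target to the reasons it is unreachable from outside."""
    records = parse_zone(text)
    glue = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            glue.setdefault(owner, []).append(ipaddress.ip_address(rdata))
    findings = {}
    for _owner, rtype, target in records:
        if rtype != "NS":
            continue
        addrs = glue.get(target)
        if addrs is None:
            findings[target] = ["no glue address (missing trailing dot?)"]
        else:
            hidden = [str(a) for a in addrs if any(a in n for n in NON_ROUTABLE)]
            if hidden:
                findings[target] = hidden
    return findings
```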