Can I delegate part of a zone to another server?
Solution 1:
It sounds like you have home.mydomain.tld as a public zone and you want to create internal records for PC.home.mydomain.tld, TV.home.mydomain.tld, refrigerator.home.mydomain.tld, etc.?
About the only un-nasty way I can think of to do this without stepping on the home.mydomain.tld domain would be to create x.home.mydomain.tld and put everything under that zone, which is served by your local nameserver.
You COULD create an individual zone for each of PC, TV, refrigerator, etc. above and have your local nameserver only be authoritative for those individual bits, but that means a huge number of one-entry zone files (YUCK!).
Also note that any local zones you create would step on and override any outside DNS server's zones: It's not possible to have the A record for pc.home.mydomain.tld come from one NS and the AAAA record for it come from another: DNS delegates and declares authority by zone name, and that authority is for all record types within that zone.
If a nameserver is told it is authoritative for something and can't find the record it will not forward the query up the DNS tree, it will simply return NXDOMAIN.
Solution 2:
Of course you can. Any node in the namespace below the zone apex can be a delegation point.
To clarify your question: To the rest of Internet you have, for example:
;; pioto.org. zone
@ IN A 66.39.110.116
newpair IN A 66.39.110.116
creandus IN A 66.39.110.116
But on your LAN, because you're so excited about all of these 1990s innovations and want to start experimenting with them, you want to have:
;; pioto.org. zone
@ IN A 192.168.100.1
@ IN AAAA FEC0:0100::1
newpair IN A 192.168.100.2
newpair IN AAAA FEC0:0100::2
_http._tcp IN SRV 10 10 80 @
_http._tcp.newpair IN SRV 10 10 80 newpair
This is a simple exercise in split-horizon DNS service. Configure an internal content DNS server with the second set of data, and perform the prune-and-graft operation in the appropriate manner, using either stub zones with properly separate servers or views.
Letting parts of the external DNS database be visible internally is — with properly separated content and proxy servers — a simple exercise in delegation on the content server:
;; pioto.org. zone, continued
creandus IN NS NS1.PAIRNIC.COM.
creandus IN NS NS2.PAIRNIC.COM.
If you have a combined DHCP-plus-content-DNS service on your router, that knows about leased IP addresses and hostnames, or if you have Microsoft's DNS and DHCP servers on a Windows Server machine, then getting the IP addresses from the combined server is also an exercise in delegation:
;; pioto.org. zone, modified
newpair IN NS a.ns.newpair ;; replaces the A and AAAA records
a.ns.newpair IN A 192.168.1.1 ;; IP address of the DHCP+DNS server
The only things that you cannot do are …
- … use external data for pioto.org. itself. The zone apex cannot be delegated.
- … retrieve A and AAAA resource records from different content DNS servers.
Further reading
- Jonathan de Boyne Pollard (2002, 2003). Providing "split horizon" DNS service. Frequently Given Answers.
- Jonathan de Boyne Pollard (2000, 2004, 2007). "Content" and "proxy" DNS servers. Frequently Given Answers.
- Jonathan de Boyne Pollard (2003). You've forgotten to populate your "internal" DNS database with data. Frequently Given Answers.
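Both answers rest on the same rule: authority is handed out per zone cut, for every record type at and below the cut, so anything the parent keeps below a delegation point is silently ignored and the child must carry it. The script below is an added example, not code from either answer. It reads a small BIND-style zone, finds the delegation points (NS records below the apex), and reports the two mistakes the answers warn about: records left in the parent below a cut (occluded, which is why the parent cannot supply the AAAA while the child supplies the A) and in-zone NS targets with no glue A/AAAA. The sample zone is constructed here from the pioto.org. fragments in Solution 2, with an extra `newpair IN AAAA` line left in on purpose so the occlusion check fires; the parser handles only the syntax that sample uses ($ORIGIN, one record per line, `;` comments, `@`).

```python
"""Delegation checker for a small zone file (added example, not from the answers)."""

# Constructed sample: the internal pioto.org. zone with newpair delegated to the
# DHCP+DNS server and creandus delegated to the outside provider.  The
# 'newpair IN AAAA' line is deliberately wrong: it sits below the delegation.
SAMPLE_ZONE = """\
$ORIGIN pioto.org.
@            IN SOA  ns1 hostmaster 1 3600 900 1209600 300
@            IN NS   ns1
ns1          IN A    192.168.100.1
@            IN A    192.168.100.1
@            IN AAAA FEC0:0100::1
newpair      IN NS   a.ns.newpair      ; delegation to the DHCP+DNS server
a.ns.newpair IN A    192.168.1.1       ; glue for that delegation
newpair      IN AAAA FEC0:0100::2      ; occluded: below the delegation point
creandus     IN NS   NS1.PAIRNIC.COM.  ; delegation to the external provider
creandus     IN NS   NS2.PAIRNIC.COM.
"""


def _fqdn(name, origin):
    """Normalise an owner or target name to lower-case, fully qualified, trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _is_below(name, cut):
    """True if name is cut itself or any name underneath it."""
    return name == cut or name.endswith("." + cut)


def parse_zone(text):
    """Return (origin, [(owner, rtype, rdata), ...]) for the subset of syntax used here."""
    origin, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        fields = line.split()
        owner = _fqdn(fields[0], origin)
        idx = 2 if fields[1].upper() == "IN" else 1  # class field is optional
        rtype = fields[idx].upper()
        rdata = fields[idx + 1:]
        if rtype in ("NS", "CNAME"):                 # name-valued rdata gets qualified
            rdata = [_fqdn(rdata[0], origin)]
        records.append((owner, rtype, " ".join(rdata)))
    return origin, records


def check_delegations(text):
    """Return a list of findings; an empty list means the delegations look sane."""
    origin, records = parse_zone(text)
    findings = []
    # NS at the apex is the zone's own server set, not a delegation, so skip it.
    cuts = sorted({o for o, t, _ in records if t == "NS" and o != origin})
    for cut in cuts:
        targets = [r for o, t, r in records if o == cut and t == "NS"]
        # An NS target inside the delegated zone can only be reached via glue.
        for target in targets:
            if _is_below(target, cut) and not any(
                o == target and t in ("A", "AAAA") for o, t, _ in records
            ):
                findings.append(f"{cut}: NS {target} is inside the delegated zone but has no glue A/AAAA")
        # Everything else at or below the cut belongs to the child, not to us.
        for o, t, r in records:
            if not _is_below(o, cut):
                continue
            if o == cut and t in ("NS", "DS"):       # the delegation itself (and its DS)
                continue
            if t in ("A", "AAAA") and o in targets:  # glue
                continue
            findings.append(f"{o} {t} {r}: occluded by the delegation at {cut}; the child zone must hold it")
    return findings


if __name__ == "__main__":
    for finding in check_delegations(SAMPLE_ZONE) or ["no delegation problems found"]:
        print(finding)
```

Run as-is it reports only the occluded `newpair.pioto.org. AAAA`; delete that line and the zone is clean, which is the shape the answer's "modified" zone already has. The DS exemption is there because a signed parent legitimately keeps a DS record at the cut; any other type at or below a cut is a sign that someone is still trying to split one name's record types across two servers.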