Re: F24 System Wide Change: Default Local DNS Resolver

On 8.12.2015 10:34, Reindl Harald wrote:
> 
> 
> Am 08.12.2015 um 10:25 schrieb Petr Spacek:
>> On 8.12.2015 09:41, Gerd Hoffmann wrote:
>>>    Hi,
>>>
>>>> Start moving away from
>>>> split DNS because that's going to be very hard to support.
>>>
>>> Seriously?  How do you suggest to handle DNS for my 192.168.2.0/24 home
>>> network then?  Making the forward zone for home.kraxel.org public would
>>> at least work, although I fail to see the point in having public dns
>>> records for private networks.  Registering the reverse zone is never
>>> ever going to work though ...
>>
>> For the record, this is an invalid example.
>>
>> Special-use domain names are listed in IANA registry
>> http://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
>>
> 
> What is invalid there?
> 
> * rhsoft.net is my public zone
> * rhsoft.net is also my internal DNS zone
> * there is no point calling my smart-tv "tv.example.com"
>   instead "tv.rhsoft.net"
> * there is also no point to add a 192.168.x.x record in public DNS
> * there is also no point calling my devices something.test
> * .local shouldn't be used (look in the samba list-archives)
> 
> not that I am affected by any network changes Fedora decides since my local
> DNS server will always be a full featured BIND forwarding any non-LAN zones
> over VPN to the company nameservers where I also control the internal and
> external DNS views, but there are *millions* of valid use-cases for split-DNS

Reindl, you are mixing two things here.

The e-mail I was replying to was about sub-trees used for reverse IP->name
resolution. This can be easily solved by the registry as mentioned above.

Solution for generic DNS views is described on
https://fedoraproject.org/wiki/Networking/NameResolution/DNSSEC/Design#Broken_networks

As you might see, we were thinking about this hard and actually made an attempt
to make it interaction-less.

In short, public/fallback DNS servers will be used to detect if a part of the DNS
sub-tree (like rhsoft.net) is unsigned. If the sub-tree is unsigned the
query will be re-sent to the local servers and returned to the client, so data
from your local DNS view will be accessible as usual.

The assumption here is that if your domain is signed you have enough wisdom to
use DNSSEC-enabled resolvers in your network. If the domain is not signed we
will trust the crappy local servers.

-- 
Petr Spacek  @  Red Hat
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
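The two mechanisms Petr describes, treating the RFC 1918 reverse zones as special-use names that are always local, and using the public resolvers to learn whether a sub-tree such as rhsoft.net is signed before falling back to the local servers, can be sketched as a routing decision. The Python below is an added illustration by the editor, not code from the Fedora design page or from anyone in the thread. The "DS status" table is a constructed stand-in for the validated DS lookups a real resolver performs, and the statuses assigned to rhsoft.net, kraxel.org and broken.net are invented for the example and say nothing about the real zones. The rule that a failed or bogus DS lookup must not be treated as "unsigned" is a practitioner's caveat added here (a validating resolver returns SERVFAIL for bogus data; silently treating it as insecure would let an on-path attacker force the local view), not something the thread states.

```python
from enum import Enum
import ipaddress


class DsStatus(Enum):
    """Result of a validated DS lookup at a zone cut (parent side)."""
    SECURE = "secure"      # DS present and it validated
    INSECURE = "insecure"  # authenticated NSEC/NSEC3 proof that no DS exists
    BOGUS = "bogus"        # validation failed or the lookup itself failed


class Route(Enum):
    LOCAL = "local"      # ask the local/split-view servers
    PUBLIC = "public"    # use the validated answer from the public resolvers
    REFUSE = "servfail"  # cannot decide securely; never fall back to the local view


# Constructed stand-in for "ask the public/fallback resolvers whether this
# cut is signed".  Only zone cuts appear; names that are not cuts inherit
# the status of the enclosing zone.  The statuses are invented for this
# example and say nothing about the real zones.
CONSTRUCTED_DS_TABLE = {
    ".": DsStatus.SECURE,
    "net.": DsStatus.SECURE,
    "org.": DsStatus.SECURE,
    "arpa.": DsStatus.SECURE,
    "in-addr.arpa.": DsStatus.SECURE,
    "rhsoft.net.": DsStatus.INSECURE,  # hypothetical: unsigned, has a local view
    "kraxel.org.": DsStatus.SECURE,    # hypothetical: signed
    "broken.net.": DsStatus.BOGUS,     # hypothetical: DS lookup failed
}

# Reverse zones for RFC 1918 space, listed as special-use names in the
# IANA registry (RFC 6761).  They never have a meaningful public answer.
PRIVATE_REVERSE_ZONES = (
    ["10.in-addr.arpa."]
    + [f"{b}.172.in-addr.arpa." for b in range(16, 32)]
    + ["168.192.in-addr.arpa."]
)


def normalize(name: str) -> str:
    """Lower-case, fully qualified form with a trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def ancestors(name: str) -> list:
    """Root, then every enclosing name down to and including the name itself."""
    labels = [lbl for lbl in normalize(name).split(".") if lbl]
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def ptr_name(ip: str) -> str:
    """PTR owner name for an IPv4/IPv6 address, e.g. 7.2.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def is_private_reverse(name: str) -> bool:
    """True when the name lies under one of the RFC 1918 reverse zones."""
    n = normalize(name)
    return any(n == z or n.endswith("." + z) for z in PRIVATE_REVERSE_ZONES)


def security_status(name: str, ds_table=CONSTRUCTED_DS_TABLE) -> DsStatus:
    """Walk from the root downwards; the first non-secure cut decides.

    Below an INSECURE cut nothing can be validated, so the whole sub-tree is
    insecure.  A BOGUS cut likewise poisons everything below it.
    """
    for zone in ancestors(name):
        cut = ds_table.get(zone)
        if cut is None:
            continue  # not a zone cut, still inside the enclosing zone
        if cut is not DsStatus.SECURE:
            return cut
    return DsStatus.SECURE


def route_query(name: str, ds_table=CONSTRUCTED_DS_TABLE) -> Route:
    """Decide which servers may answer the query."""
    if is_private_reverse(name):
        return Route.LOCAL
    status = security_status(name, ds_table)
    if status is DsStatus.INSECURE:
        return Route.LOCAL   # provably unsigned: the local view is allowed
    if status is DsStatus.SECURE:
        return Route.PUBLIC  # signed: trust only validated public data
    return Route.REFUSE      # unknown/bogus: calling it unsigned would be a downgrade


if __name__ == "__main__":
    for q in ["tv.rhsoft.net", "home.kraxel.org", ptr_name("192.168.2.7"),
              ptr_name("8.8.8.8"), "x.broken.net"]:
        print(f"{q:30} -> {route_query(q).value}")
```

The walk starts at the root because DNSSEC security status is inherited downwards: once a cut is proven to have no DS record, nothing beneath it can be validated, so the whole sub-tree is insecure and the local view may answer it. A real resolver obtains the INSECURE verdict only from an authenticated NSEC/NSEC3 denial of the DS record; that is the property the "public/fallback servers" detection relies on.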


