[Freeipa-users] bind-dyndb-ldap and stub zones

Brendan Kearney bpk678 at gmail.com
Fri Apr 3 00:10:35 UTC 2015


I am wondering if bind-dyndb-ldap supports stub zones. Below is a use case for me.

Say I have a network with a lot of external client connectivity (over leased line, MPLS, VPN, etc.). The clients' connections are used for inbound, outbound or bi-directional traffic (file transfers, web traffic, data exchange, etc.).

Because of the size of my network, my already large and complex routing scheme for my own needs does not need to be made more complex by having to route my clients' address space, so I devote specific networks out of my address space to 1-to-1 or static NAT addresses. By doing this, I can push all that traffic to the VPN endpoints or routers that manage that connectivity, without having to route "foreign" networks in the core. To make life easier, I want to have DNS names assigned to the NAT addresses, but the names are not in my authoritative name space, and may be internet resolvable, should a recursive search be performed.

Say I have mydomain.tld registered, and I have 300.555.0.0/16 assigned (yes, I know that does not exist). I would devote 300.555.254.0/23 to these 1-to-1 NATs. Client Example Corp has dedicated connectivity to me and I want to access their website over that connection. The site, www.example.com, is internet resolvable, but I don't want to access the internet-accessible site. I want DNS resolution to point to my NAT, and take the traffic to the VPN where the NAT occurs and the traffic is pushed across to the client.

With stub zones, I could create a zone, example.com, put a record for www into that zone and assign it my 1-to-1 NAT address of 300.555.254.1. I push my internal requests for that resource towards my VPN or client connection router, and perform the NAT at that device. My routing stays free of "foreign" networks and the traffic ends up where I want it.

Can bind-dyndb-ldap manage stub zones? How would one create the necessary LDAP entries? Sub zones require some extra work, so I would imagine stub zones do too, if they are currently supported.
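Whether stub zones are supported is the open question of the post. As an added illustration (not from the post or the bind-dyndb-ldap project), the LDIF below shows the override in the form bind-dyndb-ldap's schema does document, an authoritative idnsZone for example.com carrying the www record with the post's 1-to-1 NAT address. The LDAP base (cn=dns,dc=mydomain,dc=tld), the name server and hostmaster names, and the SOA timers are assumptions; the address is the post's deliberately invalid placeholder.

```ldif
# Assumed DNS container: cn=dns,dc=mydomain,dc=tld
# Zone entry: resolvers pointed at this server answer for example.com
# from LDAP instead of recursing to the internet.
dn: idnsName=example.com,cn=dns,dc=mydomain,dc=tld
objectClass: top
objectClass: idnsZone
objectClass: idnsRecord
idnsName: example.com
idnsZoneActive: TRUE
idnsSOAmName: ns.mydomain.tld.
idnsSOArName: hostmaster.mydomain.tld.
idnsSOAserial: 2015040301
idnsSOArefresh: 3600
idnsSOAretry: 900
idnsSOAexpire: 1209600
idnsSOAminimum: 3600
# Assumed internal name server; adjust to the real NS record.
nSRecord: ns.mydomain.tld.

# Host record: www.example.com -> the 1-to-1 NAT address from the post.
# 300.555.254.1 is the post's placeholder and is not a valid IPv4 address;
# substitute the real NAT address from the 1-to-1 NAT range.
dn: idnsName=www,idnsName=example.com,cn=dns,dc=mydomain,dc=tld
objectClass: top
objectClass: idnsRecord
idnsName: www
aRecord: 300.555.254.1
```

Because only www is defined here, every other name under example.com gets NXDOMAIN from this server rather than an internet answer, so any other client names reached over the dedicated link need their own records in the zone.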




More information about the Freeipa-users mailing list