
A company I work for has a local DNS server that answers requests for their domain, foo.com, internally.

Externally, we serve DNS for foo.com with Route 53.

The problem we have is that we have to duplicate any new DNS records, adding them both to their local zone and the external zone. It's amazing how many times we forget this step.

Is it possible to configure a local DNS zone to be non-authoritative and forward requests to the Route 53 zone that it doesn't have in its local zone file?

The research I've done so far has not given me a clear answer. I may be searching for the wrong terminology.

Also, if it matters, they are on Windows Server (not sure which version, but at least 2008).

clifgriffin
  • Why do you have to duplicate every record? What are these records? Is the internal DNS zone your AD DNS zone? – joeqwerty Jan 29 '17 at 16:11

1 Answer

3

Assuming that this is a Windows DNS server providing both recursive and authoritative functionality, the best that you can accomplish in this scenario is to create individual NS records pointing at Route 53. You still have to create records on both sides when you need it to resolve in both environments, but from that point onward you only have to update the record on the Route 53 side. The one exception is children of the NS records; if you create an NS record for sub1.example.com, you don't need to create one for sub2.sub1.example.com, as you've already defined a delegation at the sub1 boundary.

As for why it doesn't work the way that you would like it to, this is due to the concept of zone cuts. Once a server has claimed authority for a zone, it considers itself the owner of all data within that zone until a more specific zone cut is carved out. If the zone cut is achieved through a delegation (the NS records mentioned in the first paragraph), the server is no longer authoritative for all names falling within the new zone.

(The more sane solution is, of course, to not have multiple servers competing for authority at the same zone boundary. These are just bandaids stemming from your technical debt.)

Andrew B
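To make the zone-cut reasoning in the answer concrete, here is an added Python model (not code from the answer, from Windows DNS, or from Route 53) of how an authoritative server decides between answering from local data, referring to a delegation, and returning an authoritative NXDOMAIN. The foo.com zone contents and the Route 53 name-server hostnames below are constructed placeholders.

```python
from dataclasses import dataclass, field

# Placeholder hostnames standing in for the Route 53 delegation set (constructed).
ROUTE53_NS = ["ns-placeholder-1.awsdns.example", "ns-placeholder-2.awsdns.example"]

@dataclass
class Zone:
    origin: str
    records: dict = field(default_factory=dict)      # owner name -> [(type, rdata), ...]
    delegations: dict = field(default_factory=dict)  # child zone -> [NS hostnames]

def _labels(name):
    return name.rstrip(".").lower().split(".")

def _is_subdomain(name, parent):
    n, p = _labels(name), _labels(parent)
    return len(n) >= len(p) and n[-len(p):] == p

def lookup(zone, qname, qtype):
    """Decide how a server authoritative for zone.origin handles qname/qtype.

    ("answer", [rdata])   name and type found in local zone data
    ("referral", [ns])    name is at or below a delegated zone cut
    ("nodata", [])        name exists locally but not with that type
    ("nxdomain", None)    name absent: authoritative denial, nothing is forwarded
    ("refused", None)     name lies outside this zone entirely
    """
    if not _is_subdomain(qname, zone.origin):
        return ("refused", None)
    # The most specific zone cut at or above qname owns the name.
    cuts = [d for d in zone.delegations if _is_subdomain(qname, d)]
    if cuts:
        deepest = max(cuts, key=lambda d: len(_labels(d)))
        return ("referral", list(zone.delegations[deepest]))
    rrset = zone.records.get(".".join(_labels(qname)))
    if rrset is None:
        return ("nxdomain", None)  # the missing-record failure the question describes
    matches = [rd for t, rd in rrset if t == qtype]
    return ("answer", matches) if matches else ("nodata", [])

def build_example_zone():
    """Constructed foo.com zone: one locally held A record, one delegation to Route 53."""
    z = Zone(origin="foo.com")
    z.records["www.foo.com"] = [("A", "10.0.0.10")]
    z.delegations["sub1.foo.com"] = ROUTE53_NS
    return z

if __name__ == "__main__":
    z = build_example_zone()
    for q in ["www.foo.com", "new-host.foo.com", "sub1.foo.com", "sub2.sub1.foo.com"]:
        print(q, lookup(z, q, "A"))
```

A record added only on the Route 53 side (new-host.foo.com) comes back NXDOMAIN from the local server because it is authoritative for foo.com, while anything under the delegated sub1.foo.com is referred to Route 53 without a local copy.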