Separation of authoritative and recursive functions
Kevin Darcy
kcd at daimlerchrysler.com
Wed Jul 6 01:08:11 UTC 2005
Niall O'Reilly wrote:
>On 5 Jul 2005, at 08:08, Stephane Bortzmeyer wrote (perhaps as a
>rhetorical question?):
>
>>But I wonder if there is today, with the current BIND, a specific
>>technical reason to do so (such as a known security issue) or if it is
>>just good practice to put widely different functions on different
>>servers, just in case.
>
>
>And on 5 Jul 2005, at 08:44, Mark Andrews, answering Stephane, chose not
>to grasp this particular nettle. I can't fault him for that choice.
>
>I think it would be good if one or two people who know more about this
>issue than I do could answer the question Stephane raises, focusing, as
>he does, on the _current_ BIND.
>
>I'm sure there are a couple of such people out there. 8-)
>
>As for me, I find it useful to draw a line between
>
> (a) advertising the domains for which I am responsible, and
>
> (b) providing a name-resolution service to customers on the
> networks for which I am responsible.
>
>The few servers I'm involved with provide one or other of these
>services, but not both.
>
>My 'a' servers are advertised in the parent zone and in the zone(s) for
>which they provide service, are authoritative, do not provide recursion,
>and are publicly accessible. After all, we want the world to be able to
>find us.
>
>My 'b' servers are advertised internally using DHCP and
>customer-directed documentation, are recursive, may carry 'stealth'
>authoritative copies of internal zones, and refuse queries from outside
>the networks for which they provide service.
>
Well, you can separate those functions at the view (query source
address, query destination address, or TSIG-key) level, the
listen-address level, or -- as you have indicated -- by putting the
respective functions on different machines or sets of machines. None of
this requires that there be separate *programs* for the two different
functions, as the context of Stephane's message implied. When
considering the value of having separate programs for these functions,
one has to weigh the potential performance/efficiency benefits of
separation (which seem to me to be rather elusive, except in special
high-volume and/or mission-critical situations like serving Internet
TLDs or whatnot) versus the drawback of having more
products/packages/subsystems for the admin(s) to
install/configure/maintain/run/monitor/troubleshoot and the broader
skill-sets required to properly do so. For most organizations and their
requirements, I think having a single program for both functions makes
more sense. Note that if one is using a commercial product for DNS
management, or a "DNS appliance", one may not know or particularly care
whether it's one program or two that is performing the functions
"beneath the covers".

As for the relative merits of separating the functions by view,
listen-address or physical server(s) (irrespective of the
one-program-or-two issue), opinions differ widely on that, and each
admin/architect needs to decide for himself/herself, based on their
specific security/availability/performance requirements,
fiscal/facility/address-space constraints, support infrastructure, etc.
- Kevin
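The view-level separation described above (matching on query source address, destination address, or TSIG key) applied to Niall's two roles, as an added BIND 9 named.conf example that is not from the thread; the addresses, key secret, zone names and file paths are placeholders.

```conf
// Added example, not from the thread. One named process, two roles:
// view "resolver" is role (b), view "authoritative" is role (a).
// All addresses, the key secret, zone names and paths are placeholders.

acl "internal-nets" { 10.0.0.0/8; 192.168.0.0/16; localhost; };

key "internal-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

options {
    directory "/var/named";
    listen-on { 192.0.2.53; 10.0.0.53; };   // public face and internal face
    recursion no;                           // default for every view: no recursion
    allow-query { any; };
    allow-transfer { none; };
};

// Role (b): recursive service for the networks we are responsible for.
// Matched by source address or TSIG key, and only on the internal address,
// so a customer querying the public address does not get recursion either.
view "resolver" {
    match-clients { internal-nets; key internal-key; };
    match-destinations { 10.0.0.53; };
    recursion yes;
    allow-recursion { internal-nets; key internal-key; };
    allow-query-cache { internal-nets; key internal-key; };

    // 'stealth' authoritative copy of an internal zone: not delegated anywhere
    zone "corp.example" {
        type master;
        file "internal/corp.example.db";
    };
    zone "." { type hint; file "named.root"; };
};

// Role (a): public authoritative server, the catch-all for everything else.
// No recursion and no cache access, only the zones we advertise.
view "authoritative" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };

    zone "example.com" {
        type master;
        file "public/example.com.db";
        allow-transfer { 198.51.100.2; };   // our secondary only
    };
};
```

A query that matches no view is refused, so keeping the recursive view restricted to the internal address and ACL is what turns the public face into the non-recursive server Niall describes.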