Architecture Questions
Doug Barton
dougb at dougbarton.us
Sun Jun 1 22:17:37 UTC 2014
On 05/28/2014 07:39 AM, Mark Andrews wrote:
>
> In message <D6C04EC67151214DAD5E55E7EBF5207E425E3836 at WRXXENTEXMB01.na.follett.l
> an>, "Baird, Josh" writes:
>> Hi,
>>
>> I have historically hosted authoritative slave zones on my internal caching/r
>> ecursive servers to override recursion for internal zones. These servers are
>> not directly reachable from the internet. Generally speaking, I realize tha
>> t it is considered a bad practice for any authoritative servers to perform re
>> cursion. Is it a common practice in this particular scenario though?
>>
>> The other option would be to have 'X' number of authoritative servers with re
>> cursion disabled, and then spin up another dedicated caching/recursive tier w
>> hich used stub zones to communicate with the authoritative servers. Clients
>> would point directly to the caching tier for name resolution. This scenari
>> o sounds like it would be more cumbersome to maintain. It would also require
>> additional servers. I'm not sure the additional hardware and complexity is
>> worth trouble in this scenario, but I am looking for opinions.
>>
>> Furthermore, I was recently told by one of the larger managed IPAM/DNS vendor
>> s that it was on ISC's roadmap to no longer allow authoritative servers to pe
>> rform recursion (ie, the 'recusion yes' option would be disabled if the serve
>> r contained authoritative zones). Is this actually true?
>
> No. There are good reasons to allow a server to perform both roles.
>
> What isn't advisable is for a listed server offering authoritative
> service to the world to also be recursive. This risks leaking
> cached data to the world. It can also result in answers being
> returned when referrals are expected. Sharing rolls is very bad
> if you serve not leaf zones to the world. If there are only leaf
> zones being served it is not such a issue.
>
> A internal server or a recursive server having copies of zones isn't
> generally issue though you do need to be careful about the type of
> response you generate depending upon RD state.
>
> This is a much more complex issue that is generally acknowledged.
+1 to everything that Mark said. I always recommend to customers that
they do this on their INTERNAL servers for just the reasons that Josh
outlined. And as Mark said, EXTERNAL authoritative servers should never
have a recursive role.
hth,
Doug
More information about the bind-users
mailing list