separation of authoritative and recursive functions on internal networks

Tony Finch dot at dotat.at
Mon Aug 10 14:53:14 UTC 2015


Darcy Kevin (FCA) <kevin.darcy at fcagroup.com> wrote:

> "Separate authoritative and recursive functions" is really a simplistic
> approach to a complex challenge. I think a better approach is to make
> both the published-authoritative function and the recursive-resolution
> functions robust enough *in*and*of*themselves* so that there is no value
> to an attacker taking down a single node or instance for either
> function. At that point, it doesn't matter whether you mix
> published-authoritative with recursive, or not.

However, you should consider failure scenarios, e.g. loss of external
connectivity, or loss of power.

In particular it is a very good idea for your on-site recursive servers to
be able to resolve your internal names without needing to iterate from the
root, because they can't do that when your external link is down.

An easy way to do this is to make your recursive servers authoritative for
your internal zones, and this has the added advantage of isolating them
from failures in other parts of your DNS infrastructure.

When you are bringing everything up after a power outage, it is very
helpful if your recursive servers can come up and start working without
anything else being up and working - avoids cyclic dependencies.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Irish Sea: Southwest 5 or 6, veering northwest 3 or 4. Slight, occasionally
moderate at first. Showers, fair later. Good.
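As an added illustration (not part of Tony's message or any BIND project file), here is how that arrangement looks in BIND 9 named.conf syntax: an on-site resolver that is also a secondary for the internal forward and reverse zones. The zone names, addresses and file paths are placeholders.

```conf
// Added example, not from the original message: an on-site BIND 9 resolver
// that is also authoritative (secondary) for the internal zones, so it can
// answer internal names without iterating from the root while the external
// link is down. Zone names, addresses and paths are made-up placeholders.

acl internal { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { internal; };   // only internal clients may recurse
    allow-query     { internal; };
    listen-on { 10.0.0.53; 127.0.0.1; };
};

// Internal forward zone: a local copy refreshed by zone transfer from the
// internal primary. Once written to disk it is loaded at startup even if the
// primary is still down, so the resolver has no boot-time dependency on it.
// The copy is only served until the SOA expire timer runs out, so set the
// primary's expire value to outlast the outages you plan for.
zone "corp.example" {
    type slave;
    masters { 10.0.0.10; };
    file "slave/corp.example";
    allow-transfer { none; };        // clients cannot pull the whole zone
};

// Matching reverse zone for the internal address space.
zone "10.in-addr.arpa" {
    type slave;
    masters { 10.0.0.10; };
    file "slave/10.in-addr.arpa";
    allow-transfer { none; };
};

// Everything else is resolved by ordinary iteration from the root hints.
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};
```

Run `named-checkconf` on the file before reloading; with the external link unplugged, a query for a name under corp.example should still return an authoritative answer from this server.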
