Separating Authoritative and Resolving Servers, and DNSSEC

Curt Sampson cjs at cynic.net
Tue Apr 24 05:01:14 UTC 2007


What's the current stance on running separate versus combined
authoritative and resolving servers on trusted hosts? My authoritative
name servers also deal with mail, monitoring, and a few odd sysadmin
things, but have no login accounts other than sysadmins, and no web
servers or other such fairly dodgy public services.

Using BIND 8, for the obvious reasons, I always ran two name
servers, a resolving one listening on localhost and an authoritative
(non-resolving) one listening on all other interfaces.

Since I upgraded to BIND 9, I've been using a single nameserver with
an access list limited to localhost for resolving queries. Is this
sensible, or ought one, despite this feature, still be running separate
instances of BIND for authoritative stuff? I notice that BIND does serve
material from the cache even to outside queries, which is probably not a
good thing.

As well, I've been having some issues with DNSSEC on authoritative
servers that may force me to change anyway; it seems that on my
authoritative servers, despite having a zone key in trusted-keys, the
AD bit is not set in DNSSEC responses. Is it supposed to set this in
the way that my resolving servers do? Perhaps it's just some sort of
configuration issue on my part....

cjs
-- 
Curt Sampson            <cjs at cynic.net>             +81 90 7737 2974
   The power of accurate observation is commonly called cynicism
   by those who have not got it.    --George Bernard Shaw
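The two deployment options the post compares, sketched as BIND 9 named.conf fragments. This is an added example, not part of the original post or of BIND's own documentation; the zone name, addresses, file paths and the trusted key are placeholders. Option A keeps a single instance but closes the cache-leak the post observes; option B is the BIND 8 style two-instance layout.

```conf
// ---- Option A: one named instance, recursion and cache limited to localhost ----
// allow-recursion alone only stops outsiders from *triggering* recursion; data
// already in the cache is still returned to anyone allow-query admits. The
// allow-query-cache option (BIND 9.4 and later) closes that gap.
options {
    directory "/var/named";              // placeholder path
    recursion yes;
    allow-query { any; };                // authoritative zone data stays public
    allow-recursion { localhost; };      // only local processes may recurse
    allow-query-cache { localhost; };    // and only they may read cached answers
    dnssec-enable yes;
    dnssec-validation yes;               // BIND 9.4+; validation is what sets AD
};

zone "example.com" {                     // placeholder zone
    type master;
    file "example.com.zone";
};

// ---- Option B: two instances on the same host, as under BIND 8 ----
// Resolver instance, e.g. started with: named -c /etc/named-resolver.conf
options {
    directory "/var/named/resolver";
    listen-on { 127.0.0.1; };            // reachable only from this host
    recursion yes;
    allow-query { localhost; };
    dnssec-enable yes;
    dnssec-validation yes;
};
trusted-keys {
    "example.com." 257 3 5 "PLACEHOLDER-BASE64-KEY";   // placeholder, not a real key
};

// Authoritative instance, e.g. started with: named -c /etc/named-auth.conf
options {
    directory "/var/named/auth";
    listen-on { 192.0.2.53; };           // placeholder public address (RFC 5737 range)
    recursion no;                        // no recursion, no cache, nothing to leak
    allow-query { any; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

In option B the trusted-keys statement belongs on the resolver, since RFC 4035 describes the AD bit as the product of a validating resolver; an authoritative server answering from its own zone data may set it as local policy but is not required to, which is why checking for AD on the authoritative instance is not a reliable test of whether DNSSEC is configured correctly there.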



More information about the bind-users mailing list