Forwarding environment questions

Baird, Josh jbaird at follett.com
Mon Nov 26 15:50:46 UTC 2007


Mark,

In order to serve existing clients, our internal authoritative servers
need to be able to answer recursive queries as well.  Are you saying
that I should have all of my authoritative slave servers be caching
servers as well and answer recursive queries directly?  I was under the
impression that it was a better practice to have these authoritative
servers forward to caching only servers for recursive queries?

Mark -- sorry for the duplicate copy.

Thanks,

Josh

-----Original Message-----
From: Mark_Andrews at isc.org [mailto:Mark_Andrews at isc.org] 
Sent: Sunday, November 25, 2007 11:57 PM
To: Baird, Josh
Cc: bind-users at isc.org
Subject: Re: Forwarding environment questions 


> I am currently in the process of re-structuring a fairly large BIND environment
> and have a few questions regarding forwarding.  Here is a simple overview of the
> environment that I have in mind for Internal DNS:
> 
> * Internal Master (authoritative, uses forwarders to caching only servers for non-authoritative queries)
>  `- Slave 1 (authoritative, uses forwarders to caching only servers for non-authoritative queries)
>   - Slave 2 (authoritative, uses forwarders to caching only servers for non-authoritative queries)
>   - Slave 3 (authoritative, uses forwarders to caching only servers for non-authoritative queries)
>   - Slave 4 (authoritative, uses forwarders to caching only servers for non-authoritative queries)
> * Caching only nameserver 1 (no authoritative data, all other internal BIND servers forward to these for recursive queries)
> * Caching only nameserver 2
> 
> I am trying to follow best practices in that authoritative servers (masters and slaves) should
> not allow recursive lookups, but should use forwarders if necessary.  Due to the nature of the

	There is no "but should use forwarders if necessary".

> existing environment, all clients are pointing to either the internal master or slave servers for
> all name resolution (internal resolution, and recursive resolution).  In order to keep these
> authoritative servers from doing recursive lookups, my plan is to have them all use a forwarders statement
> in the global options to forward all recursive lookups to the two "Caching only nameservers" that
> we have in our environment.  Is using forwarders in this way considered to be a good practice versus
> these authoritative servers going out to the Internet directly for recursive lookups using root hints?
> 
> I am also a bit confused about the forwarders statements on the slave servers.  It is my understanding
> that they will only use the forwarders (that are defined in options) if the nameserver does not
> contain authoritative data for the zone.  Is this the case for slave zones as well?  Or do I need
> to specify "forwarders { };" for each of the zones on the slaves to force it to use the local authoritative
> data?
> 
> I greatly appreciate any input or suggestions that you have.
> 
> Thanks,
> 
> Josh Baird

	You have totally missed the point of separating recursive
	and authoritative services.

	Firstly, do not use forwarders unless you know what you are
	doing.  Forwarders are there for very specific configuration
	issues.  Forwarders are one of the most abused configuration
	options in named.conf.

	For authoritative servers you really only need:

		options {
			recursion no;
			allow-query-cache { none; };
		};

		<zone definitions>

	That will isolate the clients from anything the server
	learns as it does its notify processing.  Note, authoritative
	servers (masters and slaves) will still ask questions, so
	they still need a hint zone.

	Caches can be slaves of zones but they should not be listed
	in the NS RRset for the zones.  It is actually common for
	caches to be slaves of internal zones as an override mechanism.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
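As an added example (not part of Mark's or Josh's mail, and not ISC's own configuration), the split Mark describes can be written out as two separate named.conf files, one per server role, shown below in a single block delimited by comments. Every address, zone name and file path is a placeholder chosen for illustration: 192.0.2.0/24 and 198.51.100.0/24 stand in for internal client networks, 192.0.2.10 through 192.0.2.12 for the master, a slave and a cache, example.internal for an internal zone, and the file names follow common but not mandatory conventions.

```conf
// ===== File 1: named.conf on the authoritative servers (master or slaves) =====
// Added example; addresses, zone names and file paths are placeholders.
acl internal { 192.0.2.0/24; 198.51.100.0/24; };

options {
    directory "/var/named";
    recursion no;                       // never resolve on behalf of clients
    allow-query-cache { none; };        // nothing learned while processing
                                        // notifies or refreshes is served out
    allow-transfer { none; };           // global default, opened per zone
    // No "forwarders" statement: an authoritative server forwards nothing.
};

// Root hints stay in place: the server still has to look up the names of
// its masters and of NS targets when it refreshes a zone or sends NOTIFY.
zone "." {
    type hint;
    file "named.root";
};

zone "example.internal" {
    type master;                        // "type slave; masters { 192.0.2.10; };" on the slaves
    file "master/example.internal.db";
    allow-transfer { 192.0.2.11; 192.0.2.12; };   // slaves and the caches only
    also-notify   { 192.0.2.11; 192.0.2.12; };
};

// ===== File 2: named.conf on the caching-only servers =====
acl internal { 192.0.2.0/24; 198.51.100.0/24; };

options {
    directory "/var/named";
    recursion yes;
    allow-query     { internal; };      // answer internal clients only
    allow-recursion { internal; };      // refuse recursion from anywhere else
    allow-query-cache { internal; };    // cache contents visible to the same set
    // Again no "forwarders": the cache resolves from the root hints itself.
};

zone "." {
    type hint;
    file "named.root";
};

// The override mechanism Mark mentions: the cache slaves the internal zone so
// internal names are answered from local authoritative data, while the cache
// itself is never listed in the zone's NS RRset.
zone "example.internal" {
    type slave;
    masters { 192.0.2.10; };
    file "slave/example.internal.db";
};
```

With this layout the clients are pointed at the caching servers, and the authoritative servers no longer need to resolve anything for them; no per-zone `forwarders { };` override is needed anywhere because neither role carries a global forwarders statement. Both files can be syntax-checked with `named-checkconf` before they are deployed.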