nanny (was Re: bind-9.8.1: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed)

michoski michoski at cisco.com
Thu Nov 17 21:57:36 UTC 2011


On 11/17/11 1:45 PM, "/dev/rob0" <rob0 at gmx.co.uk> wrote:
> What I should perhaps do: separate the authoritative named instance
> from the recursive one on the mail server. I suppose BIND 10 does
> this, by design?

Yes, that is best practice (I keep reading it in docs from people I trust,
like Cricket Liu).  I've done it since BIND 8 (back in 4.x I was new enough
that I was just happy things worked)...  Even on the same host, use IP aliases
and keep separate process space for authoritative and recursive.  Even
better, different boxes/VMs with dedicated resource pools.  There's really
no good reason a bug in caching code should take down your authoritative
instances; you just have to design it that way.

The "make lots of dedicated binaries" approach of BIND 10 (sorry, one of the
suggested approaches) reminds me of tinydns and qmail...  However, since I
have never liked either of those products, but do very much like the least
privilege model, I will choose Postfix instead -- as something worthy of
measuring up to.  ;-)  It will be fun to see how this pans out.

-- 
By nature, men are nearly alike;
by practice, they get to be wide apart.
        -- Confucius
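The split described above (two named processes on one host, each bound to its own IP alias, one purely authoritative and one purely recursive) as an added illustration; this is not configuration from the post, from the thread, or from ISC's BIND documentation. The addresses 192.0.2.10 and 192.0.2.11 (documentation range), the zone name example.com, the file paths, the pid-file locations and the 10.0.0.0/8 client range are all assumptions chosen for the example.

```conf
// Added example, not part of the original post or of ISC's BIND docs.
// Assumed: the host carries two IP aliases, 192.0.2.10 (authoritative) and
// 192.0.2.11 (recursive); zone example.com; clients live in 10.0.0.0/8.
// Each file is started as its own process, for example
//   named -u named -c /etc/named-auth.conf
//   named -u named -c /etc/named-rec.conf
// so an assertion failure or crash in the caching instance cannot take the
// authoritative instance down with it.

// ---- /etc/named-auth.conf : authoritative only ----
options {
    directory "/var/named/auth";
    pid-file  "/var/run/named-auth.pid";
    listen-on { 192.0.2.10; };      // bind only to the authoritative alias
    listen-on-v6 { none; };
    recursion no;                   // never recurse: no cache, nothing to poison
    allow-query { any; };           // the world may ask for our zones
    allow-transfer { none; };       // override per zone for real secondaries
    minimal-responses yes;
};

zone "example.com" {
    type master;                    // BIND 9.8 spelling; "primary" in 9.16+
    file "example.com.zone";
};

// ---- /etc/named-rec.conf : recursive resolver only ----
acl internal { 10.0.0.0/8; 127.0.0.1; ::1; };

options {
    directory "/var/named/rec";
    pid-file  "/var/run/named-rec.pid";
    listen-on { 192.0.2.11; };      // bind only to the resolver alias
    listen-on-v6 { none; };
    recursion yes;
    allow-query { internal; };      // outsiders get REFUSED ...
    allow-recursion { internal; };  // ... and can never use this as an open resolver
    allow-query-cache { internal; };
    dnssec-validation auto;         // available from 9.8 with the built-in root key
};
```

Point the zone's NS records at 192.0.2.10 and hand 192.0.2.11 to clients as their resolver; the two processes coexist because their directory and pid-file settings differ. One caveat: both instances default to an rndc control channel on 127.0.0.1 port 953, so give the second instance its own controls block (a different port or address) or rndc will only ever reach the first one. Run named-checkconf on each file before starting it.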




More information about the bind-users mailing list