No subject


Tue Apr 2 00:56:56 UTC 2013


zone resident in memory at all times. So if you have the memory (my boxes have 2Gb
RAM apiece) and the zone-transfer overhead doesn't bring the box to its knees (it
doesn't), then being a slave for the most frequently-used zones makes a lot of
sense. Besides, I have to do it anyway for purposes of redundancy.

But, just because I make my boxes slaves for a bunch of mission-critical zones,
doesn't mean I must turn recursion off completely and be slave for *all* zones,
does it? I mean, how often is a plant user going to query something in, e.g. the
mbcc.com (Mercedes-Benz Credit Corporation) zone (bearing in mind that all of our
web access is proxied)? Hardly ever. I really don't want to incur the overhead of
slaving mbcc.com on all of the plant boxes, but I want those names to be resolvable
if necessary. So it makes much more sense to just recurse for that zone.

My basic point is: whether or not to slave a particular zone on a particular
nameserver is partly a tuning decision. A blanket rule like "all nameservers should
be completely authoritative/non-recursive or completely
non-authoritative/recursive" eliminates many opportunities to tune and optimize
performance and/or meet other requirements that may be put on a nameserver. Hybrid
configurations have their place.

(Note that I haven't said anything specifically about forwarding. None of the
nameservers I've been discussing perform any form of forwarding whatsoever).

>         However, you are capable of reading the documentation, and if you
> really want to take these risks, you are capable of configuring the
> machines so as to allow you to do this.
>
>         No, I'm much more worried about the other 99.99999% of the people
> who do this sort of stuff (and far worse) out of ignorance.
>
>         Check out the nameservers for Critical Path (criticalpath.net) sometime.
>
>         Having unadvertised caching servers that also happen to be
> authoritative for certain zones does have some security risks (which
> might be mitigated if they are on private networks and not publicly
> accessible), but we know that having advertised authoritative servers
> that are also caching & recursive is a *far* more dangerous risk.

Agreed. All of my external-facing nameservers have recursion disabled or limited to
our own networks. In network-boundary situations, I agree that separation between
the two types of nameserver functions is generally recommended. But outside of such
environments, hybrid configurations are often optimal.


- Kevin
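As an added illustration (not part of Kevin's message or of the thread), a BIND named.conf fragment for the hybrid arrangement discussed above: the server is a slave for one frequently-used zone and recurses for everything else, but only for clients on its own networks, so outsiders can query the authoritative zones without using the cache. The plant network 10.0.0.0/8, the zone name example.com and the master address 192.0.2.10 are placeholders.

```conf
// Added example, not from the message: hybrid authoritative + recursive BIND.
// Placeholders: plant network 10.0.0.0/8, slaved zone example.com,
// zone master 192.0.2.10. Check with `named-checkconf` before loading.

acl "plant-nets" {
    10.0.0.0/8;     // placeholder for the plant's internal address ranges
    localhost;
};

options {
    directory "/var/named";

    // Recursion stays on, but only our own networks may use it.
    // Anyone else is answered only for zones this server holds.
    recursion yes;
    allow-recursion { "plant-nets"; };
    allow-query-cache { "plant-nets"; };

    // Queries for the slaved zones may come from anywhere; the two
    // directives above keep outside clients out of the cache.
    allow-query { any; };

    // This box is not a transfer source for anything.
    allow-transfer { none; };
};

// Mission-critical, frequently-used zone: keep a full copy locally so
// lookups never leave the box and names stay resolvable if the master
// is unreachable.
zone "example.com" {
    type slave;              // newer BIND releases also accept "secondary"
    file "slaves/example.com";
    masters { 192.0.2.10; };
};

// Rarely-queried zones (the mbcc.com case in the message) get no zone
// statement at all: they are resolved by ordinary recursion and cached
// only when someone actually asks for them.
```

With this layout an external client asking for a name outside the slaved zones receives REFUSED rather than a cached answer, which is the separation the quoted reply is concerned about.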




More information about the bind-users mailing list