Forward First on Master Zone (bypass SOA)

Mike Hoskins (michoski) michoski at cisco.com
Mon Apr 1 19:00:48 UTC 2013


-----Original Message-----

From: Kevin Darcy <kcd at chrysler.com>
Date: Monday, April 1, 2013 2:46 PM
To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Re: Forward First on Master Zone (bypass SOA)

>On 3/29/2013 12:09 AM, Doug Barton wrote:
>> On 03/28/2013 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:
>>> My organization is evaluating the use of split-view DNS in our
>>> environment.
>>
>> Simple ... don't do it. It's almost never the right answer, and as
>> you're learning carries with it more administrative overhead than the
>> problems it's designed to solve.
>>
>> Much better to spend the time carefully considering what your goals
>> are, and finding other ways to reach them.
>And your alternative is what? Run the external version of the namespace
>on a completely separate infrastructure from the internal version?

Wouldn't you do that to some extent anyway, to separate external infra --
which I'd think is authoritative only -- and internal which is likely a
mix of authoritative and recursive?

I guess we've overkilled... We're running a split-horizon config on
separate infrastructure.

There have always been those for and against split horizon.  I often flip
back and forth since I see logic in many of the arguments on both sides.
When I usually hear people speak against split-horizon it has to do with
added complexity and minimal benefit (can be harder to debug, confusing to
new admins, internal resources should rely on more than DNS for protection
and leak out in a lot of ways besides DNS, etc).  They generally advocate
converging the namespace itself more than dictating what the
infrastructure should look like.  You could have a cohesive name space
served from separate infra or common infra using views and ACLs to decide
who can access the cache.  I would envision a hidden master feeding both
sets of infra so maintenance is still centralized.



