separation of authoritative and recursive functions on internal networks

John Miller johnmill at brandeis.edu
Mon Aug 10 15:45:10 UTC 2015


On Wed, Aug 5, 2015 at 10:18 AM, Gary Carr <garycarr100 at gmail.com> wrote:
>
> Overall, is breaking this function out - internally - really worth it?
>

I can offer a personal testimonial on the management aspects of this:

A couple of years back, we made the switch from combined
authoritative/recursive servers to recursive-only and
authoritative-only systems.  The reasoning was more a logistics thing
than anything else: we wanted to host our authoritative records both
locally and with a cloud service, and moving the recursive portion was
easy to do.  We also weren't sure which daemons we wanted to use for
each side of things - PowerDNS recursor?  BIND?  unbound?  PowerDNS
authoritative?  NSD? - so separating the two functions gave us
flexibility in that arena.  It also meant we didn't have to worry
about views.  We treated the separation of authoritative and recursive
as gospel.

For recursive service, we initially ran three pdns-recursor instances
and two BIND instances, most behind a hardware load balancer.  For
authoritative service, we kept our records in Amazon Route 53, syncing
with four internal NSs: one hidden master and three slaves.  This let
us override records locally as needed and meant that we didn't have to
follow delegation from the root NSs (important - you're not relying on
100% border uptime for your internal network).

We've since moved our recursive stuff to BIND (for RPZ), and have
added a couple of additional internal authoritative servers, so we're
at 10+ DNS servers locally.  We're starting to become too complicated!
Separating authoritative and recursive functions certainly makes it
easier to do maintenance and change daemons as necessary, but it's
added a layer of complexity that you might not want.

Something interesting we did is that our recursive servers don't
depend exclusively on our local authoritative servers.  In a pinch
(last master in the stub zone), they'll go out to our cloud DNS
servers and pull/follow delegation from there.  So the dependence of
recursive on authoritative, due to separation, isn't nearly as great.

John
-- 
John Miller
Systems Engineer
Brandeis University
johnmill at brandeis.edu
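
The layout described above (recursive-only resolvers that learn the internal zone from a stub zone whose master list ends with the cloud-hosted nameservers, and separate authoritative-only slaves fed from a hidden master) sketched as BIND 9 named.conf fragments. This is an added example, not configuration from the original post or from Brandeis; the zone name, the client ACL and every address (RFC 5737 documentation ranges) are placeholders.

```conf
// ---- named.conf on a recursive-only resolver (added example) ----
// Clients talk to this host; it holds no zone authoritatively.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };   // hypothetical internal client range
    allow-query     { 10.0.0.0/8; };
};

// Stub zone: named fetches the NS RRset for the zone from the listed
// masters and then follows those NS records for everything in the zone,
// so it never needs to walk delegation from the root through the border.
// Internal authoritative servers come first; the last entry is a
// cloud-hosted nameserver, so if every internal server is unreachable
// the resolver still obtains the NS set from outside and follows it.
zone "example.edu" {
    type stub;
    masters {
        192.0.2.10;      // internal slave 1 (hypothetical)
        192.0.2.11;      // internal slave 2 (hypothetical)
        192.0.2.12;      // internal slave 3 (hypothetical)
        203.0.113.53;    // cloud-hosted NS, tried last (hypothetical)
    };
    file "stub/example.edu";
};

// ---- named.conf on an authoritative-only slave (added example) ----
// Answers only for zones it holds; never recurses on a client's behalf.
options {
    directory "/var/cache/bind";
    recursion no;
    allow-query    { any; };
    allow-transfer { none; };        // slaves do not hand out the zone
    notify no;
};

zone "example.edu" {
    type slave;
    masters { 192.0.2.5; };          // hidden master (hypothetical address)
    file "slaves/example.edu";
};
```

A quick check after loading both: `dig @<resolver> www.example.edu` should answer with the `ra` flag set, while `dig @<slave> www.example.com` (a zone the slave does not hold) should come back REFUSED with no `ra` flag, confirming that only the resolver side recurses. Pulling one internal master out of the stub zone's list and re-running the first query shows whether the fallback to the cloud-hosted entry actually engages.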

