Tuning for lots of SERVFAIL responses

Mark Andrews marka at isc.org
Fri Feb 19 02:52:33 UTC 2016


In message <CAGYMsbvhOLEKJyopVnwsWL_8p7R+P=1La=vXDAuKGmfod=bYrA at mail.gmail.com>, John Miller writes:
> On Thu, Feb 18, 2016 at 5:06 PM, Mark Andrews <marka at isc.org> wrote:
> > For some reason people are afraid to slave internal zones.  Back
> > when I was working for CSIRO I used to slave all the internal zones
> > for all of the sites the division had.  Each site administered its
> > own zones but all sites slaved all of them.  That way local and
> > inter site lookups always succeeded even when the external links
> > were down.
> 
> It wasn't so much a fear thing for us as a configuration thing: we
> previously were using a pair of nameservers for everything under the
> sun.  Not being sure if we would do BIND for recursive DNS (or
> authoritative, for that matter), it was far easier to migrate things
> piecemeal.  Using stub zones on the resolvers makes configuration far
> simpler as well.  We're also in an interesting place where our
> internal zones aren't _really_ internal: everything for the most part
> has a .brandeis.edu FQDN, and the world sees largely the same set of
> records that we do locally.  We have to keep everything synced up
> somehow.
> 
> Is slaving internal zones like this feasible with other DNS products
> (NSD, PowerDNS)?  Both of those run different binaries for their
> authoritative and recursive functions, so this seems like a
> BIND-specific (or BIND9, at least) way of doing things.

No, it is not BIND-specific.  It's part of the basic DNS design.
There is no need for a recursive server to not be able to serve
zone content directly.  In fact there are a number of RFCs that
require this ability or the equivalent.

There is benefit in the listed (NS records) authoritative servers
for a zone not offering recursion to anyone.  It provides for
consistent answers from all the listed authoritative servers for
the zone as you don't have answers from the cache polluting the
configured glue for the zone.

Unfortunately this has morphed into "complete separation of roles"
being needed.  This has never been the case.

> We'll definitely be increasing recursive-clients (likely to something
> ~10k).  I'd imagine that we'll also start slaving our own zones
> again--we just need to figure out the config management piece of
> things.  Shouldn't take more than a day or two, though.  Thanks for
> the advice, Mark.
> 
> John
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
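
The arrangement discussed in this thread, sketched as named.conf fragments. This is an added example, not configuration posted by either participant; the zone name, addresses, ACL and file paths are constructed placeholders.

```conf
// ---- Recursive resolver (not listed in the zone's NS records) ----
// Constructed example: all names, addresses and paths are placeholders.
acl internal { 10.0.0.0/8; };

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { internal; };   // recurse for local clients only
    recursive-clients 10000;         // the ~10k figure mentioned in the thread
};

// Before: a stub zone only learns the NS set, so every lookup still
// depends on reaching the authoritative servers.
// zone "site-a.example.internal" {
//     type stub;
//     masters { 10.1.0.53; };
//     file "stubs/site-a.example.internal.db";
// };

// After: a slaved zone keeps a full local copy, so the resolver
// answers from that copy while the link to the master is down.
zone "site-a.example.internal" {
    type slave;
    masters { 10.1.0.53; };
    file "slaves/site-a.example.internal.db";
};

// ---- Listed authoritative server (appears in the NS records) ----
options {
    directory "/var/named";
    recursion no;                    // no cache data mixed into its answers
    allow-query-cache { none; };
};

zone "site-a.example.internal" {
    type master;
    file "master/site-a.example.internal.db";
    // The resolver is not in the NS set, so it must be allowed to
    // transfer the zone and be notified of changes explicitly.
    allow-transfer { 10.0.0.53; };
    also-notify { 10.0.0.53; };
};
```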

