separation of authoritative and recursive functions on internal networks

Mark Andrews marka at isc.org
Sun Jan 31 23:03:04 UTC 2016


In message <23F8B4F8-B0EA-436D-A700-87AC63248514 at nau.edu>, Mathew Ian Eis writes:
> Howdy Mark,
>
> Can you please clarify the best practice for this?
>
> > Recursive servers (honouring RD=1) however can be authoritative for
> > zones.
>
> In this context of "authoritative", do you mean that they can be fully
> functional slaves and have a complete copy of the zone information?

Yes.

> I would imagine you would still not want such recursive servers to be
> truly authoritative (e.g. listed in the NS records for the zones),
> correct?

Correct.  You don't want the listed servers for the zone returning
data that is learnt via iterative/recursive lookups and the best
way to do that is to not have those servers recurse.

> Thanks in advance,
>
> Mathew Eis
> Northern Arizona University
> Information Technology Services
> mathew.eis at nau.edu
> (928) 523-2960
>
> -----Original Message-----
> From: <bind-users-bounces at lists.isc.org> on behalf of Mark Andrews
> <marka at isc.org>
> Date: Monday, August 10, 2015 at 11:12 AM
> To: Gary Carr <garycarr100 at gmail.com>
> Cc: "bind-users at isc.org" <bind-users at isc.org>
> Subject: Re: separation of authoritative and recursive functions on
> internal networks
>
> >
> >Authoritative servers (listed in NS records) shouldn't be recursive.
> >This prevents leakage of cache data.  This provides consistent
> >answers.  The server also doesn't have to decide what type of answer
> >to give (recursive vs authoritative).  Glue doesn't get overridden
> >by answers, etc.
> >
> >Recursive servers (honouring RD=1) however can be authoritative for
> >zones.  This proves robustness in the presence of link failures.
> >Faster than ttl expiry of local zone changes (provided that notify
> >messages are sent).
> >
> >Unfortunately this has become strict separation lore which really
> >wasn't ever the intent.
> >
> >Mark
> >--
> >Mark Andrews, ISC
> >1 Seymour St., Dundas Valley, NSW 2117, Australia
> >PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
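
An audit check for the rule discussed in this thread, added here as an example (it is not code from the post or from ISC): servers listed in a zone's NS records should answer authoritatively without offering recursion, while unlisted recursive servers may also hold a copy of the zone. It assumes each server was sent an RD=1 SOA query for the zone and that the RA bit in the reply means recursion is offered to that client; the server names and response headers are constructed, and the network send is left out so the block runs offline.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def build_query(qname, qid, qtype=6):
    """Wire-format probe (default type SOA) with RD=1, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_flags(message):
    """Return (aa, ra) from the 12-byte header of a DNS response."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags = struct.unpack("!HH", message[:4])
    if not flags & QR:
        raise ValueError("not a response")
    return bool(flags & AA), bool(flags & RA)

def classify(listed, response):
    """Judge one server from its reply to an RD=1 SOA query for the zone."""
    aa, ra = parse_flags(response)
    if listed and ra:
        return "FAIL: listed in NS but offers recursion"
    if listed and not aa:
        return "FAIL: listed in NS but not authoritative (lame)"
    if listed:
        return "ok: authoritative only"
    if ra and aa:
        return "ok: recursive server holding a copy of the zone"
    return "ok: recursive only" if ra else "note: unlisted and non-recursive"

# Constructed sample data: hypothetical server names, hand-built response headers.
def make_response(flags):
    return struct.pack("!HHHHHH", 0, QR | RD | flags, 1, 1, 0, 0)

SAMPLES = {  # name -> (listed in the zone's NS RRset?, raw response)
    "ns1.example.internal": (True, make_response(AA)),
    "ns2.example.internal": (True, make_response(AA | RA)),
    "resolver1.example.internal": (False, make_response(AA | RA)),
    "resolver2.example.internal": (False, make_response(RA)),
}

def audit(samples):
    return {name: classify(listed, resp) for name, (listed, resp) in samples.items()}

if __name__ == "__main__":
    print("\n".join(f"{n:28} {v}" for n, v in audit(SAMPLES).items()))
```
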

