inline-signing a zone that exists in two views

Bob Harold rharolde at umich.edu
Fri May 19 13:06:49 UTC 2017


On Fri, May 19, 2017 at 8:56 AM, Matus UHLAR - fantomas <uhlar at fantomas.sk>
wrote:

> Gordon Messmer <gordon.messmer at gmail.com> wrote:
>>> Is it considered best-practice (or just normal) for authoritative
>>> servers to just not use the local server for resolution?
>
> On Wed, May 10, 2017 at 5:56 AM, Tony Finch <dot at dotat.at> wrote:
>> Mine don't :-)
>
> On 18.05.17 16:38, Bob Harold wrote:
>> My authoritative servers are non-recursive.  They use the same DNS
>> resolvers that any other server uses, and not themselves.
>
>
> this configuration will make your recursive servers provide correct data
> when your customers move their domains out without telling you so (which
> happened quite often)...
> --
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/


Very true, and I use that fact when I know a zone is in transition.  But
most of the time I have stealth slave copies (meaning not listed in NS
records) on my resolvers.
That is more complicated, and has the problem you mention, which happens
often.
But it has some advantages:
- Updates reach my users more quickly, with no waiting for cache timeout on
  the resolvers (there are still other caches, but it helps).
- Cache poisoning attacks don't work against my zones on my resolvers, since
  they are authoritative and not cached.

I hope sometime to automate monitoring for zones moving without warning me
in advance.

-- 
Bob Harold
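An added example, not from Bob's message or from BIND itself: a small Python check for the monitoring Bob says he would like to automate, comparing what the Internet sees for a zone with what the local stealth copy serves. The zone names and DNS answers are constructed, and the two lookup callables are assumed to wrap a real DNS client in production.

```python
from typing import Callable, Dict, List, Set

# A lookup takes (qname, qtype) and returns the rdata strings of the answer
# (assumed interface; in production wrap a DNS client, e.g. a call to dig).
Lookup = Callable[[str, str], Set[str]]


def _serial(soa_rdata: Set[str]):
    """Serial is the third field of SOA rdata (mname rname serial refresh ...)."""
    for rdata in soa_rdata:
        fields = rdata.split()
        if len(fields) >= 3 and fields[2].isdigit():
            return int(fields[2])
    return None


def check_stealth_zone(zone: str, public: Lookup, local: Lookup) -> Dict[str, object]:
    """Compare the Internet's view of `zone` with the local stealth copy."""
    # `public` must not be the local resolver: it answers authoritatively from
    # the stealth copy, so it would never reveal that the delegation moved.
    public_ns = {n.lower().rstrip(".") for n in public(zone, "NS")}
    local_ns = {n.lower().rstrip(".") for n in local(zone, "NS")}
    public_serial = _serial(public(zone, "SOA"))
    return {
        "zone": zone,
        # No name server in common: the owner delegated the zone elsewhere.
        "moved": bool(public_ns) and not (public_ns & local_ns),
        # Same servers, but our copy does not carry the serial the world sees.
        "stale": public_serial is not None and public_serial != _serial(local(zone, "SOA")),
        "public_ns": sorted(public_ns),
        "local_ns": sorted(local_ns),
    }


# Constructed sample answers standing in for real DNS responses (hypothetical zones).
PUBLIC_VIEW = {
    ("example.net", "NS"): {"ns1.newhost.example.", "ns2.newhost.example."},
    ("example.net", "SOA"): {"ns1.newhost.example. hostmaster.example.net. 2017051901 7200 3600 1209600 3600"},
    ("example.org", "NS"): {"ns1.example.org.", "NS2.example.org."},
    ("example.org", "SOA"): {"ns1.example.org. hostmaster.example.org. 2017051900 7200 3600 1209600 3600"},
}
LOCAL_VIEW = {
    ("example.net", "NS"): {"ns1.example.net.", "ns2.example.net."},
    ("example.net", "SOA"): {"ns1.example.net. hostmaster.example.net. 2017041500 7200 3600 1209600 3600"},
    ("example.org", "NS"): {"ns1.example.org.", "ns2.example.org."},
    ("example.org", "SOA"): {"ns1.example.org. hostmaster.example.org. 2017051900 7200 3600 1209600 3600"},
}


def moved_zones(zones: List[str]) -> List[str]:
    """Stealth zones whose public delegation no longer includes our servers."""
    public = lambda q, t: PUBLIC_VIEW.get((q, t), set())
    local = lambda q, t: LOCAL_VIEW.get((q, t), set())
    return [z for z in zones if check_stealth_zone(z, public, local)["moved"]]
```

Run the comparison from a host whose "public" lookups go to an external resolver or straight to the delegated name servers; a zone flagged as moved is one the registrant re-delegated without telling you, and its stealth copy should be retired.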