root nameserver hardware requirements

Mathias Körber mathias at koerber.org
Wed Sep 20 12:53:33 UTC 2000


> It's wise to do this irrespective of performance. Not that performance
> really matters for DNS on today's hardware unless DNSSEC is involved
> and there's cryptographic verification of DNS packets. Use one set of
> name servers for handling queries from other name servers and another
> set for dealing with queries from desktops and end users. Both sets of
> servers should be authoritative for your zones. The first set are the
> ones advertised in your zone's NS records. The others should be
> configured as "stealth" servers: they slave the zone, but are not
> listed in the zone's NS records.

Hmm. Here is a differing opinion on the last point. In my last job
(largish ISP), we had a number of customers whose zones we were
authoritative for migrate to some other ISP, without any notice being
given, neither by the customer nor by the registry/registrar.

If our resolving nameservers (those used by our dialup customers, our own
servers etc) had been authoritative for these zones, they would not have
served the new zone-data from the new ISP these customers went to, but
kept on serving from their authoritative data. Thus our customers would
have been unable to resolve the customers' (new) domains correctly,
while everyone else could. Obviously the fingers point back to us.

Therefore, I made certain that our resolving nameservers had exactly the
same view of the 'net as all other sites, and that these do not serve any
zone authoritatively.

Similarly, it gets interesting if your authoritative nameservers are also
authoritative for one of your parent zones, as again you may have
different data for zones that have moved without informing you.

regards
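
The stale-zone situation described in this message can be caught by comparing the zones a server is configured to serve against the NS set the parent zone actually delegates. The sketch below is an added example, not part of the original message; all zone names, server names and delegation data are constructed, and in practice the delegation would be fetched from the parent zone's servers rather than embedded. It also covers the partial and undelegated cases, which the message does not discuss.

```python
# Added example: audit locally served zones against the parent's delegation.
# All zone names, server names and delegation data below are constructed.

def norm(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.strip().rstrip(".").lower()

def classify(zone, our_servers, parent_ns):
    """Return the delegation status of one zone we are configured to serve.

    parent_ns maps zone name -> NS names the parent zone hands out,
    i.e. what every other resolver on the Internet follows.
    """
    ours = {norm(s) for s in our_servers}
    delegated = {norm(n) for n in parent_ns.get(norm(zone), [])}
    if not delegated:
        return "undelegated"   # parent no longer delegates the zone at all
    if delegated <= ours:
        return "ok"            # every delegated server is one of ours
    if delegated & ours:
        return "partial"       # shared with servers we do not run
    return "moved"             # delegation points elsewhere: our copy is stale

def audit(local_zones, our_servers, parent_ns):
    """Map each locally configured zone to its status, keeping only non-ok ones."""
    result = {z: classify(z, our_servers, parent_ns) for z in local_zones}
    return {z: s for z, s in result.items() if s != "ok"}

OUR_SERVERS = ["ns1.isp.example.", "ns2.isp.example."]
LOCAL_ZONES = ["stayed.example", "Moved.Example.", "split.example", "gone.example"]
PARENT_NS = {  # constructed view of what the parent zones delegate
    "stayed.example": ["NS1.ISP.EXAMPLE.", "ns2.isp.example."],
    "moved.example": ["ns1.other-isp.example.", "ns2.other-isp.example."],
    "split.example": ["ns1.isp.example.", "ns.customer.example."],
}

if __name__ == "__main__":
    for zone, status in sorted(audit(LOCAL_ZONES, OUR_SERVERS, PARENT_NS).items()):
        print(f"{zone}: {status}")
```

A zone reported as "moved" or "undelegated" is one where a server that still answers from its local copy would disagree with the rest of the Internet.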



