Many A-records

John S. Giltner, Jr. giltjr at earthlink.net
Sun Apr 4 15:37:45 UTC 2004


fih wrote:
> Hello guys!
> 
> I was once told that a network interface should have only one A-record and a
> corresponding PTR record. Since you probably know many people likes to tweak
> this and I'm doing my best to fight it.
> 
> While fighting it I also get a lot of questions about why we can't have
> many A-records pointing to the same IP. Does anybody know if there is an RFC
> or best-practice DNS documentation that I can refer to, or am I totally
> wrong??
> 
> Also if my company likes to sell services based on DNS names and we have
> customers that can't see the external namespace we use for our services.
> They want me to add fake A-records in the customers' namespace so our
> services will have different names depending on who is asking. This I don't
> like at all, and I already know that I will get in trouble with SSL
> certificates.
> In my world we should instead make our service zone available
> for the customer.
> 
> In my world a Network interface should have one but only one A-record.
> 
> Comments please!!!
> 
> 
My opinion:

When you say "network interface" are you talking logically or 
physically?  Or do you really mean IP address?  I hope that you are not 
still just assigning a single IP address to a single NIC.

As you seem to be hosting multiple domains on a single host and you want 
one IP address per interface, I assume that this means you are 
assigning multiple IP addresses to a single NIC.

This may have been fine 10 years ago, possibly even 5 years ago; today, 
no way.  Virtual hosts on Web servers allow a single IP address to 
respond to multiple host domain names.  Why have 10, 100, or 1,000 IP 
addresses on a single box when one or two can do?

As for SSL certificates, get them assigned based on the host name and 
not the IP address.  This gives you flexibility in that you can move the 
host name from box to box as required.

Internal name spaces vs. external name spaces.  That is a preference. 
Hiding your internal name spaces allows you more flexibility.  It also 
could help in the security arena, as you are not publishing your 
internal name space to the world (depending on how you provide DNS 
services).  This also makes it look as if you are providing a 
customized, and isolated, environment for your customers.  Publishing 
your internal name space externally is less maintenance, as you define 
something once and that is it.  But everybody can now see it.

From what little I know, what you are being asked to do is the "norm" today.
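As an added illustration, not part of the original thread, the following Python check models the situation being debated: several A records sharing one IP address with a single PTR for that address. The zone data is constructed and the example.com names are placeholders. The check confirms that every PTR's target has an A record pointing back at the same IP (forward-confirmed reverse DNS), which is the property that still matters when many names share one address, and it lists which names share each IP.

```python
"""Forward/reverse consistency check for a zone where several names share one IP."""
from collections import defaultdict
import ipaddress

# Constructed sample records (not from the original post): four names on
# 192.0.2.10 with one PTR, plus 192.0.2.20 whose PTR names a host that
# has no matching A record, to show what an inconsistency looks like.
FORWARD_ZONE = """
www.example.com.     3600 IN A 192.0.2.10
mail.example.com.    3600 IN A 192.0.2.10
shop.example.com.    3600 IN A 192.0.2.10
host1.example.com.   3600 IN A 192.0.2.10
db.example.com.      3600 IN A 192.0.2.20
"""

REVERSE_ZONE = """
10.2.0.192.in-addr.arpa. 3600 IN PTR host1.example.com.
20.2.0.192.in-addr.arpa. 3600 IN PTR dbserver.example.com.
"""


def parse_records(text, rtype):
    """Return (owner, rdata) pairs for records of one type from zone-file-like text."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3].upper() == rtype:
            out.append((parts[0].lower(), parts[4].lower()))
    return out


def a_records_by_ip(forward_text):
    """Map each IP to the sorted list of owner names whose A record points at it."""
    by_ip = defaultdict(list)
    for name, ip in parse_records(forward_text, "A"):
        by_ip[ip].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}


def ptr_ip(owner):
    """Convert an in-addr.arpa owner name to its dotted IPv4 string."""
    suffix = ".in-addr.arpa."
    if not owner.endswith(suffix):
        raise ValueError("not an IPv4 reverse owner name: %s" % owner)
    octets = owner[: -len(suffix)].split(".")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def check_ptr_consistency(forward_text, reverse_text):
    """For each PTR, verify that its target has an A record back to the same IP.

    Returns {ip: (ptr_target, ok)}. Many A records per IP is fine; the PTR
    simply names the one canonical host, and that host must resolve forward.
    """
    by_ip = a_records_by_ip(forward_text)
    result = {}
    for owner, target in parse_records(reverse_text, "PTR"):
        ip = ptr_ip(owner)
        result[ip] = (target, target in by_ip.get(ip, []))
    return result


if __name__ == "__main__":
    for ip, names in a_records_by_ip(FORWARD_ZONE).items():
        print(ip, "<-", ", ".join(names))
    for ip, (target, ok) in check_ptr_consistency(FORWARD_ZONE, REVERSE_ZONE).items():
        print(ip, "PTR", target, "OK" if ok else "MISMATCH: no A record back to this IP")
```

The deliberate mismatch for 192.0.2.20 is the case worth catching in practice: a PTR that names a host with no forward record back to the address is what mail and log-correlation checks flag, regardless of how many other names legitimately share the IP.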
