Many A-records
John S. Giltner, Jr.
giltjr at earthlink.net
Sun Apr 4 15:37:45 UTC 2004
fih wrote:
> Hello guys!
>
> I was once told that a network interface should have only one A-record and a
> corresponding PTR record. As you probably know, many people like to tweak
> this and I'm doing my best to fight it.
>
> While fighting it I also get a lot of questions about why we can't have
> many A-records pointing to the same IP. Does anybody know if there is an RFC
> or best practice DNS documentation that I can refer to, or am I totally
> wrong??
>
> Also, my company likes to sell services based on DNS names and we have
> customers that can't see the external namespace we use for our services.
> They want me to add fake A-records in the customers' namespace so our
> services will have different names depending on who is asking. This I don't
> like at all and I already know that I will get in trouble with SSL
> certificates.
> In my world we should instead make our service zone available
> for the customer.
>
> In my world a Network interface should have one but only one A-record.
>
> Comments please!!!
>
>
My opinion:
When you say "network interface" are you talking logically or
physically? Or do you really mean IP address? I hope that you are not
still just assigning a single IP address to a single NIC.
As you seem to be hosting multiple domains on a single host and you want
one IP address per interface, I assume that this means you are
assigning multiple IP addresses to a single NIC.
This may have been fine 10 years ago, possibly even 5 years ago; today,
no way. Virtual hosts on Web servers allow a single IP address to
respond to multiple host domain names. Why have 10, 100, or 1,000 IP
addresses on a single box when one or two can do?
As for SSL certificates, get them assigned based on the host name and
not the IP address. This gives you flexibility in that you can move the
host name from box to box as required.
Internal name spaces vs. external name spaces. That is a preference.
Hiding your internal name spaces allows you more flexibility. It also
could help in the security arena, as you are not publishing your
internal name space to the world (depending on how you provide DNS
services). This also makes it look as if you are providing a
customized, and isolated, environment for your customers. Publishing
your internal name space externally is less maintenance, as you define
something once and that is it. But everybody can now see it.
From what little I know, what you are being asked to do is the "norm" today.
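The thread's real question is whether several A-records may point at one IP. They may; what a zone can only do once per address is the PTR, which names exactly one of those hosts. The check below, an added example that is not part of the thread or of BIND, takes a constructed set of A and PTR records (the example.com names and 192.0.2.0/24 addresses are made up) and reports, per IP, which names point at it and whether its PTR target has a matching A record, i.e. whether forward-confirmed reverse DNS holds. It also flags an address with no PTR at all and a PTR that names a host with no A record back to that address, the two cases that actually cause mail and access-control trouble.

```python
"""Forward/reverse DNS consistency check over A and PTR records.

Added example, not code from the bind-users thread. All records below are
constructed: several hostnames share one address, and each address has at
most one PTR record naming one of those hosts.
"""
from collections import defaultdict

# Constructed sample records as (owner, type, rdata), the way they would
# appear in a forward zone and in the matching in-addr.arpa zone.
SAMPLE_RECORDS = [
    ("www.example.com.",  "A", "192.0.2.10"),
    ("mail.example.com.", "A", "192.0.2.10"),
    ("shop.example.com.", "A", "192.0.2.10"),   # three names, one address
    ("ns1.example.com.",  "A", "192.0.2.53"),
    ("ftp.example.com.",  "A", "192.0.2.20"),   # no PTR for this address
    ("orphan.example.com.", "A", "192.0.2.99"),
    ("10.2.0.192.in-addr.arpa.", "PTR", "www.example.com."),
    ("53.2.0.192.in-addr.arpa.", "PTR", "ns1.example.com."),
    ("99.2.0.192.in-addr.arpa.", "PTR", "other.example.net."),  # no A back
]


def reverse_name(ip):
    """Return the in-addr.arpa owner name for a dotted-quad IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_to_ip(owner):
    """Convert a four-label in-addr.arpa owner back to dotted-quad form."""
    suffix = ".in-addr.arpa."
    if not owner.endswith(suffix):
        raise ValueError(f"not an in-addr.arpa name: {owner}")
    labels = owner[: -len(suffix)].split(".")
    if len(labels) != 4:
        raise ValueError(f"unexpected reverse name: {owner}")
    return ".".join(reversed(labels))


def check_consistency(records):
    """Classify every IP address that appears in the record set.

    Returns ip -> {"names": [...], "ptr": name or None, "status": ...} where
    status is one of:
      "ok"        PTR exists and its target is one of the A owners (FCrDNS)
      "no_ptr"    names point at the address but no PTR record exists
      "mismatch"  PTR exists but its target has no A record for this address
    """
    forward = defaultdict(list)  # ip -> names holding an A record to it
    reverse = {}                 # ip -> PTR target
    for owner, rtype, rdata in records:
        if rtype == "A":
            forward[rdata].append(owner.lower())
        elif rtype == "PTR":
            reverse[ptr_to_ip(owner)] = rdata.lower()

    report = {}
    for ip in sorted(set(forward) | set(reverse)):
        names = forward.get(ip, [])
        ptr = reverse.get(ip)
        if ptr is None:
            status = "no_ptr"
        elif ptr in names:
            status = "ok"
        else:
            status = "mismatch"
        report[ip] = {"names": names, "ptr": ptr, "status": status}
    return report


if __name__ == "__main__":
    for ip, info in check_consistency(SAMPLE_RECORDS).items():
        print(f"{ip:12} {info['status']:9} ptr={info['ptr']} names={info['names']}")
```

Run against the sample, 192.0.2.10 comes back "ok" even though three names resolve to it, because its single PTR names one of them; 192.0.2.20 is "no_ptr" and 192.0.2.99 is "mismatch". Feeding the function the output of a zone transfer or a dump of your own forward and reverse zones (parsed into the same tuples) turns it into a routine audit that catches exactly the forward/reverse drift the "one A-record per interface" rule was trying to prevent.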