Forwarding environment questions

Baird, Josh jbaird at follett.com
Thu Nov 29 15:23:38 UTC 2007


FYI -- decision was made to turn existing internal authoritative/recursive nameservers into recursive/resolving servers only that hold stub zones for our internal domains.  3 new authoritative/non-recursive internal nameservers will be established to serve internal authoritative queries.
I appreciate all of the input.

Thanks,

Josh Baird

-----Original Message-----
From: Måns Nilsson [mailto:mansaxel at kthnoc.net] 
Sent: Thursday, November 29, 2007 2:13 AM
To: Baird, Josh; Mark_Andrews at isc.org
Cc: bind-users at isc.org
Subject: RE: Forwarding environment questions 

--On Monday, 26 Nov 2007 09.50.46 -0600 "Baird, Josh"
<jbaird at follett.com> wrote:

> Mark,
> 
> In order to serve existing clients, our internal authoritative servers 
> need to be able to answer recursive queries as well.

Which is another way of saying "Your clients are very accustomed to getting replies to recursive queries from servers carrying certain IP addresses, and that currently hold your authoritative zone." And once that is established, the solution is clear -- set up new master and slave servers, and migrate from the present IP addresses, keeping the present ones for recursive service only.

> Are you saying
> that I should have all of my authoritative slave servers be caching 
> servers as well and answer recursive queries directly?  I was under 
> the impression that it was a better practice to have these 
> authoritative servers forward to caching only servers for recursive queries?

Forwarding configurations are harder to debug and intended only for the most Rube Goldbergish setups, where, often under the auspices of "security", people tie themselves into impressive knots to accomplish the simplest things.

If you have, as many do, a setup where an internal version of the zone needs to be distributed to internal machines, while letting external services and consumers view another set of data, then, you should have a set of servers for recursion inside. Further, you should have master and slave servers, with views, which makes them able to distinguish inside from outside, so that they can serve the right kind of zone to the right kind of client, inside or outside.

-- 
Måns Nilsson                     Systems Specialist
+46 70 681 7204   cell                       KTHNOC
+46 8 790 6518  office                  MN1334-RIPE

MY income is ALL disposable!
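
The split this thread settles on, sketched as two separate BIND 9 named.conf files. This is an added example, not configuration posted by anyone in the thread. The zone name, addresses, file paths and the one-master/two-slave layout are assumptions chosen for illustration.

```conf
// ===== File 1: named.conf on a recursive/resolving server =====
// Keeps the IP address clients already point at. Holds no authoritative data.
acl "internal-clients" { 10.0.0.0/8; };          // assumed client range

options {
    directory "/var/named";
    recursion yes;
    allow-query     { "internal-clients"; };
    allow-recursion { "internal-clients"; };     // never open to the world
};

// A stub zone fetches only the NS set from the listed servers; the resolver
// then sends them ordinary non-recursive queries. A "type forward" zone would
// instead send recursive queries (RD set), which servers running with
// "recursion no" will not resolve.
zone "corp.example" {
    type stub;
    masters { 10.0.1.11; 10.0.1.12; 10.0.1.13; };  // the new authoritative servers
    file "stub/corp.example";
};

// ===== File 2: named.conf on the new authoritative master (10.0.1.11) =====
// New address, never handed to clients as a resolver.
options {
    directory "/var/named";
    recursion no;                                // authoritative answers only
    allow-query    { 10.0.0.0/8; };              // resolvers and internal hosts
    allow-transfer { 10.0.1.12; 10.0.1.13; };    // the two slaves, nobody else
};

zone "corp.example" {
    type master;
    file "master/corp.example";
    notify yes;                                  // push changes to the slaves
};
```

Running `named-checkconf` against each file separately catches syntax errors before a reload; the internal reverse zones need matching stub entries on the resolvers.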

