[Best practice] Internal zone

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue Nov 15 13:44:10 UTC 2011

On 15/11/2011 12:50, Jeremy MAURO wrote:
> I am asking you all for your best practice regarding your internal DNS and
> zones.
> I have 2 DNS servers used as Internal DNS and Resolvers, here is the
> dilemma, should I declare in each internal zone my NS with a glue record:
> $ORIGIN example.internal.
> ; NS records
>                 IN      NS      ns1
>                 IN      NS      ns2
> ns1           IN      A
> ns2          IN      A
> Or should I point toward the NS server from my principal zone:
> $ORIGIN example.internal.
> ; NS records
>                 IN      NS      ns1.principal.internal.
>                 IN      NS      ns2.principal.internal.
> Which one of those 2 samples is the best one and the closest to the
> RFCs? As far as I know, the second sample should be the best one since
> the RFC 1912 says "Some people get in the bad habit of putting in a glue
> record whenever they add an NS record 'just to make sure'."
> Any opinion is approached.

If you've already got A (and PTR) records set up for your nameservers,
then there's no advantage to adding more A records in each zonefile.
Especially given that all those zones are served from the same set of
authoritative servers.

Having one A record for each nameserver makes it much easier if you ever
need to renumber the server.

In a more complex setup with different zones distributed over various
different sets of internal servers, having a unique A record for each
server makes it much clearer which server is actually serving which zone.



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
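
The renumbering point in the reply above can be checked mechanically. The following is an added example, not part of the original thread or of BIND: it scans a set of zone files and reports any address that is published under more than one nameserver hostname. The zone contents, the `legacy.internal.` zone, the addresses and the function names are all constructed for illustration.

```python
import itertools
# Constructed sample zones; addresses come from the RFC 5737 documentation range.
ZONES = {
    "principal.internal.": """\
$ORIGIN principal.internal.
@       IN  NS  ns1
ns1     IN  A   192.0.2.1
""",
    "example.internal.": """\
$ORIGIN example.internal.
@       IN  NS  ns1.principal.internal.
""",
    "legacy.internal.": """\
$ORIGIN legacy.internal.
@       IN  NS  ns1
ns1     IN  A   192.0.2.1
""",
}

def fqdn(name, origin):
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse(text, origin):
    """Yield (owner, type, rdata) from a simple zone file (no parentheses, $TTL or $INCLUDE)."""
    owner = origin
    for raw in text.splitlines():
        tok = raw.split(";", 1)[0].split()              # drop comments, tokenize
        if not tok:
            continue
        if tok[0].upper() == "$ORIGIN":
            origin = fqdn(tok[1], origin)
            continue
        if not raw[0].isspace():                        # blank owner field inherits the last owner
            owner = fqdn(tok.pop(0), origin)
        tok = list(itertools.dropwhile(lambda t: t.isdigit() or t.upper() == "IN", tok))  # TTL, class
        if len(tok) >= 2:
            rtype, rdata = tok[0].upper(), tok[1]
            yield owner, rtype, fqdn(rdata, origin) if rtype == "NS" else rdata

def duplicated_ns_addresses(zones):
    """Map each address published under more than one nameserver name to those names."""
    ns_names, owners = set(), {}
    for origin, text in zones.items():
        for owner, rtype, rdata in parse(text, origin):
            if rtype == "NS":
                ns_names.add(rdata.lower())
            elif rtype in ("A", "AAAA"):
                owners.setdefault(rdata, set()).add(owner.lower())
    return {a: sorted(n & ns_names) for a, n in owners.items() if len(n & ns_names) > 1}
```

On the constructed zones, `duplicated_ns_addresses(ZONES)` reports 192.0.2.1 under both `ns1.legacy.internal.` and `ns1.principal.internal.`, so renumbering that server would mean editing two zone files instead of one.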
