BIND and DNSSEC

Alan Clegg alan at clegg.com
Thu Nov 1 11:26:31 UTC 2012


On Nov 1, 2012, at 7:14 AM, Kobus Bensch <kbensch at fullnet.co.uk> wrote:

> Is that because split horizon doubles admin or because its bad all together?
> 
> I have been using split horizon for many years now and found it very useful. Any thoughts from any on the list would be most welcomed.

Crafted for a private reply, but being re-used here:

There are places that views/split-horizon fit the model that has been put into place.  It does, however, break the "one-question, one-answer" concept that was foundational for DNS.

My recommendation is that for "internal" addressing, a separate zone be created that serves that address space.  You gain a number of things from this, including easier debugging and better data security (no-longer are you concerned about exactly what clients are seeing at "www.internal.example.com" since you know that the only people able to resolve/route "internal.example.com" are the ones that should be able to).

The problem lies in that over the years, people (usually the higher-ups) have been trained (by us, the in-the-trench guys) that "www.example.com" can be one thing internally and something else externally, or that their printer really _should_ be named myprinter.example.com and not myprinter.internal.example.com.

All the best,
AlanC
-- 
Alan Clegg | +1-919-355-8851 | alan at clegg.com








More information about the bind-users mailing list