BIND and DNSSEC
Alan Clegg
alan at clegg.com
Thu Nov 1 11:26:31 UTC 2012
On Nov 1, 2012, at 7:14 AM, Kobus Bensch <kbensch at fullnet.co.uk> wrote:
> Is that because split horizon doubles admin or because it's bad altogether?
>
> I have been using split horizon for many years now and found it very useful. Any thoughts from any on the list would be most welcomed.
Crafted for a private reply, but being re-used here:
There are places that views/split-horizon fit the model that has been put into place. It does, however, break the "one-question, one-answer" concept that was foundational for DNS.
My recommendation is that for "internal" addressing, a separate zone be created that serves that address space. You gain a number of things from this, including easier debugging and better data security (no longer are you concerned about exactly what clients are seeing at "www.internal.example.com" since you know that the only people able to resolve/route "internal.example.com" are the ones that should be able to).
The problem lies in that over the years, people (usually the higher-ups) have been trained (by us, the in-the-trench guys) that "www.example.com" can be one thing internally and something else externally, or that their printer really _should_ be named myprinter.example.com and not myprinter.internal.example.com.
All the best,
AlanC
--
Alan Clegg | +1-919-355-8851 | alan at clegg.com
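
[Added example, not part of the original message or of any BIND distribution: the two layouts discussed above as named.conf fragments. The ACL name, address ranges and file paths are placeholders, and the allow-query/allow-transfer restrictions on the internal zone are assumptions about how access would be limited.]

```conf
// ===== Variant A: views (split horizon) ==============================
// www.example.com is loaded from two different zone files; the answer a
// client receives depends on its source address.
acl "corp-nets" { 10.0.0.0/8; 192.168.0.0/16; };   // placeholder ranges

view "internal" {
    match-clients { "corp-nets"; };
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // internal copy of the data
    };
};

view "external" {
    match-clients { any; };
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // public copy of the data
    };
};

// ===== Variant B: separate internal zone (no views) ==================
// A different named.conf, not to be merged with variant A: once any
// view is defined, every zone has to live inside a view.
acl "corp-nets" { 10.0.0.0/8; 192.168.0.0/16; };   // placeholder ranges

zone "example.com" {
    type master;
    file "example.com.zone";                // one answer per name, for everyone
};

zone "internal.example.com" {
    type master;
    file "internal.example.com.zone";       // myprinter, www.internal, ...
    allow-query    { "corp-nets"; };        // assumption: only internal clients resolve it
    allow-transfer { none; };               // assumption: no zone transfers
};
```

In variant B each name has one zone file to audit and debug, and a client outside "corp-nets" asking for anything under internal.example.com is refused rather than handed a different answer.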