BIND and DNSSEC
kbensch at fullnet.co.uk
Thu Nov 1 11:26:17 UTC 2012
Thanks. All makes sense and definitely something to think about in the new network design.
Also wanted to say, I did like the doc and will be using that, but as you say, will make particular note about the maintenance side of things.
----- Original Message -----
From: "Alan Clegg" <alan at clegg.com>
To: "Kobus Bensch" <kbensch at fullnet.co.uk>
Cc: bind-users at lists.isc.org
Sent: Thursday, 1 November, 2012 11:26:31 AM
Subject: Re: BIND and DNSSEC
On Nov 1, 2012, at 7:14 AM, Kobus Bensch <kbensch at fullnet.co.uk> wrote:
> Is that because split horizon doubles admin or because it's bad altogether?
> I have been using split horizon for many years now and found it very useful. Any thoughts from any on the list would be most welcomed.
Crafted for a private reply, but being re-used here:
There are places that views/split-horizon fit the model that has been put into place. It does, however, break the "one-question, one-answer" concept that was foundational for DNS.
My recommendation is that for "internal" addressing, a separate zone be created that serves that address space. You gain a number of things from this, including easier debugging and better data security (no longer are you concerned about exactly what clients are seeing at "www.internal.example.com" since you know that the only people able to resolve/route "internal.example.com" are the ones that should be able to).
The problem lies in that over the years, people (usually the higher-ups) have been trained (by us, the in-the-trench guys) that "www.example.com" can be one thing internally and something else externally, or that their printer really _should_ be named myprinter.example.com and not myprinter.internal.example.com.
All the best,
Alan Clegg | +1-919-355-8851 | alan at clegg.com
Fullnet Solutions Limited
7 Marlborough Close
Telephone: +44 (07703) 503 733
Kobus Bensch: kbensch at fullnet.co.uk
Information: info at fullnet.co.uk
Registered in England & Wales.
Company Number: 3568937
VAT registration number: UK 714 7309 42
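
The two layouts discussed in this thread, side by side, as an added named.conf sketch that is not from either poster or from ISC. The ACL name, address range and zone file names are constructed placeholders, and restricting the internal zone with allow-query is one assumed way of limiting who can resolve it.

```conf
// Added example. "internal-nets", 10.0.0.0/8 and all file names are
// constructed placeholders, not values from the thread.

acl "internal-nets" { 10.0.0.0/8; localhost; };

// --- Layout A: views / split horizon (shown commented out) ---
// The same question (www.example.com) gets a different answer depending
// on the client address, so every debugging session starts with
// "which view did this client land in?" and two copies of the zone
// have to be maintained.
//
// view "internal" {
//     match-clients { "internal-nets"; };
//     zone "example.com" { type master; file "internal/example.com.db"; };
// };
// view "external" {
//     match-clients { any; };
//     zone "example.com" { type master; file "external/example.com.db"; };
// };

// --- Layout B: a separate zone for internal addressing ---
// One question, one answer: example.com is identical for every client,
// and internal names live under internal.example.com only.

zone "example.com" {
    type master;
    file "example.com.db";           // public records only
};

zone "internal.example.com" {
    type master;
    file "internal.example.com.db";  // printers, intranet hosts, etc.
    allow-query    { "internal-nets"; };  // assumed access restriction
    allow-transfer { none; };             // no zone transfers to outsiders
};
```

With layout B, a query for a name under internal.example.com from an address outside the ACL is refused rather than answered with different data, so there is only one version of each zone to inspect.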