BIND and DNSSEC

Sten Carlsen stenc at s-carlsen.dk
Thu Nov 1 14:35:08 UTC 2012


On 01/11/12 12:26, Alan Clegg wrote:
> On Nov 1, 2012, at 7:14 AM, Kobus Bensch <kbensch at fullnet.co.uk> wrote:
>
>> Is that because split horizon doubles admin or because it's bad altogether?
>>
>> I have been using split horizon for many years now and found it very useful. Any thoughts from any on the list would be most welcomed.
> Crafted for a private reply, but being re-used here:
>
> There are places that views/split-horizon fit the model that has been put into place.  It does, however, break the "one-question, one-answer" concept that was foundational for DNS.
>
> My recommendation is that for "internal" addressing, a separate zone be created that serves that address space.  You gain a number of things from this, including easier debugging and better data security (no longer are you concerned about exactly what clients are seeing at "www.internal.example.com" since you know that the only people able to resolve/route "internal.example.com" are the ones that should be able to).

I believe that thinking is no longer valid with laptops moving around. I 
assume you don't have enough public addresses to give everything its own 
address; I don't, my servers work through a NAT. They are behind NAT 
partly for lack of IPs and partly because I want to keep their other 
ports away from accidental exposure to script kiddies; I know more 
concerted efforts will do more harm.

The typical server setup (for own servers) is that one name is used for 
setting up e.g. the mail server; the ideal situation for everybody is 
that, whether I am in house or visiting you, if I have any internet 
access I can read and send mail.

Now if there is an internal zone with a different name, how will you set 
up the mail client? The internal name is not accessible from outside and 
the external name is not present in the internal name space. -> Two mail 
clients? Changing setups when moving between networks?

My solution is to have exactly the same names internally and externally; 
any client SW will just ask for the same server, but the IP will differ 
with the network segment.

IPv6 will change all that, of course.

> The problem lies in that over the years, people (usually the higher-ups) have been trained (by us, the in-the-trench guys) that "www.example.com" can be one thing internally and something else externally, or that their printer really _should_ be named myprinter.example.com and not myprinter.internal.example.com.
>
> All the best,
> AlanC

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

        "MALE BOVINE MANURE!!!"
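
Added example, not from this thread or from ISC: a minimal BIND 9
named.conf fragment for the layout Sten describes (one name space,
the answer depends on which network the client asks from). The ACL
ranges, zone name and file paths are constructed placeholders.

```conf
// Constructed example: same zone name in two views, different data.
// Views are tried in order and the first match-clients hit wins, so the
// narrower "internal" view must come before the catch-all "external" one.
acl "internal-nets" { 192.0.2.0/24; 10.0.0.0/8; localhost; };

view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;                 // internal clients may use us as resolver
    zone "example.com" {
        type master;
        // mail.example.com -> 10.0.0.25 (RFC 1918 address behind the NAT)
        file "zones/example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                  // authoritative only; not an open resolver
    zone "example.com" {
        type master;
        // mail.example.com -> 203.0.113.25 (public NAT address)
        file "zones/example.com.external";
    };
};
```

Once any view is defined, every zone must live inside a view. Because
the two files carry different RRsets, the zone has to be signed once per
view for DNSSEC; the same key pair can be used for both copies, so the
parent needs only one DS record.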
