jbaird at follett.com
Wed May 28 14:04:12 UTC 2014
I have historically hosted authoritative slave zones on my internal caching/recursive servers to override recursion for internal zones. These servers are not directly reachable from the internet. Generally speaking, I realize that it is considered a bad practice for any authoritative servers to perform recursion. Is it a common practice in this particular scenario though?
The other option would be to have 'X' number of authoritative servers with recursion disabled, and then spin up another dedicated caching/recursive tier which used stub zones to communicate with the authoritative servers. Clients would point directly to the caching tier for name resolution. This scenario sounds like it would be more cumbersome to maintain. It would also require additional servers. I'm not sure the additional hardware and complexity is worth the trouble in this scenario, but I am looking for opinions.
Furthermore, I was recently told by one of the larger managed IPAM/DNS vendors that it was on ISC's roadmap to no longer allow authoritative servers to perform recursion (i.e., the 'recursion yes' option would be disabled if the server contained authoritative zones). Is this actually true?
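The two layouts described in the message above, sketched as BIND 9 `named.conf` fragments. This is an added example, not part of the original post; the zone name `corp.example`, the `internal` ACL, the file paths and all addresses are constructed placeholders, and each fragment belongs in a separate server's configuration.

```conf
# Constructed example: corp.example, paths and addresses are placeholders.

# ---- Layout 1: single internal tier (recursion + slave zones) ----
acl internal { 10.0.0.0/8; };

options {
    recursion yes;
    allow-recursion { internal; };     // recursion only for internal clients
    allow-query     { internal; };
};

zone "corp.example" {
    type slave;                        // local copy answers before recursion is tried
    masters { 10.0.0.10; };            // placeholder master address
    file "slaves/corp.example.db";
};

# ---- Layout 2a: authoritative-only server (one of 'X') ----
acl internal { 10.0.0.0/8; };

options {
    recursion no;                      // never resolves on behalf of clients
    allow-query { internal; };         // must include the caching tier
};

zone "corp.example" {
    type slave;
    masters { 10.0.0.10; };
    file "slaves/corp.example.db";
};

# ---- Layout 2b: dedicated caching/recursive server (clients point here) ----
acl internal { 10.0.0.0/8; };

options {
    recursion yes;
    allow-recursion { internal; };
    allow-query     { internal; };
};

zone "corp.example" {
    type stub;                         // fetches only the NS set (and glue) for the zone
    masters { 10.0.1.11; 10.0.1.12; }; // placeholder authoritative-tier addresses
    file "stub/corp.example.db";
};
```

In both layouts the `allow-recursion` ACL is what keeps the recursive service closed to anything outside the internal ranges, independent of whether the servers are reachable from the internet.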