separation of authoritative and recursive functions on internal networks

Grant Taylor gtaylor at tnetconsulting.net
Sun Feb 7 23:06:35 UTC 2016


I know that this is an older thread, but I've been holding onto it for a 
while with the intent of asking a related question.

On 08/10/2015 12:12 PM, Mark Andrews wrote:
> Authoritative servers (listed in NS records) shouldn't be recursive.

I'm taking this to mean servers that have zones (properly) delegated to 
them via glue records.  Correct?

> This prevents leakage of cache data.  This provides consistent
> answers.  The server also doesn't have to decide what type of answer
> to give (recursive vs authoritative).  Glue doesn't get overridden
> by answers, etc.

This makes sense, especially in light of other comments in the thread 
about older name server daemons having bugs that could be problematic to 
this process.

> Recursive servers (honouring RD=1) however can be authoritative for
> zones.

This sort of flies in the face of the first statement, unless this is a 
reference to configurations like recursive servers also being slaves 
for, thus authoritative for, one or more zones -AND- not being listed in 
an NS record.

Does being a slave for a zone imply that a server is also listed as an 
NS?  Or is it considered "okay" for a server to slave a zone without 
publishing that it does so?

> This provides robustness in the presence of link failures.
> Faster than ttl expiry of local zone changes (provided that notify
> messages are sent).

I presume you are referring to the slave zone expiration timer, not 
normal record TTLs.

> Unfortunately this has become strict separation lore which really
> wasn't ever the intent.

*nod*

Hence why I'm asking my related question.

Is it considered "okay" to mix the authoritative and recursive roles for 
a SOHO DNS server w/ a local, non-internet facing, zone?  I.e. ".local" 
for Bonjour (et al) or "home.example.net".

I've been pondering the "separation lore" in this context for a while 
and still have not really settled on an acceptably good solution.
I've felt that having separate recursive and authoritative servers in 
such a situation is overkill and overly complex.

I'm curious what people consider best (or at least acceptable) practice 
in this type of SOHO environment.



-- 
Grant. . . .
unix || die


P.S.  For added fun, throw AS112 and / or root zone slave into the mix.  }:-)
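An added illustration of the mixed-role SOHO setup asked about above (example configuration, not part of the original thread or of BIND's own documentation): one BIND instance that is a slave for the internal zone and also recurses, but only for internal clients, and whose cache cannot be queried from elsewhere. The ACL ranges, the hidden master's address and the file paths are assumed placeholders.

```conf
// Constructed example: internal client ranges (adjust to the real LAN).
acl "internal" { 127.0.0.0/8; 192.168.1.0/24; };

options {
    directory "/var/cache/bind";     // assumed path

    // Recursive role: answer RD=1 queries only from the LAN, so the box
    // never becomes an open resolver.
    recursion yes;
    allow-recursion { "internal"; };
    allow-query { "internal"; };

    // Addresses the cache-leakage concern from the thread: nobody outside
    // the LAN can read what has been cached here.
    allow-query-cache { "internal"; };

    allow-transfer { none; };
};

// Authoritative role: a slave copy of the internal zone, refreshed via
// NOTIFY from a hidden master at 192.168.1.2 (assumed address). This host
// is NOT listed in the zone's NS records; clients simply point at it.
zone "home.example.net" {
    type slave;
    file "slave/home.example.net";   // assumed path
    masters { 192.168.1.2; };
    allow-transfer { none; };
};
```

Because the server is not published as an NS for the zone, outside resolvers never reach it and the "NS-listed servers should not recurse" rule from the thread is still honoured.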