separation of authoritative and recursive functions on internal networks
gtaylor at tnetconsulting.net
Sun Feb 7 23:06:35 UTC 2016
I know that this is an older thread, but I've been holding onto it for a
while with the intent of asking a related question.
On 08/10/2015 12:12 PM, Mark Andrews wrote:
> Authoritative servers (listed in NS records) shouldn't be recursive.
I'm taking this to mean servers that have zones (properly) delegated to
them via glue records. Correct?
> This prevents leakage of cache data. This provide consistent
> answers. The server also doesn't have to decide what type of answer
> to give (recursive vs authoritative). Glue doesn't get overridden
> by answers, etc.
This makes sense, especially in light of other comments in the thread
about older name server daemons having bugs that could be problematic to
> Recurive servers (honouring RD=1) however can be authoritative for
This sort of flies in the face of the first statement, unless this is a
reference to configurations like recursive servers also being slaves
for, thus authoritative for, one or more zones -AND- not being listed in
an NS record.
Does being a slave for a zone imply that a server is also listed as an
NS? Or is it considered "okay" for a server to slave a zone without
publishing that it does so?
> This proves robustness in the presence of link failures.
> Faster than ttl expiry of local zone changes (provided that notify
> messages are sent).
I presume you are referring to the slave zone expiration timer, not
normal record TTLs.
> Unfortunately this has become strict seperation lore which really
> wasn't ever the intent.
Hence why I'm asking my related question.
Is it considered "okay" to mix the authoritative and recursive roles for
a SOHO DNS server w/ a local, non-internet facing, zone? I.e. ".local"
for Bonjour (et al) or "home.example.net".
I've been pondering the "separation lore" in this context for a while
and still have not really settled on an acceptably good solution. -
I've felt that having separate recursive and authoritative servers in
such a situation is overkill and overly complex.
I'm curious what people consider best (or at least acceptable) practice
in this type of SOHO environment.
Grant. . . .
unix || die
P.S. For added fun, throw AS112 and / or root zone slave into the mix.
More information about the bind-users