Andrey G. Sergeev (AKA Andris) wrote:
> Hi there,
>
> Mon, 11 Aug 2008 20:10:09 -0700 JINMEI Tatuya / 神明達哉 wrote:
>
>> I don't know the answer to this question, but your operational
>> environment seems to be extraordinary in some points:
>>
>> - it's acting both as an authoritative and as a caching server
>
> To Walter Gould: I think it's time to expand your operational
> environment. Try to distribute the DNS-related tasks over two - or more,
> if required - machines. Let the first server act as auth-only server
> for the zones you are in control of and the second as a cache engine
> *only*. This configuration seems to be more flexible, reliable and also
> secure.

Let's be clear here: there's nothing *inherently* wrong with running authoritative nameservers and a recursive resolver on the same machine or even within the same nameserver instance, using views.

The unusual thing here is that in Walter's case both of these functions are *high-volume* and combining them in a single instance may be straining BIND's architectural limits. I agree that separating the authoritative nameservice and recursive resolution services to separate instances or separate machines would be the logical next step in addressing this problem.

- Kevin
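The split discussed above, sketched as two `named.conf` fragments for two separate BIND instances. This is an added example, not configuration from the thread or from Walter's servers; the addresses, ACL name, zone name and file paths are constructed placeholders.

```conf
# ---- Instance 1: authoritative-only (placeholder address 192.0.2.53) ----
options {
    directory "/var/named/auth";        # assumed path
    listen-on { 192.0.2.53; };
    recursion no;                       # never resolve on behalf of clients
    allow-query { any; };               # the world may ask about our zones
    allow-transfer { none; };           # open per zone for real secondaries only
};

zone "example.com" {                    # constructed zone name
    type master;
    file "example.com.zone";
};

# ---- Instance 2: caching resolver only (placeholder address 198.51.100.53) ----
acl "internal-clients" {                # constructed ACL of networks we serve
    198.51.100.0/24;
    localhost;
};

options {
    directory "/var/named/cache";       # assumed path
    listen-on { 198.51.100.53; };
    recursion yes;
    allow-recursion { "internal-clients"; };   # not an open resolver
    allow-query { "internal-clients"; };
};

zone "." {                              # root hints; no authoritative zones here
    type hint;
    file "named.ca";
};
```

Each fragment is a complete configuration for its own `named` process, so the two roles get separate caches and separate query load, whether they run on one machine or two.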
