On Wed, Aug 5, 2015 at 10:18 AM, Gary Carr <garycarr...@gmail.com> wrote:
> Overall, is breaking this function out - internally - really worth it?
I can offer a personal testimonial on the management aspects of this:

A couple of years back, we made the switch from combined authoritative/recursive servers to recursive-only and authoritative-only systems. The reasoning was more a logistics thing than anything else: we wanted to host our authoritative records both locally and with a cloud service, and moving the recursive portion was easy to do. We also weren't sure which daemons we wanted to use for each side of things - PowerDNS recursor? BIND? unbound? PowerDNS authoritative? NSD? - so separating the two functions gave us flexibility in that arena. It also meant we didn't have to worry about views. We treated the separation of authoritative and recursive as gospel.

For recursive service, we initially ran three pdns-recursor instances and two BIND instances, most behind a hardware load balancer. For authoritative service, we kept our records in Amazon Route 53, syncing with four internal NSs: one hidden master and three slaves. This let us override records locally as needed and meant that we didn't have to follow delegation from the root NSs (important - you're not relying on 100% border uptime for your internal network).

We've since moved our recursive stuff to BIND (for RPZ), and have added a couple of additional internal authoritative servers, so we're at 10+ DNS servers locally. We're starting to become too complicated! Separating authoritative and recursive functions certainly makes it easier to do maintenance and change daemons as necessary, but it's added a layer of complexity that you might not want.

Something interesting we did is that our recursive servers don't depend exclusively on our local authoritative servers. In a pinch (last master in the stub zone), they'll go out to our cloud DNS servers and pull/follow delegation from there. So the dependence of recursive on authoritative, due to separation, isn't nearly as great.
John

--
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
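For readers who want to see what the split John describes looks like in BIND configuration, here is an added example (not John's or Brandeis's actual configuration, and not part of the original thread). It shows three named.conf fragments, one per role: a recursive-only resolver that answers recursive queries only for internal clients and learns the internal zone's NS set from a stub zone whose masters list the local authoritative servers first and a cloud-hosted NS last; a hidden master that refuses recursion and only pushes NOTIFYs and transfers to its own slaves; and a slave that likewise refuses recursion. The security point the separation buys you is that the authoritative servers are never open resolvers (no cache to poison, no amplification surface) and the resolvers carry no zone data worth transferring. The zone name example.com, the 10.0.0.x addresses, the 203.0.113.53 cloud NS address and the file paths are all placeholders chosen for the example.

```conf
// ===== recursive-only resolver (e.g. 10.0.0.53) =====
// Placeholder networks; substitute your own.
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; ::1; };

options {
    directory "/var/cache/bind";
    recursion yes;
    // Only internal clients may query, recurse, or read the cache.
    allow-query       { internal; };
    allow-recursion   { internal; };
    allow-query-cache { internal; };
    // This box holds no zones of its own, so nothing to transfer.
    allow-transfer    { none; };
    dnssec-validation auto;
};

// Stub zone: BIND fetches the NS RRset for example.com from these
// masters (tried in order) and then follows those NS records, so
// internal names resolve without ever walking the public delegation.
// The cloud-hosted NS is listed last as the fallback John describes.
zone "example.com" {
    type stub;
    file "stub.example.com";
    masters {
        10.0.0.10;      // hidden master (internal)
        10.0.0.11;      // slave 1
        10.0.0.12;      // slave 2
        203.0.113.53;   // cloud-hosted authoritative NS (placeholder address)
    };
};

// ===== authoritative-only: hidden master (10.0.0.10) =====
options {
    directory "/var/cache/bind";
    recursion no;               // never a resolver; RA flag stays clear
    allow-query    { any; };    // slaves and internal clients may query
    allow-transfer { none; };   // default deny; opened per zone below
    notify explicit;            // NOTIFY only the also-notify targets,
    also-notify { 10.0.0.11; 10.0.0.12; 10.0.0.13; }; // not every NS
};

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    allow-transfer { 10.0.0.11; 10.0.0.12; 10.0.0.13; };
};

// ===== authoritative-only: slave (10.0.0.11, likewise .12 and .13) =====
options {
    directory "/var/cache/bind";
    recursion no;
    allow-query    { any; };
    allow-transfer { none; };
};

zone "example.com" {
    type slave;
    file "db.example.com";
    masters { 10.0.0.10; };     // pull from the hidden master only
};
```

Each fragment is a separate named.conf for its own host; the `options` block cannot appear more than once in one file. Check syntax with `named-checkconf /etc/bind/named.conf` before reloading. To confirm an authoritative-only host really is authoritative-only, query it for a name outside its zones (`dig @10.0.0.10 www.example.net`): the response must not carry an answer and the `ra` flag must be absent from the flags line. Run the same query against the resolver from an address outside the `internal` ACL and expect REFUSED.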