Paul Vixie via dns-operations wrote:
> Robert Edmonds wrote on 2023-07-20 14:50:
> > a) Delegations within the same organization often reflect internal
> > organizational boundaries. One team may want to give control over part
> > of the namespace to another team, without handing over write permissions
> > for the whole zone, so the typical solution is to carve out a child zone
> > for the other team, and host that zone on the same provider as the
> > parent zone. If the cloud-based DNS providers that many organizations
> > use offered a more granular, less than whole zone permissions model, it
> > would cut down on the number of child zones that are created solely to
> > reflect intra-organizational boundaries.
>
> i'd hate to see us adopt a cloud-centric model. whatever we do to improve
> NS-chain performance -- and i think your first two suggestions would do this
> -- should also benefit the normal delegation, notify, and transfer system.

I was primarily thinking of particular cloud-based DNS providers where
the permissions granularity is at the zone level, and those providers
could unilaterally improve their implementations to make the design
pattern described above unnecessary.

Now that I look at BIND's documentation [0], I think the kind of
granularity that I want already exists, with an "update-policy" rule
that matches a "subdomain". So you can think of this section as advice
to cloud DNS providers to catch up with state-of-the-art open source DNS
implementations :-)

Another way of putting it is, try not to ship your org chart into the
DNS delegation hierarchy if you can avoid it. Sure, if you have a hard
organizational boundary between business units that operate separate
infrastructure including DNS servers, by all means go ahead and
introduce a zone cut, though.

[0] https://bind9.readthedocs.io/en/v9_18_2/reference.html#dynamic-update-policies

-- 
Robert Edmonds
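
The per-subdomain grant mentioned in the message above, sketched as a named.conf fragment. This is an added example, not part of the original message or of BIND's documentation; the zone name, key names and file path are assumptions, and the secrets are placeholders. The commented-out allow-update line shows the whole-zone grant that the update-policy block replaces.

```conf
// Added example: one zone, two teams, no child zones.
// Key names, zone name and file path are hypothetical.

// One TSIG key per team. Generate real secrets with tsig-keygen;
// the values below are placeholders, not valid base64.
key "team-a-ddns" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-TEAM-A-SECRET";
};

key "team-b-ddns" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-TEAM-B-SECRET";
};

zone "example.com" {
    type primary;
    file "dynamic/example.com.db";

    // Zone-level granularity: any holder of either key could rewrite
    // every name in the zone. This is the model that pushes people
    // toward carving out a child zone per team.
    // allow-update { key "team-a-ddns"; key "team-b-ddns"; };

    // Sub-zone granularity: each key may update only names at or
    // below its own label. The "subdomain" rule type matches when the
    // name being updated is a subdomain of, or identical to, the name
    // given in the rule.
    update-policy {
        // Only the listed record types may be updated. NS is not
        // listed, so neither team can add a delegation of its own.
        grant team-a-ddns subdomain team-a.example.com. A AAAA CNAME TXT;
        grant team-b-ddns subdomain team-b.example.com. A AAAA CNAME TXT;
    };
};
```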
