At 18:53 -0400 8/24/06, Suresh Krishnaswamy wrote:
> You'd still want to control errant queries though, since the fiat of
> a single internal recursive name server may not always be
> enforceable. Also, the presence of the boundary recursive name server
> gives us the nice property that queries to the outside world are not
> directly made from within the internal network segment.
Errant queries? I don't believe in them. Everything happens by
design or fat-fingering. Tanenbaum does not roll dice with the
network.
This is why we need to have a definition of split-view.
A "fiat of a single internal recursive name server" is certainly
enforceable. What happens if someone runs a server counter to local
policy? If noticed, it'll be debugged and fixed. If someone doesn't
fix it and is supposed to, they will be fired. That's enforcement.
Split-view is run within a management domain, ergo, there's enforcement.
This is why we need a definition of split-view. And operational
assumptions. It's possible to screw up a split-view configuration
and this is why the IETF seems to want to sweep this issue under a
rug. But the fact is that many do use it successfully despite a lack
of guidance from the IETF, and no one is running around screaming
that the sky is falling.
I currently operate in an environment that uses split-view. (And at
every place I've worked for the past decade.) Occasionally I do send
queries directly to the outside world. I do this by running a local
non-policy-compliant server when I am debugging something or checking
out a problem I hear about on a mailing list. When I break policy
the world does not come to an end. "Border recursive servers" aren't
needed (but can be), aren't always there (but can be) in split-view
environments.[0]
Note, however, if I told others in my environment to use my Mac's
recursive server behind the firewalls and managed to cause a great
financial loss to the company, you bet I'd experience "enforcement."
[0] I've worked in places with firewalls that "hijack" DNS traffic
and enforce split-view there. I've also worked in places where the
firewalls do not proxy DNS. In both kinds of places, split-view
works. This is what I mean by separating layer 7 splits and layer 3
splits.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Secrets of Success #107: Why arrive at 7am for the good parking space?
Come in at 11am while the early birds drive out to lunch.
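The "enforcement" in this thread starts with noticing that a host is sending DNS queries somewhere policy says it should not: directly to the outside world, or to an unapproved recursive server run behind the firewall. The following audit script is an added example, not code from the thread or from any list member; it checks constructed flow-log lines against the policy Suresh describes (internal hosts query only the single internal recursive server, which in turn forwards only to the boundary recursive server, which alone talks to the outside). The addresses, the log line format, and the policy rules are all assumptions chosen for the example.

```python
"""Audit flow-log lines for DNS queries that bypass split-view policy.

Assumed policy (not from the thread):
  * hosts in INTERNAL_NETS may send port-53 queries only to INTERNAL_RESOLVER
  * INTERNAL_RESOLVER may query only BOUNDARY_RESOLVER
  * BOUNDARY_RESOLVER alone may query the outside world
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed addressing (RFC 1918 / documentation ranges; hypothetical values).
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),)
INTERNAL_RESOLVER = ipaddress.ip_address("10.0.0.53")      # the single internal recursive server
BOUNDARY_RESOLVER = ipaddress.ip_address("198.51.100.53")  # the boundary recursive server

# Assumed flow-log format: "... src=A.B.C.D:port dst=E.F.G.H:port ..."
LINE_RE = re.compile(r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

# Constructed sample log; line 2, 3 and 6 are policy violations.
SAMPLE_LOG = [
    "2006-08-24T18:53:01Z src=10.0.5.7:51234 dst=10.0.0.53:53 proto=udp",        # ok: host -> internal resolver
    "2006-08-24T18:53:02Z src=10.0.5.7:51235 dst=203.0.113.1:53 proto=udp",      # violation: host -> outside world
    "2006-08-24T18:53:03Z src=10.0.5.8:51236 dst=10.0.9.9:53 proto=udp",         # violation: host -> unapproved internal server
    "2006-08-24T18:53:04Z src=10.0.0.53:40001 dst=198.51.100.53:53 proto=udp",   # ok: internal resolver -> boundary
    "2006-08-24T18:53:05Z src=198.51.100.53:40002 dst=192.0.2.10:53 proto=udp",  # ok: boundary -> outside world
    "2006-08-24T18:53:06Z src=10.0.0.53:40003 dst=192.0.2.10:53 proto=udp",      # violation: internal resolver skipped boundary
    "2006-08-24T18:53:07Z src=10.0.5.7:51237 dst=203.0.113.1:443 proto=tcp",     # ignored: not DNS
]


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line is a DNS query that violates policy, else None."""
    m = LINE_RE.search(line)
    if not m or int(m["dport"]) != 53:
        return None  # unparsable or not a DNS query: out of scope
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    if src == BOUNDARY_RESOLVER:
        return None  # the boundary server is the one host allowed to query the world
    if src == INTERNAL_RESOLVER:
        if dst == BOUNDARY_RESOLVER:
            return None
        return Finding(str(src), str(dst), "internal resolver bypassed boundary resolver")
    if is_internal(src):
        if dst == INTERNAL_RESOLVER:
            return None
        if is_internal(dst):
            return Finding(str(src), str(dst), "query to unapproved internal server")
        return Finding(str(src), str(dst), "direct query to the outside world")
    return None  # traffic not originating inside the management domain


def audit(lines: List[str]) -> List[Finding]:
    """Run classify() over every line and keep only the violations."""
    return [f for f in map(classify, lines) if f is not None]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(f"{finding.src} -> {finding.dst}: {finding.reason}")
```

The three reasons map onto the cases in the thread: a host going straight to the outside world, a host using a locally run non-policy-compliant recursive server, and the internal resolver skipping the boundary server. Whether a finding is debugged and fixed, or escalated, is the management-domain decision the message describes; the script only makes the deviation visible.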
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html