On Tue, Nov 10, 2009 at 10:37 AM, Pauls Hotmail <[email protected]> wrote:
> What about DNS Namespace choice these days?

This is something of a religious issue for some people. :)

> I’ve always had a personal preference to keep internal AD & public
> facing names unique & separate ...

As do all right-thinking sysadmins. ;-)

I favor using a registered domain name, so there is no possibility of ever having a name collision, even in the event of a merger/acquisition, or changes in the public DNS topology, or new stuff that claims your unregistered domain name. (Some implementations of zeroconf want to use ".local".) I do accept a subdomain of the "regular" domain, e.g., "corp.example.com" or "inside.example.com" or "ad.example.com" or what-have-you.

The alternative is a "split DNS", where you have multiple disjoint namespaces with the same name. I regard that as an ugly kludge. My commentary on this, from way back:

My objection to split DNS is simple: It is one more thing to go wrong. If I can eliminate a place for something to go wrong, I will. And when you are claiming authority for a DNS zone you are not authoritative for (which is what split DNS is all about), there is the potential for things to get out of sync. Sure, if you do it right, nothing will, but *WHY* even open up the possibility, if it does not get you *any* advantage?

At the same time, I think using a separate DNS domain name has several advantages:

* It keeps DNS names globally unique.
* It clearly identifies internal vs external resources in their name.
* You don't have to worry about keeping two different DNS zones in sync.
* Should you decide you want to expose your private DNS to the public for any reason, you can still do so.
* Roaming systems which are sometimes outside the private network will never get confused over which DNS zone is currently visible.

In short, it keeps separate things separate.

-- Ben
