Nice piece, Dan. Believe it or not, I agree with what you've said for
the most part. I like your categories, and your approach makes sense.
I think your viewpoint is a little "old school" though, on 2 accounts.
In the age of virtualization, the way we can combine services on a given
piece of hardware has changed. It's now possible (and practical) to
implement services on different servers, while still running them on the
same host/hardware. So the model for LARGE can be applied equally to the
SMALL model, without requiring additional hardware. This provides
consistency, as well as scalability. IOW, there's no reason for them to
be different. I'd do it the LARGE way regardless (unless TINY is
appropriate). Perhaps Dan and I are stumbling on the term "server",
whereas I mean Virtual Machine (KVM or OpenVZ container), while Dan may
be meaning the traditional "host" (hardware).
The second account regards Bind vs PDNS. I think the key tradeoff here
(performance is not a factor here afaik) is how the data is maintained
and stored. Bind configuration files are normal text files, which makes
them easy (for some) to edit, although the format of the files is very
much its own (slight learning curve). PDNS provides a slew of backends
(http://doc.powerdns.com/html/backends-detail.html) making it far more
flexible in its implementation, albeit slightly more complex. You can
even use a bind zone file backend if you like. However, in order to use
the Poweradmin web interface for maintaining your zone records, you must
use a SQL based backend (any one of a number of them). You can't have
your cake and eat it too in this case.
So to each his own (isn't Linux great that way?). Personally, I put a
fairly high value on being able to use Poweradmin (so other people can
maintain DNS records without them mucking around in my server!), so
PowerDNS with MySQL (and Poweradmin) is my choice. FWIW, I've actually
implemented this across 4 virtual servers: one for PowerDNS (listens on
53 and serves requests), one for MySQL (storage), and two for Poweradmin
(one Nginx, one PHP). Overkill perhaps, but it demonstrates my point
(and scales unbelievably!).
As always, thanks for the post Dan.
--
-Eric 'shubes'
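The split Eric describes above (PowerDNS authoritative on one VM, MySQL on another, Poweradmin on the web tier), as an added example that is not part of either post: the two PowerDNS configuration files involved, with the MySQL backend pointed at the separate storage host, and the recursor (the separate program Dan mentions) restricted to local clients. The host addresses 10.0.0.12, 203.0.113.10 and 203.0.113.11, the database name and user, and the network ranges are assumptions chosen for illustration, not anything from the posts.

```conf
# /etc/powerdns/pdns.conf -- PowerDNS Authoritative Server (the VM that listens on 53)
# Added example, not the original poster's configuration; addresses are assumed.

# Generic MySQL backend; the database lives on a separate VM on the internal network
launch=gmysql
gmysql-host=10.0.0.12
gmysql-port=3306
gmysql-dbname=pdns
gmysql-user=pdns
gmysql-password=change-me-and-make-this-file-root-readable-only

# Bind only the address that should receive public queries
local-address=203.0.113.10
local-port=53

# Zone transfers (AXFR) only to the named secondary; everyone else is refused
allow-axfr-ips=203.0.113.11

# Do not set 'recursor=' here: the authoritative server must not forward or
# recurse for anyone. Recursion is the recursor's job (below).

# ---------------------------------------------------------------------------
# /etc/powerdns/recursor.conf -- PowerDNS Recursor (on the mail server itself)
# Only the local host (and, if wanted, the LAN) may use it. Without allow-from
# this is an open resolver, usable for reflection/amplification attacks.
local-address=127.0.0.1
local-port=53
allow-from=127.0.0.0/8, 10.0.0.0/8
```

Two practical points on the MySQL side: Poweradmin writes to the tables directly, so it is the Poweradmin database user that needs INSERT/UPDATE/DELETE; the "pdns" user above needs SELECT on the zone tables plus UPDATE on the domains table (PowerDNS records notified_serial and last_check there when acting as master or slave), and nothing more. The MySQL VM should listen only on the internal address, since nothing on the Internet needs to reach it.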
On 09/01/2013 10:07 AM, Dan McAllister wrote:
A lot has been written lately about DNS as it relates to QMT. As I am
the DNS Admin for the project, I thought it worthwhile to share my thoughts.
NOTE: Although I am the DNS Admin of the project, these are MY
opinions, based on MY experiences... they do NOT represent any
official position of the QMT project.
Firstly, let's differentiate the KINDS of DNS service:
- A RESOLVING DNS server answers permitted client requests
to resolve ANY DNS request (like YAHOO.COM) by recursively searching for
an appropriate authoritative DNS server for the domain requested. (A
RECURSIVE DNS server is a synonym for a RESOLVING DNS server)
- An AUTHORITATIVE DNS server answers PUBLIC requests to
resolve DNS for domains for which it is authoritative (e.g. its own
domains).
Some DNS servers (like BIND 9 and later) have the ability to do both
(securely - BIND8 could do both, but not very securely), while others
(like PDNS) take the QMail approach and use separate programs to do each
kind of task. FWIW, I use PDNS resolvers on some of my QMT servers, and
BIND9 on others.
I'm reasonably well-known for not "drinking the Kool-Aid" from any
vendor or software project. Instead, I choose the "right tool for
the right use" - and choosing a DNS server is one of those instances
where "one size fits all" is definitely UNTRUE.
SIDE NOTE: I am far less adamant than Eric (my boss on this project!)
that an authoritative DNS service should not be on the same server as
a QMT (or other mailserver).
IMHO, there are times when it is appropriate, and times when it is not.
In my experience (which is considerable, though I don't yet consider
myself an expert):
- I have some high-traffic QMT servers that service high-use domains and
use pdns-resolver (and external authoritative DNS servers)
- I have some low-traffic QMT servers where the DNS is BIND9 running as
both recursive (for the localhost) and authoritative (for the serviced
domains).
Again, FWIW, my personal experience is that QMT servers typically fall
into one of 3 categories:
- TINY: One or two "personal" domains, where the authoritative DNS
is usually at the domain registrar... in this case, I recommend
pdns-resolver (because there is no need for "local" authoritative DNS,
and it is MUCH easier to configure than BIND)
- SMALL: Several domains, probably not all owned by the same
company, with advanced DNS being hosted locally as well... in this case,
I prefer BIND9 configured with "view" options that limit recursive
lookups to the LAN (if not only the localhost), and acts as the
authoritative server for the domains being served.
- LARGE: Many domains hosted with high levels of traffic. In this
case, I only slightly prefer BIND9 over PDNS (both only as a
caching-only nameserver, but in my experience BIND9 is somewhat faster
than PDNS) Then, I use a SEPARATE server for authoritative DNS! (I
typically use BIND9 there, unless I want client-access to the DNS
settings, in which case PDNS has a GUI frontend that's reasonable for that).
The end result from my experiences is that PDNS & BIND are each good
options, so long as you use each *appropriately*.
Dan McAllister
IT4SOHO
QMT DNS/Mirror Admin
PS: The master authoritative DNS server for QMT is BIND9 :)
--
PLEASE TAKE NOTE OF OUR NEW ADDRESS
===================================
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806
CALL TOLL FREE:
877-IT4SOHO
877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax
We have support plans for QMail!
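Dan's SMALL configuration above (BIND9 authoritative for the served domains, with "view" options limiting recursion to the LAN or localhost), as an added example of a named.conf that is not part of the original post. The zone name example.com, the LAN prefix 192.0.2.0/24 and the secondary's address 198.51.100.5 are assumed placeholders. The security point the views enforce: a BIND that says "recursion yes;" with no client restriction is an open resolver that anyone on the Internet can use for DDoS reflection and cache-poisoning attempts; the configuration below recurses only for trusted clients and gives everyone else authoritative data only.

```conf
// named.conf for the SMALL case: authoritative for the hosted domains,
// recursive only for the local host and LAN. Added example; the names and
// addresses (example.com, 192.0.2.0/24, 198.51.100.5) are assumed placeholders.

// WEAK SETTING, shown for contrast only, do not use: recursion for the world.
// options { recursion yes; };      // this is an open resolver

acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;        // the LAN; drop this line if only localhost should recurse
};

options {
    directory "/var/named";
    listen-on { any; };
    listen-on-v6 { any; };
    allow-transfer { none; };   // no AXFR unless a zone grants it explicitly
    version "not disclosed";    // do not advertise the BIND version
};

// Trusted clients: full recursion plus the locally hosted zones.
// Views are matched in order, so this one must come before "external".
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    zone "." IN {                 // root hints belong in the view that recurses
        type hint;
        file "named.ca";
    };
    zone "example.com" IN {
        type master;
        file "example.com.zone";
    };
};

// Everyone else: authoritative answers only, no recursion, no cache access.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };

    zone "example.com" IN {
        type master;
        file "example.com.zone";           // same file; a split-horizon variant could differ
        allow-transfer { 198.51.100.5; };  // the secondary nameserver only
    };
};
```

Two checks before reloading. First, once any "view" is present, every zone (root hints and the localhost zones included) must live inside a view, or named refuses to start; "named-checkconf" catches this. Second, from a host outside the trusted ACL, a query for a name you do not host (for instance "dig yahoo.com @<your nameserver>") should come back REFUSED, while a query for example.com returns the answer with the "aa" flag set; if the first query returns an answer, the external view is still recursing and the server is an open resolver.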