Re: Architecture Questions

2014-06-01 Thread Doug Barton 

On 05/28/2014 07:39 AM, Mark Andrews wrote:


In message d6c04ec67151214dad5e55e7ebf5207e425e3...@wrxxentexmb01.na.follett.l
an, Baird, Josh writes:

Hi,

I have historically hosted authoritative slave zones on my internal caching/r
ecursive servers to override recursion for internal zones.  These servers are
  not directly reachable from the internet.  Generally speaking, I realize tha
t it is considered a bad practice for any authoritative servers to perform re
cursion.  Is it a common practice in this particular scenario though?

The other option would be to have 'X' number of authoritative servers with re
cursion disabled, and then spin up another dedicated caching/recursive tier w
hich used stub zones to communicate with the authoritative servers.   Clients
  would point directly to the caching tier for name resolution.   This scenari
o sounds like it would be more cumbersome to maintain.  It would also require
  additional servers.  I'm not sure the additional hardware and complexity is
worth trouble in this scenario, but I am looking for opinions.

Furthermore, I was recently told by one of the larger managed IPAM/DNS vendor
s that it was on ISC's roadmap to no longer allow authoritative servers to pe
rform recursion (ie, the 'recusion yes' option would be disabled if the serve
r contained authoritative zones).  Is this actually true?


No.  There are good reasons to allow a server to perform both roles.

What isn't advisable is for a listed server offering authoritative
service to the world to also be recursive.  This risks leaking
cached data to the world.  It can also result in answers being
returned when referrals are expected.  Sharing rolls is very bad
if you serve not leaf zones to the world.  If there are only leaf
zones being served it is not such a issue.

A internal server or a recursive server having copies of zones isn't
generally issue though you do need to be careful about the type of
response you generate depending upon RD state.

This is a much more complex issue that is generally acknowledged.


+1 to everything that Mark said. I always recommend to customers that 
they do this on their INTERNAL servers for just the reasons that Josh 
outlined. And as Mark said, EXTERNAL authoritative servers should never 
have a recursive role.


hth,

Doug


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Book recomendations?

2014-06-01 Thread Doug Barton 

On 05/27/2014 03:51 PM, Baird, Josh wrote:

Hi,

Can someone recommend a modern/new-ish book on DNS (specifically BIND)?  I know 
there have been several O'Reily books throughout the years, but haven't kept up 
on anything in the past few years.  I'm looking for architecture design, best 
practices in designing enterprise and service provider DNS architectures, etc.


For DNSSEC specifically:

https://www.michaelwlucas.com/nonfiction/dnssec-mastery

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users