Well, except then you need to update all of your delegations. That can
not only be an administrative hassle, but can also get very expensive,
especially if you have hundreds of them in ccTLDs, where you have to pay
your "in-country agent" a fee for every registry change. It's quite a
racket.
You don't have to change all the domain registrations. You just have to
change the A records of the nameserver names. Hopefully you haven't
done something silly like use different nameserver names for each domain.
Updating the adns A records is great, but this doesn't automatically
change firewall rulesets. I can't control what kind of good or bad
assumptions the folks we are secondaries for have made.
I think we can agree that it can be a lot of effort to break auth and
recursive into two IPs no matter what route you go.
I agree that using adns for rdns proxy is suboptimal but sometimes the
lower cost engineering solutions in practice are just as good as the
painful ones.
I mostly threw my hat in the ring so that it would be known that more
than one BIND user could benefit from a feature like this.
-Michael
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
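For readers following the thread, here is one way to do the split Michael describes (authoritative and recursive service on two separate IPs) within a single BIND instance, using destination-matched views. This is an added illustration, not configuration from any of the posters or from ISC; the addresses 192.0.2.53 and 192.0.2.54, the client range 192.0.2.0/24, the zone name example.com and the file names are placeholders chosen for the example.

```conf
// Added example: one named, two service addresses.
// 192.0.2.53 = authoritative-only, 192.0.2.54 = recursive-only (placeholders).
options {
    listen-on { 192.0.2.53; 192.0.2.54; };
    // Default is closed; each view opens only what it needs.
    recursion no;
    allow-query { none; };
};

// Authoritative side: answers for hosted zones only, never recurses.
// This is the address the nameserver names (ns1.example.net etc.)
// should resolve to once their A records are updated.
view "authoritative" {
    match-destinations { 192.0.2.53; };
    recursion no;
    allow-query { any; };
    allow-query-cache { none; };
    zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.zone";   // placeholder path
    };
};

// Recursive side: open only to the local client range.
view "recursive" {
    match-destinations { 192.0.2.54; };
    match-clients { 192.0.2.0/24; };
    recursion yes;
    allow-query { 192.0.2.0/24; };
    allow-recursion { 192.0.2.0/24; };
    allow-query-cache { 192.0.2.0/24; };
};
```

With views in use, every zone has to live inside a view, so zones previously declared at top level move into "authoritative". Secondaries that hard-coded the old shared IP in their firewall rules or masters lists will keep talking to whatever now answers on that address, which is the point Michael raises: repointing the A records fixes delegation, not other people's ACLs.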