On 2011-05-19, at 21:58, Michael Sinatra wrote:

> If you're saying that you shouldn't *offer* recursive and authoritative 
> services on the same box, then I generally agree.  If you're saying that you 
> shouldn't ever prime your cache with a zone, or have a recursive server be a 
> slave to anything, then I'd say it gets kind of hairy there.

Indeed.  "Hairy" is an apt description of the situation.  There are many cases 
where it can work fine, and there are also plenty of cases where it won't, and 
the ones where it won't will be difficult for most operators to figure out.  If 
one must run the two services on the same machine, it's much safer to split 
them into separate processes.  

If, for some reason, you can't wait for your TTLs to expire, then forwarding 
the relevant zones to your authoritative servers is a better solution than 
slaving the zones. 

> Moreover, the recommended RPZ configuration as of BIND 9.8.0 is to have your 
> recursive servers slave your RPZ zone, so your recursives will have to slave 
> something if they run RPZ.

RPZ is an entirely different situation.  Nobody's going to be querying your RPZ 
zones, and so there's no case where the server will get confused about which 
resolution algorithms to use.

>> You will particularly run into problems if you ever intend to do
>> DNSSEC validation on these name servers... it just won't work.
> 
> Yes.  In that case, static-stub or forwarding is your friend.  Although, we 
> should be clear: It won't work on the zones that are slaved by the recursive 
> server.  Presumably one is protecting those zones some other way (TSIG, 
> SIG(0)).  It *will* (and does) work for signed zones for which the recursor 
> is not authoritative.

I'm not even sure forwarding helps here.  But yes, you're right, it breaks only 
for the zones you're slaving... but the fact that they're being slaved suggests 
they're the most important ones.

I don't know of many organizations larger than a few dozen people using SIG(0) 
or TSIG between stub and caching servers... certainly none where the stubs are 
on random student computers.  I'd be rather surprised to find any universities 
at all doing that outside of the machines operated by the computer labs.


_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
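As an added illustration (not from this thread, and not ISC's own documentation), here is a named.conf for a validating recursive server that puts the three configurations the thread discusses side by side: the slaved zone on the recursor that the thread warns about, the forward-zone and static-stub alternatives Michael names, and a slaved RPZ zone. The 192.0.2.x addresses, example.com and rpz.example.net are placeholders, and the static-stub zone type requires BIND 9.8 or later.

```conf
// Added example, not from the bind-users thread or from ISC.
// A validating recursive server; addresses and zone names are placeholders.

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };    // campus clients only
    dnssec-validation auto;               // BIND 9.8+: built-in root trust anchor

    // RPZ: the policy zone is slaved further down.  Nobody queries it
    // directly, so it never collides with the resolution algorithm.
    response-policy { zone "rpz.example.net"; };
};

// Problematic: the recursor is also authoritative for example.com.
// Queries for example.com are answered from the slaved zone and do not
// go through the validator, so DNSSEC validation of example.com cannot
// happen on this server.  Left commented out on purpose.
//
// zone "example.com" {
//     type slave;
//     masters { 192.0.2.10; };
//     file "slaves/example.com.db";
// };

// Alternative 1 ("forwarding the relevant zones to your authoritative
// servers"): the recursor stays non-authoritative for example.com and
// sends those queries to the authoritative servers instead of slaving.
zone "example.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; 192.0.2.11; };
};

// Alternative 2 (BIND 9.8+): static-stub.  Like a stub zone, but the name
// server addresses are configured rather than learned from NS records; the
// recursor resolves example.com by querying them as if following a
// delegation.  Use this INSTEAD of the forward zone above, never both,
// since a view may define a given zone only once.
//
// zone "example.com" {
//     type static-stub;
//     server-addresses { 192.0.2.10; 192.0.2.11; };
// };

// The RPZ zone is slaved from the policy master, as recommended for 9.8.
zone "rpz.example.net" {
    type slave;
    masters { 192.0.2.20; };
    file "slaves/rpz.example.net.db";
};
```

Run `named-checkconf /etc/named.conf` before reloading; it catches the duplicate-zone error you get if both the forward and static-stub definitions are uncommented at once. Whether forwarding is enough for validation of the forwarded zone is exactly the point left open in the reply above, so treat the forward and static-stub blocks as the thread's two candidates, not as a settled answer.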
