-----Original Message-----
From: Kevin Darcy <k...@chrysler.com>
Date: Monday, April 1, 2013 2:46 PM
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>
Subject: Re: Forward First on Master Zone (bypass SOA)

>On 3/29/2013 12:09 AM, Doug Barton wrote:
>> On 03/28/2013 12:28 PM, Ben-Eliezer, Tal (ITS) wrote:
>>> My organization is evaluating the use of split-view DNS in our
>>> environment.
>>
>> Simple ... don't do it. It's almost never the right answer, and as
>> you're learning carries with it more administrative overhead than the
>> problems it's designed to solve.
>>
>> Much better to spend the time carefully considering what your goals
>> are, and finding other ways to reach them.
>And your alternative is what? Run the external version of the namespace
>on a completely separate infrastructure from the internal version?

Wouldn't you do that to some extent anyway, to separate external infra -- which I'd think is authoritative only -- and internal which is likely a mix of authoritative and recursive?

I guess we've overkilled... We're running a split-horizon config on separate infrastructure.

There have always been those for and against split horizon. I often flip back and forth since I see logic in many of the arguments on both sides.

When I usually hear people speak against split-horizon, it has to do with added complexity and minimal benefit (can be harder to debug, confusing to new admins, internal resources should rely on more than DNS for protection and leak out in a lot of ways besides DNS, etc). They generally advocate converging the namespace itself more than dictating what the infrastructure should look like. You could have a cohesive name space served from separate infra or common infra using views and ACLs to decide who can access the cache. I would envision a hidden master feeding both sets of infra so maintenance is still centralized.
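The "common infra" layout described in the last paragraph of the message above, sketched as a BIND `named.conf` fragment: one converged zone, views and ACLs deciding who may use recursion and the cache, and a hidden master feeding both views. This is an added example, not part of the original message or the poster's configuration; the addresses, zone name, ACL and masters-list names, and file paths are constructed placeholders.

```conf
// Constructed example: all names, addresses and paths are placeholders.
acl internal-clients { 10.0.0.0/8; 192.168.0.0/16; localhost; };

// Hidden master: holds the single copy of the zone, not listed in NS records.
masters hidden-master { 192.0.2.10; };

options {
    directory "/var/named";
    allow-transfer { none; };          // this server hands out no zone transfers
};

view "internal" {
    match-clients { internal-clients; };
    recursion yes;                     // internal clients get a resolver
    allow-recursion   { internal-clients; };
    allow-query-cache { internal-clients; };

    zone "example.com" {
        type slave;
        masters { hidden-master; };
        file "slaves/internal/example.com.db";
    };
};

view "external" {
    match-clients { any; };            // everyone not matched above
    recursion no;                      // authoritative-only toward the Internet
    allow-query-cache { none; };       // no cached answers leak to outsiders

    zone "example.com" {
        type slave;
        masters { hidden-master; };    // same zone data as the internal view
        file "slaves/external/example.com.db";  // each view needs its own file
    };
};
```

Both views answer from the same zone contents, so the only difference between internal and external clients is access to recursion and the cache, which is what keeps the external side from acting as an open resolver.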