Hello Matthew,

I am mobile right now and a bit distracted sitting here in a parking lot so 
what exactly your question is eludes me.

<grin>

Speaking from experience, running a split horizon environment has several 
advantages and is quite liberating.  For example, internally your BIND servers 
can be authoritative for the root of your zone and then you delegate a subzone 
to Active Directory.  It keeps external/internal root neat and tidy and 
internally allows Active Directory the freedom to run dynamic updates without 
risk of leakage.

Every host gets DNS from the Domain Controllers and the DCs get recursion 
exclusively from BIND.

That said, you will want authoritative name servers for both external and 
internal.  If you choose to go with hidden external/internal masters that is 
fine.  No need to separate the roles of the slaves out unless there is an 
unknown operational requirement.

Finally, if you have a lot of RR churn, look to an IPAM solution to help 
shoulder the load.  Editing db files by hand is asking for mistakes to be made.

Hope that helps!

John


From: Mathew Ian Eis <mathew....@nau.edu>
Sent: Apr 4, 2016 7:38 PM
To: bind-users@lists.isc.org
Subject: Split horizon and authoritative servers

Hi BIND,

I have a question about authoritative servers in a split horizon environment 
(suppose two views "internal" and "external").

Is it necessary to have separate internal authoritative (listed in internal 
zone NS records, but not in whois or external NS records) servers, if the 
internal recursive servers are also authoritative (in the same way) slaves to 
an internal hidden master for the relevant zones?

It seems like cache poisoning should not be a concern, since the only servers 
listed in the (internal) NS records would as slaves always have full copies of 
relevant zones, and would not actually be recursing for those records. I can't 
think of any other reason to separate the internal authoritative slaves and the 
internal recursive resolvers... am I missing anything obvious?

Thanks in advance,

Mathew Eis
Northern Arizona University
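
The layout described in the reply above (two views, hidden masters, recursion offered only to the Domain Controllers, and an Active Directory subzone delegated from the internal zone) sketched as a named.conf fragment. This is an added example, not configuration from either poster; example.com, ad.example.com, the file paths and every address are constructed placeholders.

```conf
// Constructed example: all names, paths and addresses are placeholders.
acl "domain-controllers" { 10.0.0.10; 10.0.0.11; };  // AD DCs
acl "internal-nets"      { 10.0.0.0/8; };

view "internal" {
    match-clients { "internal-nets"; };

    // Only the DCs may recurse through BIND; ordinary hosts query the DCs.
    recursion yes;
    allow-recursion { "domain-controllers"; };

    // Internal copy of the zone root, transferred from the hidden internal master.
    zone "example.com" {
        type slave;
        masters { 10.0.0.5; };                 // hidden internal master
        file "slaves/internal/example.com.db";
    };

    // The AD subzone is not defined here. It is delegated inside the
    // internal example.com zone data on the hidden master, e.g.:
    //   ad       IN NS  dc1.ad.example.com.
    //   ad       IN NS  dc2.ad.example.com.
    //   dc1.ad   IN A   10.0.0.10             ; glue
    //   dc2.ad   IN A   10.0.0.11             ; glue
    // Dynamic updates from AD clients therefore land on the DCs only.
};

view "external" {
    match-clients { any; };                    // evaluated after "internal"

    // Authoritative-only for the outside world.
    recursion no;

    // External copy of the zone root, from the hidden external master.
    // Its zone data carries no "ad" delegation, so AD records are not
    // reachable through this view.
    zone "example.com" {
        type slave;
        masters { 192.0.2.5; };                // hidden external master
        file "slaves/external/example.com.db";
    };
};
```

`named-checkconf` will validate the syntax of a file like this before it is loaded.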