On Fri, May 19, 2017 at 8:56 AM, Matus UHLAR - fantomas <[email protected]> wrote:
> Gordon Messmer <[email protected]> wrote:
>>>> Is it considered best-practice (or just normal) for authoritative
>>>> servers to just not use the local server for resolution?
>>>
>>> On Wed, May 10, 2017 at 5:56 AM, Tony Finch <[email protected]> wrote:
>>>> Mine don't :-)
>>>
>> On 18.05.17 16:38, Bob Harold wrote:
>> My authoritative servers are non-recursive. They use the same DNS
>> resolvers that any other server uses, and not themselves.
>
> this configuration will make your recursive servers provide correct data
> when your customers move their domains out without telling you so (which
> happened quite often)...
> --
> Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/

Very true, and I use that fact when I know a zone is in transition.

But most of the time I have stealth slave copies (meaning not listed in NS records) on my resolvers. That is more complicated, and has the problem you mention, which happens often. But it has some advantages:

- Updates reach my users more quickly, with no waiting for cache timeout on the resolvers (there are still other caches, but it helps).
- Cache poisoning attacks don't work against my zones on my resolvers, since they are authoritative and not cached.

I hope sometime to automate monitoring for zones moving without warning me in advance.

--
Bob Harold
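As an added example (not from the thread or from either poster), here is how the two roles Bob describes look in BIND 9 named.conf: an authoritative server that never recurses, and a site resolver that carries a stealth slave of the same zone. The zone name, addresses and file paths are placeholders.

```conf
// --- Authoritative server (placeholder address 198.51.100.1) ---
// Serves only the zones it holds; does no resolution for anyone, itself included.
// The host's own /etc/resolv.conf should point at the site resolvers instead.
options {
    recursion no;                     // non-recursive authoritative, as in the thread
    allow-query { any; };             // authoritative data is public
    allow-transfer { none; };         // opened per zone below, only to the stealth slave
};

zone "example.com" {
    type master;
    file "zones/example.com.db";
    // The stealth slave is not in the NS RRset, so BIND will not NOTIFY it on its own;
    // without also-notify it learns of changes only at the SOA refresh interval.
    also-notify { 192.0.2.53; };
    allow-transfer { 192.0.2.53; };   // placeholder: the stealth resolver below
};

// --- Site resolver (placeholder address 192.0.2.53, separate named.conf) ---
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; };     // placeholder client range
    allow-query-cache { 192.0.2.0/24; };
};

// Stealth slave: absent from the zone's NS records, so the Internet never asks it,
// but local clients get authoritative answers for this zone with no cache TTL wait
// and no cached RRset for a poisoning attempt to target.
zone "example.com" {
    type slave;
    masters { 198.51.100.1; };             // placeholder authoritative address
    file "slaves/example.com.db";
    notify no;                             // a stealth copy should not notify anyone
    allow-transfer { none; };
};
```

Matus's caveat still applies: if example.com moves elsewhere while the old master keeps serving it, transfers keep succeeding and the resolver's slave copy never expires, so the stale zone stays until it is removed by hand or by the monitoring Bob mentions.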
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users

