Petr Špaček <petr.spa...@nic.cz> wrote:
>
> My operational experience indicates that it is easiest to just use
> "corp.example.com.", "office.example.com.", or even "i.example.com.".
We use private.cam.ac.uk.
> Nice thing is that this approach doesn't require:
> - views
We have an empty version of private.cam.ac.uk in an external view,
originally set up to avoid problems with CAA checking for X.509
certificates. It also massively reduces retries for REFUSED queries from
outside. (Our qps went down by about 50% when we introduced this view!)
> - forwarding
However you do still need forwarding (or stealth secondarying) for RFC1918
reverse DNS. Catalog zones make stealth secondaries almost as easy as
forwarding to set up and maintain :-)
> - explicit trust anchor (if you want DNSSEC inside internal network)
>
> and generally just works :-)
Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Sole: Westerly backing southerly, 3 or 4, increasing 5 or 6 later in west.
Slight, becoming moderate in west. Mainly fair. Moderate or good.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
