On Thu 18 August 2011 14:36:26 Michael Mol did opine thusly:
> On Thu, Aug 18, 2011 at 2:17 PM, Florian Philipp <li...@binarywings.net> wrote:
> > On 18.08.2011 03:35, Michael Mol wrote:
> >> On Wed, Aug 17, 2011 at 5:53 PM, Alan McKinnon <alan.mckin...@gmail.com> wrote:
> >>> On Wed 17 August 2011 17:23:41 Michael Mol did opine thusly:
> >>> At a minimum they should be on different interfaces and
> >>> preferably in chroots. Otherwise all manner of $BAD_STUFF
> >>> happens.
> >>
> >> Hm. Interested.
> >>
> >> echo $BAD_STUFF
> >>
> >> (or URI)
> >
> > URI: http://cr.yp.to/djbdns/separation.html
>
> Ah, gotcha. Yeah, I'm a bit worried about that. Even though I use a
> FQDN, I'm only authoritative within my own network and I don't (yet)
> expose my DNS records publicly. (It all resolves to RFC1918
> addresses...what'd be the point?)
On your scale you'd probably get away with it, that's why I made that little note earlier. Throughout this thread I've been replying from the viewpoint of having very large auth servers to maintain; I have to deal with stuff you'd likely never see, simply because you only have one zone. My employers have seen fit to sign up something like 40,000 zones from customers, then said "Here you go, Alan, make this work."

Aside from security and integrity issues, all sorts of interesting data problems happen on that scale, and they all seem to trace back to inappropriate use of glue. Sooner or later you will find a record you need to look up for purposes other than it being an NS, and you have it already in glue. If you are using that bind instance also as a cache, it will never do a proper lookup for that glue record, as it is ALREADY authoritative. You will go nuts and turn your brains into scrambled eggs trying to find that one. (Exactly the same weird issues can be found in almost any kind of coding problem using data and linked data structures; it's not unique to DNS.)

Any large DNS provider should (and almost all do) keep the caches and auth servers distinctly separate. Most also split top-level and second-level domains too.

--
alan dot mckinnon at gmail dot com
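As an added example (not code from the thread or from any of the posters), here is a small standard-library Python probe to check whether one of your own name servers plays both roles at once, the "auth plus cache in one daemon" setup the reply argues against. It sends two queries with RD set: one for a name in a zone the server should be authoritative for, one for a name it should know nothing about, and classifies the server from the AA and RA bits. The server address and the two names are constructed placeholders; `fake_response()` builds header-only replies so the classifier can be exercised offline.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def build_query(name, qid=0x1234):
    """Minimal A/IN query for `name` with RD set, i.e. asking for recursion."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(wire):
    """Pull the id, flag bits and answer count out of a response header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    return {"id": qid, "aa": bool(flags & FLAG_AA), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "ancount": an}


def classify(own_zone_resp, foreign_resp):
    """Decide a server's role from its reply for a name in its own zone and
    its reply for a foreign name. 'mixed' is the combined auth+cache setup."""
    own, foreign = parse_header(own_zone_resp), parse_header(foreign_resp)
    serves_auth = own["aa"] and own["rcode"] == 0
    # A recursion-only server advertises RA; a pure auth server refuses the
    # foreign name or hands back a referral (no RA, no answer records).
    serves_cache = foreign["ra"] or (foreign["rcode"] == 0 and foreign["ancount"] > 0)
    if serves_auth and serves_cache:
        return "mixed"
    if serves_auth:
        return "auth-only"
    if serves_cache:
        return "cache-only"
    return "neither"


def probe(server, own_name, foreign_name, timeout=2.0):
    """Send both queries over UDP to `server` (a resolver you operate)."""
    results = []
    for qid, name in ((0x1001, own_name), (0x1002, foreign_name)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qid), (server, 53))
            data, _ = s.recvfrom(4096)
        if parse_header(data)["id"] != qid:
            raise ValueError("reply id does not match our query")
        results.append(data)
    return classify(*results)


def fake_response(qid, flags, ancount=0):
    """Constructed header-only reply, used to exercise classify() offline."""
    return struct.pack("!HHHHHH", qid, FLAG_QR | flags, 1, ancount, 0, 0)


if __name__ == "__main__":  # placeholder address and names, replace with your own
    print(probe("192.0.2.53", "ns1.example.net", "www.example.org"))
```

Run it against each of your listeners separately; with the split the reply recommends, the auth address should come back "auth-only" and the cache address "cache-only".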