dns authority changes and lame servers

Nathan Ward nanog at daork.net
Sat Oct 20 23:37:48 UTC 2007


On 20/10/2007, at 1:24 PM, Mike Lewinski wrote:

> Simon Lyall wrote:
>
>> Sounds like the real problem is that your authoritative and caching DNS
>> servers are mixed up.
>
> Understood. I've worked to turn off recursion to the world and made  
> it through that without too much pain (except for the people who  
> transport statically configured laptops on and off our network).  
> The next step isn't trivial since it's a matter of updating quite a  
> lot of data. It's important and we're working on it for the benefit  
> of the customers, but this will be an operational issue for us for  
> a while.

I've yet to try it, but if you're running BIND you should be able to  
split it up into views:
- View A takes queries from your end users (based on source IP) and  
acts as a recursive cache.
- View B takes queries from everyone else (catchall) and answers  
authoritatively.

You'll probably run into a couple of problems where an end user  
needs an authoritative answer for a name you are authoritative for,  
but that'll be a small percentage I expect.

Again, I haven't tested this, but I can't see any obvious reason why  
it wouldn't work.
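As an added illustration of the split described above (example configuration, not from the original thread or from anyone on it), here is a minimal BIND 9 named.conf with the two views. The client ranges and the zone name are placeholders; the authoritative zones are declared in both views, pointing at the same static zone file, so that local clients receive authoritative answers directly rather than a recursive lookup for names this server owns.

```conf
// Added example, not part of the original post: one BIND 9 server split
// into a recursive view for local clients and an authoritative-only view
// for everyone else. Addresses and zone names are constructed placeholders.

acl "local-clients" {
    192.0.2.0/24;          // constructed: replace with your customer ranges
    2001:db8::/32;
    localhost;
};

options {
    directory "/var/named";
    // Defaults applied to every view unless the view overrides them.
    allow-query { any; };
};

// Once views are used, every zone must live inside a view.
// Views are tried in order; the first whose match-clients fits the
// source address wins, so the catch-all view must come last.
view "internal" {
    match-clients { "local-clients"; };
    recursion yes;
    allow-recursion { "local-clients"; };

    // Root hints so this view can recurse from the roots.
    zone "." {
        type hint;
        file "named.root";
    };

    // Declare the authoritative zones here too, so local clients get
    // authoritative data straight from this server.
    zone "example.net" {
        type master;
        file "example.net.zone";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                // never recurse for the outside world
    allow-recursion { none; };

    zone "example.net" {
        type master;
        file "example.net.zone";
    };
};
```

Run `named-checkconf` against the file before reloading; sharing one zone file between two views as shown is fine for static zones, while zones updated dynamically (with journals) should not be loaded from the same file by two views.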

>> If they are split then it doesn't really matter if you still host a lame
>> record because (since it's lame) nobody will ask you about it.
>
> It's still cruft and ideally should still be cleaned up  
> automatically based on the external authority changing.

Maybe. Note that the same is true of MTA and MX servers. (i.e. the MX  
record points at the same place for domains you host, as your  
customers do to send mail to domains you don't host).

--
Nathan Ward
