| 1 |
On Thu 18 August 2011 14:36:26 Michael Mol did opine thusly: |
| 2 |
> On Thu, Aug 18, 2011 at 2:17 PM, Florian Philipp |
| 3 |
<lists@×××××××××××.net> wrote: |
| 4 |
> > Am 18.08.2011 03:35, schrieb Michael Mol: |
| 5 |
> >> On Wed, Aug 17, 2011 at 5:53 PM, Alan McKinnon |
| 6 |
<alan.mckinnon@×××××.com> wrote: |
| 7 |
> >>> On Wed 17 August 2011 17:23:41 Michael Mol did opine thusly: |
| 8 |
> >>> At a minimum they should be on different interfaces and |
| 9 |
> >>> preferably in chroots. Otherwise all manner of $BAD_STUFF |
| 10 |
> >>> happens. |
| 11 |
> >> |
| 12 |
> >> Hm. Interested. |
| 13 |
> >> |
| 14 |
> >> echo $BAD_STUFF |
| 15 |
> >> |
| 16 |
> >> (or URI) |
| 17 |
> > |
| 18 |
> > URI: http://cr.yp.to/djbdns/separation.html |
| 19 |
> |
| 20 |
> Ah, gotcha. Yeah, I'm a bit worried about that. Even though I use a |
| 21 |
> FQDN, I'm only authorative within my own network and I don't (yet) |
| 22 |
> expose my DNS records publicly. (It all resolves to RFC1918 |
| 23 |
> addresses...what'd be the point?) |
| 24 |
|
| 25 |
On your scale you'd probably get away with it, that's why I made that |
| 26 |
little note earlier. |
| 27 |
|
| 28 |
Throughout this thread I've been replying from the viewpoint of having |
| 29 |
very large auth servers to maintain, I have to deal with stuff you'd |
| 30 |
likely never see, simply because you only have one zone. My employers |
| 31 |
have seen fit to sign up something like 40,000 zones from customers |
| 32 |
then said "Here you Alan, make this work." |
| 33 |
|
| 34 |
Aside from security and integrity issues, all sorts of interesting |
| 35 |
data problems happen on that scale, and they all seem the trace back |
| 36 |
to inappropriate use of glue. Sooner or later you will find a record |
| 37 |
you need to look up for purposes other than it being an NS, and you |
| 38 |
have it already in glue. If you are using that bind instance also as a |
| 39 |
cache, it will never do a proper look up for that glue record as it is |
| 40 |
ALREADY authoritative. You will go nuts and turn your brains into |
| 41 |
scrambled eggs trying to find that one. (exactly the same weird issues |
| 42 |
can be found in almost any kind of coding problem using data and |
| 43 |
linked data structures, it's not unique to DNS). |
| 44 |
|
| 45 |
Any large DNS provider should (and almost all do) keep the caches and |
| 46 |
auth servers distinctly separate. Most also split top-level and |
| 47 |
second-level domains too. |
| 48 |
|
| 49 |
|
| 50 |
-- |
| 51 |
alan dot mckinnon at gmail dot com |
Archives