On Thu 18 August 2011 14:36:26 Michael Mol did opine thusly:

> On Thu, Aug 18, 2011 at 2:17 PM, Florian Philipp <lists@×××××××××××.net> wrote:
> > On 18.08.2011 03:35, Michael Mol wrote:
> >> On Wed, Aug 17, 2011 at 5:53 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote:
> >>> On Wed 17 August 2011 17:23:41 Michael Mol did opine thusly:
> >>> At a minimum they should be on different interfaces and
> >>> preferably in chroots. Otherwise all manner of $BAD_STUFF
> >>> happens.
> >>
> >> Hm. Interested.
> >>
> >> echo $BAD_STUFF
> >>
> >> (or URI)
> >
> > URI: http://cr.yp.to/djbdns/separation.html
>
> Ah, gotcha. Yeah, I'm a bit worried about that. Even though I use a
> FQDN, I'm only authoritative within my own network and I don't (yet)
> expose my DNS records publicly. (It all resolves to RFC1918
> addresses... what'd be the point?)

On your scale you'd probably get away with it; that's why I made that
little note earlier.

Throughout this thread I've been replying from the viewpoint of having
very large auth servers to maintain; I have to deal with stuff you'd
likely never see, simply because you only have one zone. My employers
have seen fit to sign up something like 40,000 zones from customers,
then said "Here you go, Alan, make this work."

Aside from security and integrity issues, all sorts of interesting
data problems happen on that scale, and they all seem to trace back
to inappropriate use of glue. Sooner or later you will find a record
you need to look up for purposes other than it being an NS, and you
already have it in glue. If you are using that BIND instance also as a
cache, it will never do a proper lookup for that glue record, as it is
ALREADY authoritative. You will go nuts and turn your brains into
scrambled eggs trying to find that one. (Exactly the same weird issues
can be found in almost any kind of coding problem using data and
linked data structures; it's not unique to DNS.)

Any large DNS provider should (and almost all do) keep the caches and
auth servers distinctly separate. Most also split top-level and
second-level domains too.

-- 
alan dot mckinnon at gmail dot com
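An added example, not part of the mail above or of any of the posters' setups, of what that separation looks like in BIND 9 configuration: two named instances, one authoritative-only and one caching-only, each bound to its own address and started in its own chroot with `named -t`. The addresses, paths, zone name and chroot directories are placeholders. The setting to avoid is the combined form, a single instance with `recursion yes;` that also carries the `zone` statements, which is exactly the case where a lookup for a glue name is answered from the zone file instead of being resolved.

```conf
// Added example: splitting auth and cache roles in BIND 9.
// Addresses (192.0.2.x), paths and "example.com" are placeholders.

// ---- /etc/bind/named-auth.conf : authoritative only ----
// start as: named -u named -t /chroot/dns-auth -c /etc/bind/named-auth.conf
options {
    directory "/var/bind";
    listen-on { 192.0.2.53; };        // auth-facing address only
    recursion no;                     // never resolve on behalf of clients
    allow-query { any; };             // anyone may ask for the zones we host
    allow-transfer { 192.0.2.54; };   // secondaries only
};

zone "example.com" {
    type master;
    file "pri/example.com.zone";      // NS records and glue live here
};

// ---- /etc/bind/named-cache.conf : caching resolver only ----
// start as: named -u named -t /chroot/dns-cache -c /etc/bind/named-cache.conf
options {
    directory "/var/bind";
    listen-on { 192.0.2.2; };         // internal address only
    recursion yes;
    allow-query { 192.0.2.0/24; };    // our own clients only
    allow-recursion { 192.0.2.0/24; };
};

zone "." {
    type hint;
    file "named.cache";               // root hints; no other zones here
};

// The resolver carries no copy of example.com, so a query for
// ns1.example.com is resolved through the delegation and answered by
// the authoritative instance, instead of being served from whatever
// glue happens to sit in the zone file of a combined server.
```

To check a running server, query it directly with `dig`: `dig +norecurse @192.0.2.53 example.com SOA` should come back with `aa` in the `flags:` line and no `ra`, while `dig @192.0.2.2 example.com SOA` should show `ra` and no `aa`. A server that shows both flags for a zone it hosts is doing both jobs and is the combined case described above.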