[100277] in North American Network Operators' Group


Re: dns authority changes and lame servers

daemon@ATHENA.MIT.EDU (Nathan Ward)
Sat Oct 20 19:43:41 2007

In-Reply-To: <47194AB9.8080000@rockynet.com>
From: Nathan Ward <nanog@daork.net>
Date: Sun, 21 Oct 2007 12:37:48 +1300
To: Nanog <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu


On 20/10/2007, at 1:24 PM, Mike Lewinski wrote:

> Simon Lyall wrote:
>
>> Sounds like the real problem is that your authoritative and caching DNS
>> servers are mixed up.
>
> Understood. I've worked to turn off recursion to the world and made  
> it through that without too much pain (except for the people who  
> transport statically configured laptops on and off our network).  
> The next step isn't trivial since it's a matter of updating quite a  
> lot of data. It's important and we're working on it for the benefit  
> of the customers, but this will be an operational issue for us for  
> a while.

I've yet to try it, but if you're running BIND you should be able to
split it up into views:
- View A takes queries from your end users (based on source IP) and  
acts as a recursive cache.
- View B takes queries from everyone else (catchall) and answers  
authoritatively.

You'll probably run into a couple of problems where an end user
needs an authoritative answer of a name you are authoritative for,
but that'll be a small percentage I expect.

Again, I haven't tested this, but I can't see any obvious reason why  
it wouldn't work.

>> If they are split then it doesn't really matter if you still host  
>> a lame
>> record because (since it's lame) nobody will ask you about it.
>
> It's still cruft and ideally should still be cleaned up  
> automatically based on the external authority changing.

Maybe. Note that the same is true of MTA and MX servers. (i.e. MX
record points at the same place for domains you host, as your
customers do to send mail to domains you don't host).

--
Nathan Ward
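
The view split described in the message above, sketched as a named.conf fragment. This is an added example, not part of the original post and not tested by its author; the ACL name, address ranges (RFC 5737 documentation prefixes), zone name and file paths are constructed placeholders. It assumes the server's own addresses are not inside the end-user ACL, so that lookups the recursive view sends to this host for hosted names match the catch-all view.

```conf
// Constructed example: every name, address and path below is a placeholder.
acl customers {
    192.0.2.0/24;        // end-user source ranges
    198.51.100.0/24;
};

options {
    directory "/var/named";
};

// Views are tried in order; the first whose match-clients accepts the
// query's source address handles it.

// View A: end users, selected by source IP. Recursive cache only.
view "recursive" {
    match-clients { customers; };
    recursion yes;
    allow-recursion { customers; };
    // No hosted zones are loaded in this view, so every name is resolved
    // by following the delegation from the parent zone. A hosted zone
    // whose authority has moved elsewhere is therefore not answered from
    // leftover local data.
};

// View B: catch-all for everyone else. Authoritative answers only.
view "authoritative" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "zones/example.com.db";
    };
};
```

Running `named-checkconf` against the file catches syntax errors before a reload; once any `view` is defined, every `zone` statement has to live inside a view.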
