Greetings Kevin,

Wed, 18 Nov 2009 18:16:37 -0500 Kevin Darcy wrote:

Andrey G. Sergeev (AKA Andris) wrote:
Greetings,


does the following setup violate any DNS RFCs or is it in the conflict with any best practices?

----------------------------------------------------------------------
[and...@strigidae ~]$ dig +nocmd +nocom +noque +nosta domain1.tld1. ns
domain1.tld1. 86400 IN NS ns1.domain1.tld1.
domain1.tld1. 86400 IN NS ns2.domain1.tld1.
domain1.tld1. 86400 IN NS ns1.domain2.tld2.
domain1.tld1. 86400 IN NS ns2.domain2.tld2.
domain1.tld1. 86400 IN NS ns1.domain3.tld3.
domain1.tld1. 86400 IN NS ns2.domain3.tld3.
ns1.domain1.tld1. 86400 IN A IP.Add.ress.1
ns2.domain1.tld1. 86400 IN A IP.Add.ress.2
^^^^^^^^^^^^^
ns1.domain2.tld2. 86400 IN A IP.Add.ress.3
^^^^^^^^^^^^^
ns2.domain2.tld2. 86400 IN A IP.Add.ress.4
ns1.domain3.tld3. 86400 IN A IP.Add.ress.2
^^^^^^^^^^^^^
ns2.domain3.tld3. 86400 IN A IP.Add.ress.3
^^^^^^^^^^^^^
----------------------------------------------------------------------

As we can see above, the ns2.domain1.tld1 / ns1.domain3.tld3 are actually the same physical host with the IP.Add.ress.2 and the ns1.domain2.tld2 / ns2.domain3.tld3 are actually the same machine with the IP.Add.ress.3.
The DNS standards only say that every zone must have at least 2 nameservers. That doesn't appear to be violated here. The fact that some of the nameservers have multiple names doesn't reduce the availability/robustness of the delegations (which is apparently the whole point of the rule); the only minor negative effect is that there is some confusion over where the PTR records should point. But even that is pretty much irrelevant, since doing a reverse lookup of an authoritative nameserver is not required by any standard, nor something that is done in the normal course of operation.
What are the benefits of this setup?
4 nameservers are cheaper than 6 (??)

Hmm, maybe. I suppose that this setup creates added redundancy and
seems to be more reliable. If all of these 6 nameservers were in the
same TLD, then simply cutting off this TLD from the DNS namespace would
be sufficient to cut off the delegated domain too:

domain1.tld1 delegated to:
  ns1.domain1.tld1
  ns2.domain1.tld1
  ns1.domain2.tld1
  ns2.domain2.tld1
  ns1.domain3.tld1
  ns2.domain3.tld1

In this scenario tld1 is the single POF.

But if we have something like this

domain1.tld1 delegated to:
  ns1.domain1.tld1
  ns2.domain1.tld1
  ns1.domain2.tld2
  ns2.domain2.tld2
  ns1.domain3.tld3
  ns2.domain3.tld3

then we have an additional level of redundancy. The idea is that we
should distribute our authoritative nameservers not only across
different IP networks, ASes and ISPs, but also among different TLDs and
SLDs. It can be expensive to set up 6 completely different nameservers, so
we can emulate the redundancy by creating aliases for our existing
nameservers.

We're still vulnerable, because if tld1 were completely unavailable
then it would be rather difficult to determine the full list of
authoritative nameservers for any domain in tld1 - but don't forget
about the cached data.


--

Yours sincerely,

Andrey G. Sergeev (AKA Andris)     http://www.andris.name/
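A small check that makes the two points in this thread measurable (added here as an illustration; it is not code from either poster or from BIND). It parses dig-style NS and A lines for a zone and reports how many distinct hosts stand behind the NS names, which names are aliases of one machine, and whether every NS name lives in a single TLD. The input is constructed in the shape of the dig output quoted above, with the RFC 5737 documentation range 192.0.2.0/24 standing in for the IP.Add.ress.N placeholders; the function names parse_dig and analyze are my own. It goes slightly beyond the thread by also building the all-in-tld1 variant from the same data to show the single-POF case being detected.

```python
"""Delegation-diversity check for an NS set (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample in the shape of the dig output quoted in the thread.
# 192.0.2.x (RFC 5737 documentation range) replaces the IP.Add.ress.N placeholders.
DIG_OUTPUT = """\
domain1.tld1. 86400 IN NS ns1.domain1.tld1.
domain1.tld1. 86400 IN NS ns2.domain1.tld1.
domain1.tld1. 86400 IN NS ns1.domain2.tld2.
domain1.tld1. 86400 IN NS ns2.domain2.tld2.
domain1.tld1. 86400 IN NS ns1.domain3.tld3.
domain1.tld1. 86400 IN NS ns2.domain3.tld3.
ns1.domain1.tld1. 86400 IN A 192.0.2.1
ns2.domain1.tld1. 86400 IN A 192.0.2.2
ns1.domain2.tld2. 86400 IN A 192.0.2.3
ns2.domain2.tld2. 86400 IN A 192.0.2.4
ns1.domain3.tld3. 86400 IN A 192.0.2.2
ns2.domain3.tld3. 86400 IN A 192.0.2.3
"""

# The thread's first scenario: the same six names, all under tld1 (constructed).
DIG_OUTPUT_SINGLE_TLD = DIG_OUTPUT.replace("tld2", "tld1").replace("tld3", "tld1")

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)$")


def parse_dig(text):
    """Return (zone -> [NS names], name -> {addresses}) from dig-style RR lines."""
    ns_sets = defaultdict(list)
    addrs = defaultdict(set)
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue  # skip comments, blank lines, other record types
        owner, rtype, rdata = m.groups()
        owner, rdata = owner.lower(), rdata.lower()
        if rtype == "NS":
            ns_sets[owner].append(rdata)
        else:
            addrs[owner].add(rdata)
    return ns_sets, addrs


def tld_of(name):
    """Top-level label of a fully-qualified name ('ns1.domain1.tld1.' -> 'tld1')."""
    return name.rstrip(".").split(".")[-1]


def analyze(zone, ns_sets, addrs):
    """Summarise host and TLD diversity of the NS set delegating `zone`."""
    ns_names = ns_sets[zone]
    # Group NS names by the address they resolve to: names that share an
    # address are aliases of one machine and add no host redundancy.
    by_addr = defaultdict(list)
    for ns in ns_names:
        for a in sorted(addrs.get(ns, ())):
            by_addr[a].append(ns)
    aliases = {a: names for a, names in by_addr.items() if len(names) > 1}
    tlds = {tld_of(ns) for ns in ns_names}
    return {
        "ns_names": len(ns_names),
        "distinct_hosts": len(by_addr),
        "aliases": aliases,
        "tlds": sorted(tlds),
        # A single TLD holding every NS name is the thread's "tld1 is the single POF" case.
        "single_tld_pof": tld_of(ns_names[0]) if len(tlds) == 1 else None,
        # The only hard rule the thread cites: at least two nameservers, which
        # only means something if they are two different hosts.
        "meets_two_ns_minimum": len(ns_names) >= 2 and len(by_addr) >= 2,
    }


if __name__ == "__main__":
    for label, text in (("mixed TLDs", DIG_OUTPUT), ("single TLD", DIG_OUTPUT_SINGLE_TLD)):
        ns_sets, addrs = parse_dig(text)
        print(label, analyze("domain1.tld1.", ns_sets, addrs))
```

On the thread's data the report shows six NS names but four distinct hosts and two alias pairs, so the aliasing buys TLD diversity rather than extra machines; the all-tld1 variant keeps the same four hosts but is flagged with tld1 as the single point of failure. The same parser runs on real `dig +noall +answer +additional` output for your own zones.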

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users