Hi all,
> If you're saying that you shouldn't *offer* recursive and authoritative
> services on the same box, then I generally agree. If you're saying that you
> shouldn't ever prime your cache with a zone, or have a recursive server be a
> slave to anything, then I'd say it gets kind of hairy there.

And just for the record, our publicly visible authoritative servers do not serve recursive queries.

> A number of us have been doing that sort of thing for years, and there
> isn't really a way of getting certain zones to update quickly in a recursive
> server without really short TTLs, unless you do zone transfers. I bet
> Carlos's users demand this capability just as my users did when I worked on
> a university campus.

That's correct, and we've also been operating like that for some years now.

>> You will particularly run into problems if you ever intend to do
>> DNSSEC validation on these name servers.. it just won't work.
>
> Yes. In that case, static-stub or forwarding is your friend. Although, we
> should be clear: It won't work on the zones that are slaved by the recursive
> server. Presumably one is protecting those zones some other way (TSIG,
> SIG(0)). It *will* (and does) work for signed zones for which the recursor
> is not authoritative.

That's news to me. What's the failure mode? Does the server return SERVFAIL, or does it not set the AD flag, or...?

Thanks,
cv
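The two deployment options discussed in the message above, as an added named.conf sketch that is not part of the original thread; the zone name, file paths and addresses are placeholders.

```conf
// Added illustration, not from the bind-users thread. Placeholder values.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // internal clients only
    dnssec-validation auto;              // validating recursor
};

// What the thread says to avoid on a validating recursor: slaving the
// zone here makes this server authoritative for campus.example, and the
// thread states validation will not work for such a zone (the exact
// failure mode is the open question in the message). Kept commented out.
//
// zone "campus.example" {
//     type slave;
//     masters { 192.0.2.53; };        // placeholder primary
//     file "slave/campus.example";
// };

// Option 1 from the thread: static-stub. Queries for names under
// campus.example go straight to the listed server instead of following
// delegation from the parent; answers are cached normally and the
// recursor stays non-authoritative for the zone.
zone "campus.example" {
    type static-stub;
    server-addresses { 192.0.2.53; };  // placeholder authoritative server
};

// Option 2 from the thread: forwarding. Same effect for validation
// (recursor is not authoritative); the listed server does the lookups.
//
// zone "campus.example" {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.53; };
// };
```

Run `named-checkconf` on the result before reloading; both zone types are mutually exclusive for the same name, so only one of the two blocks may be active.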
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users