Hi Brian,

I completely agree with you that it makes sense for medium to large ISPs to 
separate resolvers from auth servers for several reasons.

My point was that the PowerDNS architecture and its good API make it very 
interesting for small ISPs or small to medium-sized enterprises: you may have it 
integrated with other products such as domain management systems, IPAM 
products, DHCP servers or web management panels. So perhaps it is too bad to 
target the product only at large ISP needs.

Also, about your example of a customer moving the domain to another ISP, I don't 
think this is solved by the separation of recursor and auth server, as you will 
have to remove the forwarding zones from the recursor and/or the dnsdist 
processes in order to correct the problem.

Best regards,

Alain RICHARD



> On 23 Jan 2018 at 09:58, Brian Candler <b.cand...@pobox.com> wrote:
> 
> There are several reasons why it is best practice to separate your 
> nameservers (even when using bind, you should have two separate instances).  
> In my experience, the number one problem with mixing recursor and auth at ISP 
> scale is when people move their domains away.
> 
> Suppose a customer has their domain "example.com" on your DNS service.  Some 
> time later they move the domain away to a different ISP, changing the 
> delegation in the registry without telling you. This leaves you with an old, 
> stale authoritative zone on your DNS.
> 
> If the caches and authoritative are the same boxes, then *your* customers 
> will still be seeing data from the stale zone, whilst the rest of the 
> Internet sees the correct data for example.com.  This can lead to problems 
> which are really hard to debug; e.g. your customers can't send mail to 
> example.com, but example.com is unaware of any issue (because mail works 
> fine to everyone else).  So it hits *your* support desk.
> 
> However, if your auth and recursors are separate, there is no problem.  Your 
> recursors follow the delegation to the new authoritative servers at the other 
> ISP; and nobody ever queries the stale example.com zone on your 
> authoritative server, because there is no delegation to it.
> 

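A small offline audit script, added here as an illustration and not code from the thread or from PowerDNS itself: it checks each zone the auth server still loads against the parent-side delegation and also flags any recursor forward-zone entry that still points at the local auth server, which is the piece that, as Alain notes, separating the two daemons alone does not fix. The nameserver names, addresses and delegation data are constructed for the example; the forward-zones parser assumes the Recursor's documented `zone=target[:port]` line syntax with an optional leading `+`.

```python
# Added example, not from the mailing-list thread or the PowerDNS project.
# Constructed data throughout: none of these hosts or addresses are real.
from __future__ import annotations

from dataclasses import dataclass


def normalize(name: str) -> str:
    """Canonical zone name: lowercase with a single trailing dot."""
    return name.strip().rstrip(".").lower() + "."


def parse_forward_zones(text: str) -> dict[str, str]:
    """Parse PowerDNS Recursor forward-zones-file lines ('zone=target[:port]',
    optional leading '+' for forward-with-recursion, '#' comments).
    Assumes the documented syntax; returns {zone: target}."""
    zones: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        zone, target = line.split("=", 1)
        zones[normalize(zone.lstrip("+"))] = target.strip()
    return zones


@dataclass
class Estate:
    our_ns: set[str]               # hostnames of our public authoritative servers
    hosted_zones: set[str]         # zones loaded on our authoritative server
    forward_zones: dict[str, str]  # recursor forward-zones: zone -> target


def stale_zones(estate: Estate, delegation: dict[str, set[str]]) -> dict[str, list[str]]:
    """Return {zone: [problems]} for every hosted zone whose parent-side
    delegation no longer names one of our servers.  `delegation` must come
    from the parent (registry) servers, not from our own recursor, which may
    itself be answering from the stale data we are looking for."""
    ours = {normalize(n) for n in estate.our_ns}
    report: dict[str, list[str]] = {}
    for zone in sorted(normalize(z) for z in estate.hosted_zones):
        parent_ns = {normalize(n) for n in delegation.get(zone, set())}
        if parent_ns & ours:
            continue  # delegation still points at us: nothing to do
        problems = ["auth server still loads the zone, but the parent delegates it to: "
                    + (", ".join(sorted(parent_ns)) or "(no delegation found)")]
        target = estate.forward_zones.get(zone)
        if target is not None:
            problems.append(f"recursor forward-zone still sends {zone} queries to {target}; "
                            "customers get the stale data until this entry is removed")
        report[zone] = problems
    return report


# Constructed sample forward-zones-file: customer zones forwarded to a local auth.
FORWARD_ZONES_FILE = """\
# send our own customers' zones to the local authoritative server
example.com=127.0.0.1:5300
stays.example=127.0.0.1:5300
+corp.internal=10.0.0.53
"""

ESTATE = Estate(
    our_ns={"ns1.isp.example", "ns2.isp.example"},
    hosted_zones={"example.com", "stays.example"},
    forward_zones=parse_forward_zones(FORWARD_ZONES_FILE),
)

# Constructed parent-side delegation: example.com has moved to another ISP.
PARENT_DELEGATION = {
    "example.com.": {"ns1.otherisp.example.", "ns2.otherisp.example."},
    "stays.example.": {"ns1.isp.example.", "ns2.isp.example."},
}


def audit() -> dict[str, list[str]]:
    return stale_zones(ESTATE, PARENT_DELEGATION)


if __name__ == "__main__":
    for zone, problems in audit().items():
        print(zone)
        for problem in problems:
            print("  -", problem)
```

In practice the `PARENT_DELEGATION` input would be filled from NS lookups sent directly at the parent zone's servers (for example `dig +norecurse NS example.com @<a .com server>`), never at your own recursor: if that recursor has a forward-zone for the domain it will cheerfully return the stale answer and the audit will report nothing.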
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users