Re: djb and multiple IPs

2004-09-11 Thread Jason Fesler
> > Set up external dnscache on the public IP, and set up tinydns on IP
> > 127.0.0.1
>
> yep, that's the obvious way to do it.  it does leave a few questions,
> though:
> 1. can this kind of setup return authoritative answers?

Nope.

[about migrating]
> if i tried doing it, there'd be a week or two of complete chaos, with
> almost all customers getting the impression that our service was broken

Assuming IP space is not the issue..   Start with moving to tinydns/nsd
on different IP addresses, and start migrating anything that needs the
authoritative into to those.  Not sure how many domains you're responsible
for, so this may be some work, but it'd at least not be disruptive.

Once done, you can move to your existing IP being a non-auth caching
resolver for your end users, which, IMO, are generally more difficult to
cope with :-).

> what would be useful here is an application layer DNS proxy sitting on
> port 53 (both tcp and udp), with both authoritative and recursive
> servers on other IP addresses.   that way neither customers, secondary
> servers, nor help desk staff would need to do anything - as far as
> they're concerned, nothing has changed.

Yeah.  Agreed.
I'm curious just how *screwed up* it would be to make dnscache
flag the authoritative bit on certain answers.  Zone
transfers are not an issue, that's *tcp* 53, not udp.

> actually, that's something that could be built into nsd - if it is
> authoritative for a given request then answer it, otherwise proxy it to
> a recursive server.

That's not entirely off from adding a real resolver to nsd :-)
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]


Re: Cunning BIND trickery

2002-12-07 Thread Jason Fesler
> Correct me if I'm wrong, but aren't ACL and VIEW thingys BIND 9 ?

Arg.  Not quite enough awake, I read that you were using bind9.

Yeah, you need to upgrade, or find a different server.  bind8 doesn't have
anything close enough to views.






Re: Cunning BIND trickery

2002-12-07 Thread Jason Fesler
> Is there any way to do this with BIND8 or will I have to go to BIND9 or
> another DNS server such as PowerDNS ?

1: Define acl's that define each IP group of IP's you want to uniquely
   service;

2: Define "view"s that "match-clients" appropriate ACL's to the
   appropriate zone files that are munged the way you want it.


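
A minimal BIND 9 `named.conf` following the two steps in the message above, added here as an illustration and not part of the original post. The ACL name, networks, zone name and file paths are assumptions; the example also ties recursion to the view, so only the internal group gets a recursive resolver.

```conf
// Constructed example: ACL name, networks, zone and file paths are hypothetical.

// Step 1: an ACL for each group of client addresses to be served differently.
acl "internal" {
    127.0.0.1;
    10.0.0.0/8;
    192.168.0.0/16;
};

options {
    directory "/var/named";
};

// Step 2: views that match-clients against the ACLs. Views are tried in
// order and the first match wins, so the most specific view goes first.
// Once any view is defined, every zone must live inside a view.
view "internal" {
    match-clients { "internal"; };
    recursion yes;                      // internal clients may resolve anything
    zone "example.com" {
        type master;
        file "internal/db.example.com"; // zone data as internal clients see it
    };
};

view "external" {
    match-clients { any; };             // everyone not matched above
    recursion no;                       // authoritative answers only
    zone "example.com" {
        type master;
        file "external/db.example.com"; // zone data as the outside world sees it
    };
};
```

`named-checkconf` validates the syntax of the file before the server is reloaded.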




subscribe

2002-01-11 Thread Jason Fesler


-- 
--
 Jason Fesler  <[EMAIL PROTECTED]>  http://gigo.com/resume.html
 "Those who give up essential liberties for temporary safety
  deserve neither liberty nor safety." - Benjamin Franklin



