[dns-operations] New subscribers
wllarso at swcp.com
Wed Dec 29 20:12:19 UTC 2010
On Thu, 30 Dec 2010 08:03:15 +1300 (NZDT), Simon Lyall wrote:
> The main differences I would see between then and now:
> - Number of packages on machines ( ~100 on minimal vs ~300 today )
> - More layers of complexity in packages ( If you upgrade libssl then
> have to worry about php-ssl, python-ssl apache-ssl )
> - Greater automation of machines ( a dozen hand crafted servers are
> common, instead people have 10s/100s/1000s of identical web servers
> - In 95% of cases the distribution version will do the trick
> - In 4% of cases somebody will have already packaged a more up to date
> version for RHEL, Ubuntu, Debian.
> - The last 1% of cases you shouldn't have too many packages per
> Sure if I was running 100 DNS servers and after interesting features
> then I'd look at downloading, compiling, packaging and rolling out
> latest and greatest bind. But I wouldn't be doing the same with ssh,
> sendmail, ssl, bash, kernel etc on the same box unless there was a
> good reason. Following and maintaining more than a dozen packages
> locally would start to have some overhead (I'm doing this with RHEL5
> already and it's a pain).
Just a question. Whatever happened to the KISS principle for
operating DNS servers?
A number of years ago (and I hate to admit HOW long ago) on the
BIND-USERS list, the topic of what should also be allowed to run on a
DNS server was brought up. The response was to allow the DNS server to
also provide NTP services but nothing else. No web server, no database
server, no user logins, etc.
The idea was that hardware was cheap enough that having servers
dedicated to only providing DNS services was very practical. Nowadays,
this should be an even more compelling reason for having dedicated DNS
servers and not piggybacking on every other service possible. If
separate hardware is not available then at least separate virtual
machines are still a possibility. (But don't get me on the topic of
running a DNS server on a VM!)
If you are worried about the hundreds, and apparently thousands, of
possible packages installed on your DNS server, aren't you defeating the
KISS principle for operating a critical infrastructure service?
Wouldn't controlling the architecture of your DNS servers, i.e.,
deploying DNS ***ONLY*** servers, make this issue of package
dependencies much simpler?
Again, just a question,
(A dedicated DNS operation lurker. Normally quiet, unless ...)
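An added example, not part of the original post, of turning the "DNS plus NTP and nothing else" rule into a check: the function below reads listener lines in the column layout of `ss -lntu` (header dropped) and reports any socket not on port 53 or 123; the sample input is constructed, not taken from a real host.

```shell
#!/bin/sh
# Audit a host that is supposed to be a DNS-only server.
# Rule from the post: DNS (53) and NTP (123) may listen; nothing else.
ALLOWED_PORTS="53 123"

# audit_listeners LISTENER_LINES
#   Each line: Netid State Recv-Q Send-Q Local:Port Peer:Port (ss -lntu layout).
#   Prints one line per listener outside ALLOWED_PORTS.
#   Returns 0 when the host is clean, 1 when anything unexpected is listening.
audit_listeners() {
    printf '%s\n' "$1" | {
        violations=0
        while read -r netid state recvq sendq laddr peer; do
            [ -z "$netid" ] && continue          # skip blank lines
            [ "$netid" = "Netid" ] && continue   # skip a header if one slipped in
            port=${laddr##*:}                    # works for 0.0.0.0:53 and [::]:53
            allowed=0
            for p in $ALLOWED_PORTS; do
                [ "$port" = "$p" ] && allowed=1
            done
            if [ "$allowed" -eq 0 ]; then
                echo "unexpected listener: $netid $laddr"
                violations=$((violations + 1))
            fi
        done
        [ "$violations" -eq 0 ]
    }
}

# Constructed sample: a clean DNS+NTP box.
SAMPLE_OK='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:*'

# Constructed sample: a DNS box that has grown a web server and a database.
SAMPLE_BAD='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 128 [::]:3306 [::]:*'

# On a real host replace the sample with: audit_listeners "$(ss -lntu | tail -n +2)"
audit_listeners "$SAMPLE_OK" && echo "clean"
audit_listeners "$SAMPLE_BAD" || echo "not a DNS-only server"
```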