[dns-operations] New subscribers

wllarso wllarso at swcp.com
Wed Dec 29 20:12:19 UTC 2010


 On Thu, 30 Dec 2010 08:03:15 +1300 (NZDT), Simon Lyall wrote:

> The main differences I would see between then and now:
> - Number of packages on machines ( ~100 on minimal vs ~300 today )
> - More layers of complexity in packages ( If you upgrade libssl then you
>   have to worry about php-ssl, python-ssl apache-ssl )
> - Greater automation of machines ( a dozen hand crafted servers are less
>   common, instead people have 10s/100s/1000s of identical web servers )
> - In 95% of cases the distribution version will do the trick
> - In 4% of cases somebody will have already packaged a more up-to-date
>   version for RHEL, Ubuntu, Debian.
> - The last 1% of cases you shouldn't have too many packages per
>   environment.
>
> Sure if I was running 100 DNS servers and after interesting features
> then I'd look at downloading, compiling, packaging and rolling out the
> latest and greatest bind. But I wouldn't be doing the same with ssh,
> sendmail, ssl, bash, kernel etc on the same box unless there was a
> good reason. Following and maintaining more than a dozen packages
> locally would start to have some overhead (I'm doing this with RHEL5
> already and it's a pain).

 Just a question.  Whatever happened to the KISS principle for 
 operating DNS servers?

 A number of years ago (and I hate to admit HOW long ago) on the 
 BIND-USERS list, the topic of what should also be allowed to run on a 
 DNS server was brought up.  The response was to allow the DNS server to 
 also provide NTP services but nothing else.  No web server, no database 
 server, no user logins, etc.

 The idea was that hardware was cheap enough that having servers 
 dedicated to only providing DNS services was very practical.  Nowadays, 
 this should be an even more compelling reason for having dedicated DNS 
 servers and not piggybacking on every other service possible.  If 
 separate hardware is not available then at least separate virtual 
 machines are still a possibility.  (But don't get me on the topic of 
 running a DNS server on a VM!)

 If you are worried about the hundreds, and apparently thousands, of 
 possible packages installed on your DNS server, aren't you defeating the 
 KISS principle for operating a critical infrastructure service?  
 Wouldn't controlling the architecture of your DNS servers, i.e., 
 deploying DNS ***ONLY*** servers, make this issue of package 
 dependencies much simpler?

 Again, just a question,

 (A dedicated DNS operation lurker.  Normally quiet, unless ...)

 Bill Larson
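An added example, not part of Bill Larson's post or of the thread: a small POSIX shell audit that checks a host's installed-package list against an explicit allowlist for a DNS-only server, so drift away from the "DNS plus NTP, nothing else" build shows up as a list of extra packages. The allowlist, the base-system prefixes and the sample package list are constructed for illustration; a site would substitute its own build manifest.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an installed-package
# list against an allowlist for a dedicated DNS server.
# All package names below are constructed for illustration.

# Packages a DNS-only host is permitted to carry beyond the base system.
DNS_ALLOW="bind9 bind9utils bind9-dnsutils ntp openssh-server"

# Base-system packages are matched by name prefix rather than listed one by one.
BASE_PREFIXES="lib base- coreutils util-linux systemd dpkg apt"

# is_allowed NAME: exit 0 if NAME is in DNS_ALLOW or carries a base prefix.
is_allowed() {
    name=$1
    for a in $DNS_ALLOW; do
        [ "$name" = "$a" ] && return 0
    done
    for p in $BASE_PREFIXES; do
        case "$name" in
            "$p"*) return 0 ;;
        esac
    done
    return 1
}

# audit_packages: reads one package name per line on stdin, prints every
# name that is not allowed, and returns 1 if any such package was found.
audit_packages() {
    found=0
    while IFS= read -r pkg; do
        [ -z "$pkg" ] && continue
        if ! is_allowed "$pkg"; then
            echo "$pkg"
            found=1
        fi
    done
    return $found
}

# Constructed sample of what `dpkg-query -W -f='${Package}\n'` might print on
# a host that has picked up a web server and a database along the way.
SAMPLE_PACKAGES="bind9
bind9utils
libc6
libssl1.1
ntp
openssh-server
apache2
php7.4-common
mysql-server"

# Stand-alone run. On a live Debian/Ubuntu host the sample would be replaced
# by:  dpkg-query -W -f='${Package}\n' | audit_packages
printf '%s\n' "$SAMPLE_PACKAGES" | audit_packages || echo "host is not DNS-only"
```

The prefix list is deliberately short: the point of the check is that everything not explicitly justified is reported, so a new dependency pulled in by an upgrade (the libssl to php-ssl chain in the quoted post) lands in the output rather than accumulating unnoticed.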
