[dns-operations] recursive nameservers with "hidden" auth zones?

Ralf Weber dns at fl1ger.de
Thu Mar 14 14:22:18 UTC 2013


On 14.03.2013, at 08:21, R.P. Aditya <aditya at grot.org> wrote:

> I didn't mean to be opaque, but just in case it clarifies more:
> The question is "does the benefit of quicker updates outweigh the risks
> involved in serving a few select zones authoritatively from a recursive
> server that is open to a select population?" 

No. I've seen people setting up these hybrid recursive/authoritative servers, and while they worked well initially, as time progressed and some changes on the authoritative setup occurred, they caused all sorts of problems. I strongly advise not to do this.

What you want to achieve is that when within your network you make a change to your authoritative zones you want these to reflect nearly instantly on your recursive servers. You can achieve this better IMHO by flushing the cache for those domains when you make a change. That way the normal resolution process will get the new record, and that will work and not give a wrong result even when there was a change in the authoritative setup.

So long
Ralf Weber (Internet Citizen)
e: dns at fl1ger.de
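
One way to script the flush-on-change approach described above, as an added example that is not part of the original post. It assumes the recursive servers run BIND or Unbound with remote control configured; the resolver addresses, zone names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the recursive servers run
# BIND (rndc) or Unbound (unbound-control) with remote control already set up.

# Constructed sample resolvers: one "kind host" pair per line.
RESOLVERS="bind 192.0.2.53
unbound 192.0.2.54"

# Accept only plain DNS names; the value ends up on a privileged command line.
valid_zone() {
    case "$1" in
        ""|.*|-*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the cache-flush command for one resolver and zone.
flush_cmd() {
    kind=$1 host=$2 zone=$3
    valid_zone "$zone" || { echo "refusing zone name: $zone" >&2; return 1; }
    case "$kind" in
        bind)    echo "rndc -s $host flushtree $zone" ;;
        unbound) echo "unbound-control -s $host flush_zone $zone" ;;
        *)       echo "unknown resolver type: $kind" >&2; return 1 ;;
    esac
}

# Compare "zone serial" listings taken before and after a deployment and
# print every zone that is new or whose SOA serial changed.
changed_zones() {
    awk 'FILENAME == ARGV[1] { old[$1] = $2; next }
         !($1 in old) || old[$1] != $2 { print $1 }' "$1" "$2"
}

# Dry run: print one flush command per changed zone per resolver.
plan_flush() {
    changed_zones "$1" "$2" | while read -r zone; do
        echo "$RESOLVERS" | while read -r kind host; do
            flush_cmd "$kind" "$host" "$zone"
        done
    done
}

# Constructed demo data: only example.com has a new serial.
before=$(mktemp); after=$(mktemp)
printf '%s\n' 'example.com 2013031401' 'corp.example 2013031001' > "$before"
printf '%s\n' 'example.com 2013031402' 'corp.example 2013031001' > "$after"
plan_flush "$before" "$after"
rm -f "$before" "$after"
```

The script only prints the flush commands so they can be reviewed before being run against the resolvers.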
