[dns-operations] Cache efficiency (was: Re: DNS .com/.net resolution problems in the Asia/Pacific region)

Robert Edmonds edmonds at mycre.ws
Fri Jul 21 06:24:01 UTC 2023

Paul Vixie via dns-operations wrote:
> Robert Edmonds wrote on 2023-07-20 14:50:
> > a) Delegations within the same organization often reflect internal
> > organizational boundaries. One team may want to give control over part
> > of the namespace to another team, without handing over write permissions
> > for the whole zone, so the typical solution is to carve out a child zone
> > for the other team, and host that zone on the same provider as the
> > parent zone. If the cloud-based DNS providers that many organizations
> > use offered a more granular, less than whole zone permissions model, it
> > would cut down on the number of child zones that are created solely to
> > reflect intra-organizational boundaries.
> i'd hate to see us adopt a cloud-centric model. whatever we do to improve
> NS-chain performance -- and i think your first two suggestions would do this
> -- should also benefit the normal delegation, notify, and transfer system.

I was primarily thinking of particular cloud-based DNS providers where
the permissions granularity is at the zone level, and those providers
could unilaterally improve their implementations to make the design
pattern described above unnecessary.

Now that I look at BIND's documentation [0], I think the kind of
granularity that I want already exists, with an "update-policy" rule
that matches a "subdomain". So you can think of this section as advice
to cloud DNS providers to catch up with state-of-the-art open source DNS
implementations :-)

Another way of putting it is, try not to ship your org chart into the
DNS delegation hierarchy if you can avoid it. Sure, if you have a hard
organizational boundary between business units that operate separate
infrastructure including DNS servers, by all means go ahead and
introduce a zone cut, though.

[0] https://bind9.readthedocs.io/en/v9_18_2/reference.html#dynamic-update-policies

Robert Edmonds
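As an added illustration (not part of the original post, and not taken from the BIND documentation), here is what the "subdomain" update-policy pattern mentioned above looks like in a named.conf fragment: the parent zone stays whole, and a TSIG key held by the second team may only update names at or below teamb.example.com, and only the listed record types. The zone name, file path, key name and secret are constructed placeholders.

```conf
// Constructed example: one zone, two teams, no zone cut.
// The TSIG key for the second team. The secret is a placeholder;
// generate a real one with tsig-keygen and keep it out of version control.
key "teamb-key." {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-REPLACE-ME==";
};

zone "example.com" {
    type primary;
    file "/var/named/example.com.db";   // placeholder path

    update-policy {
        // grant <identity> subdomain <name> <types>
        // "subdomain" matches teamb.example.com itself and every name
        // below it, and nothing else in the zone.
        // Listing record types explicitly (rather than ANY) means the
        // key cannot add NS or DS records and so cannot introduce a
        // delegation, nor touch the apex SOA/NS, which live outside
        // the granted subtree anyway.
        grant teamb-key. subdomain teamb.example.com. A AAAA CNAME TXT SRV;
    };
};
```

The second team then drives changes with nsupdate against the same server (for example `nsupdate -k teamb-key.conf`), and any update that names a record outside teamb.example.com, or a type not in the list, is refused by the primary. Compared with carving out a child zone, there is no extra NS chain for resolvers to walk, and the parent's own change-control, NOTIFY and transfer setup cover the whole namespace.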
