[dns-operations] Cache efficiency (was: Re: DNS .com/.net resolution problems in the Asia/Pacific region)
edmonds at mycre.ws
Fri Jul 21 06:24:01 UTC 2023
Paul Vixie via dns-operations wrote:
> Robert Edmonds wrote on 2023-07-20 14:50:
> > a) Delegations within the same organization often reflect internal
> > organizational boundaries. One team may want to give control over part
> > of the namespace to another team, without handing over write permissions
> > for the whole zone, so the typical solution is to carve out a child zone
> > for the other team, and host that zone on the same provider as the
> > parent zone. If the cloud-based DNS providers that many organizations
> > use offered a more granular, less than whole zone permissions model, it
> > would cut down on the number of child zones that are created solely to
> > reflect intra-organizational boundaries.
> i'd hate to see us adopt a cloud-centric model. whatever we do to improve
> NS-chain performance -- and i think your first two suggestions would do this
> -- should also benefit the normal delegation, notify, and transfer system.
I was primarily thinking of particular cloud-based DNS providers where
the permissions granularity is at the zone level, and those providers
could unilaterally improve their implementations to make the design
pattern described above unnecessary.
Now that I look at BIND's documentation, I think the kind of
granularity that I want already exists, with an "update-policy" rule
that matches a "subdomain". So you can think of this section as advice
to cloud DNS providers to catch up with state-of-the-art open source DNS.
Another way of putting it is, try not to ship your org chart into the
DNS delegation hierarchy if you can avoid it. Sure, if you have a hard
organizational boundary between business units that operate separate
infrastructure including DNS servers, by all means go ahead and
introduce a zone cut, though.
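As an added illustration of the "update-policy" / "subdomain" approach mentioned above (this is not from the original message or from BIND's own documentation; the zone name example.com, the sub-tree b.example.com, the key name team-b-key, the file names and the placeholder secret are all assumed for the example), here is a named.conf fragment that gives a second team write access to one branch of the zone without a delegation and without handing over the whole zone:

```conf
// Added example: one zone, two teams, no zone cut.
// Generate a real key with: tsig-keygen team-b-key
// (the secret below is a placeholder, not a usable key).
key "team-b-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-tsig-keygen-OUTPUT=";
};

zone "example.com" {
    type primary;          // "master" on BIND versions before 9.16
    file "example.com.db";

    update-policy {
        // Coarse, zone-level permission. This is roughly what a
        // cloud provider with zone-granular IAM hands out: any name
        // in the zone, any record type the policy allows.
        // grant team-b-key zonesub ANY;

        // Granular permission instead: updates signed with
        // team-b-key may touch b.example.com and any name beneath
        // it, and only for the listed record types. Names elsewhere
        // in the zone (e.g. www.example.com) are refused.
        grant team-b-key subdomain b.example.com. A AAAA TXT SRV CNAME;
    };
};
```

A practitioner can check the policy without touching the zone data by sending a signed dynamic update, for example `nsupdate -k team-b-key.key` with `update add host1.b.example.com. 300 A 192.0.2.10` followed by `send`, and then a second run against `www.example.com.`, which should come back REFUSED. Two caveats worth keeping in mind: the identity in a "grant" line is the TSIG key name (or Kerberos principal) that signs the update, so each team needs its own key; and the record-type list matters, since a grant that includes NS would let the other team create a delegation inside the branch, which is exactly the zone cut this pattern is meant to avoid.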