[dns-wg] NCC reverse delegation criteria
Ralf Weber
dns at fl1ger.de
Wed Jun 12 07:07:27 CEST 2019
Moin!

On 11 Jun 2019, at 20:40, Jonas Frey wrote:
> I do see 3 major benefits to combine/unify these:
> - "saving" IP addresses (depending on how many you run of course[1])

Should not be a problem with IPv6, and running the same function like http on the same IP is quite different from running different functions (recursive vs authoritative DNS) on the same IP.

> - less effort managing (not having multiple places for configuration
> thus unifying [automated] setup)

That is wrong. You have more effort managing as you need to update the server software more often. I cannot count the number of times some CVE in bind was caused by the fact that it is both a recursive and authoritative server. From a security perspective these have different attack scenarios and you now need to take care of both and some mitigations are only applicable to one function.

> - saving resources (servers, virtual machines, whatever they run on)

Those are machine resources and cheap. Your manpower resources running mixed servers are higher as you have to be a lot more careful how you treat a mixed function dns server.

Even pure bind shops these days run their servers with only one function. And all modern DNS software is either authoritative or recursive and there is a good reason for that. Unless you believe people dealing with this for decades are wrong.

So long
-Ralf
--
Ralf Weber