Date:      Mon, 18 Nov 2002 16:41:04 -0800
From:      Terry Lambert <tlambert2@mindspring.com>
To:        Brad Knowles <brad.knowles@skynet.be>
Cc:        freebsd-current@freebsd.org
Subject:   Re: Run two copies of named from rc.conf?
Message-ID:  <3DD988A0.2DD58687@mindspring.com>
References:  <20021118041523.GA45159@BSDWins.Com> <3DD8822C.1D337FDB@mindspring.com> <a05200f0fb9ff1d5ae47e@[146.106.12.76]>

Brad Knowles wrote:
>         It depends on how you do it.  You could $INCLUDE the exterior
> file inside the interior file, if that subset of information is the
> same.  You could also use BIND 9 "views".  Otherwise, split-horizon
> can be a pain.

If you have a LAN behind a transient network connection, and you
want your LAN to function without degradation as a result of losing
the link ("Who ever heard of DSL going out?"), then you want to have
your on site DNS server be authoritative.

But.  If you are transiently connected, then if the on site DNS
server is authoritative, then there is no way to look up externally
hosted services via DNS, unless the external DNS, also a hosted
service, and therefore not transiently connected, is authoritative.

One potential answer to this is that the external DNS is a secondary
of a "stealth primary" running at your local site.  However, this
has the unfortunate effect that a persistent outage will become a
general outage, should it last longer than the TTL for the externally
visible records.

In addition, there are no NOTIFY updates sent to the secondaries, if
the primary is offline when it is updated.

In addition, making the primary MX on site means a 3 minute delay
on all external mail send attempts to the site domain(s), as the
connection attempt times out and falls back to the secondaries,
which are externally hosted.

Finally, externally hosted resources may require changes as the
actual facilities are changed around.  This includes relocation
of primary and secondary external MX's, relocation of web services,
relocation of database and other outsourced services, relocation of
shopping cart services, etc.  This may include relocation of the
primary IP address of the customer site, which would also require a
change to the IP address configured into the secondaries of the
stealth primaries.

Basically, what this boils down to is that you are never fully
authoritative for a domain for which there exist externally hosted
services, and such services must have priority over transiently
connected services.

For this to work, you have to have a DNS server that's external
(hosted, and therefore always available), as well as being seen
to be authoritative.

For local authority, then, you must delegate authority, without
delegating it as a subdomain, to the external server.  The easiest
way to do this is to, on a local lookup miss, forward the request
to an external server, even if you are the authoritative server,
AND to replicate local DNS information to the external authoritative
server, as well.

DNS does not support this right now, even with BIND 9's "views".


The entire point of people coming onto the Internet for the first
time is to make themselves appear "real", "clueful", etc., and
that means a virtual non-transient connection, which basically
means external hosting of visible services by a third party, so
that it looks like the company has a full time Internet connection,
rather than looking like a "Mom and Pop" with only a dialup or
other transient connection.

Yeah, that doesn't sit very well with you, if you are a company
who wants to sell one server to each of 100 customers, rather
than 6 servers to a hosting provider, but tough: there's no law
that requires me to protect your business model, unless you are
a member of the music or motion picture industry, and have bribed
enough senators.

-- Terry
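As an added illustration of the two approaches discussed in this thread (Brad's suggestion of BIND 9 "views" with the exterior zone file `$INCLUDE`d into the interior one, and Terry's "stealth primary" arrangement where the hosted servers are the only advertised name servers), the following BIND 9 configuration is example material written for this archive page, not something posted by either author. Every name and address in it is assumed: `example.com` as the domain, `192.168.1.0/24` as the LAN, `198.51.100.10` as the site's public address, and `203.0.113.53`/`203.0.113.54` as the externally hosted secondaries. It does not make the local server forward on a miss within its own authoritative zone, which is the gap Terry describes above.

```conf
// ---- named.conf (BIND 9, added example; all names/addresses assumed) ----
options {
    directory "/etc/namedb";
    listen-on { 127.0.0.1; 192.168.1.1; };   // LAN side only (assumed)
};

acl "lan" { 127.0.0.0/8; 192.168.1.0/24; };

// Internal view: LAN clients only. Authoritative for the domain from the
// interior zone file and recursive for everything else, so the LAN keeps
// resolving its own names when the uplink is down.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    zone "example.com" {
        type master;
        file "master/example.com.internal";
    };
};

// External view: everyone else. Same zone name, exterior records only,
// no recursion. This site is a stealth primary: it is not listed in the
// NS set, so NOTIFY goes only to the hosted secondaries named here, and
// only those secondaries may pull transfers.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "master/example.com.external";
        notify explicit;
        also-notify   { 203.0.113.53; 203.0.113.54; };   // assumed hosted secondaries
        allow-transfer { 203.0.113.53; 203.0.113.54; };
    };
};

; ---- master/example.com.external (served to the Internet) ----
$TTL 3600
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2002111801      ; serial (assumed)
                3600            ; refresh
                900             ; retry
                604800          ; expire: how long secondaries keep serving
                                ; if the stealth primary is unreachable
                3600 )          ; negative-caching TTL
        IN NS   ns1.example.com.        ; both advertised NS are hosted;
        IN NS   ns2.example.com.        ; the on-site primary stays hidden
ns1     IN A    203.0.113.53
ns2     IN A    203.0.113.54
www     IN A    203.0.113.80            ; assumed externally hosted web service
@       IN MX   10 mx.example.com.
mx      IN A    203.0.113.25            ; assumed externally hosted mail
gw      IN A    198.51.100.10           ; assumed public address of the site

; ---- master/example.com.internal (served to the LAN only) ----
$TTL 3600
$INCLUDE master/example.com.external    ; exterior subset pulled in verbatim
fileserver  IN A  192.168.1.20          ; LAN-only records; never leave the
printer     IN A  192.168.1.21          ; internal view
```

The `$INCLUDE` keeps the externally visible records in one place, so the interior file carries only the LAN-only names, and `match-clients` ordering means a LAN client never sees the external view. The SOA `expire` value, not the record TTL, is what bounds how long the hosted secondaries keep answering while the stealth primary is unreachable; the caching-TTL outage Terry describes applies to resolvers that have already cached the records when the hosted secondaries also go away.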
