From owner-freebsd-current Mon Nov 18 16:49:23 2002
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5A57037B404 for ; Mon, 18 Nov 2002 16:49:21 -0800 (PST)
Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7418943EE5 for ; Mon, 18 Nov 2002 16:44:19 -0800 (PST) (envelope-from tlambert2@mindspring.com)
Received: from pool0159.cvx22-bradley.dialup.earthlink.net ([209.179.198.159] helo=mindspring.com) by hawk.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 18DwUI-00026D-00; Mon, 18 Nov 2002 16:43:34 -0800
Message-ID: <3DD988A0.2DD58687@mindspring.com>
Date: Mon, 18 Nov 2002 16:41:04 -0800
From: Terry Lambert
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Brad Knowles
Cc: freebsd-current@freebsd.org
Subject: Re: Run two copies of named from rc.conf?
References: <20021118041523.GA45159@BSDWins.Com> <3DD8822C.1D337FDB@mindspring.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Brad Knowles wrote:
> It depends on how you do it. You could $INCLUDE the exterior
> file inside the interior file, if that subset of information is the
> same. You could also use BIND 9 "views". Otherwise, split-horizon
> can be a pain.

If you have a LAN behind a transient network connection, and you want your LAN to function without degradation as a result of losing the link ("Who ever heard of DSL going out?"), then you want to have your on site DNS server be authoritative.

But.
If you are transiently connected, then if the on site DNS server is authoritative, there is no way to look up externally hosted services via DNS, unless the external DNS, also a hosted service, and therefore not transiently connected, is authoritative.

One potential answer to this is that the external DNS is a secondary of a "stealth primary" running at your local site. However, this has the unfortunate effect that a persistent outage will become a general outage, should it last longer than the TTL for the externally visible records. In addition, there are no NOTIFY updates sent to the secondaries, if the primary is offline when it is updated.

In addition, making the primary MX on site means a 3 minute delay on all external mail send attempts to the site domain(s), as the connection attempt times out and falls back to the secondaries, which are externally hosted.

Finally, externally hosted resources may require changes as the actual facilities are changed around. This includes relocation of primary and secondary external MX's, relocation of web services, relocation of database and other outsourced services, relocation of shopping cart services, etc. This may include relocation of the primary IP address of the customer site, which would also require a change to the IP address configured into the secondaries of the stealth primaries.

Basically, what this boils down to is that you are never fully authoritative for a domain for which there exist externally hosted services, and such services must have priority over transiently connected services.

For this to work, you have to have a DNS server that's external (hosted, and therefore always available), as well as being seen to be authoritative. For local authority, then, you must delegate authority, without delegating it as a subdomain, to the external server.
The easiest way to do this is to, on a local lookup miss, forward the request to an external server, even if you are the authoritative server, AND to replicate local DNS information to the external authoritative server, as well. DNS does not support this right now, even with BIND 9's "views".

The entire point of people coming onto the Internet for the first time is to make themselves appear "real", "clueful", etc., and that means a virtual non-transient connection, which basically means external hosting of visible services by a third party, so that it looks like the company has a full time Internet connection, rather than looking like a "Mom and Pop" with only a dialup or other transient connection.

Yeah, that doesn't sit very well with you, if you are a company who wants to sell one server to each of 100 customers, rather than 6 servers to a hosting provider, but tough: there's no law that requires me to protect your business model, unless you are a member of the music or motion picture industry, and have bribed enough senators.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
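As an added example, not from Terry's message or anyone else in the thread: a small Python check for the failure mode he describes with a stealth primary, where external secondaries miss NOTIFY while the primary is offline, fall behind, and eventually expire. The SOA values and "seconds since last successful refresh" figures are constructed stand-ins for what each server would return to a SOA query; serial comparison follows RFC 1982 serial-number arithmetic so a wrapped serial is still detected as newer.

```python
"""Drift check for a stealth primary and its external secondaries.

Added example (not from the original thread). The SOA figures below are
constructed; in practice they would come from querying each server.
"""
from dataclasses import dataclass

SERIAL_HALF = 1 << 31  # half the 32-bit serial space (RFC 1982)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: is serial a 'greater than' b, allowing for 32-bit wrap?"""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


@dataclass(frozen=True)
class Soa:
    serial: int
    refresh: int   # seconds between secondary refresh attempts
    retry: int     # seconds between retries after a failed refresh
    expire: int    # seconds after last success before the zone is dropped


def secondary_status(primary: Soa, secondary: Soa, since_refresh: int) -> str:
    """Classify one secondary relative to the (possibly offline) primary."""
    if since_refresh >= secondary.expire:
        return "expired"   # zone discarded: the 'general outage' case
    if serial_gt(primary.serial, secondary.serial):
        return "behind"    # missed NOTIFY / failed refresh while primary was down
    if serial_gt(secondary.serial, primary.serial):
        return "ahead"     # secondary newer than primary: something is misconfigured
    return "in-sync"


def seconds_until_expire(secondary: Soa, since_refresh: int) -> int:
    """How long this secondary keeps serving if the primary stays unreachable."""
    return max(0, secondary.expire - since_refresh)


def drift_report(primary: Soa, secondaries: dict) -> dict:
    """Map secondary name -> (status, seconds until expire).

    `secondaries` maps a name to (Soa, seconds since last successful refresh).
    """
    return {
        name: (secondary_status(primary, soa, since), seconds_until_expire(soa, since))
        for name, (soa, since) in secondaries.items()
    }
```

Values constructed for a quick run: a primary at serial 2002111801 (3600/900/604800) against one secondary still on 2002111800 reports "behind", and the same secondary with 604800 seconds since its last refresh reports "expired".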