public inbox for gentoo-user@lists.gentoo.org
From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Running HTTP and DNS on same machine
Date: Fri, 19 Aug 2011 09:17:10 +0200	[thread overview]
Message-ID: <3962619.3ULkQmIFNW@nazgul> (raw)
In-Reply-To: <CA+czFiAAq+rubihFZ9g6Fu-WqN0CKbscb8f8dn4LNbKeGhRHag@mail.gmail.com>

On Thu 18 August 2011 14:36:26 Michael Mol did opine thusly:
> On Thu, Aug 18, 2011 at 2:17 PM, Florian Philipp <lists@binarywings.net> wrote:
> > Am 18.08.2011 03:35, schrieb Michael Mol:
> >> On Wed, Aug 17, 2011 at 5:53 PM, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> >>> On Wed 17 August 2011 17:23:41 Michael Mol did opine thusly:
> >>> At a minimum they should be on different interfaces and
> >>> preferably in chroots. Otherwise all manner of $BAD_STUFF
> >>> happens.
> >> 
> >> Hm. Interested.
> >> 
> >> echo $BAD_STUFF
> >> 
> >> (or URI)
> > 
> > URI: http://cr.yp.to/djbdns/separation.html
> 
> Ah, gotcha. Yeah, I'm a bit worried about that. Even though I use a
> FQDN, I'm only authoritative within my own network and I don't (yet)
> expose my DNS records publicly. (It all resolves to RFC1918
> addresses...what'd be the point?)

On your scale you'd probably get away with it, that's why I made that 
little note earlier.

Throughout this thread I've been replying from the viewpoint of having 
very large auth servers to maintain, I have to deal with stuff you'd 
likely never see, simply because you only have one zone. My employers 
have seen fit to sign up something like 40,000 zones from customers 
then said "Here you Alan, make this work."

Aside from security and integrity issues, all sorts of interesting 
data problems happen on that scale, and they all seem to trace back 
to inappropriate use of glue. Sooner or later you will find a record 
you need to look up for purposes other than it being an NS, and you 
have it already in glue. If you are using that BIND instance also as a 
cache, it will never do a proper lookup for that glue record as it is 
ALREADY authoritative. You will go nuts and turn your brains into 
scrambled eggs trying to find that one. (Exactly the same weird issues 
can be found in almost any kind of coding problem using data and 
linked data structures; it's not unique to DNS.)

Any large DNS provider should (and almost all do) keep the caches and 
auth servers distinctly separate. Most also split top-level and 
second-level domains too.


-- 
alan dot mckinnon at gmail dot com
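The split Alan describes above (authoritative and caching roles in separate named instances, each bound to its own interface, the auth one never recursing) as an added BIND configuration example. This is not configuration posted in the thread; the addresses are RFC 5737/RFC 1918 documentation values and the file paths are assumed for illustration. The first fragment is the combined setup the message warns about; the two that follow are the separated replacement.

```conf
// ---- BEFORE (combined, the shape that produces the glue problem) ----
// One named does both jobs: it is authoritative for example.com AND
// recurses for LAN clients. Anything held as glue for example.com's NS
// hosts is answered from the authoritative data, never re-resolved,
// and the public interface also exposes an open-ish recursive service.
//
// options {
//     listen-on { any; };
//     recursion yes;
// };
// zone "example.com" { type master; file "pri/example.com.zone"; };

// ---- AFTER, file 1: /etc/bind/named-auth.conf (authoritative only) ----
// Start with:  named -c /etc/bind/named-auth.conf -u named -t /chroot/dns-auth
options {
    directory "/var/bind";
    pid-file "/run/named/named-auth.pid";   // distinct from the cache instance
    listen-on { 192.0.2.53; };               // public interface only (assumed address)
    listen-on-v6 { none; };
    recursion no;                            // never resolve on behalf of anyone
    allow-query { any; };                    // this is the public face of the zones
    allow-query-cache { none; };             // there is no cache here to expose
    allow-transfer { 192.0.2.54; };          // secondaries only (assumed address)
    minimal-responses yes;                   // do not volunteer extra glue/additional data
};

zone "example.com" {
    type master;
    file "pri/example.com.zone";
};

// ---- AFTER, file 2: /etc/bind/named-cache.conf (recursive cache only) ----
// Start with:  named -c /etc/bind/named-cache.conf -u named -t /chroot/dns-cache
options {
    directory "/var/bind";
    pid-file "/run/named/named-cache.pid";
    listen-on { 127.0.0.1; 192.168.1.53; };  // internal interface only (assumed address)
    listen-on-v6 { ::1; };
    recursion yes;
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
    allow-transfer { none; };
};
// Deliberately no zone "example.com" statement here: the cache resolves
// example.com names like any other, walking the delegation and refreshing
// the NS addresses on their TTL instead of serving its own stale glue.
```

To check the split holds, query each instance with dig and look at the flags: the auth instance should answer `dig @192.0.2.53 www.example.com` with `aa` set and `ra` absent, and should return REFUSED for a name it does not serve, while the cache instance answers `dig @192.168.1.53 www.example.com` with `ra` set and `aa` clear. If the cache answer ever comes back with `aa`, a zone has leaked into the caching instance and the glue shadowing described above is back.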


