From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Running HTTP and DNS on same machine
Date: Fri, 19 Aug 2011 09:17:10 +0200 [thread overview]
Message-ID: <3962619.3ULkQmIFNW@nazgul> (raw)
In-Reply-To: <CA+czFiAAq+rubihFZ9g6Fu-WqN0CKbscb8f8dn4LNbKeGhRHag@mail.gmail.com>
On Thu 18 August 2011 14:36:26 Michael Mol did opine thusly:
> On Thu, Aug 18, 2011 at 2:17 PM, Florian Philipp
> <lists@binarywings.net> wrote:
> > Am 18.08.2011 03:35, schrieb Michael Mol:
> >> On Wed, Aug 17, 2011 at 5:53 PM, Alan McKinnon
> >> <alan.mckinnon@gmail.com> wrote:
> >>> On Wed 17 August 2011 17:23:41 Michael Mol did opine thusly:
> >>> At a minimum they should be on different interfaces and
> >>> preferably in chroots. Otherwise all manner of $BAD_STUFF
> >>> happens.
> >>
> >> Hm. Interested.
> >>
> >> echo $BAD_STUFF
> >>
> >> (or URI)
> >
> > URI: http://cr.yp.to/djbdns/separation.html
>
> Ah, gotcha. Yeah, I'm a bit worried about that. Even though I use a
> FQDN, I'm only authorative within my own network and I don't (yet)
> expose my DNS records publicly. (It all resolves to RFC1918
> addresses...what'd be the point?)
On your scale you'd probably get away with it; that's why I made that
little note earlier.
Throughout this thread I've been replying from the viewpoint of having
very large auth servers to maintain. I have to deal with stuff you'd
likely never see, simply because you only have one zone. My employers
have seen fit to sign up something like 40,000 zones from customers,
then said "Here you Alan, make this work."
Aside from security and integrity issues, all sorts of interesting
data problems happen on that scale, and they all seem to trace back
to inappropriate use of glue. Sooner or later you will find a record
you need to look up for purposes other than it being an NS, and you
have it already in glue. If you are using that bind instance also as a
cache, it will never do a proper look up for that glue record as it is
ALREADY authoritative. You will go nuts and turn your brains into
scrambled eggs trying to find that one. (exactly the same weird issues
can be found in almost any kind of coding problem using data and
linked data structures, it's not unique to DNS).
Any large DNS provider should (and almost all do) keep the caches and
auth servers distinctly separate. Most also split top-level and
second-level domains too.
--
alan dot mckinnon at gmail dot com
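Added example, not from the thread or from any poster: a toy model of the glue-shadowing problem Alan describes. One server holds a customer zone (constructed names and addresses) that carries out-of-bailiwick glue for a nameserver in someone else's zone; when that same instance also answers as a cache, the stale glue wins over a proper lookup, while a separate cache with no zones loaded walks the tree and gets the current answer. A small audit helper flags such glue so it can be found before it bites.

```python
from typing import Dict, List, Optional

# Constructed sample data. Zone data loaded into the authoritative server:
# the customer zone copies in an A record for a nameserver that lives in
# a different zone ("other.test."), i.e. glue that is not in-bailiwick.
AUTH_ZONES: Dict[str, Dict[str, Dict[str, List[str]]]] = {
    "customer.test.": {
        "customer.test.": {"NS": ["ns1.other.test."]},
        "ns1.other.test.": {"A": ["192.0.2.10"]},   # glue copied in long ago, now stale
    },
}

# What the public DNS tree would answer today if we actually recursed.
WORLD: Dict[str, Dict[str, List[str]]] = {
    "ns1.other.test.": {"A": ["198.51.100.7"]},    # the address the host really has now
}


def recurse(name: str, rtype: str) -> Optional[List[str]]:
    """Stand-in for a real recursive lookup through the DNS tree."""
    return WORLD.get(name, {}).get(rtype)


def local_data(name: str, rtype: str) -> Optional[List[str]]:
    """Records the server already holds as authoritative or glue data."""
    for zone in AUTH_ZONES.values():
        if name in zone and rtype in zone[name]:
            return zone[name][rtype]
    return None


def combined_lookup(name: str, rtype: str) -> Optional[List[str]]:
    """Auth + cache in one instance: local data is 'already authoritative',
    so the stale glue is returned and no proper lookup ever happens."""
    return local_data(name, rtype) or recurse(name, rtype)


def separated_cache_lookup(name: str, rtype: str) -> Optional[List[str]]:
    """A cache with no zones loaded always walks the tree."""
    return recurse(name, rtype)


def find_out_of_bailiwick_glue(zones=AUTH_ZONES) -> Dict[str, List[str]]:
    """Audit helper: names carried in a zone that do not sit at or below its apex."""
    bad: Dict[str, List[str]] = {}
    for apex, records in zones.items():
        for name in records:
            if name != apex and not name.endswith("." + apex):
                bad.setdefault(apex, []).append(name)
    return bad
```

Querying `ns1.other.test. A` for a reason unrelated to its NS role (say, to reach the host itself) gives the stale `192.0.2.10` from the combined instance and the current `198.51.100.7` from the separated cache.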