[lug] DNS operational question(s)

Kirk Rafferty kirk at fpcc.net
Tue Apr 10 12:39:31 MDT 2001


On Tue, Apr 10, 2001 at 10:37:42AM -0600, Atkinson, Chip wrote:
> Can you specify different name servers for different types of records?  For
> example, can one specify one server for MX records and another server for
> the A(?) records?

I'm pretty sure you can't do this, at least with BIND.  Basically, WHOIS
determines which nameservers will resolve anything at that domain (or, at
least who it should look to for resolution).  Once at the nameserver level,
the information for that domain (A, CNAME, MX, etc) is either on that server
or delegated to another server.  I don't think you can tell BIND to look at
arecords.foo.com for A records, and mxrecords.foo.com for MX records.  It's
an all-or-nothing thing.  Which seems like a good thing to me.  Managing
DNS is tricky enough without distributing individual records across servers.

If you're thinking of it for load-balancing issues, keep in mind that DNS
traffic accounts for a very small portion of your network traffic.  Even
if you could distribute your DNS records, your primary server would still
take a hit, just so it could tell the querying system where to get the
desired record.  Or your primary server would have to go fetch the desired
record itself.  Either way, you lose anything you gained by distribution.

> What are the complexity issues with DNS that prevent someone else from
> "quickly" writing their own version of BIND that's not so susceptible to
> cracking?

The fact that BIND has withstood the test of time would seem to indicate
that there's really not a "quick" way to write a new version.  Companies
like Microsoft have tried to write their own DNS services, with (*ahem*)
varying degrees of success.  DNS is one of those things that are elegant
conceptually, but downright nasty in implementation.

Keep in mind, too, that the BIND vulnerability in versions prior to 8.2.3
was met with a fix in almost no time.  So really, staying with BIND would
seem to be the quickest way to avoid BIND exploits (if that makes sense).

By the way, BIND 9 is an almost complete re-write of BIND 8.  9.1.1 was
released at the end of March.  I haven't used it, but I understand it
has some pretty severe scalability problems.  My advice: Don't use it if
the root servers ain't using it. :-)

-k
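The point made above, that delegation happens per name (a zone cut marked by an NS RRset) and never per record type, can be shown with a small model of how an authoritative server decides whether to answer or refer. The following is an added example written for this page; it is not code from the post, from BIND, or from any other project. The zone text, the foo.com/lab.foo.com names, the 192.0.2.x addresses and the server names are all constructed for the illustration.

```python
"""Zone-cut delegation model (added example, not from the original post).

A resolver or authoritative server picks the servers for a name by finding
the deepest enclosing zone cut (an NS RRset below the apex). The record
type asked for never enters into that decision, so A and MX for the same
owner name always come from the same servers.
"""

# Constructed zone in BIND master-file style; names and addresses are made up.
ZONE_TEXT = """
$ORIGIN foo.com.
@        IN  SOA   ns1.foo.com. hostmaster.foo.com. (2001041001 3600 900 604800 86400)
@        IN  NS    ns1.foo.com.
@        IN  NS    ns2.foo.com.
@        IN  MX    10 mail.foo.com.
@        IN  A     192.0.2.1
ns1      IN  A     192.0.2.2
ns2      IN  A     192.0.2.3
mail     IN  A     192.0.2.4
www      IN  CNAME foo.com.
; a zone cut: the whole lab subdomain is delegated, every record type of it
lab      IN  NS    ns1.lab.foo.com.
ns1.lab  IN  A     192.0.2.10
"""


def _fqdn(name, origin):
    """Make a master-file owner name absolute and lower-case."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text):
    """Parse a simplified master file into (origin, [(owner, type, rdata)]).

    Handles $ORIGIN, '@', relative names, ';' comments, an optional IN class
    and single-line SOA parentheses. Multi-line records and $TTL are not
    needed here and are not supported.
    """
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        fields = line.replace("(", " ").replace(")", " ").split()
        owner = _fqdn(fields[0], origin)
        rest = fields[2:] if fields[1].upper() == "IN" else fields[1:]
        records.append((owner, rest[0].upper(), [f.lower() for f in rest[1:]]))
    return origin, records


def _in_zone(name, apex):
    return name == apex or name.endswith("." + apex)


def authority_for(qname, origin, records):
    """Return (zone_cut, ns_targets) responsible for qname.

    The deepest owner at or above qname carrying an NS RRset wins: a delegated
    subzone if one encloses qname, otherwise the apex itself.
    """
    qname = qname.lower()
    if not _in_zone(qname, origin):
        raise ValueError(f"{qname} is not under {origin}")
    cut = origin
    for owner, rtype, _ in records:
        if rtype == "NS" and owner != origin and _in_zone(qname, owner) \
                and len(owner) > len(cut):
            cut = owner
    return cut, [r[0] for o, t, r in records if o == cut and t == "NS"]


def answer(qname, qtype, origin, records):
    """What this zone's server says: ANSWER, REFERRAL, NODATA or NXDOMAIN."""
    cut, servers = authority_for(qname, origin, records)
    if cut != origin:
        # Below a zone cut this server is not authoritative; it only refers.
        return ("REFERRAL", cut, servers)
    qname = qname.lower()
    owned = [(t, r) for o, t, r in records if o == qname]
    hits = [r for t, r in owned if t == qtype.upper()]
    if not hits:  # a CNAME at the owner is returned whatever type was asked
        hits = [r for t, r in owned if t == "CNAME"]
    if hits:
        return ("ANSWER", qname, hits)
    return ("NODATA" if owned else "NXDOMAIN", qname, [])


if __name__ == "__main__":
    origin, records = parse_zone(ZONE_TEXT)
    for q in [("foo.com.", "A"), ("foo.com.", "MX"),
              ("host.lab.foo.com.", "A"), ("host.lab.foo.com.", "MX")]:
        print(q, "->", answer(*q, origin, records))
```

Running it shows that A and MX for foo.com. are both answered by the apex servers, while A and MX for anything under lab.foo.com. both get the same referral to ns1.lab.foo.com.: the cut is by name, and there is no place in the lookup where the type could select a different server.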
