[lug] DNS operational question(s)
Atkinson, Chip
CAtkinson at Circadence.com
Tue Apr 10 13:19:52 MDT 2001
Thank you very much for the information. I kind of thought what you said
was the case, but I really appreciate the second opinion.
Chip
> -----Original Message-----
> From: Kirk Rafferty [mailto:kirk at fpcc.net]
> Sent: Tuesday, April 10, 2001 12:40 PM
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] DNS operational question(s)
>
>
> On Tue, Apr 10, 2001 at 10:37:42AM -0600, Atkinson, Chip wrote:
> > Can you specify different name servers for different types of records? For
> > example, can one specify one server for MX records and another server for
> > the A(?) records?
>
> I'm pretty sure you can't do this, at least with BIND. Basically, WHOIS
> determines which nameservers will resolve anything at that domain (or, at
> least who it should look to for resolution). Once at the nameserver level,
> the information for that domain (A, CNAME, MX, etc.) is either on that server
> or delegated to another server. I don't think you can tell BIND to look at
> arecords.foo.com for A records, and mxrecords.foo.com for MX records. It's
> an all or nothing thing. Which seems like a good thing to me. Managing
> DNS is tricky enough without distributing individual records across servers.
>
> If you're thinking of it for load-balancing issues, keep in mind that DNS
> traffic accounts for a very small portion of your network traffic. Even
> if you could distribute your DNS records, your primary server would still
> take a hit, just so it could tell the querying system where to get the
> desired record. Or your primary server would have to go fetch the desired
> record itself. Either way, you lose anything you gained by distribution.
>
> > What are the complexity issues with DNS that prevent someone else from
> > "quickly" writing their own version of BIND that's not so susceptible to
> > cracking?
>
> The fact that BIND has withstood the test of time would seem to indicate
> that there's really not a "quick" way to write a new version. Companies
> like Microsoft have tried to write their own DNS services, with (*ahem*)
> varying degrees of success. DNS is one of those things that are elegant
> conceptually, but downright nasty in implementation.
>
> Keep in mind too, that the BIND vulnerability in versions prior to 8.2.3
> was met with a fix in almost no time. So really, staying with BIND would
> seem to be the quickest way to avoid BIND exploits (if that makes sense).
>
> By the way, BIND 9 is an almost complete re-write of BIND 8. 9.1.1 was
> released at the end of March. I haven't used it, but I understand it
> has some pretty severe scalability problems. My advice: Don't use it if
> the root servers ain't using it. :-)
>
> -k
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
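The point in the reply above, that which nameserver answers is decided by the name being queried and never by the record type, can be seen in a small model of zone cuts and referrals. The following is an added example written for this page, not code from the thread or from BIND. foo.com is taken from the question; hosts.foo.com, ns1.foo.com, ns.hosts.foo.com, a.gtld-servers.example and every address are constructed. It also shows the one kind of split that delegation does allow: the MX record for foo.com has to live in the foo.com zone, but the A record of the mail host it names can sit in a delegated child zone served by a different machine, as long as the parent carries glue for the child's nameserver.

```python
"""Toy model of DNS zone cuts and referrals.

Added example for this page (not from the thread, not BIND code).  The
zone data is constructed: foo.com comes from the question; every other
name and address here is hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    origin: str            # zone apex, e.g. "foo.com."
    server: str            # hostname of the server authoritative for it
    records: dict = field(default_factory=dict)      # (owner, type) -> [rdata]
    delegations: dict = field(default_factory=dict)  # child apex -> [NS hostnames]


def in_zone(name, apex):
    """True if `name` is at or below `apex` (both fully qualified)."""
    return name == apex or name.endswith("." + apex)


# Constructed zones: a registry zone for com., the customer zone foo.com.,
# and one child zone hosts.foo.com. delegated to a different server.
ZONES = {
    "com.": Zone("com.", "a.gtld-servers.example",          # hypothetical registry server
                 records={("ns1.foo.com.", "A"): ["192.0.2.53"]},   # glue for foo.com.'s NS
                 delegations={"foo.com.": ["ns1.foo.com."]}),
    "foo.com.": Zone("foo.com.", "ns1.foo.com.",
                     records={
                         ("foo.com.", "A"): ["192.0.2.10"],
                         ("foo.com.", "MX"): ["10 mx1.hosts.foo.com."],
                         ("ns1.foo.com.", "A"): ["192.0.2.53"],
                         ("ns.hosts.foo.com.", "A"): ["192.0.2.54"],  # glue for the child
                     },
                     delegations={"hosts.foo.com.": ["ns.hosts.foo.com."]}),
    "hosts.foo.com.": Zone("hosts.foo.com.", "ns.hosts.foo.com.",
                           records={
                               ("mx1.hosts.foo.com.", "A"): ["192.0.2.25"],
                               ("ns.hosts.foo.com.", "A"): ["192.0.2.54"],
                           }),
}


def resolve(name, rtype, start="com."):
    """Follow referrals from `start` until no delegation covers `name`, then
    answer from that zone.  Returns (answering server, rdata list, path of
    servers asked).  `rtype` is consulted only at the very end: which server
    answers is decided entirely by `name`."""
    zone = ZONES[start]
    path = [zone.server]
    while True:
        child = next((apex for apex in zone.delegations if in_zone(name, apex)), None)
        if child is None:
            return zone.server, zone.records.get((name, rtype), []), path
        ns_host = zone.delegations[child][0]
        if in_zone(ns_host, child) and (ns_host, "A") not in zone.records:
            # In-bailiwick NS with no glue: the referral cannot be followed.
            raise LookupError(f"no glue for {ns_host} in {zone.origin}")
        zone = ZONES[child]
        path.append(zone.server)


def same_server_for_all_types(name, types=("A", "MX", "CNAME", "TXT")):
    """Every record type of `name` is answered by one server: delegation is per name."""
    return len({resolve(name, t)[0] for t in types}) == 1


def where_mail_is_served(domain):
    """(server answering the MX for `domain`, server answering the A of the MX target)."""
    mx_server, mx_rdata, _ = resolve(domain, "MX")
    target = mx_rdata[0].split()[1]        # "10 mx1.hosts.foo.com." -> exchanger name
    return mx_server, resolve(target, "A")[0]


def delegations_missing_glue():
    """Lint: each in-bailiwick NS named in a delegation needs a glue A record in the parent."""
    missing = []
    for zone in ZONES.values():
        for child, hosts in zone.delegations.items():
            for host in hosts:
                if in_zone(host, child) and (host, "A") not in zone.records:
                    missing.append((zone.origin, child, host))
    return missing


if __name__ == "__main__":
    for q in [("foo.com.", "A"), ("foo.com.", "MX"), ("mx1.hosts.foo.com.", "A")]:
        server, rdata, path = resolve(*q)
        print(f"{q[0]} {q[1]:<3} answered by {server:<20} via {' -> '.join(path)}: {rdata}")
    print("MX for foo.com. and A of its exchanger served by:", where_mail_is_served("foo.com."))
    print("delegations missing glue:", delegations_missing_glue())
```

Run stand-alone it prints the referral path for each query: resolve("foo.com.", "A") and resolve("foo.com.", "MX") both end at ns1.foo.com., while the A record for mx1.hosts.foo.com. is answered by ns.hosts.foo.com. after two referrals. delegations_missing_glue() catches the operational mistake that usually bites when a child zone is carved out this way: delegating to a nameserver whose own name is inside the child without leaving its address in the parent, which makes the referral unfollowable.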