From: Dave Wilson (dave.wilson at domain heanet.ie)
Date: Fri 12 Apr 2002 - 16:20:09 IST
> Why? Lots of reasons...
> Security: nobody can poison your _authoritative_ name server [process].
> Security: a problem in the resolving code isn't exposed to the world.
> Security: less code faces the world.
> Reliability: greedy resolving clients don't tie up your auth name server.
> Speed: the resolving code can be optimised for resolving,
> the auth serving code for auth serving.

Agree that these are compelling reasons to split your DNS servers.
Disagree that they are sufficient to justify the extra complexity in
*all* cases to the point where one's competence is in question.
> Seems to me that there'd be a whole lot less open relays in the world (and
> a *whole* lot less spam) if destination mail servers ("MX" servers) really
> were distinct from relay servers... So yes, exactly like that. :-)

Disagree; the problem is that the relay server has a bad configuration,
regardless of whether it can also act as an MX server. But I'm taking
this way too far off topic :-)
I think we do actually reverse-delegate each /24 separately if a client
has an allocation of the order /21-/23; however for delegations below
the /24 boundary, the reading up to get classless delegation working is
marginal compared to the setting up of the server in the first place.
Dave
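The classless (RFC 2317) reverse delegation Dave mentions for blocks smaller than a /24 works by having the parent in-addr.arpa zone alias each address into a customer-controlled child zone; the following is an added example, not code from the list or the poster, and the 192.0.2.64/26 block, ns1.customer.example and www.customer.example are constructed values.

```python
import ipaddress


def classless_delegation(prefix: str, nameservers: list[str]):
    """Build the parent-zone records for an RFC 2317 classless in-addr.arpa
    delegation of an IPv4 block smaller than a /24.

    Returns (parent_zone, parent_records, child_zone). The parent zone keeps
    the NS records plus one CNAME per address; the customer's child zone is
    named "<first-address>/<prefixlen>.<parent zone>" and holds the PTRs.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        # A /24 or larger is delegated the ordinary way; RFC 2317 is for smaller blocks.
        raise ValueError("classless delegation applies to IPv4 blocks longer than /24")
    o1, o2, o3, first = net.network_address.packed  # 4 bytes unpack to 4 ints
    parent_zone = f"{o3}.{o2}.{o1}.in-addr.arpa."
    child_label = f"{first}/{net.prefixlen}"        # "/" is a legal DNS label character
    child_zone = f"{child_label}.{parent_zone}"
    records = [f"{child_label}\tIN\tNS\t{ns}" for ns in nameservers]
    for addr in net:
        last = addr.packed[3]
        # Every reverse name in the block is aliased into the customer's zone.
        records.append(f"{last}\tIN\tCNAME\t{last}.{child_zone}")
    return parent_zone, records, child_zone


def ptr_record(child_zone: str, address: str, hostname: str) -> str:
    """Owner-relative PTR line the customer puts in its child zone; refuses
    addresses outside the block the zone name encodes."""
    parts = child_zone.split(".")
    first, plen = parts[0].split("/")
    block = ipaddress.ip_network(f"{parts[3]}.{parts[2]}.{parts[1]}.{first}/{plen}")
    ip = ipaddress.ip_address(address)
    if ip not in block:
        raise ValueError(f"{address} is not inside the delegated block {block}")
    return f"{ip.packed[3]}\tIN\tPTR\t{hostname}"


if __name__ == "__main__":
    parent, recs, child = classless_delegation("192.0.2.64/26", ["ns1.customer.example."])
    print(f"; records in {parent}")
    print("\n".join(recs[:3]), "\n...")
    print(f"; record in {child}")
    print(ptr_record(child, "192.0.2.70", "www.customer.example."))
```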