From: Wesley Darlington (wesley at domain yelsew.com)
Date: Tue 16 Apr 2002 - 10:31:30 IST

On Fri, Apr 12, 2002 at 04:22:35PM +0100, Dave Wilson wrote:
> >Why? Lots of reasons...
> >Security: nobody can poison your _authoritative_ name server [process].
> >Security: a problem in the resolving code isn't exposed to the world.
> >Security: less code faces the world.
> >Reliability: greedy resolving clients don't tie up your auth name server.
> >Speed: the resolving code can be optimised for resolving,
> > the auth serving code for auth serving.
> Agree that these are compelling reasons to split your DNS servers.
> Disagree that they are sufficient to justify the extra complexity in
> *all* cases to the point where one's competence is in question.

Ah, but a competent admin would be able to justify not doing it. The
incompetent admin would have been unaware of the superior alternative.
(Bind Certified DNS Engineer, anybody? :-)

> >Seems to me that there'd be a whole lot less open relays in the world (and
> >a *whole* lot less spam) if destination mail servers ("MX" servers) really
> >were distinct from relay servers... So yes, exactly like that. :-)
> Disagree; the problem is that the relay server has a bad configuration,
> regardless of whether it can also act as an MX server. But I'm taking
> this way too far off topic :-)

Right enough. Would there be far fewer open relays in the world though
if "smtp proxies" were quite distinct beasties to "MX servers"?