From: Wesley Darlington (wesley at domain yelsew.com)
Date: Tue 16 Apr 2002 - 10:31:30 IST

On Fri, Apr 12, 2002 at 04:22:35PM +0100, Dave Wilson wrote:
> >Why? Lots of reasons...
> >Security: nobody can poison your _authoritative_ name server [process].
> >Security: a problem in the resolving code isn't exposed to the world.
> >Security: less code faces the world.
> >Reliability: greedy resolving clients don't tie up your auth name server.
> >Speed: the resolving code can be optimised for resolving,
> > the auth serving code for auth serving.
>
> Agree that these are compelling reasons to split your DNS servers.
> Disagree that they are sufficient to justify the extra complexity in
> *all* cases to the point where one's competence is in question.

Ah, but a competent admin would be able to justify not doing it. The
incompetent admin would have been unaware of the superior alternative.
(Bind Certified DNS Engineer, anybody? :-)

> >Seems to me that there'd be a whole lot less open relays in the world (and
> >a *whole* lot less spam) if destination mail servers ("MX" servers) really
> >were distinct from relay servers... So yes, exactly like that. :-)
>
> Disagree; the problem is that the relay server has a bad configuration,
> regardless of whether it can also act as an MX server. But I'm taking
> this way too far off topic :-)

Right enough. Would there be far fewer open relays in the world though
if "smtp proxies" were quite distinct beasties to "MX servers"?

Wesley.