On 20/10/2007, at 1:24 PM, Mike Lewinski wrote:
Simon Lyall wrote:
Sounds like the real problem is that your authoritative and caching DNS servers are mixed up.
Understood. I've worked to turn off recursion to the world and made it through that without too much pain (except for the people who transport statically configured laptops on and off our network). The next step isn't trivial since it's a matter of updating quite a lot of data. It's important and we're working on it for the benefit of the customers, but this will be an operational issue for us for a while.
I've yet to try it, but if you're running BIND you should be able to split it up into views:
- View A takes queries from your end users (based on source IP) and acts as a recursive cache.
- View B takes queries from everyone else (catchall) and answers authoritatively.
You'll probably run into a couple of problems where an end user needs an authoritative answer for a name you are authoritative for, but that'll be a small percentage I expect. Again, I haven't tested this, but I can't see any obvious reason why it wouldn't work.
If they are split then it doesn't really matter if you still host a lame record because (since it's lame) nobody will ask you about it.
It's still cruft and ideally should still be cleaned up automatically based on the external authority changing.
Maybe. Note that the same is true of MTA and MX servers (i.e. MX records point at the same place for domains you host as your customers do to send mail to domains you don't host).
-- Nathan Ward
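As an added illustration of the two-view split Nathan sketches (not from the thread, and untested against any real deployment), a BIND 9 named.conf fragment: the "end-users" ACL, the zone name and the file paths are placeholders, and loading the served zone into the recursive view as well is one common way to cover the caveat about end users needing authoritative answers for your own names.

```conf
// Added example, not from the original thread. Placeholder ranges/names.
acl "end-users" {
    192.0.2.0/24;        // placeholder: your customer/end-user ranges
    2001:db8::/32;       // placeholder
    localhost;
};

options {
    directory "/var/named";
    recursion no;        // default: no recursion; View A overrides it
    allow-query { any; };
};

// View A: end users (matched by source IP) get a recursive cache.
view "internal" {
    match-clients { "end-users"; };
    recursion yes;
    allow-recursion { "end-users"; };

    // Also serve your own zones here, so end-user queries for names you
    // are authoritative for are answered locally rather than via the cache
    // (assumption: one way to handle the caveat raised in the thread).
    zone "example.net" {
        type master;
        file "zones/db.example.net";   // placeholder path
    };
};

// View B: everyone else (catch-all) gets authoritative answers only.
// Declared after View A; BIND evaluates views in order, first match wins.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };   // never hand cached data to outsiders

    zone "example.net" {
        type master;
        file "zones/db.example.net";   // same data as in View A
    };
};
```

Once views are in use every zone statement must live inside a view; `named-checkconf` validates the syntax before reload.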