framapiaf.org is one of the many independent Mastodon servers you can use to take part in the fediverse.
A Mastodon service provided by the popular-education association Framasoft.


How good (or bad) an idea is it to run one's own authoritative nameservers?

Any tips/tricks/suggestions or gotchas to remember?

Patrick Mevzek

@sahil Depends authoritative on what kind of zones :-) If "critical" and you need 99.9999% reliability, then no. Otherwise, maybe. Theoretically, you need either solid anycast, OR at least 2 separate IP blocks in separate AS in separate datacenters with separate routing (+ ideally different OS and nameserver software). Plus the usual (power source, monitoring, etc.). But to do it at home on some toy zones, absolutely, to learn things!

@pmevzek I'm strongly leaning on PowerDNS (with BIND backend) because of some experience with that.

> ... different OS and nameservers software

For security reasons, that is? Can you elaborate a bit here?

Also, if I understand correctly, IXFR/AXFR should flow fine across different name server software primary-secondary combinations (?)

@sahil If you manage anything critical, imagine you have 4 nameservers, but all with the same OS and all with the same nameserver software and version. What happens if a critical vulnerability is found for the OS or the nameserver? Having 4 times the same setup brings no recourse against such a problem. While not 0 cost, if you can mix and match different OS and different software you gain a little more guarantee to maintain service even if part is affected.

@sahil Or if you can easily and quickly switch, so have one active configuration with nameserver software X and another inactive but ready and in sync with software Y. Not only for security. Case I had once: a nameserver with a bug regarding an edge case in DNSSEC. It was either waiting for that bug to be fixed, or using another nameserver instead. And sometimes you can't wait. So even if not multiple active, good to be fluid with multiple cases to be able to switch quickly if needed.

@sahil Yes, AXFR/IXFR are pretty standard mechanisms and should flow between nameservers without trouble.
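
The shared-fate reasoning in the replies above (separate IP blocks, separate AS, different OS and nameserver software) can be checked mechanically. This is an added example, not part of the thread: the inventory, its field names, and the /24 and /48 grouping are assumptions, and the addresses and AS numbers are documentation/private-use values.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory for illustration; none of these values come from the thread.
NAMESERVERS = [
    {"name": "ns1", "ip": "192.0.2.10", "asn": 64500, "os": "Debian", "software": "PowerDNS"},
    {"name": "ns2", "ip": "192.0.2.77", "asn": 64500, "os": "Debian", "software": "PowerDNS"},
    {"name": "ns3", "ip": "198.51.100.5", "asn": 64501, "os": "FreeBSD", "software": "NSD"},
    {"name": "ns4", "ip": "2001:db8:53::1", "asn": 64502, "os": "Debian", "software": "Knot DNS"},
]
ATTRIBUTES = ("ip_block", "asn", "os", "software")


def ip_block(ip):
    """Assumption: treat an IPv4 /24 or an IPv6 /48 as one routing unit."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def shared_fate(servers):
    """Per attribute, map each value to the servers that go down together with it."""
    groups = {attr: defaultdict(list) for attr in ATTRIBUTES}
    for s in servers:
        for attr in ATTRIBUTES:
            value = ip_block(s["ip"]) if attr == "ip_block" else s[attr]
            groups[attr][value].append(s["name"])
    return groups


def audit(servers):
    """Per attribute, report how many servers survive if its most common value fails."""
    findings = {}
    for attr, by_value in shared_fate(servers).items():
        value, hit = max(by_value.items(), key=lambda kv: len(kv[1]))
        findings[attr] = {
            "distinct": len(by_value),
            "worst_value": value,
            "survivors": len(servers) - len(hit),
        }
    return findings


if __name__ == "__main__":
    for attr, f in audit(NAMESERVERS).items():
        flag = "SINGLE POINT OF FAILURE" if f["survivors"] == 0 else "ok"
        print(f"{attr:9} distinct={f['distinct']} worst={f['worst_value']} "
              f"survivors={f['survivors']} {flag}")
```

A `survivors` count of 0 for any attribute is the "4 times the same setup" case: one routing incident, OS flaw or nameserver bug removes every authoritative server at once.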