Best practice for network configuration
Robert Brockway
robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org
Fri Jul 1 06:19:01 UTC 2011
On Thu, 30 Jun 2011, Christopher Browne wrote:
> People that are serious about DNS availability seem to prefer having
> permutations of:
> a) Not just one flavour of DNS server (e.g. - multiple of BIND, NSD, ...)
> b) Have NS records in multiple zones, so you're not vulnerable to one
> registry operator "oopsing" you. Thus, multiple of (com|net),
> (org|info|...others that Afilias are involved with), and perhaps some
> of (ca|uk|de|us|fr|jp)
> c) DNS servers not all in one ((legal|geographic) region|data centre)
Quite right. I encourage 'physical and logical separation'. Logical
separation should really mean address separation and domain separation.
> How much paranoia/redundancy to have is a good question without any
> single correct answer.
Yep, it's a risk assessment.
> if your web server's on one box in one data centre, then you lose
> little by depending on DNS servers sitting in the same subnet, which
> heads back to the same "moot point" about DHCP.
I think the arguments I mentioned earlier are still relevant. All else
being equal I'd like to avoid a potential problem, and setting up a DNS
secondary isn't exactly hard.
>> I've never liked this argument. I think this argument has some flaws:
>>
>> (1) That you fully understand every function this server performs. You
>> haven't forgotten any of them.
>
> I suspect that this one may be in flux. With the ease of
> deploying virtual machines, it increasingly makes sense to deploy 15
> services by setting up 15 VMs, each running a single service. If they
Yes I nearly mentioned this in my previous email. I still prefer not to
assume that it behaves exactly the way we think it does. I see the use of
distributed DNS servers even if you think you don't need them as an
application of 'reliability in depth'.
> (On the other hand, VMs also make it practical to take that mouldering
> old box running a long-out-of-support version of Mandrake with an
> unenumerated set of services that nobody knows much about, and that
> they're all too scared to touch, and keep it running.)
Yes yes they do. Hopefully such hosts are hidden well away from the
dangerous world that is full of baddies that would love nothing more than
to 0wn one of your hosts :)
Cheers,
Rob
--
Email: robert-5LEc/6Zm6xCUd8a0hrldnti2O/JbrIOy at public.gmane.org Linux counter ID #16440
IRC: Solver (OFTC & Freenode)
Web: http://www.practicalsysadmin.com
Contributing member of Software in the Public Interest (http://spi-inc.org/)
Open Source: The revolution that silently changed the world
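The redundancy criteria Christopher lists (a: more than one DNS implementation, b: NS names under more than one registry, c: servers not all in one network or site) and Rob's "physical and logical separation" can be turned into a quick offline audit of a zone's NS set. The following is an added example written for this thread, not code posted by either author. It assumes the operator already knows each server's software and location (the `software` and `site` fields are operator-supplied inputs, not something the script discovers), treats a shared /24 (IPv4) or /48 (IPv6) as "same network", and also flags the related case where every NS name lies inside the zone it serves, so the zone depends entirely on the parent's glue. The name server records are constructed sample data using documentation addresses.

```python
"""Offline check of a zone's NS set against the redundancy criteria from the thread.

Added example; not code from the list thread. The 'software' and 'site' fields
are assumed to be supplied by the operator (there is no reliable remote way to
learn them), and the address test uses /24 (IPv4) and /48 (IPv6) as a coarse
stand-in for 'same network'.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NameServer:
    host: str      # NS hostname as published in the zone
    addr: str      # address of that server (IPv4 or IPv6)
    software: str  # implementation, e.g. "bind" or "nsd" (operator-supplied, assumed)
    site: str      # data-centre or region label (operator-supplied, assumed)


def tld(hostname: str) -> str:
    """Return the top-level label of a hostname, e.g. 'org' for 'ns1.example.org.'."""
    return hostname.rstrip(".").rsplit(".", 1)[-1].lower()


def network_of(addr: str) -> str:
    """Map an address to a coarse network (/24 for IPv4, /48 for IPv6)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def in_bailiwick(hostname: str, zone: str) -> bool:
    """True if the NS name lies inside the zone it serves (so it relies on parent glue)."""
    h = hostname.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return h == z or h.endswith("." + z)


def assess(zone: str, servers: list) -> list:
    """Return a list of findings; an empty list means every criterion is met."""
    findings = []
    if len(servers) < 2:
        findings.append("fewer than two name servers")
    if len({s.software for s in servers}) < 2:
        findings.append("single DNS implementation")        # criterion (a)
    if len({tld(s.host) for s in servers}) < 2:
        findings.append("all NS names under one TLD")       # criterion (b)
    if all(in_bailiwick(s.host, zone) for s in servers):
        findings.append("all NS names inside the zone itself")
    if len({network_of(s.addr) for s in servers}) < 2:
        findings.append("all NS addresses in one network")  # criterion (c), address separation
    if len({s.site for s in servers}) < 2:
        findings.append("all NS hosts at one site")         # criterion (c), physical separation
    return findings


# Constructed sample data (RFC 5737 / RFC 3849 documentation addresses).
WEAK = [
    NameServer("ns1.example.com", "192.0.2.10", "bind", "dc-a"),
    NameServer("ns2.example.com", "192.0.2.11", "bind", "dc-a"),
]
DIVERSE = [
    NameServer("ns1.example.com", "192.0.2.10", "bind", "dc-a"),
    NameServer("ns2.example.org", "198.51.100.7", "nsd", "dc-b"),
    NameServer("ns3.example.net", "2001:db8:1::53", "bind", "dc-c"),
]

if __name__ == "__main__":
    for label, ns_set in (("weak", WEAK), ("diverse", DIVERSE)):
        print(label, assess("example.com", ns_set) or ["ok"])
```

Run as written it reports five findings for the WEAK set (same software, same TLD, all in-bailiwick, same /24, same site) and none for the DIVERSE set. The thresholds are deliberately coarse: as the thread says, how much separation is enough is a risk assessment, so treat each finding as a prompt to justify the design rather than as a hard failure.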