On 01.06.2015 at 19:55, Jason L Tibbitts III wrote:
> "RSB" == Ryan S Brown <ryansb@xxxxxxxxxx> writes:
>
> RSB> I disagree; for server & cloud deployments it doesn't make sense to
> RSB> duplicate a DNS server on *every* host, and if you care about
> RSB> DNSSEC you likely already run a trusted resolver.
>
> I disagree generally in the case of server deployments. Having a local
> caching resolver is pretty much essential, even though we all know it's
> just a workaround for glibc.
No, it is not in the case of a serious server setup - period.
> Basically, if you have properly functioning DNS on multiple local servers
> but not having anything fancier like heartbeat-based IP handoff or a load
> balancing appliance or something, and the first resolver in resolv.conf
> goes offline, your hosts are screwed. glibc's resolver code is simply
> horrible. This is completely exclusive of DNSSEC issues.
If your *LAN* nameservers are going offline, you need to solve that problem and ask yourself why....
> What really concerns me is what happens with split DNS. I assume I'll
> just need to configure the local resolvers to talk only to my resolvers,
> but this would really need to be documented.
Well, by having shared resolvers in the network, in case they are properly configured, split DNS won't ever happen - with a local resolver not *only* forwarding to the LAN resolvers (and then you have not gained much with the local resolver) it becomes much more likely.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
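As an added illustration of the resolv.conf failover problem discussed in this thread (this is not code from any participant and not glibc's resolver; it is a deliberately simplified model): the script below parses a constructed resolv.conf, walks the nameserver list in the order a glibc-style stub resolver does (outer loop over `attempts`, inner loop over `nameserver` lines, `rotate` advancing the starting server per query), and reports how long each lookup stalls when the first server is a UDP black hole. The addresses, the assumption that every unresponsive server costs one full `timeout`, and the round-robin treatment of `rotate` are all assumptions of the model; glibc's real per-server timeout scaling and fast failure on ICMP unreachable are ignored.

```python
"""Simplified model of a glibc-style stub resolver walking resolv.conf.

Added example for illustration; not glibc code, not from the thread.
Assumptions (not glibc behaviour in detail):
  * an unresponsive ("dead") nameserver always costs one full `timeout`
  * `rotate` is modelled as plain round-robin of the starting server
  * any responsive server answers instantly
"""
from __future__ import annotations

from dataclasses import dataclass, field

DEFAULT_TIMEOUT = 5    # glibc RES_TIMEOUT default (seconds)
DEFAULT_ATTEMPTS = 2   # glibc RES_DFLRETRY default
MAX_TIMEOUT = 30       # glibc caps options timeout:n at 30
MAX_ATTEMPTS = 5       # glibc caps options attempts:n at 5


@dataclass
class ResolvConf:
    nameservers: list[str] = field(default_factory=list)
    timeout: int = DEFAULT_TIMEOUT
    attempts: int = DEFAULT_ATTEMPTS
    rotate: bool = False


def parse_resolv_conf(text: str) -> ResolvConf:
    """Parse the nameserver and options lines of a resolv.conf body."""
    conf = ResolvConf()
    for raw in text.splitlines():
        # '#' and ';' both start comments in resolv.conf
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf.nameservers.append(args[0])
        elif key == "options":
            for opt in args:
                name, _, val = opt.partition(":")
                if name == "timeout" and val.isdigit():
                    conf.timeout = min(int(val), MAX_TIMEOUT)
                elif name == "attempts" and val.isdigit():
                    conf.attempts = min(int(val), MAX_ATTEMPTS)
                elif name == "rotate":
                    conf.rotate = True
    return conf


def lookup_latency(conf: ResolvConf, dead: set[str], start: int = 0):
    """One lookup: return (seconds stalled, server that answered or None).

    Order is attempts x nameservers, starting at index `start`; a dead
    server never replies, so each visit to it burns `timeout` seconds.
    """
    n = len(conf.nameservers)
    waited = 0
    for _ in range(conf.attempts):
        for i in range(n):
            ns = conf.nameservers[(start + i) % n]
            if ns in dead:
                waited += conf.timeout
            else:
                return waited, ns
    return waited, None   # every server dead: the lookup fails after `waited`


def lookup_series(conf: ResolvConf, dead: set[str], count: int) -> list[int]:
    """Stall time of `count` consecutive lookups (rotate => round-robin start)."""
    n = len(conf.nameservers)
    return [
        lookup_latency(conf, dead, (q % n) if conf.rotate else 0)[0]
        for q in range(count)
    ]


# Constructed sample files; 192.0.2.0/24 is documentation space, not real LAN.
RESOLV_CONF_DEFAULT = """\
# two LAN resolvers, glibc defaults (timeout 5, attempts 2, no rotate)
nameserver 192.0.2.1
nameserver 192.0.2.2
"""

RESOLV_CONF_TUNED = """\
nameserver 192.0.2.1
nameserver 192.0.2.2
options timeout:1 attempts:2 rotate
"""

# Host pointing at a local caching/forwarding daemon: the stub never sees
# an upstream outage, the daemon's own retry logic absorbs it.
RESOLV_CONF_LOCAL = "nameserver 127.0.0.1\n"

if __name__ == "__main__":
    dead = {"192.0.2.1"}   # first LAN resolver has gone away
    for label, body in (("default", RESOLV_CONF_DEFAULT), ("tuned", RESOLV_CONF_TUNED)):
        conf = parse_resolv_conf(body)
        print(label, "stall per lookup:", lookup_series(conf, dead, 4))
    print("local", "stall per lookup:", lookup_series(parse_resolv_conf(RESOLV_CONF_LOCAL), set(), 4))
```

With the defaults every lookup on the host stalls for the full 5 seconds before the second server is tried, which is the "your hosts are screwed" case; `options timeout:1 attempts:2 rotate` cuts that to a 1-second stall on roughly every other query, and a local forwarding daemon removes it from the stub's view entirely, moving the failover decision into software that actually tracks upstream health.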