[dns-wg] NCC reverse delegation criteria

Moin!

On 11 Jun 2019, at 20:40, Jonas Frey wrote:
> I do see 3 major benefits to combine/unify these:
> - "saving" IP addresses (depending of how many you run of course[1])
Should not be a problem with IPv6, and running the same function
like http on the same IP is quite different from running different
functions (recursive vs authoritative DNS) on the same IP.

> - less effort managing (not having multiple places for configuration
> thus unifiying [automated] setup)
That is wrong. You have more efforts managing as you need to update the
sever software more often. I can not count the numbers of times some
CVE in bind was caused by the fact that it is both a recursive and
authoritative server. From a security these have different attack
scenarios and you now need to take care of both and some mitigations
are only applicable to one function.

> - saving ressources (servers, virtual machines, whatever they run on)
Those are machine resources and cheap. Your manpower resources
running mixed servers are higher as you have to be a lot more careful
how you treat a mixed function dns server. Even pur bind shops these
days run there servers with only one function.

And all modern DNS software is either authoritative or recursive and
there is a good reason for that. Unless you believe people dealing
with this for decades are wrong.

So long
-Ralf
—--
Ralf Weber