[dns] Recursion and cache - NS resolvers deployment

The cielito.system.dns role is designed to deploy authoritative NS servers. Recursion is hard coded to NO.

We also need to deploy our local net DNS resolvers, which will require further BIND9 configuration. Two possible approaches:

  • complete the present cielito.system.dns role to cover the BIND characteristics needed for a resolver's configuration,
  • code a separate role for a DNS resolver service.

As it is recommended to "not combine authoritative and recursive name server functions on the same server -- have each function performed by separate server sets", we may prefer the second approach (even if it is less universal), and it is secure by design. We have less risk of configuring undue access by error.
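
An added sketch, not taken from the cielito.system.dns role, of how the `options` blocks of the two server sets would differ if they are kept in separate roles. Only `recursion no` is stated above; the ACL name `trusted`, the address ranges and the other settings are assumptions for illustration.

```bind
// ---- Authoritative server set: named.conf.options ----
options {
    recursion no;                   // stated above: hard coded in the role
    allow-query { any; };           // assumption: the zones served are public
    allow-query-cache { none; };    // assumption: no cache is exposed
    allow-transfer { none; };       // assumption: opened per zone for secondaries
};

// ---- Resolver server set (separate hosts): named.conf.options ----
// Placeholder ACL: replace the ranges with the real local networks.
acl "trusted" {
    127.0.0.0/8;
    10.0.0.0/8;                     // constructed example range
};

options {
    recursion yes;
    allow-recursion { trusted; };   // recursion for local clients only
    allow-query { trusted; };       // refuse queries from anywhere else
    allow-query-cache { trusted; }; // cached answers only for local clients
    allow-transfer { none; };       // a resolver serves no zones to transfer
    dnssec-validation auto;         // validate answers with the built-in trust anchor
};
```

With two roles, the resolver template never contains `allow-query { any; }` and the authoritative template never contains `recursion yes`, so a variable set by mistake cannot turn a public authoritative server into an open resolver.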