Moin!

On 11 Jun 2019, at 20:40, Jonas Frey wrote:
> I do see 3 major benefits to combine/unify these:
> - "saving" IP addresses (depending on how many you run of course[1])
Should not be a problem with IPv6, and running the same function like http on the same IP is quite different from running different functions (recursive vs authoritative DNS) on the same IP.

> - less effort managing (not having multiple places for configuration thus unifying [automated] setup)
That is wrong. You have more effort managing as you need to update the server software more often. I can not count the number of times some CVE in bind was caused by the fact that it is both a recursive and authoritative server. From a security perspective these have different attack scenarios and you now need to take care of both and some mitigations are only applicable to one function.

> - saving resources (servers, virtual machines, whatever they run on)
Those are machine resources and cheap. Your manpower resources running mixed servers are higher as you have to be a lot more careful how you treat a mixed function dns server. Even pure bind shops these days run their servers with only one function.

And all modern DNS software is either authoritative or recursive and there is a good reason for that. Unless you believe people dealing with this for decades are wrong.

So long
-Ralf
--
Ralf Weber
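As an added example (not part of the mailing-list thread and not code from any of the participants), the following script checks a BIND-style named.conf for the mixed-function setup discussed above: an `options` block with recursion enabled next to zones of type primary/secondary (master/slave). It assumes a single global `options` block and no `view` clauses; the sample configurations are constructed for the example. One point the post's argument relies on and the check makes visible: BIND's default for `recursion` is `yes`, so an authoritative server that never says `recursion no;` is already a mixed-function server.

```python
"""Flag a BIND named.conf that mixes authoritative zones with recursion."""
import re

# Constructed sample configurations (not from the mailing-list thread).
MIXED_CONF = """
options {
    directory "/var/named";
    recursion yes;                 // resolver function ...
    allow-recursion { any; };
};
zone "example.net" {               // ... plus an authoritative zone
    type primary;
    file "example.net.zone";
    allow-transfer { none; };
};
"""

AUTH_ONLY_CONF = """
options {
    directory "/var/named";
    recursion no;                  # explicitly authoritative-only
};
zone "example.net" {
    type primary;
    file "example.net.zone";
};
"""

RESOLVER_ONLY_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };
};
zone "." { type hint; file "root.hints"; };   /* hints are not authoritative data */
"""

IMPLICIT_MIXED_CONF = """
options { directory "/var/named"; };          // no 'recursion' statement at all
zone "example.net" { type secondary; primaries { 192.0.2.1; }; file "sec.zone"; };
"""

COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
RECURSION_RE = re.compile(r"\brecursion\s+(yes|no)\s*;", re.I)
TYPE_RE = re.compile(r"\btype\s+(\w+)\s*;", re.I)
# Zone types that serve authoritative data (old and new BIND spellings).
AUTH_TYPES = {"master", "primary", "slave", "secondary"}


def strip_comments(text):
    return COMMENT_RE.sub("", text)


def blocks(text, keyword):
    """Return (header, body) for each 'keyword header { body };' statement.
    Braces are matched so nested statements such as allow-transfer { ... };
    stay inside the body. Assumption: one options block, no view clauses."""
    found = []
    for m in re.finditer(r"\b%s\b([^{;]*)\{" % keyword, text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        found.append((m.group(1).strip(), text[m.end():i - 1]))
    return found


def recursion_enabled(conf):
    """BIND's default is 'recursion yes', so a missing statement counts as enabled."""
    opts = " ".join(body for _, body in blocks(strip_comments(conf), "options"))
    flags = RECURSION_RE.findall(opts)
    return flags[-1].lower() == "yes" if flags else True


def authoritative_zones(conf):
    """Names of zones whose type means the server answers authoritatively."""
    zones = []
    for header, body in blocks(strip_comments(conf), "zone"):
        name = re.search(r'"([^"]*)"', header)
        ztype = TYPE_RE.search(body)
        if name and ztype and ztype.group(1).lower() in AUTH_TYPES:
            zones.append(name.group(1))
    return zones


def classify(conf):
    """'authoritative', 'recursive', 'mixed' or 'neither'."""
    rec, auth = recursion_enabled(conf), authoritative_zones(conf)
    if rec and auth:
        return "mixed"
    return "authoritative" if auth else ("recursive" if rec else "neither")


def report(name, conf):
    verdict = classify(conf)
    zones = ", ".join(authoritative_zones(conf)) or "-"
    hint = " <- split into separate authoritative and recursive instances" if verdict == "mixed" else ""
    return f"{name}: {verdict} (authoritative zones: {zones}){hint}"


if __name__ == "__main__":
    for label, conf in [("mixed", MIXED_CONF), ("auth-only", AUTH_ONLY_CONF),
                        ("resolver-only", RESOLVER_ONLY_CONF),
                        ("implicit-mixed", IMPLICIT_MIXED_CONF)]:
        print(report(label, conf))
```

Run it against a real named.conf by reading the file into `classify()`; anything reported as `mixed` is the configuration the post argues against, and `IMPLICIT_MIXED_CONF` shows the case that is easy to miss because nothing in the file mentions recursion at all.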