Questions and Answers
Jim McKinstry and Amy Rich
Q: I've heard that you should not run your authoritative name servers on the same machines as your caching name servers. Why not, and how do I separate the two?
A: An authoritative server is one that's listed as an NS record for a given domain. It doesn't need to know anything about querying the root nameservers, only about answering queries for its own zones from other machines. A caching name server should be used by a smaller set of people (e.g., employees of Company Foo) to look up many requests for varying domains. The caching nameserver needs to know how to query the root nameservers, expire cached data, and walk delegation chains.
While the authoritative server must accept connections from the entire Internet, you can protect the caching server so that connection requests are limited to the IP range of Company Foo. If you put your caching server and your authoritative server on the same instance, then you run the risk of forged information corrupting your cached data (known as cache poisoning).
The other reason to separate caching and authoritative servers matters most if you have a large number of people using your name server for cached data. If the caching server and the authoritative server for domain foo.com are on the same machine (let's call the machine ns.bar.com), and foo.com changes its name servers over to another provider (ns.baz.com), ns.bar.com will still think it's authoritative for foo.com if the defunct zone file for foo.com is not removed. Anyone using ns.bar.com as a caching server will get the wrong information. If ns.bar.com were a caching-only server, it would no longer think that it was authoritative for foo.c
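As an added illustration (not from the column), here is how the split looks in BIND-style configuration, which the column does not name and is assumed here. ns.bar.com and foo.com are the column's placeholder names; 192.0.2.0/24 is a stand-in for Company Foo's address range, and the two files run on two separate hosts.

```conf
// ---- File 1: named.conf on the authoritative-only host (ns.bar.com) ----
// Answers for foo.com to the whole Internet but never recurses, so
// nothing it hands out was learned from another server's reply.
options {
    directory "/var/named";
    recursion no;                 // never walk the root/delegation chain
    allow-query { any; };         // anyone may ask about the zones below
};

zone "foo.com" {
    type master;
    file "foo.com.zone";          // delete this block when foo.com moves
                                  // to ns.baz.com, or clients of this
                                  // host keep getting the stale zone
};

// ---- File 2: named.conf on the separate caching-only resolver ----
// Recurses on behalf of Company Foo's own hosts only; no zones are
// served here, so a departed customer's zone cannot linger in answers.
acl "company-foo" { 192.0.2.0/24; 127.0.0.1; };   // stand-in range

options {
    directory "/var/named";
    recursion yes;
    // Weak setting: allow-query { any; }; lets the whole Internet use
    // (and feed forged answers toward) this cache. Restricted form:
    allow-query     { company-foo; };
    allow-recursion { company-foo; };
};

zone "." {
    type hint;
    file "named.root";            // root hints: how to reach the roots
};
```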