Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: AW: Odd policy question.

  • From: William Yardley
  • Date: Fri Jan 13 17:07:35 2006

On Fri, Jan 13, 2006 at 01:47:48PM -0800, David W. Hankins wrote:
> On Fri, Jan 13, 2006 at 10:09:51AM -1000, Randy Bush wrote:

> > > it is a best practice to separate authoritative and recursive
> > > servers.

> > why?
 
> I'm not sure anyone can answer that question.  I certainly can't.
> Not completely, anyway.  There are too many variables and motivations.
[...] 
> Well, RFC2010 section 2.12 hints at cache pollution attacks, and that's
> been discussed already.  Note that I can't seem to find the same claim
> in RFC2870, which obsoletes 2010 (and the direction against recursive
> service is still there).

In an environment where customers may be able to add zones (such as a
web-hosting environment), not separating the two may cause problems when
local machines resolve off of the authoritative nameservers. This could
be due to someone maliciously or accidentally adding a domain they don't
control, or simply to someone setting up their domain prior to changing
over the nameservers.

w
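
The failure mode described in the message above, as an added sketch that is not part of the original post: a toy model of a combined authoritative/recursive server next to a dedicated recursor, plus an audit that lists hosted zones the parent does not delegate to the provider. All zone names, addresses and function names are constructed for illustration.

```python
# Constructed data: names and addresses are illustrative, not from the post.
OUR_NAMESERVERS = {"ns1.hoster.example.", "ns2.hoster.example."}
# Zones customers have added on the provider's authoritative servers.
HOSTED_ZONES = {
    "customer-a.example.": "192.0.2.10",  # really delegated to the provider
    "bank.example.": "192.0.2.66",        # added by someone who does not control it
    "migrating.example.": "192.0.2.20",   # staged before the NS change
}

# The parent zones' delegations, i.e. the view the rest of the Internet has.
PARENT_DELEGATIONS = {
    "customer-a.example.": {"ns1.hoster.example.", "ns2.hoster.example."},
    "bank.example.": {"ns1.bank-dns.example."},
    "migrating.example.": {"ns1.old-host.example."},
}

# What the delegated servers answer for any name inside each zone.
PUBLIC_ANSWERS = {
    "customer-a.example.": "192.0.2.10",
    "bank.example.": "198.51.100.5",
    "migrating.example.": "198.51.100.80",
}

def enclosing_zone(qname, zones):
    """Return the longest zone in `zones` that is a suffix of qname, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None

def resolve_separated(qname):
    """Dedicated recursor: follows the real delegation, ignores hosted zones."""
    return PUBLIC_ANSWERS.get(enclosing_zone(qname, PARENT_DELEGATIONS))

def resolve_combined(qname):
    """Combined server: locally configured zone data wins over recursion."""
    zone = enclosing_zone(qname, HOSTED_ZONES)
    return HOSTED_ZONES[zone] if zone else resolve_separated(qname)

def audit_undelegated(hosted, delegations, ours):
    """Hosted zones whose parent delegation names none of our nameservers."""
    return sorted(z for z in hosted if not (delegations.get(z, set()) & ours))

if __name__ == "__main__":
    for name in ("www.customer-a.example.", "www.bank.example."):
        print(name, resolve_combined(name), resolve_separated(name))
    print(audit_undelegated(HOSTED_ZONES, PARENT_DELEGATIONS, OUR_NAMESERVERS))
```

Zones the audit returns are the ones where local machines using the combined server would see different answers from the rest of the Internet.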




