North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: AW: Odd policy question.
- From: William Yardley
- Date: Fri Jan 13 17:07:35 2006
On Fri, Jan 13, 2006 at 01:47:48PM -0800, David W. Hankins wrote:
> On Fri, Jan 13, 2006 at 10:09:51AM -1000, Randy Bush wrote:
> > > it is a best practice to separate authoritative and recursive
> > > servers.
> > why?
> I'm not sure anyone can answer that question. I certainly can't.
> Not completely, anyway. There are too many variables and motivations.
> Well, RFC2010 section 2.12 hints at cache pollution attacks, and that's
> been discussed already. Note that I can't seem to find the same claim
> in RFC2870, which obsoletes 2010 (and the direction against recursive
> service is still there).
In an environment where customers may be able to add zones (such as a
web-hosting environment), not separating the two may cause problems when
local machines resolve off of the authoritative nameservers. This could
be due to someone maliciously or accidentally adding a domain they don't
control, or simply to someone setting up their domain prior to changing
over the nameservers.