how to protect name servers against cache corruption
Robert Bowman
rob at elite.exodus.net
Tue Jul 22 20:57:44 UTC 1997
Isolating recursive from non-recursive servers has a ton of benefits:
1. measuring your external from internal queries becomes easier, hence
budgeting for the appropriate servers has a cost matching ability
2. to use distributed director from cisco, you need non-recursive
authoritative servers
3. your authoritative servers become less susceptible to corruption
from a looped delegation, hence isolating your DNS problems to
the recursive resolvers instead of taking down all your authoritative
abilities
etc. etc.
Rob
>
> a BIND 4.9.6 or 8.1.1 server is immune. so, you could upgrade. to do so,
> see http://www.isc.org/isc/ which will lead you to ftp://ftp.isc.org/isc/.
> (the root name servers are all running modern software at this point.)
>
> alternic's corruption works by locating authoritative name servers via the
> "NS RR"'s published in various zones. if you run these as authoritative-
> only (recursion disabled) then they will never fetch any data from anywhere.
> (the root name servers are configured this way, for example.) the downside
> is that you can't list such nameservers in your "resolv.conf" files or PC
> equivalents (Control Panel\Networking\TCP IP Settings, or some such rot.)
> this means you need more name servers if you separate recursive from non-
> recursive.
>
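One way to audit the recursive/non-recursive split discussed above is to send each server a query with RD set and check whether it advertises recursion (the RA flag) in its reply; an authoritative-only server should answer with RA clear. This is an added example, not code from the thread, and it assumes UDP port 53 and the reserved name example.com as the probe question.

```python
import socket
import struct

# Added example (not from the NANOG thread): send a query with RD=1 and read
# the RA flag in the reply to check whether a name server offers recursion.

def build_query(qname, txid=0x1234):
    """Standard A query for qname with RD=1 (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_flags(response):
    """Decode the header flag bits of a DNS message (RFC 1035 section 4.1.1)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return {
        "qr": bool(flags & 0x8000),  # 1 = response
        "aa": bool(flags & 0x0400),  # authoritative answer
        "rd": bool(flags & 0x0100),  # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),  # recursion available
        "rcode": flags & 0x000F,
    }

def classify(response):
    """'recursive' if the server advertises RA, else 'authoritative-only'."""
    f = parse_flags(response)
    if not f["qr"]:
        raise ValueError("not a response")
    return "recursive" if f["ra"] else "authoritative-only"

def probe(server, qname="example.com.", timeout=2.0):
    """One UDP query to server:53; returns the classification (network call)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return classify(data)

# Constructed sample replies (header only, not captured from a real server).
AUTH_ONLY_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0)  # QR,AA,RD
RECURSIVE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR,RD,RA
```

Run `probe()` against each of your own authoritative servers; any that comes back "recursive" is still open to fetching foreign data and belongs on the resolver side of the split.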