AW: Odd policy question.

Steven M. Bellovin smb at cs.columbia.edu
Fri Jan 13 20:35:36 UTC 2006


In message <838DBE2645430DF70BAFFC9C at dhcp-2-206.wgops.com>, Michael Loftis writ
es:
>
>
>
>--On January 13, 2006 10:09:51 AM -1000 Randy Bush <randy at psg.com> wrote:
>
>>
>>> it is a best practice to separate authoritative and recursive servers.
>>
>> why?
>
>Cache poisoning (though this is less likely with more modern bind's and 
>other resolvers) and the age old your view is NOT the same as the world 
>view.  IE if you've got a customer who has offsite DNS, but hasn't told 
>you, and you've got authoritative records for his zone, you might be 
>delivering mail locally, or to the wrong place, and it can take a long time 
>to figure this out.

Yes.  However, that has to be weighed against the greater immunity to 
cache poisoning in authoritative servers -- if a server *knows* it has 
the real data, it has much stronger grounds for rejecting nonsense.  
This is, in fact, one of the tests used.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb





More information about the NANOG mailing list