AW: Odd policy question.
Steven M. Bellovin
smb at cs.columbia.edu
Fri Jan 13 20:35:36 UTC 2006
In message <838DBE2645430DF70BAFFC9C at dhcp-2-206.wgops.com>, Michael Loftis writes:
>
>--On January 13, 2006 10:09:51 AM -1000 Randy Bush <randy at psg.com> wrote:
>
>>
>>> it is a best practice to separate authoritative and recursive servers.
>>
>> why?
>
>Cache poisoning (though this is less likely with more modern BINDs and
>other resolvers) and the age-old "your view is NOT the same as the world
>view". I.e., if you've got a customer who has offsite DNS, but hasn't told
>you, and you've got authoritative records for his zone, you might be
>delivering mail locally, or to the wrong place, and it can take a long time
>to figure this out.
Yes. However, that has to be weighed against the greater immunity to
cache poisoning in authoritative servers -- if a server *knows* it has
the real data, it has much stronger grounds for rejecting nonsense.
This is, in fact, one of the tests used.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
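The two configurations the thread is weighing, written out as BIND 9 named.conf fragments. This is an added illustration, not configuration from the NANOG thread or from any of its posters; the zone name customer.example, the file paths and the address ranges (RFC 5737/3849 documentation space) are hypothetical. The first fragment is the combined setup Loftis describes, where a stale local copy of a customer's zone is handed to every client; the other two are the separated setup, one file per host.

```conf
// Added example, not from the NANOG thread. Three named.conf
// fragments; each is a separate file on a separate host.
// Zone name, file paths and address ranges are hypothetical.

// --- (1) Weak: one server is both authoritative and recursive ---
// Anyone can recurse through it, and its local copy of
// customer.example is returned to every client even after the
// customer has moved their DNS elsewhere and never told you.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
};
zone "customer.example" {
    type master;
    file "customer.example.zone";
};

// --- (2) Corrected: authoritative-only server ---
// Serves only the zones it holds and never recurses, so there is
// no cache to poison and nothing to answer from but its own data.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
};
zone "customer.example" {
    type master;
    file "customer.example.zone";
};

// --- (3) Corrected: recursive resolver with no local zone data ---
// Holds no copy of customer.example, so it resolves the name by
// following the public delegation and sees the same answer the
// rest of the world does. Recursion and cache access are limited
// to the operator's own clients.
acl customers { 192.0.2.0/24; 2001:db8::/32; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { customers; };
    allow-query-cache { customers; };
};
```

A quick way to confirm the split on a running host is `dig +norecurse` against the authoritative server (it should answer its own zones and return REFUSED or an empty referral for anything else) and a recursive query for customer.example against the resolver from outside the `customers` ACL, which should be refused. In setup (3) the resolver has no "own view" of the customer's zone to disagree with the world's; in setup (2) the server answers only from data it knows to be authoritative, which is the stronger position Bellovin describes.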