North American Network Operators Group
Re: AW: Odd policy question.

In message <[email protected]>, Michael Loftis writes:
>
>
>--On January 13, 2006 10:09:51 AM -1000 Randy Bush <[email protected]> wrote:
>
>>
>>> it is a best practice to separate authoritative and recursive servers.
>>
>> why?
>
>Cache poisoning (though this is less likely with more modern bind's and
>other resolvers) and the age old your view is NOT the same as the world
>view. IE if you've got a customer who has offsite DNS, but hasn't told
>you, and you've got authoritative records for his zone, you might be
>delivering mail locally, or to the wrong place, and it can take a long time
>to figure this out.

Yes. However, that has to be weighed against the greater immunity to cache
poisoning in authoritative servers -- if a server *knows* it has the real
data, it has much stronger grounds for rejecting nonsense. This is, in
fact, one of the tests used.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
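The separation the thread argues for, shown as BIND 9 named.conf fragments. This is an added illustration, not configuration from anyone in the thread; the zone name customer.example, the 192.0.2.0/24 prefix and the file paths are placeholders. Fragment 1 is the combined setup Loftis describes (local authoritative copy plus open recursion on one box), fragments 2 and 3 are the two servers that replace it. Each fragment is a separate named.conf; they are shown together only for comparison.

```conf
// ADDED EXAMPLE, not from the NANOG thread. Three separate BIND 9 named.conf
// files; zone names, prefixes and file paths are placeholders.

// --- 1. Combined authoritative + recursive server (the setup to avoid) -----
// This one server both holds a local copy of the customer's zone and recurses
// for everyone. If the customer moves DNS offsite without telling you, the
// server keeps answering from its stale local copy instead of following the
// public delegation, so mail can be delivered locally or to the wrong place.
// Its shared cache is also the part exposed to poisoning attempts.
options {
    directory "/var/named";
    recursion yes;                        // recursion for anyone who can reach it
};
zone "customer.example" {
    type master;                          // local authoritative copy
    file "db.customer.example";
};

// --- 2. Authoritative-only server ----------------------------------------
// Refuses recursion, so it never caches third-party data: it only ever
// answers from zones it is configured to serve, which is the "knows it has
// the real data" property Bellovin refers to.
options {
    directory "/var/named";
    recursion no;                         // authoritative answers only
    allow-query { any; };                 // the world may ask about our zones
};
zone "customer.example" {
    type master;
    file "db.customer.example";
};

// --- 3. Recursive-only resolver --------------------------------------------
// Holds no copies of customer zones, so its answers always come from the
// public delegation (the world view), and it serves only the customer base.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };    // placeholder: customer-facing prefix
    allow-query-cache { 192.0.2.0/24; };  // cache contents not readable from outside
};
// Deliberately no zone statements for customer zones on this server.
```

Two checks are worth running after the split. From a host outside the listed prefix, `dig @<authoritative server> www.example.org A` (a name the server is not authoritative for) should return REFUSED with no `ra` flag set, confirming that server will not recurse. To catch the stale-copy problem the thread describes, compare the MX answer your resolver gives for a customer zone with the answer obtained by walking the public delegation (`dig +trace customer.example MX`); any difference means your view and the world view have diverged.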