nanog mailing list archives
Re: AW: Odd policy question.
From: William Yardley <nanog () veggiechinese net>
Date: Fri, 13 Jan 2006 17:03:45 -0500
On Fri, Jan 13, 2006 at 01:47:48PM -0800, David W. Hankins wrote:
On Fri, Jan 13, 2006 at 10:09:51AM -1000, Randy Bush wrote:
it is a best practice to separate authoritative and recursive servers.
why?
I'm not sure anyone can answer that question. I certainly can't. Not completely, anyway. There are too many variables and motivations.
[...]
Well, RFC2010 section 2.12 hints at cache pollution attacks, and that's been discussed already. Note that I can't seem to find the same claim in RFC2870, which obsoletes 2010 (and the direction against recursive service is still there).
In an environment where customers may be able to add zones (such as a web-hosting environment), not separating the two may cause problems when local machines resolve off of the authoritative nameservers. This could be due to someone maliciously or accidentally adding a domain they don't control, or simply to someone setting up their domain prior to changing over the nameservers.

w
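An added example, not part of the original message: an audit that flags customer-added zones a combined authoritative/recursive server would answer locally even though the parent zone delegates them elsewhere or not at all. The zone names, nameserver names and delegation data are constructed, and the parent's NS sets are assumed to have been collected separately.

```python
# Added example: all zone names, nameserver names and delegation data are constructed.

def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()

def audit_zones(local_zones, parent_delegations, our_nameservers):
    """Classify each customer-added zone by what the parent zone delegates.

    parent_delegations maps zone -> NS names published by the parent
    (assumed to be collected separately by querying the parent's servers).
    """
    ours = {norm(n) for n in our_nameservers}
    parent = {norm(z): {norm(n) for n in ns}
              for z, ns in parent_delegations.items()}
    report = {}
    for zone in local_zones:
        z = norm(zone)
        ns = parent.get(z, set())
        if not ns:
            status = "undelegated"   # parent publishes no NS records for it
        elif ns <= ours:
            status = "delegated"     # public and local answers agree
        elif ns & ours:
            status = "partial"       # mid-migration or a stale NS set
        else:
            status = "shadowed"      # delegated elsewhere: added without
                                     # control, or before the NS cutover
        report[z] = status
    return report

def needs_review(report):
    """Zones where local resolution can differ from the public answer."""
    return sorted(z for z, s in report.items() if s != "delegated")

OUR_NS = ["ns1.hosting.example.", "ns2.hosting.example."]
LOCAL_ZONES = ["customer-a.example", "Customer-B.example.",
               "bank.example", "new-site.example"]
PARENT = {
    "customer-a.example.": ["NS1.hosting.example.", "ns2.hosting.example."],
    "customer-b.example": ["ns1.hosting.example", "ns1.oldhost.example"],
    "bank.example": ["ns1.bank.example", "ns2.bank.example"],
}

if __name__ == "__main__":
    for zone, status in sorted(audit_zones(LOCAL_ZONES, PARENT, OUR_NS).items()):
        print(f"{zone:22} {status}")
```

On a server that only serves authoritative data, a "shadowed" zone is merely lame; it affects local clients only when the same server also recurses for them.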