Separation of authoritative and recursive functions (was: cTLD and DNS upgrade)

Niall O'Reilly Niall.oReilly at ucd.ie
Tue Jul 5 19:48:15 UTC 2005


On 5 Jul 2005, at 08:08, Stephane Bortzmeyer wrote (perhaps as a
rhetorical question?):

> But I wonder if there is today, with the current BIND, a specific
> technical reason to do so (such as a known security issue) or if it is
> just good practice to put widely different functions on different
> servers, just in case.

And on 5 Jul 2005, at 08:44, Mark Andrews, answering Stephane, chose not
to grasp this particular nettle.  I can't fault him for that choice.

I think it would be good if one or two people who know more about this
issue than I do could answer the question Stephane raises, focusing, as
he does, on the _current_ BIND.

I'm sure there are a couple of such people out there. 8-)

As for me, I find it useful to draw a line between

	(a) advertising the domains for which I am responsible, and

	(b) providing a name-resolution service to customers on the
		networks for which I am responsible.

The few servers I'm involved with provide one or other of these services,
but not both.

My 'a' servers are advertised in the parent zone and in the zone(s) for
which they provide service, are authoritative, do not provide recursion,
and are publicly accessible.  After all, we want the world to be able to
find us.

My 'b' servers are advertised internally using DHCP and customer-directed
documentation, are recursive, may carry 'stealth' authoritative copies of
internal zones, and refuse queries from outside the networks for which
they provide service.


/Niall
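As an added illustration (not Niall's own configuration, and not from the BIND project), here is how the two server classes described above map onto BIND 9 named.conf directives; the zone names, addresses and file paths are made-up placeholders, and the two fragments belong on two different hosts, never in one file.

```conf
// ===== server class (a): public authoritative =====
// Listed in the parent zone and in its own zones; answers only for
// those zones, never recurses, and is reachable from anywhere.
options {
    directory "/var/named";
    recursion no;                    // authoritative only
    allow-query { any; };            // the world must be able to find us
    allow-transfer { none; };        // AXFR opened per zone below
};

zone "example.net" {
    type master;
    file "master/example.net.zone";
    allow-transfer { 198.51.100.2; };   // our secondary (placeholder)
};

// ===== server class (b): internal recursive (separate host) =====
// Handed out by DHCP to customers; recursive for them only, refuses
// queries from outside, and carries stealth copies of internal zones
// that are not delegated from the parent and not advertised outward.
acl customers { 192.0.2.0/24; 2001:db8::/32; 127.0.0.1; };

options {
    directory "/var/named";
    recursion yes;
    allow-query     { customers; };  // everyone else gets REFUSED
    allow-recursion { customers; };
    allow-transfer  { none; };       // nothing to hand out
};

zone "internal.example.net" {
    type slave;
    masters { 10.0.0.5; };           // hidden primary (placeholder)
    file "slave/internal.example.net.zone";
    notify no;                       // stealth: no NOTIFY leaves this host
};
```

With `recursion no` on class (a), a recursive query from outside is answered non-recursively (referral or REFUSED) rather than resolved on the querier's behalf, and class (b) never has to expose its cache to addresses outside `customers`.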


