DNS Security

wwebb at adni.net
Mon Dec 27 22:19:17 UTC 1999


> Your question is ambiguously worded. Are you concerned about slave
> zones in general that have (or don't have) ACLs or are you asking
> about slave servers for a zone where its master server has an ACL?

Excuse my lack of clarity.  I will endeavour to persevere in
clarifying my issues.  I'm interested in maximizing security against
spoofing attacks.  Options are set to allow-recursion for specific
internal servers only and fetch-glue is set to "no."  This being the
case, there are several points on which I'm not totally clear:

1.  What, if any, security advantage is obtained by not setting
allow-query { any; } in a particular master or slave zone?

2.  If allow-recursion is set for specific internal servers only, what
disadvantage is there to not including in a master zone statement
the allow-query { any; }?  I understand, for example, that if a third-
level domain had been delegated to other name servers, then a
recursive inquiry for record information within that delegated zone
would only result in a reply sending them to the name servers
serving the delegated zone.  But aside from such a limited
circumstance, why else would you want recursion turned back on
for a particular zone?

Bill Webb       
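The following named.conf sketch is an added illustration of the settings the post describes, not configuration from the original message or from ISC. It uses BIND 8 syntax because fetch-glue was a BIND 8 option (it was dropped in BIND 9); all zone names, addresses, file names and the ACL name "internal" are placeholders. The point it shows is that recursion is governed by allow-recursion alone, so an allow-query { any; } on a public authoritative zone neither re-enables recursion for outsiders nor, since the options-level default is already any, changes who can query it; restricting allow-query only matters on a zone whose data is not meant for outsiders.

```conf
// Added illustration, not Bill Webb's or ISC's configuration.
// BIND 8 syntax: fetch-glue existed in BIND 8 and was removed in BIND 9.
// Every name, address and path below is a placeholder.

acl "internal" {
    192.0.2.0/24;        // placeholder: internal resolvers that may recurse
    127.0.0.1;
};

options {
    directory "/var/named";
    // Recursive service is granted here and only to the listed hosts.
    // A zone's allow-query does not widen this.
    allow-recursion { "internal"; };
    // Do not chase missing glue for referrals: one fewer path by which
    // forged records could land in the cache (the spoofing concern above).
    fetch-glue no;
    // Server-wide default used by any zone that sets no allow-query.
    allow-query { any; };
};

// Public authoritative zone: the whole Internet must be able to ask for
// its records. Omitting allow-query here costs nothing (the zone inherits
// the options default) and writing it out explicitly changes nothing.
// Outsiders still receive authoritative, non-recursive answers only.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-query { any; };
};

// Restricting allow-query buys something only for data that outsiders
// should never see at all, e.g. an internal-only zone.
zone "internal.example" {
    type master;
    file "db.internal.example";
    allow-query { "internal"; };
};

// Slave of a public zone: ACLs are per-server configuration, so the
// master's allow-query applies on the master and the slave needs its own
// (or falls back to the options default) for the copy it serves.
zone "example.org" {
    type slave;
    file "bak.example.org";
    masters { 192.0.2.53; };    // placeholder master address
    allow-query { any; };
};
```

Checking the effect from the outside amounts to sending a recursive query for a name outside the served zones from an address not in the ACL and confirming the answer comes back without recursion, while a query for a name inside "example.com" still gets the authoritative record.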

More information about the bind-users mailing list