forwarding to a child zone is different!!

Brad Knowles brad.knowles at skynet.be
Wed Apr 25 07:01:54 UTC 2001


At 10:04 PM -0400 4/24/01, Kevin Darcy wrote:

>             So am I "clueless" because I'm effectively mixing authoritative
>  with non-authoritative data, recursing some of the time but not always? I
>  don't think so (obviously). I'm just tuning my nameservers to my local usage
>  patterns.

	You are certainly risking the propagation of polluted caches, 
which would at the very least be much, much less likely if the 
caching servers were not authoritative for anything.  Moreover, the 
method of caching and the TTLs used, etc... should ensure that most 
of those records would stay locally available (at least, those that 
are used) even if the servers in question weren't authoritative.

	Therefore, they shouldn't need to be authoritative for the zones 
in question in order to ensure good performance, and if they do, I 
submit that you probably have larger problems you need to solve and 
that trying to "fix" them with your nameserver is an ill-conceived 
band-aid to be applying.


	However, you are capable of reading the documentation, and if you 
really want to take these risks, you are capable of configuring the 
machines so as to allow you to do this.

	No, I'm much more worried about the other 99.99999% of the people 
who do this sort of stuff (and far worse) out of ignorance.


	Check out the nameservers for Critical Path (criticalpath.net) sometime.

	Having unadvertised caching servers that also happen to be 
authoritative for certain zones does have some security risks (which 
might be mitigated if they are on private networks and not publicly 
accessible), but we know that having advertised authoritative servers 
that are also caching & recursive is a *far* more dangerous risk.

	We also know that it is the height of stupidity to expect that 
your nameservers will be protected from zone transfers by blocking 
port 53/TCP, since we also know that there are legitimate uses of 
port 53/TCP and blocking that as a whole does more harm than good.

	And these guys are supposed to be world market leaders in the 
field of outsourcing your e-mail?  If they are this incompetent with 
regards to managing their DNS, I wouldn't trust them to puke on my 
shoes, much less manage anything of any real value to me.


	Hell, check out most of the ccTLD nameservers in the world -- 
most of them are caching & recursive, too.  You'd think that someone, 
somewhere, might actually pay attention to things like RFC 2870.


	But then, even K. Robert Elz was running munnari (a major 
nameserver in Australia, which happens to be a secondary for many 
ccTLD zones around the world) as a caching recursive nameserver for a 
very long time, and you don't get too much more experienced in this 
business than him.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
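An added example, not part of the original thread: the post warns about servers that are authoritative for zones while also answering recursive queries. The script below parses the header of a `dig` response and flags a server that sets both `aa` (authoritative answer) and `ra` (recursion available) on the same reply, so a list of advertised nameservers can be audited for that mix. The `run_dig` wrapper and the sample responses are assumptions constructed for illustration, not captures from any real server.

```python
import re
import subprocess

# Matches the ";; flags: qr aa rd ra; QUERY: ..." header line dig prints.
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)


def parse_flags(dig_output: str) -> set:
    """Return the DNS header flags from dig output, e.g. {'qr', 'aa', 'ra'}."""
    m = FLAGS_RE.search(dig_output)
    if not m:
        raise ValueError("no ';; flags:' header line found in dig output")
    return set(m.group(1).split())


def classify(flags: set) -> str:
    """Map the aa/ra combination to the roles discussed in the post."""
    authoritative = "aa" in flags
    recursive = "ra" in flags
    if authoritative and recursive:
        return "authoritative+recursive: mixes roles, exposed to cache pollution"
    if authoritative:
        return "authoritative-only: recursion not offered"
    if recursive:
        return "caching/recursive only: should not appear in NS records"
    return "neither authoritative nor recursive for this name"


def run_dig(server: str, name: str) -> str:
    """Query one server for a zone's SOA with the system dig(1).

    +norecurse clears RD so the probe never triggers recursion itself;
    BIND still reports RA when recursion is available to the client.
    """
    cmd = ["dig", f"@{server}", name, "SOA", "+norecurse"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample responses (header lines only) for offline use.
SAMPLE_MIXED = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
    ";; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0\n"
)
SAMPLE_AUTH_ONLY = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243\n"
    ";; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_MIXED, SAMPLE_AUTH_ONLY):
        print(classify(parse_flags(sample)))
```

To audit a live server, replace the samples with `run_dig("ns.example.test", "example.test")` and classify its output.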
