forwarding to a child zone is different!!
Brad Knowles
brad.knowles at skynet.be
Wed Apr 25 07:01:54 UTC 2001
At 10:04 PM -0400 4/24/01, Kevin Darcy wrote:
> So am I "clueless" because I'm effectively mixing authoritative
> with non-authoritative data, recursing some of the time but not always? I
> don't think so (obviously). I'm just tuning my nameservers to my local usage
> patterns.
You are certainly risking the propagation of polluted caches,
which would at the very least be much, much less likely if the
caching servers were not authoritative for anything. Moreover, the
method of caching and the TTLs used, etc., should ensure that most
of those records would stay locally available (at least, those that
are used) even if the servers in question weren't authoritative.
Therefore, they shouldn't need to be authoritative for the zones
in question in order to ensure good performance, and if they do, I
submit that you probably have larger problems you need to solve and
that trying to "fix" them with your nameserver is an ill-conceived
band-aid to be applying.
However, you are capable of reading the documentation, and if you
really want to take these risks, you are capable of configuring the
machines so as to allow you to do this.
No, I'm much more worried about the other 99.99999% of the people
who do this sort of stuff (and far worse) out of ignorance.
Check out the nameservers for Critical Path (criticalpath.net) sometime.
Having unadvertised caching servers that also happen to be
authoritative for certain zones does have some security risks (which
might be mitigated if they are on private networks and not publicly
accessible), but we know that having advertised authoritative servers
that are also caching & recursive is a *far* more dangerous risk.
We also know that it is the height of stupidity to expect that
your nameservers will be protected from zone transfers by blocking
port 53/TCP, since we also know that there are legitimate uses of
port 53/TCP and blocking that as a whole does more harm than good.
And these guys are supposed to be world market leaders in the
field of outsourcing your e-mail? If they are this incompetent with
regards to managing their DNS, I wouldn't trust them to puke on my
shoes, much less manage anything of any real value to me.
Hell, check out most of the ccTLD nameservers in the world --
most of them are caching & recursive, too. You'd think that someone,
somewhere, might actually pay attention to things like RFC 2870.
But then, even K. Robert Elz was running munnari (a major
nameserver in Australia, which happens to be a secondary for many
ccTLD zones around the world) as a caching recursive nameserver for a
very long time, and you don't get too much more experienced in this
business than him.
--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
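Added example (not part of Brad Knowles' message, and not any real site's configuration): a BIND 9 named.conf fragment showing the pattern criticised above, an advertised authoritative server that also recurses for the whole Internet and relies on a firewall to stop AXFR, beside a hardened configuration that keeps recursion and cache contents away from external clients and limits zone transfers by ACL instead of by blocking 53/TCP. The zone example.net, the 192.0.2.0/24 (TEST-NET-1) internal network and the secondary at 198.51.100.10 are placeholders I chose for illustration; the BIND 9 view syntax postdates the 2001 message.

```conf
// Added example, not from the original post or any real site's config.
// Assumed BIND 9 syntax. example.net, 192.0.2.0/24 (internal network) and
// 198.51.100.10 (the secondary) are placeholders.

acl internal    { 127.0.0.0/8; 192.0.2.0/24; };
acl secondaries { 198.51.100.10; };

// WEAK: an advertised authoritative server that is also an open recursive
// resolver, with zone transfers "protected" only by a firewall rule that
// drops 53/TCP (and with it legitimate TCP fallback for truncated answers).
//
// options {
//     recursion yes;          // the default, so an untouched config has it
//     // allow-transfer absent: any host may AXFR example.net
// };
// zone "example.net" { type master; file "db.example.net"; };

// HARDENED: if both roles must share one host, split them by view so
// external clients only ever see authoritative data, and restrict AXFR
// by ACL on port 53 rather than by blocking the transport.
options {
    directory "/var/named";
    allow-transfer { secondaries; };   // default for every zone below
};

view "internal" {
    match-clients     { internal; };
    recursion         yes;             // recurse only for our own clients
    allow-query-cache { internal; };   // cache readable only internally
    zone "example.net" {
        type master;
        file "db.example.net";
    };
};

view "external" {                      // last view, catches everyone else
    match-clients     { any; };
    recursion         no;              // authoritative answers only
    allow-query-cache { none; };       // never serve cached data outward
    zone "example.net" {
        type master;
        file "db.example.net";
    };
};
```

The cleaner fix, and the one the message argues for, is separate machines: a pure authoritative server with `recursion no;` and a separate unadvertised resolver that is authoritative for nothing. The view split is the minimum if a single host is unavoidable. To check the result from an outside address, `dig @ns1.example.net www.example.com A` should come back without the `ra` flag and without an answer, and `dig @ns1.example.net example.net AXFR` should fail, while a TCP query such as `dig +tcp @ns1.example.net example.net SOA` still succeeds.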