forwarding to a child zone is different!!

Brad Knowles brad.knowles at skynet.be
Thu Apr 26 08:32:15 UTC 2001


At 8:37 PM -0400 4/25/01, Kevin Darcy wrote:

>  Why don't we just agree that separating recursive from non-recursive
>  functions is generally recommended on/between network boundaries, i.e. where
>  there are differing levels of trust wrt the respective networks, a higher
>  danger of cache pollution, denial-of-service attacks, etc., but outside of
>  that context, hybrid recursive/non-recursive configurations are often
>  appropriate.

	I can agree that in certain very limited circumstances (such as 
when you have internal nameservers that are behind one or more 
firewalls and have no possible way of accessing the outside world and 
vice-versa) it *MAY* be an acceptable risk to mix authoritative 
services with recursive/caching services on the same machine.

	However, outside of that context, I believe that to do something 
of this sort is far too dangerous, and indeed is as bad as, or worse 
than, using forwarding or wildcard RRs.


	In other words, it is to be avoided at all possible costs, unless 
you really, really know what you're doing, and is not something to be 
advocating publicly.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'


More information about the bind-users mailing list
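As an added example (not part of this message, nor BIND's own documentation), two BIND 9 named.conf fragments that keep the authoritative and the recursive/caching roles on separate servers, as the post recommends; the zone name, addresses, ACL name and file paths are assumptions:

```conf
// Added example: two SEPARATE named.conf files for two SEPARATE hosts.
// Assumed values: example.net is the hosted zone, 203.0.113.53 is the
// public authoritative server, 192.0.2.0/24 is the internal network and
// 192.0.2.53 is the internal resolver. Nothing here comes from the post.

// ===== File 1: public, authoritative-only server (203.0.113.53) =====
acl internal { 192.0.2.0/24; };

options {
    directory "/var/named";
    listen-on { 203.0.113.53; };
    recursion no;                   // never resolve on behalf of clients,
                                    // so there is no cache to pollute
    allow-query { any; };           // anyone may query the zones we host
    allow-transfer { internal; };   // zone transfers only from inside
};

zone "example.net" {
    type master;
    file "example.net.zone";
};

// ===== File 2: internal caching resolver (192.0.2.53) =====
acl internal { 192.0.2.0/24; };

options {
    directory "/var/named";
    listen-on { 192.0.2.53; };
    recursion yes;
    allow-recursion { internal; };  // refuse recursive service to outsiders
    allow-query { internal; };      // and refuse their queries altogether
};

// This host loads no zones of its own: it learns about example.net the
// same way it learns about everything else, by resolving it. Mixing the
// zone file from File 1 into this daemon is exactly the hybrid setup the
// post argues against.
```

A quick check from outside: `dig @203.0.113.53 www.example.org A` (a name the authoritative server does not host) should come back without the `ra` flag and without a resolved answer, while the same query at 192.0.2.53 from inside is answered normally.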