SERVFAIL for some domains on some servers

Kevin Darcy kcd at chrysler.com
Mon Mar 1 19:20:43 UTC 2010


On 3/1/2010 5:44 AM, Stephane Bortzmeyer wrote:
> On Sat, Feb 27, 2010 at 06:51:44PM +0100,
>   Oliver Henriot <Oliver.Henriot at imag.fr> wrote
>   a message of 104 lines which said:
>
>> but my computing skills are scarce and I still have a lot to learn.
>
> For instance, that you should always use real names
> <http://dougbarton.us/DNS/bind-users-FAQ.html#RealNames>
>
>> - servers "2", "3" and "4": slaves for my domain, recursion allowed for
>> all, official resolvers for my clients, same configuration on all 3.
>
> Bad setup: you should really completely separate authoritative and
> recursive services.
>
I'm not sure those recommendations apply as strongly as they used to. 
Now we have views and (if the original poster were to upgrade to 9.4.x 
or higher) fine-grained control over access to cached data.

Also, I'm not sure the authoritative zone mentioned by the original 
poster is actually being served to the Internet. If it's only internal, 
that might alter the threat model slightly.

Then again, I'm not sure exactly what you mean by "completely separate". 
Separate hardware? That might be hard to justify economically (cost 
versus benefit).

- Kevin




