nanog mailing list archives

Re: AW: Odd policy question.


From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Fri, 13 Jan 2006 15:35:36 -0500


In message <838DBE2645430DF70BAFFC9C () dhcp-2-206 wgops com>, Michael Loftis writes:

> --On January 13, 2006 10:09:51 AM -1000 Randy Bush <randy () psg com> wrote:
>
>> it is a best practice to separate authoritative and recursive servers.
>>
>> why?
>
> Cache poisoning (though this is less likely with more modern BINDs and 
> other resolvers) and the age-old your view is NOT the same as the world 
> view.  I.e., if you've got a customer who has offsite DNS, but hasn't told 
> you, and you've got authoritative records for his zone, you might be 
> delivering mail locally, or to the wrong place, and it can take a long time 
> to figure this out.

Yes.  However, that has to be weighed against the greater immunity to 
cache poisoning in authoritative servers -- if a server *knows* it has 
the real data, it has much stronger grounds for rejecting nonsense.  
This is, in fact, one of the tests used.

                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
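An added illustration of the two points raised in this exchange (toy code written for this archive page, not from anyone in the thread): a server that is both authoritative and recursive keeps serving its local zone data even after the customer has moved DNS offsite, while the same local authority lets it refuse upstream records for names it owns, alongside a plain in-bailiwick cache filter. Zone names and MX targets are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class CombinedServer:
    """Toy DNS server that is both authoritative (local_zones) and recursive (cache)."""

    # zone apex -> {owner name: MX target}; constructed sample data, not real records
    local_zones: dict
    cache: dict = field(default_factory=dict)

    @staticmethod
    def in_bailiwick(name: str, zone: str) -> bool:
        # True when `name` is at or below `zone`, i.e. a server for `zone` may speak for it
        return name == zone or name.endswith("." + zone)

    def local_zone_for(self, name: str):
        # The zone we hold authoritatively that covers `name`, or None
        for zone in self.local_zones:
            if self.in_bailiwick(name, zone):
                return zone
        return None

    def accept_records(self, answering_zone: str, records: dict) -> dict:
        """Cache admission: keep only in-bailiwick records, and never let an
        upstream answer overwrite a name we are authoritative for (the
        'server knows it has the real data' rejection from the thread)."""
        accepted = {}
        for name, target in records.items():
            if not self.in_bailiwick(name, answering_zone):
                continue  # out-of-bailiwick data: classic poisoning vector, dropped
            if self.local_zone_for(name) is not None:
                continue  # we are authoritative; upstream data for it is ignored
            accepted[name] = target
            self.cache[name] = target
        return accepted

    def resolve_mx(self, name: str, world_answer: tuple):
        """Return the MX target we would hand to a local mail server.
        world_answer = (answering_zone, records) is what the outside world says."""
        zone = self.local_zone_for(name)
        if zone is not None:
            # Local authority wins, even if the customer moved DNS offsite:
            # the 'your view is not the world view' problem
            return self.local_zones[zone].get(name)
        if name not in self.cache:
            self.accept_records(*world_answer)
        return self.cache.get(name)
```

A purely recursive instance (empty local_zones) follows the world view, which is the operational argument for running the two roles on separate servers.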
