nanog mailing list archives

Re: how to protect name servers against cache corruption


From: Robert Bowman <rob () elite exodus net>
Date: Tue, 22 Jul 1997 13:57:44 -0700 (PDT)

Isolating recursive from non-recursive servers has a ton of benefits:

1.  measuring your external from internal queries becomes easier, hence
budgeting for the appropriate servers has a cost matching ability
2.  to use distributed director from cisco, you need non-recursive
authoritative servers
3.  your authoritative servers become less susceptible to corruption
from a looped delegation, hence isolating your DNS problems to
the recursive resolvers instead of taking down all your authoritative
abilities
etc. etc.

Rob


a BIND 4.9.6 or 8.1.1 server is immune.  so, you could upgrade.  to do so,
see http://www.isc.org/isc/ which will lead you to ftp://ftp.isc.org/isc/.
(the root name servers are all running modern software at this point.)

alternic's corruption works by locating authoritative name servers via the "NS RR"'s published in various zones.  if you run these as authoritative-only (recursion disabled) then they will never fetch any data from anywhere.  (the root name servers are configured this way, for example.)  the downside is that you can't list such nameservers in your "resolv.conf" files or PC equivalents (Control Panel\Networking\TCP IP Settings, or some such rot.)  this means you need more name servers if you separate recursive from non-recursive.
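The recursive vs. authoritative-only distinction both posters rely on is visible to any client in the RA (recursion available) bit of a response header. The following is an added example, not code from either poster: it builds a stub-resolver style query, decodes the header, and classifies the answering server, so an operator can verify that the servers listed in resolv.conf actually recurse and that the authoritative ones do not. Server address, name and the sample responses are constructed here.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000  # message is a response
AA = 0x0400  # authoritative answer
RD = 0x0100  # recursion desired (set by the client)
RA = 0x0080  # recursion available (set by a recursive server)


def build_query(name, qid=0x1234):
    """Minimal A/IN query with RD set, as a resolv.conf stub resolver sends it."""
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1)


def parse_header(resp):
    """Decode the fixed 12-byte header; the flags word carries what we need."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "rcode": flags & 0x000F, "ancount": an}


def classify(resp):
    """'recursive' if RA is advertised, else 'authoritative-only'.
    A recursion-disabled server leaves RA clear and typically answers a
    query for a foreign name with REFUSED (rcode 5) or a bare referral."""
    h = parse_header(resp)
    if not h["qr"]:
        raise ValueError("not a response")
    return "recursive" if h["ra"] else "authoritative-only"


def probe(server, name="www.example.com", timeout=2.0):
    """Send one UDP query to a live server and classify its answer (network needed)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(512)
    if parse_header(resp)["id"] != 0x1234:
        raise ValueError("response id mismatch")
    return classify(resp)


# Constructed sample responses (headers only, not captured traffic).
RECURSIVE_RESP = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
AUTH_ONLY_RESP = struct.pack("!HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0)  # REFUSED, RA clear
```

On a BIND 8 server the authoritative-only behaviour described above corresponds to `recursion no;` in the `options` block of named.conf; `probe("192.0.2.53")` against such a server should return "authoritative-only".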
