Re: how to protect name servers against cache corruption

[Paul A Vixie <vixie () vix com>]

Since I believe that the security aspects of DNS are relevant to network
operations, I'm explicitly choosing to answer some messages here today
even though Paul Ferguson has issued a very reasonable request that DNS
*politics* not be discussed.

> Correct me if I'm wrong, but this implies that nameservers whose sole
> purpose is to act as primary and secondary for customer domains can run
> with recursion disabled. I.e. all those nameservers whose identity is
> readily discernable from public databases such as the Internic, RIPE, etc.,
> could run in this configuration as long as they are not also intended to do
> lookups for local machines on your local network.

Yes, that's what it is and that's why it works.  I couldn't've said it better.