[11172] in North American Network Operators' Group
Re: how to protect name servers against cache corruption
daemon@ATHENA.MIT.EDU (Robert Bowman)
Tue Jul 22 17:03:06 1997
From: Robert Bowman <rob@elite.exodus.net>
To: vixie@vix.com (Paul A Vixie)
Date: Tue, 22 Jul 1997 13:57:44 -0700 (PDT)
Cc: nanog@merit.edu
In-Reply-To: <199707222024.NAA14009@wisdom.rc.vix.com> from "Paul A Vixie" at Jul 22, 97 01:24:59 pm
Isolating recursive from non-recursive servers has a ton of benefits:
1. measuring your external from internal queries becomes easier, hence budgeting for the appropriate servers has a cost matching ability
2. to use distributed director from cisco, you need non-recursive authoritative servers
3. your authoritative servers become less susceptible to corruption from a looped delegation, hence isolating your DNS problems to the recursive resolvers instead of taking down all your authoritative abilities
etc. etc.
Rob
>
> a BIND 4.9.6 or 8.1.1 server is immune. so, you could upgrade. to so do,
> see http://www.isc.org/isc/ which will lead you to ftp://ftp.isc.org/isc/.
> (the root name servers are all running modern software at this point.)
>
> alternic's corruption works by locating authoritative name servers via the
> "NS RR"'s published in various zones. if you run these as authoritative-
> only (recursion disabled) then they will never fetch any data from anywhere.
> (the root name servers are configured this way, for example.) the downside
> is that you can't list such nameservers in your "resolv.conf" files or PC
> equivalents (Control Panel\Networking\TCP IP Settings, or some such rot.)
> this means you need more name servers if you separate recursive from non-
> recursive.
>
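The split Vixie describes, as an added example that is not part of the original thread and is not an ISC-supplied configuration: two BIND 8-style named.conf files, one for an authoritative-only server (the kind that appears in NS records and never fetches data from anywhere) and one for the recursive resolver that client machines actually list in resolv.conf. Zone names, file names and the 192.0.2.0/24 addresses are assumed placeholders. `allow-recursion` appeared in later BIND 8 releases than the 8.1.1 mentioned above, so it is marked optional.

```conf
// ===== File 1: named.conf on the AUTHORITATIVE-ONLY server =====
// This host is what the world sees in your NS records. With recursion
// off it answers only from the zones it loads and never caches data
// fetched from other servers, so there is nothing for a bogus NS set
// to corrupt.
options {
    directory "/var/named";
    recursion no;        // refuse recursive service for everyone
    fetch-glue no;       // BIND 8: do not go looking for glue either
};

zone "example.net" {     // assumed zone name
    type master;
    file "example.net.zone";
};

// Note: no "." hint zone is needed here; this server never walks the
// root to resolve anything on a client's behalf.

// ===== File 2: named.conf on the RECURSIVE RESOLVER =====
// This is the host your clients point at (resolv.conf "nameserver" lines
// or the PC TCP/IP control panel). It caches, so it is the one that can
// be fed bad data; limit who may use it.
options {
    directory "/var/named";
    recursion yes;
    allow-query { 192.0.2.0/24; };      // assumed: your own network only
    // allow-recursion { 192.0.2.0/24; };  // optional, later BIND 8 releases
};

zone "." {
    type hint;
    file "root.cache";   // root server hints, required to recurse
};
```

The cost Vixie mentions follows directly from the two files: the authoritative box cannot appear in anyone's resolv.conf, so every site running this split needs at least one resolver host in addition to its authoritative set, and the resolver is where cache-poisoning defenses (current BIND, query restrictions) should be concentrated.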