[87889] in North American Network Operators' Group


Re: AW: Odd policy question.

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Jan 13 15:37:10 2006

From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Michael Loftis <mloftis@wgops.com>
Cc: nanog@merit.edu
In-Reply-To: (Your message of "Fri, 13 Jan 2006 13:25:23 MST.")
             <838DBE2645430DF70BAFFC9C@dhcp-2-206.wgops.com> 
Date: Fri, 13 Jan 2006 15:35:36 -0500
Errors-To: owner-nanog@merit.edu


In message <838DBE2645430DF70BAFFC9C@dhcp-2-206.wgops.com>, Michael Loftis writes:
>
>--On January 13, 2006 10:09:51 AM -1000 Randy Bush <randy@psg.com> wrote:
>
>>
>>> it is a best practice to separate authoritative and recursive servers.
>>
>> why?
>
>Cache poisoning (though this is less likely with more modern BINDs and 
>other resolvers) and the age-old your view is NOT the same as the world 
>view.  I.e., if you've got a customer who has offsite DNS, but hasn't told 
>you, and you've got authoritative records for his zone, you might be 
>delivering mail locally, or to the wrong place, and it can take a long time 
>to figure this out.

Yes.  However, that has to be weighed against the greater immunity to 
cache poisoning in authoritative servers -- if a server *knows* it has 
the real data, it has much stronger grounds for rejecting nonsense.  
This is, in fact, one of the tests used.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
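The split the thread argues about, written out as an added BIND 9 named.conf sketch; it is not from the list posting, and the zone name, file names and the 192.0.2.0/24 access network are constructed placeholders (RFC 2606 / RFC 5737 ranges):

```conf
// BEFORE (constructed): one named instance is both authoritative for a
// customer zone and the recursive resolver for that customer's clients.
// Clients see the local zone file, not the world's delegation, so if the
// customer moves the zone offsite without telling you, mail and other
// lookups from inside keep landing on the stale local data.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // customer access network
};
zone "customer.example" {
    type master;                          // "type primary" on newer BIND
    file "customer.example.zone";
};

// AFTER, file 1 (auth-ns.conf): authoritative only.  recursion no means it
// never fetches or caches outside data, which is the "it knows it has the
// real data" property Bellovin mentions, and it only answers for loaded zones.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };                 // delegated zones must be world-reachable
};
zone "customer.example" {
    type master;
    file "customer.example.zone";
};

// AFTER, file 2 (resolver.conf): recursive only, on a separate host or a
// separate named process.  It loads no customer zones, so a query for
// customer.example always follows the delegation from the parent and
// reaches whichever servers the customer currently uses.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // only the access network may recurse
    allow-query { 192.0.2.0/24; };       // do not be an open resolver
};
zone "." {
    type hint;                            // root hints; no customer data here
    file "named.root";
};
```

A quick check that the split is in effect: a non-recursive query to the authoritative host for a name outside its zones should return REFUSED or a referral rather than an answer, and the resolver host should have no authoritative zones listed in its configuration.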
