[87891] in North American Network Operators' Group


Re: AW: Odd policy question.

daemon@ATHENA.MIT.EDU (Joe Abley)
Fri Jan 13 16:33:03 2006

In-Reply-To: <17352.2319.950212.765685@roam.psg.com>
Cc: "John van Oppen" <john@vanoppen.com>, <nanog@merit.edu>
From: Joe Abley <jabley@isc.org>
Date: Fri, 13 Jan 2006 16:32:32 -0500
To: Randy Bush <randy@psg.com>
Errors-To: owner-nanog@merit.edu

On 13-Jan-2006, at 15:09, Randy Bush wrote:

>> it is a best practice to separate authoritative and recursive  
>> servers.
>
> why?

Because it prevents stale, authoritative data on your nameservers  
being returned to intermediate-mode resolvers in the form of  
apparently authoritative answers, bypassing a valid delegation chain  
from the root.

Stale data might be present due to a customer re-delegating a domain  
away from your nameservers without telling you, or from the necessity  
with some registries of having to set up a domain on the auth NS set  
before domain registration can proceed (or be denied). It might also  
be introduced deliberately, as described by you in this thread.

While periodically checking the zones your authority servers are  
hosting so that you know when they have been re-delegated away is a  
good idea, and can reduce the period during which bad answers get  
sent to clients from a combined auth/res server, segregating the two  
roles between different nameservers avoids returning *any* stale  
answers. (Using multiple instances of nameserver daemon running on  
the same host, bound to different addresses might well be sufficient;  
you don't necessarily need to add hardware.)

This reasoning is orthogonal to the observation that various species  
of DNS server software (including BIND) have, in the past, featured  
bugs for which a workaround is to keep authority/cache functions  
separate. For people using such software, however, this provides  
additional incentive.


Joe
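The periodic re-delegation check that the message above recommends, written out as an added example (it is not code from the message, the thread or any NANOG participant). It assumes hypothetical server names (ns1/ns2.example.net), reads the hosted zone list from named.conf-style text, and takes the parent's NS answers as zone-file-style lines such as those in a `dig NS <zone> @<parent-server>` answer section; all sample data below is constructed. A zone that the parent no longer delegates to us is the one whose data goes stale on a combined auth/res server, and a zone the parent does not delegate at all is the "set up before registration" case.

```python
"""Flag hosted zones whose parent delegation no longer points at our servers.

Added example (not from the original message). Assumptions, all hypothetical:
our authoritative servers are ns1/ns2.example.net, zones are listed in a
named.conf-style text, and the parent's NS RRsets are supplied as text lines.
"""
import re

# Hypothetical names for our own authoritative nameservers.
OUR_NAMESERVERS = {"ns1.example.net.", "ns2.example.net."}

# Constructed sample: zones our authoritative daemon is configured to serve.
NAMED_CONF = """
zone "customer-a.example" { type master; file "db.customer-a"; };
zone "customer-b.example" { type master; file "db.customer-b"; };
zone "pending.example" { type master; file "db.pending"; };
"""

# Constructed sample: NS RRsets as answered by the parent zone's servers.
# customer-b has been re-delegated elsewhere; pending has no delegation yet.
PARENT_NS_ANSWERS = """
customer-a.example.   86400 IN NS ns1.example.net.
customer-a.example.   86400 IN NS ns2.example.net.
customer-b.example.   86400 IN NS ns1.other-provider.example.
customer-b.example.   86400 IN NS ns2.other-provider.example.
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"', re.IGNORECASE)


def canonical(name: str) -> str:
    """Lower-case a DNS name and give it exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def hosted_zones(conf_text: str) -> set:
    """Zone names declared in named.conf-style text, canonicalised."""
    return {canonical(z) for z in ZONE_RE.findall(conf_text)}


def parse_ns_answers(text: str) -> dict:
    """Map each owner name to the set of NS targets the parent returned."""
    delegations = {}
    for line in text.splitlines():
        fields = line.split()
        upper = [f.upper() for f in fields]
        if "NS" not in upper:
            continue
        i = upper.index("NS")
        if i + 1 >= len(fields):
            continue  # malformed line: NS with no target
        delegations.setdefault(canonical(fields[0]), set()).add(canonical(fields[i + 1]))
    return delegations


def classify_zones(zones, our_ns, delegations) -> dict:
    """Compare the parent's delegation for each hosted zone against our NS set.

    ok             - the parent still lists at least one of our servers
    delegated_away - the parent lists only other servers; our copy is stale
    not_delegated  - the parent has no NS RRset (e.g. pre-registration setup)
    """
    ours = {canonical(n) for n in our_ns}
    report = {}
    for zone in sorted(zones):
        parent_ns = delegations.get(zone, set())
        if not parent_ns:
            report[zone] = "not_delegated"
        elif parent_ns & ours:
            report[zone] = "ok"
        else:
            report[zone] = "delegated_away"
    return report


def stale_candidates(report: dict) -> list:
    """Zones to remove from the authoritative server before they mislead clients."""
    return sorted(z for z, status in report.items() if status == "delegated_away")


if __name__ == "__main__":
    result = classify_zones(hosted_zones(NAMED_CONF), OUR_NAMESERVERS,
                            parse_ns_answers(PARENT_NS_ANSWERS))
    for zone, status in result.items():
        print(f"{zone:30} {status}")
    print("stale:", stale_candidates(result))
```

Run from cron against live `dig` output for each hosted zone, the report turns the "re-delegated away without telling you" case into an alert rather than a silent source of stale answers; it narrows the window on a combined server but, as the message says, only separating the roles removes stale answers entirely.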
