[87894] in North American Network Operators' Group
Re: AW: Odd policy question.
daemon@ATHENA.MIT.EDU (William Yardley)
Fri Jan 13 17:06:30 2006
Date: Fri, 13 Jan 2006 17:03:45 -0500
From: William Yardley <nanog@veggiechinese.net>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <20060113214748.GD18721@isc.org>
Errors-To: owner-nanog@merit.edu
On Fri, Jan 13, 2006 at 01:47:48PM -0800, David W. Hankins wrote:
> On Fri, Jan 13, 2006 at 10:09:51AM -1000, Randy Bush wrote:
> > > it is a best practice to separate authoritative and recursive
> > > servers.
> > why?
> I'm not sure anyone can answer that question. I certainly can't.
> Not completely, anyway. There are too many variables and motivations.
[...]
> Well, RFC2010 section 2.12 hints at cache pollution attacks, and that's
> been discussed already. Note that I can't seem to find the same claim
> in RFC2870, which obsoletes 2010 (and the direction against recursive
> service is still there).
In an environment where customers may be able to add zones (such as a
web-hosting environment), not separating the two may cause problems when
local machines resolve off of the authoritative nameservers. This could
be due to someone maliciously or accidentally adding a domain they don't
control, or simply to someone setting up their domain prior to changing
over the nameservers.
w
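The shadowing problem described above, as an added illustration that is not part of the original thread: a small Python model of a hosting server that is both authoritative and recursive, where a customer has loaded example.com without controlling it. All zone data, addresses and the "public DNS" are constructed stand-ins, not real lookups; the names ns1.hoster.example and the 198.51.100.x / 203.0.113.x addresses are assumed for the example.

```python
"""Model of zone shadowing on a combined authoritative+recursive server.

Constructed example: LOCAL_ZONES is what customers have loaded on the
hosting server, UPSTREAM_* stands in for the public DNS (no network used).
"""
from typing import Optional

# Constructed public DNS data: name -> A record, zone -> delegated NS set
UPSTREAM_A = {"www.example.com": "203.0.113.10", "www.example.net": "203.0.113.20"}
UPSTREAM_NS = {"example.com": {"ns1.example.com"}, "example.net": {"ns1.hoster.example"}}

# Zones loaded on the hosting server (constructed). example.net is legitimately
# delegated here; example.com was added by a customer who does not control it.
LOCAL_ZONES = {
    "example.net": {"www.example.net": "203.0.113.20"},
    "example.com": {"www.example.com": "198.51.100.99"},
}
THIS_SERVER_NS = "ns1.hoster.example"  # assumed hostname of the hosting server


def matching_zone(name: str, zones: dict) -> Optional[str]:
    """Longest-suffix zone match, the way an authoritative server picks a zone."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(name: str, combined: bool) -> Optional[str]:
    """combined=True: the server answers from its own zones before recursing,
    so local clients get the customer's data for example.com.
    combined=False: a separate resolver that only follows public delegation."""
    if combined:
        zone = matching_zone(name, LOCAL_ZONES)
        if zone is not None:
            return LOCAL_ZONES[zone].get(name)
    return UPSTREAM_A.get(name)


def shadowed_zones() -> list:
    """Defender's check: local zones whose public delegation does not point at
    this server. Any such zone shadows the real data for clients resolving here."""
    return sorted(z for z in LOCAL_ZONES if THIS_SERVER_NS not in UPSTREAM_NS.get(z, set()))
```

Running `shadowed_zones()` against a real server would mean replacing UPSTREAM_NS with an actual NS lookup per configured zone; here it only flags example.com from the constructed data.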