On Fri, Jan 13, 2006 at 01:47:48PM -0800, David W. Hankins wrote:
On Fri, Jan 13, 2006 at 10:09:51AM -1000, Randy Bush wrote:
it is a best practice to separate authoritative and recursive servers.
why?
I'm not sure anyone can answer that question. I certainly can't. Not completely, anyway. There are too many variables and motivations. [...] Well, RFC2010 section 2.12 hints at cache pollution attacks, and that's been discussed already. Note that I can't seem to find the same claim in RFC2870, which obsoletes 2010 (and the direction against recursive service is still there).
In an environment where customers may be able to add zones (such as a web-hosting environment), not separating the two may cause problems when local machines resolve off of the authoritative nameservers. This could be due to someone maliciously or accidentally adding a domain they don't control, or simply to someone setting up their domain prior to changing over the nameservers.
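To make the hosting scenario above concrete, here is an added configuration example (not from any of the posters, and not from a real deployment) showing the problem setting beside the split that avoids it. It is written as BIND 9 named.conf fragments; the zone name, file paths and the 10.0.0.0/8 client range are assumptions for illustration.

```conf
// ---- PROBLEM: one named instance serves both roles -------------------------
// Customers' zones are loaded here, and the same instance answers recursive
// queries from internal hosts. If a customer loads a zone for a name they do
// not control (or before delegation is moved), every internal resolver client
// of this server gets the locally configured data instead of the real zone,
// because authoritative data wins over cache lookup.
options {
    directory "/var/named";
    recursion yes;                  // recursive service for internal hosts ...
    allow-query { any; };           // ... and authoritative service for the world
};

zone "customer-example.com" {      // assumed customer-added zone
    type master;
    file "zones/customer-example.com.db";
};

// ---- FIX, host 1: authoritative-only server --------------------------------
// Loads customer zones, answers anyone, never recurses and never caches.
// Internal hosts must NOT list this server in /etc/resolv.conf.
options {
    directory "/var/named";
    recursion no;                   // no recursive service at all
    allow-query { any; };           // public authoritative data only
    allow-query-cache { none; };    // nothing to leak from a cache
};

zone "customer-example.com" {
    type master;
    file "zones/customer-example.com.db";
};

// ---- FIX, host 2: recursive-only resolver for internal clients -------------
// Holds no customer zones, so a locally misconfigured or hijacked zone on the
// authoritative server cannot shadow the real delegation: this resolver walks
// the delegation chain from the root like any other client on the Internet.
options {
    directory "/var/named";
    recursion yes;
    allow-query     { 10.0.0.0/8; localhost; };   // assumed internal range
    allow-recursion { 10.0.0.0/8; localhost; };
};
```

A quick check after the split is to query the authoritative host with `dig` for a name it is not authoritative for: the response flags should no longer include `ra`, and the query should not be answered from any cache. Conversely, a query to the recursive host for the customer zone should come back without the `aa` flag, because that data is reached through the delegation rather than served from local zone files.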