On 13-Jan-2006, at 15:09, Randy Bush wrote:
it is a best practice to separate authoritative and recursive servers.
why?
Because it prevents stale, authoritative data on your nameservers being returned to intermediate-mode resolvers in the form of apparently authoritative answers, bypassing a valid delegation chain from the root. Stale data might be present due to a customer re-delegating a domain away from your nameservers without telling you, or from the necessity with some registries of having to set up a domain on the auth NS set before domain registration can proceed (or be denied). It might also be introduced deliberately, as described by you in this thread. While periodically checking the zones your authority servers are hosting so that you know when they have been re-delegated away is a good idea, and can reduce the period during which bad answers get sent to clients from a combined auth/res server, segregating the two roles between different nameservers avoids returning *any* stale answers. (Using multiple instances of nameserver daemon running on the same host, bound to different addresses might well be sufficient; you don't necessarily need to add hardware.) This reasoning is orthogonal to the observation that various species of DNS server software (including BIND) have, in the past, featured bugs for which a workaround is to keep authority/cache functions separate. For people using such software, however, this provides additional incentive. Joe