Isolating recursive from non-recursive servers has a ton of benefits:

1. measuring your external from internal queries becomes easier, hence budgeting for the appropriate servers has a cost matching ability
2. to use distributed director from Cisco, you need non-recursive authoritative servers
3. your authoritative servers become less susceptible to corruption from a looped delegation, hence isolating your DNS problems to the recursive resolvers instead of taking down all your authoritative abilities

etc. etc.

Rob
a BIND 4.9.6 or 8.1.1 server is immune. so, you could upgrade. to so do, see http://www.isc.org/isc/ which will lead you to ftp://ftp.isc.org/isc/. (the root name servers are all running modern software at this point.)
alternic's corruption works by locating authoritative name servers via the "NS RR"'s published in various zones. if you run these as authoritative-only (recursion disabled) then they will never fetch any data from anywhere. (the root name servers are configured this way, for example.) the downside is that you can't list such nameservers in your "resolv.conf" files or PC equivalents (Control Panel\Networking\TCP IP Settings, or some such rot.) this means you need more name servers if you separate recursive from non-recursive.
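An added example, not part of the original thread: a small audit check for the split described above. It sends a query with the RD (recursion desired) bit set and reads the RA (recursion available) bit in the reply, which an authoritative-only server leaves clear. The function names, the `example.com` zone and the sample replies are constructed for illustration.

```python
import socket
import struct
import sys

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits (RFC 1035)

def build_query(name, txid=0x1234, qtype=2):
    """Build an NS query (QTYPE 2, class IN) with RD set, asking for recursion."""
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".") if lab]
    if any(len(lab) > 63 for lab in labels):
        raise ValueError("label longer than 63 bytes")
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the transaction id and the flag bits of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA), "rcode": flags & 0x000F}

def classify(query, response):
    """Return 'recursive', 'authoritative-only' or 'invalid' for one reply."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "invalid"  # not a response, or not the answer to our query
    return "recursive" if r["ra"] else "authoritative-only"

def constructed_reply(query, flags):
    """Constructed sample data: echo the query with the given response flags."""
    return query[:2] + struct.pack("!H", flags) + query[4:]

def probe(server, name, timeout=3.0):
    """Send the query over UDP to a server you operate and classify its reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return classify(query, s.recvfrom(512)[0])

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <server-ip> <zone>
        print(sys.argv[1], probe(sys.argv[1], sys.argv[2]))
    else:  # offline demonstration on constructed replies
        q = build_query("example.com")
        print(classify(q, constructed_reply(q, QR | AA | RD)))       # authoritative-only
        print(classify(q, constructed_reply(q, QR | AA | RD | RA)))  # recursive
```

Run against every server listed in a zone's NS records, any host reported as `recursive` is one that still fetches data on behalf of clients.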