On Dec 16, 2011, at 11:22 AM, sasa sasa wrote:
I'm trying to set up a DNS for an ISP, this ISP's DNS is in
delegation tree (answering world), and I know about cache
vulnerabilities so I was wondering what is the best solution for ISPs?
By separating cache from authorities, you mean implementing 2 DNSs
(2 different IPs)? This doesn't sound practical.
Then I suspect you know all this, but...
The practicality certainly depends upon your site's situation. Many
sites have enough IPs to allocate a few more to DNS, and enough server
capacity to run more bind instances, but I imagine some don't.
Two such bind instances could be on different hardware or the same,
but two IPs would be necessary. Bind typically runs on OSes that,
without tricks such as natting, generally support just one program
listening to a specific port/ip. Bind's "view" feature allows a single
bind instance on a single IP to act a bit like two instances, offering
some of the advantages of isolating their respective functions.
Aside from this, a bind instance can be configured not to answer queries
for non-authoritative data from outside your address space. This also
gives you some of the risk advantages you'd get from running separate
instances.
John Wobus
Cornell University
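As an added illustration (not from the post above or from ISC's own documentation), here is a named.conf sketch of the two approaches John describes: the "view" feature splitting one bind instance on one IP into a recursive service for the ISP's own clients and an authoritative-only service for everyone else, and the global allow-recursion restriction that gives some of the same benefit without views. The address ranges, zone name and file name are placeholders to replace with the site's real values.

```conf
// Constructed example: one BIND instance, one IP, two roles.
acl "customers" {
    192.0.2.0/24;        // placeholder: the ISP's own address space
    2001:db8::/32;       // placeholder
    localhost;
};

options {
    directory "/var/named";
    // Global limit, effective with or without views: never recurse or
    // hand out cached answers for clients outside our address space.
    allow-recursion   { customers; };
    allow-query-cache { customers; };
};

// Matched first: customers get a full recursive, caching resolver.
view "internal" {
    match-clients { customers; };
    recursion yes;
    allow-query { customers; };

    // Our authoritative data is served here too, so customers need not
    // leave this view to resolve the ISP's own names.
    zone "example.net" {
        type master;
        file "db.example.net";
    };
};

// Everyone else: authoritative answers only. Cache poisoning attempts
// from the outside have no recursive path to work with in this view.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };
    allow-query { any; };

    zone "example.net" {
        type master;
        file "db.example.net";
    };
};
```

When views are in use, every zone must live inside a view; a site that wants only the simpler, non-view variant keeps just the acl and options blocks and declares its zones at top level.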
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users