On Fri, Jan 13, 2006 at 01:47:48PM -0800, David W. Hankins wrote:
> On Fri, Jan 13, 2006 at 10:09:51AM -1000, Randy Bush wrote:
> > > it is a best practice to separate authoritative and recursive
> > > servers.
> > why?
> I'm not sure anyone can answer that question. I certainly can't.
> Not completely, anyway. There are too many variables and motivations.

[...]

> Well, RFC2010 section 2.12 hints at cache pollution attacks, and that's
> been discussed already. Note that I can't seem to find the same claim
> in RFC2870, which obsoletes 2010 (and the direction against recursive
> service is still there).

In an environment where customers may be able to add zones (such as a web-hosting environment), not separating the two may cause problems when local machines resolve off of the authoritative nameservers. This could be due to someone maliciously or accidentally adding a domain they don't control, or simply to someone setting up their domain prior to changing over the nameservers.

w
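As an added illustration of the separation the thread is arguing for (this is example configuration written for this page, not something any poster supplied, and it assumes BIND 9 named.conf syntax; the zone name, file path and address ranges are placeholders), the customer-facing authoritative server refuses recursion entirely, while a second, internal-only instance does the recursing and carries no customer zones. With this split, a zone a hosting customer adds on the authoritative side cannot be handed to local machines as an answer, because local machines never query that server.

```text
// --- authoritative server (customer zones live here, recursion off) ---
options {
    directory "/var/named";
    recursion no;                 // never recurse, even for local clients
    allow-query { any; };         // the world may ask about our zones
    allow-transfer { none; };     // override per zone as needed
};

// a zone a hosting customer added; it may or may not be theirs
zone "customer-example.invalid" {
    type master;
    file "customer-example.invalid.zone";
};

// --- recursive resolver (separate instance, internal clients only) ---
options {
    directory "/var/named";
    recursion yes;
    allow-query     { 192.0.2.0/24; localhost; };   // placeholder: internal nets
    allow-recursion { 192.0.2.0/24; localhost; };
    // no customer zones configured here, so every name is resolved
    // from the public tree rather than from locally loaded data
};
```

Local machines point their resolv.conf at the second instance only. The check a practitioner wants after deploying this is to send a recursive query for a name outside the hosted zones to the authoritative address and confirm it comes back with recursion refused (BIND answers REFUSED, or returns a referral, depending on version and the `allow-query` settings) rather than an answer.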