Home page logo

nanog logo nanog mailing list archives

Re: AW: Odd policy question.
From: Joe Abley <jabley () isc org>
Date: Fri, 13 Jan 2006 17:28:54 -0500

On 13-Jan-2006, at 17:07, Randy Bush wrote:

it is a best practice to separate authoritative and recursive
Because it prevents stale, authoritative data on your nameservers
being returned to intermediate-mode resolvers in the form of
apparently authoritative answers, bypassing a valid delegation chain
from the root.

and thereby hiding the fact that someone has either lame delegated
or i have forgotten to remove an auth zone, both cases i want to
catch.  not a win here.

If someone has a lame delegation to one of your servers, that's a different problem (and the one that this thread began with). The link between that problem and the one I'm talking about is the decision to treat the former with bogus data as an incentive for the lame delegator to fix their records.

The impact of forgetting to remove a zone is greatly reduced if nobody ever has a reason to send a query for that data to your nameserver. To all intents and purposes, hosting random, non- delegated zones on an authority-only server doesn't break anything.

However, it's still a good idea to check (e.g. using a script) for forgotten zones, as you say, in the interests of good hygiene.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]