nanog mailing list archives
Re: AW: Odd policy question.
From: Joe Abley <jabley () isc org>
Date: Fri, 13 Jan 2006 16:32:32 -0500
On 13-Jan-2006, at 15:09, Randy Bush wrote:
>> it is a best practice to separate authoritative and recursive servers.
> why?
Because it prevents stale, authoritative data on your nameservers being returned to intermediate-mode resolvers in the form of apparently authoritative answers, bypassing a valid delegation chain from the root.
Stale data might be present due to a customer re-delegating a domain away from your nameservers without telling you, or from the necessity with some registries of having to set up a domain on the auth NS set before domain registration can proceed (or be denied). It might also be introduced deliberately, as described by you in this thread.
While periodically checking the zones your authority servers are hosting so that you know when they have been re-delegated away is a good idea, and can reduce the period during which bad answers get sent to clients from a combined auth/res server, segregating the two roles between different nameservers avoids returning *any* stale answers. (Using multiple instances of a nameserver daemon running on the same host, bound to different addresses, might well be sufficient; you don't necessarily need to add hardware.)
This reasoning is orthogonal to the observation that various species of DNS server software (including BIND) have, in the past, featured bugs for which a workaround is to keep authority/cache functions separate. For people using such software, however, this provides additional incentive.
Joe
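
The periodic check of hosted zones mentioned in the message above can be sketched as follows. This is an added example, not part of the original post: the nameserver names, zone names and referral text are constructed, and the input is assumed to be the text printed by `dig +norec NS <zone> @<parent server>`.

```python
OUR_NS = {"ns1.hoster.example.", "ns2.hoster.example."}  # assumed names

def fqdn(name):
    """Normalise a DNS name: lower case, trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def delegation_ns(zone, dig_text):
    """Return the NS targets listed for `zone` in dig-style output."""
    targets = set()
    for line in dig_text.splitlines():
        fields = line.split()
        # Record lines: owner TTL class type rdata. ';' starts a comment.
        if len(fields) != 5 or fields[0].startswith(";"):
            continue
        owner, _ttl, rrclass, rrtype, rdata = fields
        if (rrclass.upper(), rrtype.upper()) != ("IN", "NS"):
            continue
        if fqdn(owner) == fqdn(zone):
            targets.add(fqdn(rdata))
    return targets

def classify(zone, dig_text, our_ns=OUR_NS):
    """Return 'ok', 'partial', 'stale' or 'undelegated' for a hosted zone."""
    ns = delegation_ns(zone, dig_text)
    ours = {fqdn(n) for n in our_ns}
    if not ns:
        return "undelegated"  # e.g. set up before registration completed
    if ns <= ours:
        return "ok"
    return "partial" if ns & ours else "stale"  # stale: re-delegated away

# Constructed referrals as a parent-zone server might return them.
SAMPLES = {
    "kept.example": ";; AUTHORITY SECTION:\n"
        "kept.example.\t172800\tIN\tNS\tNS1.hoster.example.\n"
        "kept.example.\t172800\tIN\tNS\tns2.hoster.example.\n",
    "moved.example": ";; AUTHORITY SECTION:\n"
        "moved.example.\t172800\tIN\tNS\tns1.other.example.\n"
        "moved.example.\t172800\tIN\tNS\tns2.other.example.\n",
    "pending.example": ";; AUTHORITY SECTION:\n"
        "example.\t900\tIN\tSOA\ta.nic.example. h.nic.example. 1 1800 900 604800 86400\n",
}

def audit(samples=SAMPLES):
    """Map each hosted zone to its delegation status."""
    return {zone: classify(zone, text) for zone, text in samples.items()}

if __name__ == "__main__":
    for zone, status in audit().items():
        print(f"{zone:20} {status}")
```

Zones reported as `stale` or `undelegated` are the ones a combined auth/res server would answer from local data instead of following the delegation chain from the root.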
