Re: AW: Odd policy question.

[Joe Abley <jabley () isc org>]

On 13-Jan-2006, at 17:07, Randy Bush wrote:

> > > > it is a best practice to separate authoritative and recursive
> > > > servers.
> > > why?
> > Because it prevents stale, authoritative data on your nameservers
> > being returned to intermediate-mode resolvers in the form of
> > apparently authoritative answers, bypassing a valid delegation chain
> > from the root.
>
> and thereby hiding the fact that someone has either lame delegated
> or i have forgotten to remove an auth zone, both cases i want to
> catch.  not a win here.

If someone has a lame delegation to one of your servers, that's a  
different problem (and the one that this thread began with). The link  
between that problem and the one I'm talking about is the decision to  
treat the former with bogus data as an incentive for the lame  
delegator to fix their records.

The impact of forgetting to remove a zone is greatly reduced if  
nobody ever has a reason to send a query for that data to your  
nameserver. To all intents and purposes, hosting random, non- 
delegated zones on an authority-only server doesn't break anything.

However, it's still a good idea to check (e.g. using a script) for  
forgotten zones, as you say, in the interests of good hygiene.


Joe