Everybody Resolves this Domain but Us.

Chris Davis chris.davis at computerjobs.com
Mon Jul 22 15:25:32 UTC 2002



>There is currently no requirement to have recursive DNS service
>available when setting up an authoritative name server. 
>
>Indeed last time I set up a set of authoritative DNS servers it
>was in a secured computer room, on its own test LAN, which I
>would suggest is best practice.
>
>The servers in question never did acquire recursive DNS service
>from any other name servers, there was never any need, they
>would probably only ever be directly "administered" when the DNS
>was broken in some way.

In the case of not participating in the public DNS, the configuration option
to disable the sanity check would be used.

>The test proposed only eliminates records like
>"badns.example.com. NS 1.2.3.4.", as Mark pointed out the more
>common "badns2.example.com. NS 1.2.3.4" would pass the proposed
>test.

My proposed sanity check is no panacea.  It would just reduce the problem of
NS RDATA being propagated with an invalid TLD.  2/10 of 1% of the NS RDATA
in my cache had this problem that I could recognize with just my eyes.  It
would not solve the "badns2.example.com. NS 1.2.3.4" example problem.  That
problem has been shown to be unpreventable, since it could very well be
legal.
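The distinction the thread turns on, as an added example that is not part of the original message or of BIND: a toy version of the proposed NS RDATA sanity check applied to the two record shapes named above. Once the RDATA is made absolute against a zone origin, "1.2.3.4." ends in the top label "4" and can be rejected, while "1.2.3.4" (no trailing dot) becomes "1.2.3.4.example.com." and is syntactically legal. The "invalid TLD" rule used here (top label empty or all digits), the origin "example.com." and the `sanity_check` flag are assumptions for illustration; the post does not define the rule precisely.

```python
# Added example (not from the original post or BIND): a toy version of the
# "NS RDATA sanity check" discussed in the thread. It models how
#   badns.example.com.  NS 1.2.3.4.
# differs from
#   badns2.example.com. NS 1.2.3.4
# once the RDATA is made absolute against the zone origin, and why only the
# first can be rejected on the TLD alone. The "invalid TLD" rule below
# (top label empty or all digits) is an assumption for illustration.

ORIGIN = "example.com."  # constructed sample zone origin


def make_absolute(name: str, origin: str = ORIGIN) -> str:
    """Return a fully qualified name: a name without a trailing dot is
    relative to the zone origin, as in a BIND zone file."""
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def top_label(fqdn: str) -> str:
    """Last label of an absolute name ('com' for 'host.example.com.')."""
    labels = [label for label in fqdn.split(".") if label]
    return labels[-1] if labels else ""


def tld_looks_invalid(fqdn: str) -> bool:
    """Heuristic (assumed for this example): a top label that is empty or
    made only of digits cannot be a real public TLD, so an NS target ending
    in such a label is almost certainly an IP address mistyped as a name."""
    tld = top_label(fqdn)
    return tld == "" or tld.isdigit()


def check_ns_rdata(owner: str, target: str, sanity_check: bool = True) -> dict:
    """Evaluate one 'owner NS target' record. sanity_check=False mirrors
    the configuration knob the post suggests for servers that do not take
    part in the public DNS."""
    absolute = make_absolute(target)
    rejected = sanity_check and tld_looks_invalid(absolute)
    return {
        "owner": make_absolute(owner),
        "target": absolute,
        "tld": top_label(absolute),
        "rejected": rejected,
    }


# Constructed sample records, following the shapes discussed in the thread.
SAMPLE_RECORDS = [
    ("badns.example.com.", "1.2.3.4."),    # absolute: top label "4" -> rejected
    ("badns2.example.com.", "1.2.3.4"),    # relative: 1.2.3.4.example.com. -> legal
    ("good.example.com.", "ns1.example.net."),
]


def run_checks(records=SAMPLE_RECORDS, sanity_check: bool = True) -> list:
    """Run the check over a list of (owner, target) pairs."""
    return [check_ns_rdata(owner, target, sanity_check) for owner, target in records]


if __name__ == "__main__":
    for result in run_checks():
        print(result)
```

Running the block prints one dict per record; only the first record is flagged, which matches the author's own point that the check catches "1.2.3.4." but not "1.2.3.4".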
