cTLD and DNS upgrade

Peter Dambier peter at peter-dambier.de
Tue Jul 5 07:58:56 UTC 2005


Stephane Bortzmeyer wrote:
> On Mon, Jul 04, 2005 at 09:31:29PM +0200,
>  Brad Knowles <brad at stop.mail-abuse.org> wrote 
>  a message of 25 lines which said:
> 
> 
>>> They are resolvers.
>>
>>	Joy.  More open recursive caching nameservers.
> 
> 
> By the way, I know that it is good practice to separate the
> authoritative function from the resolving/caching function (and I
> regret that BIND has no --authoritative-only option in its configure
> script). 

I have learned from cache-poisoned resolvers that it makes sense to
mirror all zones you can, even on the resolver. I have seen many
ISP resolvers that do mirror the most important zones.

First it will prevent you from cache poisoning.

Second it will give you an earlier update than waiting for your
cache to expire.


Your official nameserver is different. Never allow it to cache.

> 
> But I wonder if there is today, with the current BIND, a specific
> technical reason to do so (such as a known security issue) or if it is
> just good practice to put widely different functions on different
> servers, just in case.
> 
>

Vixie's company does a commercial version of BIND that is split into
two programmes, the resolver and the nameserver.

And there is djbdns.

Regards,
Peter and Karin Dambier
-- 
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
+1-360-448-1275 (VoIP: freeworldialup.com)
+1-360-226-6583-9563 (INAIC)
mail: peter at peter-dambier.de
http://iason.site.voila.fr
http://www.kokoom.com/iason
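The split Peter describes (an authoritative server that never recurses, a resolver that recurses only for its own clients and keeps its own copies of the zones it depends on) as an added BIND 9 named.conf sketch; it is not from the thread or from any vendor, and the host addresses, zone name and file paths are made up for the illustration.

```conf
// --- named.conf on the authoritative-only server (assumed 192.0.2.1) ---
options {
    directory "/var/named";
    recursion no;                       // answer only for zones we hold; nothing is cached
    allow-query { any; };               // the public may ask for those zones
    allow-transfer { 192.0.2.53; };     // only our own resolver may pull a copy
};

zone "example.com" {                    // constructed zone name
    type master;
    file "example.com.zone";
};

// --- named.conf on the resolver (assumed 192.0.2.53) ---
options {
    directory "/var/named";
    recursion yes;
    // Recursion and the cache are for the local network only, so this is not
    // an open resolver that strangers can query or poison.
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };
    allow-query     { 127.0.0.1; 192.0.2.0/24; };
};

// Local mirror of a zone the site depends on: answers come from the
// transferred copy and are refreshed by NOTIFY/AXFR, not from cached
// responses that could have been poisoned or that must age out first.
// Mirroring a zone you do not own requires its operator to allow the transfer.
zone "example.com" {
    type slave;                         // spelled "type secondary" in current BIND 9
    masters { 192.0.2.1; };             // the authoritative server above
    file "sec/example.com";
    allow-transfer { none; };           // this copy is never handed on to others
};
```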