Vulnerable DNS servers, RFC

Florian Weimer fw at deneb.enyo.de
Tue Oct 25 06:46:44 UTC 2005


* Brad Knowles:

> If you follow the instructions at the bottom of that page, you
> should be okay.

I don't understand why the authoritative/resolver split is
recommended.  Sure, it is a good idea in many cases, but in this
context, it only increases risk because you depend on the correctness
of the delegation from the root to your zones.

Few people seem to keep in mind that if you load unfiltered untrusted
zones into your name server, you lose, even if it's an
authoritative-only server.  (It's kind of obvious in the resolver
case.)



More information about the bind-users mailing list