[dns-operations] Best Practices in DNS security

gilles.massen at restena.lu gilles.massen at restena.lu
Fri Mar 17 12:26:59 UTC 2006


Thanks, but the link only says 'there is a problem' without actually
explaining what the problem is.

I really don't see where cached data can conflict with authoritative data.
If it's on the disk, it's authoritative, if not, it's not and can never
be. The problem with cache poisoning still remains and could probably
never be solved entirely without DNSSEC, but that's something different.

Or where am I wrong?

Best,
Gilles

--
RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473



gilles.massen at restena.lu wrote:
> Could you please give an example for this?
>
> Basically I'm trying very hard to find how bad running authoritative and
> recursive service on the same nameserver actually is. In our case
> splitting them is on the todo list, but I'm unable to get a feeling for
> the urgency....and what the real problems are (that won't be fixed in
> another release of bind :) ).
> 
> Gilles
> 

Best source I can imagine:

http://cr.yp.to/djbdns.html

I don't want to propose you install djbdns, but then you would split
authority and resolver on different IP addresses, favourably on different
machines. It does make sense to use virtual machines. Seen from an
intruder they are still separate machines.

The resolver will always cache - even things it is authoritative for.

Now you have things in your cache that are not from you.

Your authoritative sees these things and publishes them as its own
authoritative data.

intruder.good-friend.my-domain can put intruder.my-domain into my
cache and my authoritative server does not know it is from the
cache not from its zone file.

[...]
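A split layout of the kind described above, as an added example that is not from the list post: two separate BIND 9 instances, each bound to its own IP address, so the authoritative side never answers from a cache and the resolver only serves local clients. The addresses (documentation range), the client prefix and the zone name are constructed placeholders.

```conf
// --- named.conf for the AUTHORITATIVE instance (constructed example) ---
options {
    listen-on { 192.0.2.10; };        // its own address, nothing else
    recursion no;                     // never builds or answers from a cache
    allow-query { any; };             // public data, anyone may ask
    allow-transfer { none; };         // add secondaries explicitly if needed
};

zone "my-domain.example" {            // placeholder zone name
    type master;
    file "zones/my-domain.example.zone";
};

// --- named.conf for the RESOLVER instance (constructed example) ---
options {
    listen-on { 192.0.2.20; };        // separate address (or machine)
    recursion yes;
    allow-query { 192.0.2.0/24; };    // only our own clients
    allow-recursion { 192.0.2.0/24; };
    allow-query-cache { 192.0.2.0/24; };  // cache contents stay internal
};
```

With no zone statements on the resolver, anything it returns for my-domain.example is plainly cached data learned over the network, never something it could present as its own authoritative answer.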
