[dns-operations] chrome's 10 character QNAMEs to detect NXDOMAIN rewriting
Doug Barton
dougb at dougbarton.us
Tue Dec 17 04:50:46 UTC 2013

On 12/16/2013 03:26 PM, Mark Andrews wrote:
>
> In message <52ACF0EE.3040404 at redbarn.org>, Paul Vixie writes:
>>
>> this is true. and i am a strong opponent of mixed-mode (recursive plus
>> authoritative) servers, and i believe these are deprecated in later DNS
>> RFC's, and in any case not even BIND 10 will have that feature mix --
>> but RFC 1034 and RFC 1035 describe all name servers as working this way,
>> and i expect that if "root zone hidden slave" configuration became
>> widespread, then many name servers who don't support it today, would add
>> it in some form -- perhaps only in this particular (root zone) form.
>
> I don't care about mixed-mode for a nominally recursive server.
>
> If you are a *listed* authoritative nameserver then you shouldn't
> be recursive also. That is the configuration that causes operational
> problems for others.

FWIW, big +1 from me. I have always slaved my local auth zones out to my
resolvers, and never had a problem with it.

That said, the bigger picture problem is people not understanding the
difference between that scenario and making the same server
authoritative to the outside world and also a resolver. I'm not sure
what the right answer is there.

Doug

PS, don't say "user education," since that's failed miserably for over a
decade.