[dns-operations] recursive nameservers with "hidden" auth zones?

R.P. Aditya aditya at grot.org
Wed Mar 13 22:17:49 UTC 2013

In the interest of providing quick updates to a "trusted" population of
100k or so end clients, there is a desire to provide a few zones
authoritatively on the internal servers that provide recursion to the
same population. These servers are not reachable at the publicly
listed IP addresses in the NS record for those zones.

Beyond the (real) risk of cache poisoning by the 100k "trusted" folks
(which exists even if we remove those select zones), what other
DNS-specific security risks might be minimized by a strict separation of
auth and recursive processes (beyond the usual modularity arguments)?

Pointers to public documentation of answers happily accepted.
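One concrete thing a defender can do with this question is audit which role each server actually plays, since the combined deployment described above shows up on the wire as a response with both the AA (authoritative answer) and RA (recursion available) header bits set. The following Python script is an added example, not part of the original post or of any project mentioned in it; it uses only the standard library, fabricates its sample DNS response packets inline (labelled as constructed), and the helper names `build_response`, `parse_header`, `classify_server` and `audit` are my own.

```python
import struct

# DNS header flag bit positions (RFC 1035, section 4.1.1)
QR, AA, TC, RD, RA = 1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, aa, ra, rd=True, rcode=0):
    """Construct a minimal DNS response (header + question, no answers).

    Hypothetical helper used only to fabricate sample packets so the audit
    logic below runs offline; real input would come from a capture or a
    resolver library.
    """
    flags = QR | (AA if aa else 0) | (RD if rd else 0) | (RA if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(packet):
    """Decode the 12-byte DNS header into its counts and flag bits."""
    if len(packet) < 12:
        raise ValueError("packet shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_server(packet):
    """Classify the responding server's role from one response.

    AA set -> answered from authoritative data for the queried zone.
    RA set -> server offers recursion to this client.
    Both set on a single response is the combined auth+recursive
    deployment the post asks about.
    """
    h = parse_header(packet)
    if not h["qr"]:
        raise ValueError("not a response (QR bit clear)")
    if h["aa"] and h["ra"]:
        return "authoritative+recursive"
    if h["aa"]:
        return "authoritative-only"
    if h["ra"]:
        return "recursive-only"
    return "neither"


def audit(responses):
    """Map each (server, packet) pair to the role inferred from its response."""
    return {server: classify_server(pkt) for server, pkt in responses}


# Constructed sample responses: an internal resolver that also hosts the
# zone (AA+RA), a public authoritative server (AA only, RD echoed clear),
# and a plain resolver that forwards the zone elsewhere (RA only).
SAMPLE_RESPONSES = [
    ("internal-resolver", build_response(0x1234, "www.example.internal", aa=True, ra=True)),
    ("public-auth", build_response(0x1235, "www.example.internal", aa=True, ra=False, rd=False)),
    ("plain-resolver", build_response(0x1236, "www.example.internal", aa=False, ra=True)),
]

if __name__ == "__main__":
    for server, role in audit(SAMPLE_RESPONSES).items():
        print(f"{server}: {role}")
```

Run periodically against the real servers (swapping the constructed packets for captured responses), the audit flags any resolver that has quietly started answering a zone authoritatively, which is exactly the configuration drift the strict separation is meant to rule out.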