[dns-operations] recursive nameservers with "hidden" auth zones?

R.P. Aditya aditya at grot.org
Thu Mar 14 12:21:32 UTC 2013


I didn't mean to be opaque, but just in case it clarifies more:

The question is "does the benefit of quicker updates outweigh the risks
involved in serving a few select zones authoritatively from a recursive
server that is open to a select population?" 

I do realize that that is a determination for my organization to make,
but if more of the risks were enumerated for non-open resolvers, it
would be easier to weigh.

Thanks,
Adi

On Wed, Mar 13, 2013 at 06:17:49PM -0400, R.P. Aditya wrote:
> In the interest of providing quick updates to a "trusted" population of
> 100k or so end clients, there is a desire to provide a few zones
> authoritatively on the internal servers that provide recursion to the
> same population. These servers are not reachable at the publicly
> listed IP addresses in the NS record for those zones.
> 
> Beyond the (real) risk of cache poisoning by the 100k "trusted" folks
> (which exists even if we remove those select zones), what other
> DNS-specific security risks might be minimized by a strict separation of
> auth and recursive processes (beyond the usual modularity arguments)?
> 
> Pointers to public documentation of answers happily accepted.
> 
> Thanks,
> Adi
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
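The "strict separation" the question weighs can still deliver fast updates to the trusted population: run a hidden authoritative-only instance and have the recursive instance hand those few zones to it, rather than loading the zones into the resolver. The BIND 9 named.conf fragments below are an added example, not configuration from the original post or from anyone on the list; the zone name, addresses, port and file path are placeholders.

```conf
// Added example (hypothetical): two separate named instances.
// Instance 1: authoritative only, hidden from the public NS set.
// /etc/named-auth.conf (placeholder path)
options {
    listen-on port 5353 { 127.0.0.1; };  // placeholder loopback port
    recursion no;                        // no recursion, so nothing to poison
    allow-query { 127.0.0.1; };          // only the local resolver may ask
    allow-transfer { none; };
};
zone "example.internal" {                // placeholder zone name
    type master;
    file "/var/named/example.internal.zone";  // placeholder path
};

// Instance 2: recursive resolver for the trusted client population.
// /etc/named-resolver.conf (placeholder path)
acl trusted { 10.0.0.0/8; };             // placeholder client range
options {
    listen-on port 53 { 10.0.0.53; };    // placeholder resolver address
    recursion yes;
    allow-recursion { trusted; };
    allow-query { trusted; };
    allow-query-cache { trusted; };
};
// The select zones are not loaded here; queries for them go to the
// local authoritative instance and never to the public nameservers.
zone "example.internal" {
    type forward;
    forward only;                        // no fallback to public iteration
    forwarders { 127.0.0.1 port 5353; };
};
```

Two caveats. Answers forwarded this way are cached by the resolver for their TTL, so how "quick" an update is still depends on the TTLs in the zone. And the resolver process is the one exposed to the clients' recursion traffic; with this split, a problem in that process (a poisoned cache, a crash) leaves the authoritative copy untouched, which is the operational argument for keeping them apart.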



More information about the dns-operations mailing list