On 04/01/2022 21:12, Grant Taylor via bind-users wrote:
> Yep. This is where I have settled. But I don't feel I can defend
> it when asked. Hence my seeking to better understand.
There are categories of bugs that specifically affect recursion, and in
BIND these are _much_ more common than those that affect authoritative
service. Adding auth service barely touches the attack surface.
And with BIND's separation between authoritative and recursively cached
trees there is (AFAIK) no risk of cache pollution affecting the
authoritative data.
Furthermore, having the auth data for your own zones present there
actually ensures that your own zones' data:
1. will always be served in preference to cached data
2. will be fresher (i.e. not subject to TTLs) assuming that
NOTIFYs and/or a short SOA refresh is in place
3. will be present if access to the authoritatives is lost
for some period of time (/me waves at Facebook!)
I really can't see any downside.
Ray
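As an added illustration (not part of Ray's post or any ISC-supplied configuration), here is a named.conf sketch of the setup he describes: a recursive resolver that also holds a secondary copy of its own zone. The zone name, addresses, paths and prefixes are placeholders.

```conf
// Added example, not from the original post. Placeholders: example.com,
// 192.0.2.1 (primary), 10.0.0.0/8 (internal clients), file paths.
options {
    directory "/var/cache/bind";
    recursion yes;
    // Only internal clients get recursive service; everyone else can
    // still query the authoritative zone below and is REFUSED for the rest.
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };
    allow-query { any; };
};

// Our own zone, held as a secondary copy on the resolver. Answers for
// names in it come from this zone (AA flag set), never from the cache.
zone "example.com" {
    type secondary;
    primaries { 192.0.2.1; };      // placeholder primary address
    file "sec/example.com.db";     // on-disk copy survives a restart
    allow-transfer { none; };      // this copy is not a transfer source
    // NOTIFY from the primary plus a short SOA REFRESH keep this copy
    // fresh. If 192.0.2.1 becomes unreachable the zone is still served
    // from the file, but only until the SOA EXPIRE interval runs out.
};
```

To confirm the authoritative path is being used, `dig @127.0.0.1 example.com SOA +norecurse` should return the record with `aa` among the flags.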
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users