[Systems] [gnu.org #552346] [Fwd: Reverse DNS for translate.sugarlabs.org]
Bernie Innocenti
bernie at codewiz.org
Fri Feb 19 11:07:34 EST 2010
On Fri, 2010-02-19 at 09:58 -0500, Ward Vandewege via RT wrote:
> > However, some of our nameservers are also answering recursive
> > queries for LAN clients and localhost.
>
> Ah - that's generally a bad idea. Mind you, we still do it at the FSF
> too - legacy setup. I'm going to fix that soon-ish here, and split up
> the recursive resolver from the authoritative nameserver.
Yeah, I also didn't know it was discouraged practice when I set up my
first nameservers.

I've read somewhere that it is now possible to keep the recursive and
authoritative resolvers relatively isolated from each other using views:

http://www.zytrax.com/books/dns/ch7/view.html

The whole DNS security story is very sad... DNSSEC is supposed to plug
all cache poisoning attacks for good, hopefully without introducing new
problems of its own. We'll find out in July if it's true...

--
// Bernie Innocenti - http://codewiz.org/
\X/ Sugar Labs - http://sugarlabs.org/
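
A way to verify the split discussed in this thread, as an added example that is not part of the original message: once recursion is limited to LAN clients (with views or a separate resolver), a recursion-desired query from outside should come back without the RA (recursion available) header bit. The function names and sample response headers below are constructed for illustration, and example.org is a placeholder name.

```python
import struct

# DNS header flag bits and the REFUSED rcode (RFC 1035, section 4.1.1).
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
REFUSED = 5

def build_query(name, qid=0x1234, qtype=1):
    """Build a query for `name` with RD set, i.e. asking the server to recurse."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def classify(response):
    """Say how a server treated a recursion-desired query, from the header alone."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags = struct.unpack("!HH", response[:4])
    if not (flags & QR):
        raise ValueError("not a response")
    if flags & RA:
        return "recursion-offered"  # this client may use the server as a resolver
    if (flags & 0x000F) == REFUSED:
        return "refused"
    if flags & AA:
        return "authoritative-only"
    return "other"

def sample_header(flags):
    """Constructed 12-byte response header: one question, no records."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

# Constructed sample responses (not captured traffic), one per vantage point.
SAMPLES = {
    "lan client, outside name": sample_header(QR | RD | RA),
    "internet client, outside name": sample_header(QR | RD | REFUSED),
    "internet client, own zone": sample_header(QR | AA | RD),
}

def audit(samples):
    """Map each vantage point to the verdict for its response."""
    return {who: classify(resp) for who, resp in samples.items()}

if __name__ == "__main__":
    for who, verdict in audit(SAMPLES).items():
        print(f"{who}: {verdict}")
```

A "recursion-offered" verdict for a client outside the LAN means the recursive and authoritative roles are not yet isolated for that client.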