On Dec 15, 2011, at 3:07 AM, sasa sasa wrote:
> For an ISP, is there any risk in configuring BIND DNS as cache only and adding customer's reverse mapping zones?

If this copy of the reverse zone is for the world's use (i.e. in the delegation tree), then your DNS server would be answering queries from the world, and a caching server answering queries from the world is vulnerable to known cache vulnerabilities in the DNS protocol. On the other hand, if this copy of the reverse zone is only to answer your customer's queries, and the DNS server is configured not to answer queries from the world, then you've avoided the DNS protocol vulnerabilities and there's no special risk attached to serving this zone.

Aside from the issue of preventing known cache vulnerabilities in the DNS protocol, folks often separate caching from authoritative (specifically, in the delegation tree) as an insurance policy against bugs and vulnerabilities that haven't been found yet. It's hard to quantify risks associated with bugs and vulnerabilities that no one has found yet and may not even exist.

> Any other possible implementations?

We'd have to know what you're trying to accomplish.

John Wobus
Cornell U
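The split the reply recommends, written out as two BIND named.conf fragments. This is an added example and not configuration from the thread or from ISC; the ACL name, file paths and addresses are assumptions (the addresses are the RFC 5737/3849 documentation ranges and stand in for the ISP's real blocks). The first fragment is the customer-facing cache that refuses the world, the second is the public authoritative server that never recurses; the reverse zone is loaded on both, but only the authoritative host is the one the delegation tree points at.

```conf
// ---- named.conf on the customer-facing CACHING resolver (added example) ----
acl "customers" {
    192.0.2.0/24;          // assumed customer IPv4 block
    2001:db8::/32;         // assumed customer IPv6 block
    localhost;
};

options {
    directory "/var/cache/bind";   // assumed path
    recursion yes;
    // The cache must not be reachable from the world: answer only customers.
    // With these three set, a query from any other address gets REFUSED.
    allow-query       { customers; };
    allow-recursion   { customers; };
    allow-query-cache { customers; };
};

// The customer reverse zone may be loaded here as well; because the
// server answers only customers, this copy is not in the delegation tree.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.0.2";   // assumed zone file
};

// ---- named.conf on the public AUTHORITATIVE server (separate host) ----
options {
    directory "/var/cache/bind";
    recursion no;                     // never recurse, so nothing is cached for clients
    allow-query { any; };             // the world may ask about zones we are authoritative for
    allow-transfer { 198.51.100.2; }; // assumed secondary; nobody else may AXFR
};

// This is the copy the reverse delegation points at.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.0.2";
};
```

Check each file with `named-checkconf -z /etc/bind/named.conf` (the `-z` loads the zone files as well). To confirm the cache really is closed, run `dig @<cache-address> example.com` from an address outside the customer ACL and expect `status: REFUSED`; from a customer address the same query should return an answer with the `ra` flag set, while the authoritative host should answer `dig @<auth-address> 1.2.0.192.in-addr.arpa PTR` with `aa` set and refuse anything outside its zones.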