In the interest of providing quick updates to a "trusted" population of 100k or so end clients, there is a desire to provide a few zones authoritatively on the internal servers that provide recursion to the same population. These servers are not reachable at the publicly listed IP addresses in the NS record for those zones.
Beyond the (real) risk of cache poisoning by the 100k "trusted" folks (which exists even if we remove those select zones), what other DNS-specific security risks might be minimized by a strict separation of auth and recursive processes (beyond the usual modularity arguments)? Pointers to public documentation of answers happily accepted.

Thanks, Adi
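As an added illustration of the setup the question describes (this is not code from the original post or from the list), the following audit script reads a BIND-style named.conf excerpt and reports which zones a server loads authoritatively while `recursion yes` is in effect. The configuration excerpt is constructed for the example; the zone names, file names and the 10.0.0.0/8 network are assumptions, and the parser handles only the small subset of named.conf syntax used here. A server for which the script returns an empty list is either recursion-only or authoritative-only, which is the separation being asked about.

```python
import re

# Constructed named.conf excerpt (not from the original post). It models
# the situation described: an internal recursive server that also loads
# a few zones authoritatively for the same client population.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };
};

zone "." {
    type hint;
    file "named.root";
};

zone "internal.example" {
    type master;
    file "internal.example.zone";
};

zone "updates.example" {
    type slave;
    masters { 10.1.1.53; };
};

zone "0.0.10.in-addr.arpa" {
    type master;
    file "10.0.0.rev";
};
"""

# Zone types for which the server answers with authoritative data.
AUTHORITATIVE_TYPES = {"master", "slave", "primary", "secondary"}


def parse_named_conf(text):
    """Return (recursion_enabled, [(zone_name, zone_type), ...]).

    Minimal parser for the subset of named.conf used above: strips
    comments, reads `recursion yes|no;` from the options block, and
    collects each `zone "name" { type X; ... };` block. It is an audit
    helper, not a full named.conf grammar.
    """
    text = re.sub(r"//.*|#.*", "", text)                 # line comments
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)     # block comments

    # BIND enables recursion when no `recursion` statement is present,
    # so the conservative assumption for an audit is "on".
    recursion = True
    opts = re.search(r"\boptions\s*\{(.*?)\n\};", text, flags=re.S)
    if opts:
        # (?<![\w-]) keeps `allow-recursion` from matching here.
        r = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", opts.group(1))
        if r:
            recursion = r.group(1) == "yes"

    zones = []
    for zm in re.finditer(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', text, flags=re.S):
        tm = re.search(r"\btype\s+(\w+)\s*;", zm.group(2))
        zones.append((zm.group(1), tm.group(1) if tm else "unknown"))
    return recursion, zones


def mixed_role_zones(text):
    """Zones served authoritatively by a server that also recurses.

    Returns an empty list when the roles are already separated, i.e.
    the server is recursion-only (no authoritative zones) or
    authoritative-only (recursion no).
    """
    recursion, zones = parse_named_conf(text)
    if not recursion:
        return []
    return [name for name, ztype in zones if ztype in AUTHORITATIVE_TYPES]


if __name__ == "__main__":
    for zone in mixed_role_zones(SAMPLE_NAMED_CONF):
        print(f"authoritative zone on a recursive server: {zone}")
```

Run against the constructed excerpt, the script lists the three master/slave zones and ignores the root hint zone; flipping the options block to `recursion no;` yields an empty list, which is the state a separate authoritative instance would be in.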
