[Pdns-users] to recurse or not to recurse ...

Udo Rader udo.rader at bestsolution.at
Fri Dec 15 14:56:04 UTC 2006


Hi,

we are hosting a couple of domains using powerdns, filled by the LDAP
backend.

Now I've come across a site that tests DNS settings and essentially for
all the domains we host we get some warnings, so for example:

-------CUT--------
Took off 20 points since ns1.example.com does not respond
authoritatively (can cause unexpected responses and add delays).

Took off 10 points since ns1.example.com is an open DNS server (if 
abused, your DNS may be inaccessible, and over usage could result in 
slowdowns).
-------CUT--------

The first warning is about the notorious "authoritative" problem, dig
clearly shows that the AA bit has been set, so that's probably a false 
positive.

Yet the second warning frightens me a bit. This obviously means that
everybody can query our name server for any other domain. So far this
did not really scare me but after googling around this seems to be a 
risk.

Now I have 2 questions:

#1 is this really a "risk" except for potentially burdening our name
servers with queries from external clients?

#2 and if it is a risk, how would I limit the recursion so that only
our own domains are recursed? recursor.conf knows the auth-zone
directive, yet I can hardly use it with the LDAP backend. Or maybe I am
missing something basic here?

TIA

Udo Rader

-- 
bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at
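
The two warnings quoted in the message correspond to header bits of a DNS reply: AA for an authoritative answer, and RA together with a NOERROR answer for a name the server does not host for open recursion. The Python below is an added example, not part of the original post or of PowerDNS; the function names and the header-only sample replies are constructed for illustration.

```python
import socket
import struct

def build_query(name, txid=0x1234, rd=True):
    """Encode a one-question DNS query (type A, class IN)."""
    flags = 0x0100 if rd else 0          # RD bit asks the server to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the two warnings depend on."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "qr": bool(flags & 0x8000),   # this is a response
        "aa": bool(flags & 0x0400),   # answer comes from authoritative data
        "ra": bool(flags & 0x0080),   # server offers recursion
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }

def assess(own_zone_reply, foreign_reply):
    """Compare a reply for a hosted name with a reply for a name not hosted here."""
    own, foreign = parse_header(own_zone_reply), parse_header(foreign_reply)
    return {
        "authoritative_for_own_zone": own["qr"] and own["aa"] and own["rcode"] == 0,
        "open_recursion": (foreign["qr"] and foreign["ra"]
                           and foreign["rcode"] == 0 and foreign["ancount"] > 0),
    }

def ask(server, name, timeout=3.0):
    """Send the query over UDP to a name server you operate; return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

def reply(flags, ancount):
    """Constructed header-only reply (sample data, not captured traffic)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

OWN_REPLY = reply(0x8580, 1)      # QR AA RD RA, NOERROR: hosted name, authoritative
OPEN_REPLY = reply(0x8180, 1)     # QR RD RA, NOERROR, 1 answer: recursed for an outsider
REFUSED_REPLY = reply(0x8105, 0)  # QR RD, REFUSED: recursion not offered
```

With live data, pass `assess()` the result of `ask()` for one hosted name and one name the server does not host, queried from an address outside your own network.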