Author: Simon Walter
Date:
To: dng
Subject: Re: [DNG] Clarification please
On 11/3/20 4:36 PM, Steve Litt wrote:
> On Sat, 31 Oct 2020 09:08:50 +0900
> Simon Walter <simon@???> wrote:
>
>> On 10/30/20 7:29 AM, Rick Moen wrote:
>> ...
>>> FWIW, I am no longer comfortable with the idea of a combined
>>> authoritative/recursive server on a publicly exposed static IP.
>>> That has been deprecated for long decades as bad security,
>>> particularly because it increases the risk of cache poisoning of
>>> the recursive server. IMO, a LAN connected to public networks,
>>> even a small one, ought to have the authoritative service on a
>>> separate, public-facing host, and the recursive service on a
>>> protected, internal-network machine that is as shielded from public
>>> networks as possible.
>>
>> Thanks for the bits of wisdom.
>>
>> Do you know any papers/articles/sites that discuss and explain this
>> more?
>>
>> I have not updated my IT knowledge in years and am a bit thirsty.
>
> When it comes to separation of authoritative and resolver parts of DNS,
> the documentation from the old djbdns makes it very clear, and is an
> excellent starting point.