NAMESERVER01 A name server should not be a recursor
To ensure consistency in DNS, an authoritative name server should not be configured to do recursive lookups. Open recursive resolvers are also considered bad Internet practice because they can be abused to amplify large-scale DDoS attacks. The introduction to [RFC 5358](https://tools.ietf.org/html/rfc5358) elaborates on mixing recursor and authoritative functionality, and the issue is further discussed by D.J. Bernstein.
Section 2.5 of RFC 2870 has very specific requirements on disabling recursion functionality on root name servers.
The domain name to be tested.
- Retrieve all address records for all the name servers using Method 4 and Method 5.
- A SOA query for an almost certainly nonexistent name is sent to each name server IP address found in step 1, with the Recursion Desired (RD) flag set.
- If any answer of the queries made in step 2 contains an RCODE with NXDOMAIN, this test case fails.
If any response carries the RCODE NXDOMAIN, this test case fails.
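The probe and check from steps 2 and 3, as an added Python example that is not part of the Zonemaster specification: it builds the SOA query with the RD flag set using only the standard library, and evaluates constructed sample responses instead of real server traffic; the query name, transaction ID and addresses are assumptions.

```python
import struct

QTYPE_SOA, QCLASS_IN = 6, 1
RCODE_NXDOMAIN, RCODE_REFUSED = 3, 5
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(qname: str) -> bytes:
    """Encode a domain name as DNS wire-format labels."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_probe(qname: str, txid: int = 0x1234) -> bytes:
    """Step 2: SOA query for the (almost certainly nonexistent) name, RD set, QR clear."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the test case inspects."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F, "qdcount": qd}


def make_response(query: bytes, rcode: int, ra: bool) -> bytes:
    """Constructed sample response (not captured traffic): echo the question, set QR/RA/RCODE."""
    txid, flags, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    flags = ((flags | FLAG_QR | (FLAG_RA if ra else 0)) & ~0x000F) | rcode
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + query[12:]


def nameserver01_fails(responses: dict) -> list:
    """Step 3: the name server IPs whose answer carried NXDOMAIN, i.e. the ones that recursed.
    A pure authoritative server has no data for the foreign name and typically answers REFUSED."""
    return [ip for ip, resp in responses.items()
            if parse_header(resp)["rcode"] == RCODE_NXDOMAIN]


if __name__ == "__main__":
    probe = build_probe("nonexistent-label-z8k3.example.")  # assumed probe name
    # Constructed responses: 192.0.2.1 behaves as a pure authoritative server, 192.0.2.2 recursed.
    responses = {"192.0.2.1": make_response(probe, RCODE_REFUSED, ra=False),
                 "192.0.2.2": make_response(probe, RCODE_NXDOMAIN, ra=True)}
    print("name servers failing NAMESERVER01:", nameserver01_fails(responses))
```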
None.
None.
Copyright (c) 2013, 2014, 2015, IIS (The Internet Infrastructure Foundation)
Copyright (c) 2013, 2014, 2015, AFNIC
Creative Commons Attribution 4.0 International License
You should have received a copy of the license along with this work. If not, see https://creativecommons.org/licenses/by/4.0/.