Servers that are intended solely to provide a recursive service to clients (recursion yes; and/or with allow-recursion ACLs), will almost certainly also be operating with authoritative zones loaded from which authoritative query responses are provided. The existence of these authoritative zones mean that a resolver cannot be considered to be exclusively using recursive operation with no authoritative functionality at all.
ISC will endeavour to indicate in the content of its Security Advisories and Operational Notifications whether or not Recursive or Authoritative servers should be considered vulnerable. Operators of Recursive Resolvers are advised to further consider the information below when determining the risk to their own servers from a vulnerability that is primarily of concern to Authoritative server operators.
Authoritative zones loaded and served by Recursive Resolvers
Here are some examples of authoritative zones that may be loaded and used by recursive resolvers when constructing query responses to clients:
- Automatic empty zones are authoritative primary zones automatically added to a server's zone list when named starts. This behaviour can be globally disabled using
named.confoptionempty-zones-enable no;in the options statement or per view, but this would not be recommended. More likely, an operator might wish to disable one or more empty zones individually by zone name using optiondisable-empty-zone <zone-name>;. For more information on built-in empty zones and why they are important see: Automatic empty zones (including RFC 1918 prefixes)
- Manual empty zones are authoritative primary zones manually added to
named.conf. Often these zones are defined using the same empty zone file that has been constructed in such a way that it adopts the zone name itself in order to populate the RRsets when loaded by named. There are two typical use cases: the first is to supplement or replace automatic empty zones (see above); the second is to prevent recursive clients from accessing names that the resolver operator would like to block by implementing local answers that prevent recursion from taking place. The second case is less-frequently deployed since the introduction of Response Policy Zones (see below).
- Response Policy zones (RPZ) are defined first as normal primary or secondary zones in named.conf, but additionally are referenced in a
response-policywhich means that the loaded zone contents are used with a specific interpretation of the RRsets to create a response policy for responding to client queries. The authoritative and secondary zones are maintained in the same way as any other authoritative zones.
- Mirror Zones (zones of type
mirror) were created to allow a DNSSEC-validating resolver to host a local DNSSEC-validated copy of the root zone. Currently mirror zones are updated using normal secondary zone update processing, followed by a whole-zone validation process that is specific to the mirror zone implementation on BIND.
- Built-in "chaos" zones (from which answers are provided to queries for specific server information) are loaded by default when named starts although can also be manually defined too. For an explanation of their purpose and operation see How do I restrict people from looking up the server version? ). Note that your server is primary for these built-in zones and that their content would not normally be accessible to dynamic updates, although this may no longer be the case if an administrative decision has been taken to override the built-in zones by manually declaring and managing them.
Technically, the Root Hint zone (built-in or defined as zone type hint) is not quite the same as other primary and secondary authoritative zones. The root hints are used to prime the resolver cache (but for this purpose alone, and the zone itself is not actively maintained, even when defined directly in named.conf). See Root hints - a collection of operational and configuration FAQs for more information.