
Mans, can you explain why?

ISC (as for bind) itself only states that separating them has one purpose: protecting from downtimes should one fail [1]. DJ Bernstein stated it also has protective reasons due to resource exhaustion [2] (but that info is from 2003). With current hardware in 2019 I hardly see this possible. Even more unlikely if combined with RRL (on bind), which is necessary for anything open nowadays. With uRPF on the network side this handles quite well.

Given all this, what are the real reasons in 2019 to not combine recursor and auth.?

- Jonas

[1] https://kb.isc.org/docs/bind-best-practices-authoritative
[2] https://cr.yp.to/djbdns/separation.html

And, open resolvers have no place on authoritative servers. Full stop.
-- Måns Nilsson SVT +46 8 7848628