By default BIND will happily serve as both an authoritative nameserver
and recursive resolver, but this is no longer a recommended or desirable
configuration. The previous default configuration did not draw attention
to this fact and the issues involved.
Users are now made to rename one of two sample configuration files,
named.conf.authoritative or named.conf.recursive. Comments inside either
file advise DNS administrators of the most prevalent security issues.
This ensures that users setting up an authoritative nameserver do not
unwittingly also operate a resolver. In the previous default
configuration, BIND would happily perform recursive resolution for
localhost, which means that the local machine may receive
non-authoritative data from what is supposed to be an authoritative
nameserver.
Both default configurations disable zone transfers by default, as BIND
defaults to enabling them for any host (!).
