DNS Security (was: RE: [SunRescue] hosts file And DNS files??)

David Cantrell rescue at sunhelp.org
Sat May 26 05:42:13 CDT 2001


Gregory Leblanc <gleblanc at cu-portland.edu> wrote:

> Do you have any experience with djbdns?  Some people love it, and others
> hate it, but it comes with a security guarantee. :)  

I use it, and I like it.  I find the file format to be no more opaque
than bind's.  It is more basic than bind though.  You need separate
programs for serving ordinary DNS over UDP; for doing TCP-ish things
like zone transfers; and for doing DNS caching.  This has its good
points and bad.

Good points - each program does one job and does it well.  Hence less
risk of bugs, and you don't waste memory with unneeded functionality.
I haven't benchmarked it, but it seems pretty fast.

Bad points - it's tricky to run both a DNS server and a caching server
on the same box.  Especially if you only have one ethernet interface.
As the zone files are very different from bind's, then you can't just
copy them back and forth.  djb also likes to make up his own logfile
formats which are easily machine-parsable, but are not so easy for a
human to read in an emergency.  See also the blecherous orribleness
that his ftp server gives you as a directory listing.

> P.S.  Anybody found a license for that package?  I've looked, but
> haven't been able to figure it out.

It's on djb's website, http://cr.yp.to.  In summary - you can use it for
free.  You may *not* distribute patched versions, and you may not
distribute binaries except under very particular circumstances.

-- 
David Cantrell | cthulhu at unixbeard.net | http://www.cantrell.org.uk/david/

  Rip, Mix, Burn, unless you're using our "most advanced operating system
   in the world" which we decided to release incomplete just for a laugh
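The two practical points above (tinydns zone data being a different
format from bind's, and djb's machine-oriented log timestamps) as an
added example; this is not code from the original post or from djbdns.
It converts tinydns-data lines into BIND-style records and decodes the
'@' TAI64N stamps that multilog/dnscache put at the start of each log
line.  All sample zone and log data below is constructed.

```python
"""Added example, not code from the original post or from djbdns: a
converter from tinydns-data lines to BIND-style zone records, and a decoder
for the '@' TAI64N timestamps that djb's multilog/dnscache write at the start
of every log line.  All sample input below is constructed."""
import datetime
import re

DEFAULT_TTL = 86400  # tinydns-data uses 86400 when the ttl field is empty

def _field(parts, i, default=''):
    """Return field i of a ':'-split line, or default when absent/empty."""
    return parts[i] if i < len(parts) and parts[i] else default

def _ttl(parts, i):
    return int(_field(parts, i, str(DEFAULT_TTL)))

def _unescape_txt(s):
    """tinydns writes non-printable bytes and ':' in TXT data as \\ooo (octal)."""
    return re.sub(r'\\([0-7]{3})', lambda m: chr(int(m.group(1), 8)), s)

def tinydns_to_bind(line):
    """Translate one tinydns-data line into BIND-style resource records.
    Handles + = & . @ C ' ^ ; '#' comments and '-' (disabled) lines give [].
    The SOA that tinydns synthesizes for '.' lines is not reproduced."""
    line = line.rstrip('\n')
    if not line or line[0] in '#-':
        return []
    kind, p = line[0], line[1:].split(':')
    name = p[0]
    out = []
    if kind in '+=':                      # A (and a matching PTR for '=')
        ttl = _ttl(p, 2)
        out.append(f'{name}. {ttl} IN A {p[1]}')
        if kind == '=':
            rev = '.'.join(reversed(p[1].split('.'))) + '.in-addr.arpa'
            out.append(f'{rev}. {ttl} IN PTR {name}.')
    elif kind in '.&':                    # NS, with glue A when an ip is given
        ttl = _ttl(p, 3)
        x = _field(p, 2, 'a')
        if '.' not in x:
            x = f'{x}.ns.{name}'          # short name means "<x>.ns.<name>"
        out.append(f'{name}. {ttl} IN NS {x}.')
        if _field(p, 1):
            out.append(f'{x}. {ttl} IN A {p[1]}')
    elif kind == '@':                     # MX, with glue A when an ip is given
        ttl = _ttl(p, 4)
        x = _field(p, 2, 'a')
        if '.' not in x:
            x = f'{x}.mx.{name}'          # short name means "<x>.mx.<name>"
        dist = _field(p, 3, '0')
        out.append(f'{name}. {ttl} IN MX {dist} {x}.')
        if _field(p, 1):
            out.append(f'{x}. {ttl} IN A {p[1]}')
    elif kind == 'C':
        out.append(f'{name}. {_ttl(p, 2)} IN CNAME {p[1]}.')
    elif kind == '^':
        out.append(f'{name}. {_ttl(p, 2)} IN PTR {p[1]}.')
    elif kind == "'":
        out.append(f'{name}. {_ttl(p, 2)} IN TXT "{_unescape_txt(p[1])}"')
    else:
        raise ValueError(f'unsupported tinydns record type {kind!r}')
    return out

def convert(lines):
    """Flatten a whole tinydns data file into BIND-style records."""
    return [rr for line in lines for rr in tinydns_to_bind(line)]

def tai64n_to_utc(label):
    """Decode an '@' TAI64N label (16 hex digits of seconds, 8 of nanoseconds).
    Like daemontools' tai64nlocal without a leapsecs table, this subtracts the
    2^62+10 TAI offset only, so it ignores leap seconds inserted after 1972."""
    if not (label.startswith('@') and len(label) == 25):
        raise ValueError('not a TAI64N label')
    secs = int(label[1:17], 16) - (1 << 62) - 10
    nanos = int(label[17:25], 16)
    epoch = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
    dt = epoch + datetime.timedelta(seconds=secs, microseconds=nanos // 1000)
    return dt.strftime('%Y-%m-%dT%H:%M:%S.%fZ')

def humanize_log_line(line):
    """Replace the leading TAI64N stamp of a multilog line with a readable date."""
    stamp, _, rest = line.partition(' ')
    return f'{tai64n_to_utc(stamp)} {rest}'

# Constructed sample data (not real zone or log content).
SAMPLE_DATA = [
    '# constructed tinydns data file',
    '&example.com:192.0.2.1:a',
    '=www.example.com:192.0.2.10:3600',
    "'example.com:v=spf1 -all:300",
    '@example.com:192.0.2.20:mail:10',
    'Cftp.example.com:www.example.com',
    '-old.example.com:192.0.2.99',
]
SAMPLE_LOG = '@400000003b0ef20a00000000 starting'   # constructed; 2001-05-26T00:00:00Z

if __name__ == '__main__':
    for rr in convert(SAMPLE_DATA):
        print(rr)
    print(humanize_log_line(SAMPLE_LOG))
```

The converter is one-way on purpose: tinydns's '=' and '.' lines fan out
into several BIND records (and '.' also implies an SOA that is left out
here), which is exactly why the files cannot simply be copied back and
forth between the two servers.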
