[SunRescue] djbdns, BIND, and DNS Security

Sebastian Marius Kirsch rescue at sunhelp.org
Wed May 30 16:38:40 CDT 2001


On Wed, May 30, 2001 at 12:50:55PM -0700, Drew Schatt wrote:
> Can anyone help me out here, and give me a specific list of what
> standards for mail qmail doesn't follow, and what standards for dns
> djbdns doesn't follow? I really prefer standards-based software, and
> any ammunition might be a great thing.  I appreciate it.

That's something I'd like too. All I've ever heard were vague references
to non-standard-compliant behaviour of djb's programs, but never any
citations.

Sure, djb's software often lacks in the feature department, but I think
it often makes up for that in speed and reliability. For example,
sendmail's sender rewriting capabilities are practically nonexistent in
qmail. Host rewriting is possible, but it's not possible to masquerade
an entire domain. (djb suggests using QMQP for hosts that don't do local
delivery.) Rewriting for local user addresses is AFAIK not possible; but
you can influence qmail-inject's behaviour by setting a couple of
environment variables. qmail doesn't support the standard .forward
mechanism -- you have to install dotforward for that. (But qmail has
other forwarding and aliasing mechanisms that are very powerful.)
qmail-smtpd rejects SMTP messages where the line endings are terminated
by bare LF instead of CRLF. (Which is in fact the standard -- it's just
that many other programs don't follow the standard.) djbdns doesn't have
a notion of 'secondary DNS servers' -- if you want to play secondary for
a domain, you have to get the zone data from there yourself, using
axfr-get, and check it occasionally for updates. (Just like BIND does
updates, only that BIND does it automatically.) (djb's point is that
it's easier to synchronize the data using a standard tool like rsync
rather than relying on a protocol as insecure as zone transfers
undoubtedly are.)

-- 
Yours, Sebastian Kirsch <skirsch at moebius.inka.de>

Life's a bitch, then you die.
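A check for the bare-LF rejection described in the post above, as an added example that is not code from the original message, from qmail, or from djb: the function names are hypothetical and the sample payloads are constructed.

```python
# Added example (not qmail's or djb's code): detect the bare-LF line endings
# that qmail-smtpd rejects. RFC 821/2821 mandate CRLF as the SMTP line
# terminator; function names and sample messages below are constructed.
from __future__ import annotations


def find_bare_line_endings(data: bytes) -> dict[str, list[int]]:
    """Return the 1-based line numbers holding a bare LF or a bare CR.

    A bare LF is an LF not preceded by CR; a bare CR is a CR not followed
    by LF. A proper CRLF pair advances the line counter and is never reported.
    """
    bare_lf: list[int] = []
    bare_cr: list[int] = []
    line, i, n = 1, 0, len(data)
    while i < n:
        if data[i] == 0x0D:                        # CR
            if i + 1 < n and data[i + 1] == 0x0A:  # CRLF: compliant terminator
                i += 2
                line += 1
                continue
            bare_cr.append(line)                   # CR with no LF after it
        elif data[i] == 0x0A:                      # LF with no CR before it
            bare_lf.append(line)
            line += 1
        i += 1
    return {"bare_lf": bare_lf, "bare_cr": bare_cr}


def strict_smtp_verdict(data: bytes) -> str:
    """Decide as a strict receiver would: accept only an all-CRLF payload."""
    found = find_bare_line_endings(data)
    if not found["bare_lf"] and not found["bare_cr"]:
        return "accept"
    problems = []
    if found["bare_lf"]:
        problems.append(f"bare LF on lines {found['bare_lf']}")
    if found["bare_cr"]:
        problems.append(f"bare CR on lines {found['bare_cr']}")
    return "reject: " + "; ".join(problems)


# Constructed sample payloads: one compliant, one with Unix-style endings.
COMPLIANT = b"From: a@example.com\r\nSubject: hi\r\n\r\nbody\r\n.\r\n"
UNIX_ENDINGS = b"From: a@example.com\nSubject: hi\n\nbody\n.\n"

if __name__ == "__main__":
    print(strict_smtp_verdict(COMPLIANT))     # accept
    print(strict_smtp_verdict(UNIX_ENDINGS))  # reject: bare LF on lines [1, 2, 3, 4, 5]
```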