DNS Security (was: RE: [SunRescue] hosts file And DNS files??)

Loomis, Rip rescue at sunhelp.org
Sun May 27 20:42:09 CDT 2001


<Continuing to beat dead horse>
1.  On the question of having a server that is
    both authoritative (has local data that it
    serves) and caching (stores remote data that
    it receives), it's specifically a bad idea
    under BIND because it's all one server and
    makes the server subject to cache poisoning
    (see AlterNIC/Eugene Kashpureff).  However,
    AFAIK djbdns is not susceptible since the
    authoritative piece and the caching piece
    are separate processes.  Anyone know differently?
    This is actually one of the things I like
    about the djbdns architecture.

    (Related note:  If you use BIND 8 or BIND 9,
    and your server is authoritative for anything
    [or even if it isn't], then *PLEASE* look
    into the "limit-recursion" directive--you'll
    be glad you did.)

2.  djbdns can use RFC-compliant zone files--however,
    it can also use its own non-compliant format.
    If you don't already have a format for such
    things, and all you care about is the subset
    of DNS that djbdns implements, then the non-
    compliant format is definitely superior.  If
    you need to use or import RFC-compliant zone
    files, then djbdns can do that too.

    The bad news is that (unlike even the Microsoft
    DNS servers) you can't then extract the data
    in a compliant format by zone transfers--that
    was one of the DNS standards that djb deemed
    optional.  At least that's my read on it...

</DEADHORSE...okay, or not if people actually
  consider it of interest...I'm too close to the
  problem...>

  --Rip
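Rip's first point (keep authoritative and caching service apart, and in BIND restrict who may recurse) raises the obvious follow-up: how do you tell whether a given nameserver will recurse for strangers? The check below is an added example in Python; it is not code from this post, from BIND or from djbdns. It builds a query with RD set for a name outside the server's own zones and looks at the RA flag and RCODE in the reply. `probe()` talks to a real server and needs the network; the two replies at the bottom are constructed in-line so the classification can be exercised offline. The names and addresses are the documentation ones (example.org, 192.0.2.0/24).

```python
"""Does this nameserver recurse for anyone who asks?

Added example, not code from the mailing-list post, BIND or djbdns.
Wire format per RFC 1035 section 4.1. The sample replies are constructed.
"""
import socket
import struct

REFUSED = 5  # RCODE 5 (RFC 1035 section 4.1.1)


def encode_name(name):
    """'www.example.org' -> b'\\x03www\\x07example\\x03org\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qid=0x1234, qtype=1):
    """Standard query, RD=1: the client asks the server to recurse."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header; ra, aa and rcode are what the check cares about."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify(query, response):
    """Summarise what the reply says about the server's recursion policy."""
    h = parse_header(response)
    if h["id"] != struct.unpack("!H", query[:2])[0]:
        return "mismatched-id"
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == REFUSED:
        return "refused"            # recursion denied to this client
    if h["ra"] and h["ancount"] > 0:
        return "open-recursive"     # answered for a name it is not authoritative for
    if h["ra"]:
        return "ra-set"             # offers recursion but returned no answer
    return "no-recursion"


def make_response(query, ra, rcode, addr=None):
    """Constructed reply for offline use: echo the question, optionally add one A record."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | (rcode & 0xF)
    answer, ancount = b"", 0
    if addr is not None:
        # name = compression pointer to offset 12 (the question name); type A, class IN
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
        ancount = 1
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + query[12:] + answer


def probe(server, name="www.example.org", port=53, timeout=3.0):
    """Send one UDP query to a real server and classify the reply (needs the network)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    return classify(q, data)


# Constructed replies: what an open resolver and a locked-down authoritative
# server each send back for a name outside the server's own zones.
QUERY = build_query("www.example.org")
OPEN_RESOLVER_REPLY = make_response(QUERY, ra=True, rcode=0, addr="192.0.2.10")
LOCKED_DOWN_REPLY = make_response(QUERY, ra=False, rcode=REFUSED)

if __name__ == "__main__":
    print("open resolver ->", classify(QUERY, OPEN_RESOLVER_REPLY))
    print("locked down   ->", classify(QUERY, LOCKED_DOWN_REPLY))
```

In BIND 9 the knobs are `recursion no;` on a purely authoritative server, or `allow-recursion { ... };` listing the client networks that may recurse; a server configured that way typically answers the probe with REFUSED and RA clear, while an open resolver answers with RA set and a record in the answer section. djbdns gets the same separation structurally, by running tinydns and dnscache as distinct programs, each bound to its own address.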

-----Original Message-----
From: woods at weird.com
To: rescue at sunhelp.org
Sent: 5/26/2001 1:24 PM
Subject: Re: DNS Security (was: RE: [SunRescue] hosts file And DNS files??)

[ On Saturday, May 26, 2001 at 11:42:13 (+0100), David Cantrell wrote: ]
> Subject: DNS Security (was: RE: [SunRescue] hosts file And DNS files??)
>
> Bad points - it's tricky to run both a DNS server and a caching server
> on the same box.  Especially if you only have one ethernet interface.

That's actually a "good point".  You should never serve authoritative
zones from a caching nameserver (i.e. never point public NS records at
a nameserver that's also a caching nameserver).

This is less of a problem in BIND-9, but still not something I'd advise.

> As the zone files are very different from bind's, then you can't just
> copy them back and forth.

That's a very very very bad point.  The master-file format is defined by
the RFCs.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>
<woods at robohack.ca>
Planix, Inc. <woods at planix.com>;   Secrets of the Weird
<woods at weird.com>
_______________________________________________
rescue maillist  -  rescue at sunhelp.org
http://www.sunhelp.org/mailman/listinfo/rescue
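Both messages turn on the master-file format: Greg points out that it is defined by the RFCs, and Rip's second point is that djbdns uses its own format for native data but can take RFC-style zone files as input. The converter below is an added example in Python, not part of the post or of djbdns; it turns a subset of RFC 1035 master-file syntax into tinydns-data lines (the `Z`, `&`, `+`, `@`, `C`, `^` and `'` record types documented for djbdns). It handles `$ORIGIN`, `$TTL`, `@`, relative names, `;` comments, parenthesised multi-line records and the SOA/NS/A/MX/CNAME/PTR/TXT types, and refuses anything else rather than silently dropping it. The zone text at the bottom is constructed for the demonstration.

```python
"""Convert a subset of RFC 1035 master-file syntax into tinydns-data lines.
Added example, not code from the post or from djbdns. ZONE below is constructed."""
import re

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TOKEN = re.compile(r'"([^"]*)"|([()])|(;.*)|([^\s"();]+)')


def parse_num(tok):
    """'3600' -> 3600, '1h30m' -> 5400 (BIND allows unit suffixes on TTLs and SOA timers)."""
    if tok.isdigit():
        return int(tok)
    parts = re.findall(r"(\d+)([smhdw])", tok.lower())
    if not parts or "".join(n + u for n, u in parts) != tok.lower():
        raise ValueError("bad number: %r" % tok)
    return sum(int(n) * _UNITS[u] for n, u in parts)


def records(text):
    """Yield (owner_omitted, tokens) per logical record, joining '(' ... ')' lines."""
    toks, depth, indented = [], 0, False
    for raw in text.splitlines():
        if depth == 0:
            if not raw.strip():
                continue
            toks, indented = [], raw[0].isspace()   # leading blank = reuse previous owner
        for m in _TOKEN.finditer(raw):
            quoted, paren, comment, word = m.groups()
            if comment is not None:
                break
            if paren:
                depth += 1 if paren == "(" else -1
            else:
                toks.append(word if quoted is None else quoted)
        if depth == 0 and toks:
            yield indented, toks


def qualify(name, origin):
    """Absolute names lose the trailing dot; '@' and relative names pick up the origin."""
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else name + "." + origin


def escape_txt(s):
    """tinydns-data wants ':' '\\' and non-printables written as octal \\ooo escapes."""
    return "".join(chr(b) if 0x20 <= b < 0x7f and b not in (0x3A, 0x5C) else "\\%03o" % b
                   for b in s.encode())


def zone_to_tinydns(text, origin=None):
    out, owner, default_ttl = [], None, None
    origin = origin.rstrip(".") if origin else None
    for indented, toks in records(text):
        if toks[0] == "$ORIGIN":
            origin = toks[1].rstrip("."); continue
        if toks[0] == "$TTL":
            default_ttl = parse_num(toks[1]); continue
        if toks[0].startswith("$"):
            raise ValueError("unsupported directive " + toks[0])
        if origin is None:
            raise ValueError("no $ORIGIN and no origin argument")
        if not indented:
            owner = qualify(toks.pop(0), origin)
        if owner is None:
            raise ValueError("record without owner name")
        ttl = default_ttl
        while toks and (toks[0].upper() == "IN" or toks[0][0].isdigit()):  # [ttl] [class], any order
            t = toks.pop(0)
            if t.upper() != "IN":
                ttl = parse_num(t)
        if ttl is None:
            raise ValueError("no TTL for " + owner)
        rtype, rd, q = toks[0].upper(), toks[1:], lambda n: qualify(n, origin)
        if rtype == "SOA":      # Zfqdn:mname:rname:ser:ref:ret:exp:min:ttl
            out.append("Z%s:%s:%s:%s:%d" % (owner, q(rd[0]), q(rd[1]),
                                           ":".join(str(parse_num(x)) for x in rd[2:7]), ttl))
        elif rtype == "NS":     # &fqdn:ip:x:ttl  (ip left empty: no glue A record)
            out.append("&%s::%s:%d" % (owner, q(rd[0]), ttl))
        elif rtype == "A":
            out.append("+%s:%s:%d" % (owner, rd[0], ttl))
        elif rtype == "MX":     # @fqdn:ip:x:dist:ttl
            out.append("@%s::%s:%s:%d" % (owner, q(rd[1]), rd[0], ttl))
        elif rtype == "CNAME":
            out.append("C%s:%s:%d" % (owner, q(rd[0]), ttl))
        elif rtype == "PTR":
            out.append("^%s:%s:%d" % (owner, q(rd[0]), ttl))
        elif rtype == "TXT":
            out.append("'%s:%s:%d" % (owner, escape_txt(" ".join(rd)), ttl))
        else:
            raise ValueError("unsupported type %s for %s" % (rtype, owner))
    return out


ZONE = """\
$ORIGIN example.com.
$TTL 1h
@       IN SOA ns1 hostmaster (
            2001052701 ; serial
            3h 15m 1w 1h )
        IN NS  ns1
        IN NS  ns2.example.net.
        IN MX  10 mail
        IN TXT "v=spf1 mx -all"
ns1     IN A   192.0.2.53
mail       A   192.0.2.25
www        CNAME @
"""

if __name__ == "__main__":
    print("\n".join(zone_to_tinydns(ZONE)))
```

The output is what goes into tinydns's `data` file, which `tinydns-data` then compiles into `data.cdb`. Note that the `&` and `@` lines leave the address field empty on purpose: a master file carries glue as separate A records, and emitting them twice would duplicate data. Anything the converter does not understand raises instead of being dropped, which is the behaviour you want when the source of truth is a zone you also serve from BIND.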
