To: Edward Lewis <edlewis@arin.net>
Cc: Bill Manning <bmanning@ISI.EDU>, edlewis@arin.net (Edward Lewis), dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Fri, 11 Oct 2002 19:26:13 +0200
In-Reply-To: <a05111b22b9cb95ef2cbf@[192.149.252.231]>
Reply-By: Wed, 1 Jan 1984 12:34:56 +0100
Sender: owner-dnsop@cafax.se
Subject: Re: the call for bind software

At 5:34 PM -0400 2002/10/10, Edward Lewis wrote:

> But that's not all we need to address. Tools, tools, tools. We need
> to make DNSSEC as simple as possible to use, but no simpler, and
> still be useful. (Twisting a trite statement about design.) I'm
> not sure we've identified the simplest way in which DNSSEC can work
> just yet.

I submit that there are other DNS problems that need to be solved first.

We need to get BIND changed so that it does not default to running a caching/recursive resolver for anyone who wants to ask it a question -- it should restrict queries to "local" networks. When setting up an authoritative server, it should not default to also being a caching/recursive server. Sure, you should be allowed to turn on these features if you want them, but they should not be turned on by default.

If we can get these two relatively simple problems fixed out-of-the-box, we can make BIND more secure by default. That will then help us to clear the field for additional enhanced security features.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++)
R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h---
r---(+++)* z(+++)
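
The two defaults argued for in the message above, written out as BIND 9 named.conf fragments. This is an added example, not part of the original message and not BIND's shipped configuration; the ACL name, address ranges, zone name and file paths are placeholders.

```conf
// ---- Fragment 1: caching/recursive resolver (its own named.conf) ----
// Recursion is offered only to "local" networks, not to anyone who asks.
acl "local-nets" {              // hypothetical ACL name
    127.0.0.0/8;
    ::1;
    192.0.2.0/24;               // placeholder: documentation range
    2001:db8::/32;              // placeholder: documentation range
};

options {
    directory "/var/named";     // placeholder path
    recursion yes;
    allow-query     { "local-nets"; };   // who may ask at all
    allow-recursion { "local-nets"; };   // who may trigger recursion
};

// ---- Fragment 2: authoritative-only server (a separate named.conf) ----
// Answers for its own zones from anywhere, never recurses or serves
// cached data on behalf of clients.
options {
    directory "/var/named";     // placeholder path
    recursion no;
    allow-query { any; };
};

zone "example.com" {            // placeholder zone
    type master;
    file "db.example.com";      // placeholder zone file
};
```

Each fragment is a complete configuration for one role; running `named-checkconf` on the file checks its syntax before the server is reloaded.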