To:
Brad Knowles <brad.knowles@skynet.be>
cc:
Edward Lewis <edlewis@arin.net>, Bill Manning <bmanning@ISI.EDU>, dnsop@cafax.se
From:
Robert Elz <kre@munnari.OZ.AU>
Date:
Sat, 12 Oct 2002 17:29:45 +0700
In-Reply-To:
<a05200516b9ccb9714ab1@[146.106.12.76]>
Sender:
owner-dnsop@cafax.se
Subject:
Re: the call for bind software
Date: Fri, 11 Oct 2002 19:26:13 +0200
From: Brad Knowles <brad.knowles@skynet.be>
Message-ID: <a05200516b9ccb9714ab1@[146.106.12.76]>

  | We need to get BIND changed so that it does not default to
  | running a caching/recursive resolver for anyone who wants to ask it a
  | question -- it should restrict queries to "local" networks.

How do you propose that it figure out what is a "local" network and what isn't? The only way would be explicit config, and other than configuring 0/0 as "local" what you create is a maintenance nightmare.

And in any case, answering queries for random clients from all over the place isn't a real security/reliability problem for anyone other than the random clients. They're the ones choosing to query some random remote server, so they can be expected to either understand what they're doing, or simply not care. Doing lookups for the universe might be a performance issue for the server (and hence perhaps a DoS issue), but that's an entirely different matter.

  | When setting up an authoritative server, it should not default to
  | also being a caching/recursive server.

This one would be possible, and might make some difference. One would hope these days that any new enough version of BIND (or anything else) in which this could be implemented though would also be new enough to understand the cache/zone pollution issues, and avoid them as much as possible.

I also half suspect that it is a bit late for this. People have already now learned how DNS servers should be run, and for the majority, that's a server that answers queries for local and remote users alike - doing recursive lookups when appropriate. Make it impossible to work that way, and much of the population will simply not use the new implementation. Make it optional (as you suggested) and much of the population will simply turn the switch back to the current mode.

kre

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
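The two settings the exchange above argues about, shown as an added example that is not part of the message and is not BIND's own documentation: the explicit "local network" configuration kre says would be required to restrict recursion, placed beside the open default, and an authoritative-only server with recursion switched off. The ACL name `trusted`, the zone `example.com` and the network 192.0.2.0/24 (an RFC 5737 documentation range) are placeholders. `recursion`, `allow-recursion`, `allow-query` and `allow-transfer` are long-standing `named.conf` statements; `allow-query-cache` was added in a later BIND 9 release than the ones current in 2002, so the older form is shown with it commented as optional.

```conf
// --- Open recursive resolver: the default behaviour being criticised.
// Any host on the Internet may ask this server to recurse on its behalf.
// (Constructed example; not from the original message.)
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
};

// --- Restricted recursive resolver: the explicit per-site config
// kre points out is the only way to define "local".  Each new site
// network has to be added to the ACL by hand, which is the
// maintenance burden he objects to.
acl "trusted" {                // placeholder name
    127.0.0.0/8;               // loopback
    ::1/128;
    192.0.2.0/24;              // placeholder site network (RFC 5737)
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };   // only local clients may recurse
    // allow-query-cache { trusted; };  // newer BIND 9 only: also hide
                                        // cached answers from outsiders
    allow-query { any; };           // authoritative data stays public
};

// --- Authoritative-only server: the second suggestion in the message.
// No recursion at all, so the server cannot be used as a resolver and
// its answers come only from the zones it is configured to serve.
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
    allow-transfer { none; };       // add secondaries explicitly
};

zone "example.com" IN {             // placeholder zone
    type master;
    file "example.com.zone";
};
```

The three `options` blocks are alternatives for three separate servers, not one file; `named` accepts only one `options` statement per configuration. Checking a candidate file with `named-checkconf` before reloading catches syntax errors, but not an ACL that is too broad, which is the point kre makes about 0/0.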