

To: Brad Knowles <brad.knowles@skynet.be>
cc: Edward Lewis <edlewis@arin.net>, Bill Manning <bmanning@ISI.EDU>, dnsop@cafax.se
From: Robert Elz <kre@munnari.OZ.AU>
Date: Sat, 12 Oct 2002 17:29:45 +0700
In-Reply-To: <a05200516b9ccb9714ab1@[146.106.12.76]>
Sender: owner-dnsop@cafax.se
Subject: Re: the call for bind software

    Date:        Fri, 11 Oct 2002 19:26:13 +0200
    From:        Brad Knowles <brad.knowles@skynet.be>
    Message-ID:  <a05200516b9ccb9714ab1@[146.106.12.76]>

  | 	We need to get BIND changed so that it does not default to 
  | running a caching/recursive resolver for anyone who wants to ask it a 
  | question -- it should restrict queries to "local" networks.

How do you propose that it figure out what is a "local" network and what
isn't?   The only way would be explicit config, and other than
configuring 0/0 as "local" what you create is a maintenance nightmare.

And in any case, answering queries for random clients from all over the
place isn't a real security/reliability problem for anyone other than the
random clients.  They're the ones choosing to query some random remote
server, so they can be expected to either understand what they're doing,
or simply not care.

Doing lookups for the universe might be a performance issue for the
server (and hence perhaps a DoS issue), but that's an entirely different issue.

  | 	When setting up an authoritative server, it should not default to 
  | also being a caching/recursive server.

This one would be possible, and might make some difference.  One would
hope these days that any new enough version of BIND (or anything else)
in which this could be implemented though would also be new enough to
understand the cache/zone pollution issues, and avoid them as much as
possible.

I also half suspect that it is a bit late for this.   People have already
now learned how DNS servers should be run, and for the majority, that's
a server that answers queries for local and remote users alike - doing
recursive lookups when appropriate.   Make it impossible to work that
way, and much of the population will simply not use the new implementation.
Make it optional (as you suggested) and much of the population will
simply turn the switch back to the current mode.

kre
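The two configuration changes argued over above, written out as BIND 9 `named.conf` fragments. This is an added example, not part of the message or of BIND's own documentation: three alternative fragments (open default, restricted recursive resolver, authoritative-only server), not one file, since a single `named.conf` has one `options` block. The `trusted` ACL entries and the zone file path are constructed samples; `localhost` and `localnets` are BIND's built-in ACLs.

```conf
# Added example, not from the original message.  Three ALTERNATIVE fragments;
# pick one, do not paste all three into a single named.conf.

# --- 1. Weak: the open default the thread complains about.  Any client
#        anywhere may use this server as a recursive resolver.
options {
    recursion yes;
    allow-recursion { any; };
};

# --- 2. Hardened: recursive resolver for local clients only.
#        "localhost" and "localnets" are BIND built-in ACLs; localnets matches
#        every network the server has an interface on, so directly attached
#        networks need no hand-listed prefixes.  Anything else is explicit.
acl "trusted" {
    localhost;
    localnets;
    192.0.2.0/24;          # constructed sample: an internal client network
    2001:db8:1::/48;       # constructed sample: an internal IPv6 network
};

options {
    recursion yes;
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };   # cached answers stay private too
};

# --- 3. Hardened: authoritative-only server (the second point quoted above).
#        Serve the configured zones to everyone; recurse for no one.
options {
    recursion no;
    allow-query { any; };     # zone data is public; recursion is not
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";   # constructed sample path
};
```

Run `named-checkconf` on the result before reloading. The caveat matches the objection raised in the reply: `localnets` only covers networks the server is directly attached to, so clients behind a VPN or at a remote office still need their prefixes added to the ACL by hand, and a resolver with `allow-recursion { any; }` can still be driven to exhaustion by remote query load even though it leaks nothing.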

