To: Robert Elz <kre@munnari.OZ.AU>
Cc: Brad Knowles <brad.knowles@skynet.be>, Edward Lewis <edlewis@arin.net>, Bill Manning <bmanning@ISI.EDU>, dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Sat, 12 Oct 2002 18:01:32 +0200
In-Reply-To: <20794.1034418585@munnari.OZ.AU>
Reply-By: Wed, 1 Jan 1984 12:34:56 +0100
Sender: owner-dnsop@cafax.se
Subject: Re: the call for bind software
At 5:29 PM +0700 2002/10/12, Robert Elz wrote:

> How do you propose that it figure out what is a "local" network and what
> isn't? The only way would be explicit config, and other than
> configuring 0/0 as "local" what you create is a maintenance nightmare.

Scan the interfaces (and their netmasks). BIND does that already. Of course, you can always add or over-ride network definitions.

> And in any case, answering queries for random clients from all over the
> place isn't a real security/reliability problem for anyone other than the
> random clients. They're the ones choosing to query some random remote
> server, so they can be expected to either understand what they're doing,
> or simply not care.

By turning off recursive/caching for non-local clients, you do reduce abuse of services (and potential DoS issues), but more importantly you teach them that they need to be running their own nameservers, and hopefully those machines will be more resistant to cache pollution/poisoning.

> I also half suspect that it is a bit late for this. People have already
> now learned how DNS servers should be run,

I disagree. Many people seem to think they know how they should be run, but they are wrong. We should make the software more idiot-resistant.

> and for the majority, that's
> a server that answers queries for local and remote users alike - doing
> recursive lookups when appropriate.

That capability should exist, yes. But it should not be the default configuration. At the very least, if you were to turn on authoritative service and recursive/caching service on the same machine, the latter should be restricted to local clients.

> Make it impossible to work that
> way, and much of the population will simply not use the new implementation.

I'm not suggesting that we make it impossible. Just that we make it optional and flip the switch the other way by default.

> Make it optional (as you suggested) and much of the population will
> simply turn the switch back to the current mode.

Maybe. My experience is that the vast majority of people just take the default (whatever that is). If we can make the default more secure, then most people will benefit.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++) tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
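As an added illustration of the default argued for in the message above (example configuration, not from the thread or from BIND's own documentation), a BIND 9 named.conf fragment that keeps an authoritative zone answerable to anyone while restricting recursion and cache access to local clients. `localnets` is BIND's built-in ACL derived from the interface addresses and netmasks, which is the "scan the interfaces" approach; the 192.0.2.0/24 network, zone name and file paths are constructed placeholders.

```conf
// Added example (not from the thread). Assumes BIND 9.4 or later.
//
// The setup the thread warns about: authoritative for a zone and, because
// recursion is on with no allow-recursion restriction, an open recursive
// resolver for every client on the Internet:
//
//   options {
//       recursion yes;      // no allow-recursion / allow-query-cache
//   };

// Restricted variant: define who counts as "local".
acl "local-clients" {
    localhost;      // built-in ACL: the server's own addresses
    localnets;      // built-in ACL: networks of the server's interfaces,
                    // computed from their netmasks
    192.0.2.0/24;   // explicitly added network (constructed example value)
};

options {
    directory "/var/named";             // constructed path
    recursion yes;                      // recursion still available...
    allow-recursion { "local-clients"; };   // ...but only to local clients
    allow-query-cache { "local-clients"; }; // cached answers likewise
    allow-query { any; };               // authoritative data stays public
};

// The authoritative zone: answered for anyone via allow-query { any; }.
zone "example.com" {
    type master;
    file "example.com.zone";            // constructed path
};
```

Run `named-checkconf` on the file before reloading; a remote client that sends a recursive query for a name outside the served zone then receives a REFUSED response instead of a cached answer.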