

To: Robert Elz <kre@munnari.OZ.AU>
Cc: Brad Knowles <brad.knowles@skynet.be>, Edward Lewis <edlewis@arin.net>, Bill Manning <bmanning@ISI.EDU>, dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Sat, 12 Oct 2002 18:01:32 +0200
In-Reply-To: <20794.1034418585@munnari.OZ.AU>
Reply-By: Wed, 1 Jan 1984 12:34:56 +0100
Sender: owner-dnsop@cafax.se
Subject: Re: the call for bind software

At 5:29 PM +0700 2002/10/12, Robert Elz wrote:

>  How do you propose that it figure out what is a "local" network and what
>  isn't?   The only way would be explicit config, and other than
>  configuring 0/0 as "local" what you create is a maintenance nightmare.

	Scan the interfaces (and their netmasks).  BIND does that 
already.  Of course, you can always add or over-ride network 
definitions.

>  And in any case, answering queries for random clients from all over the
>  place isn't a real security/reliability problem for anyone other than the
>  random clients.  They're the ones choosing to query some random remote
>  server, so they can be expected to either understand what they're doing,
>  or simply not care.

	By turning off recursive/caching for non-local clients, you do 
reduce abuse of services (and potential DoS issues), but more 
importantly you teach them that they need to be running their own 
nameservers, and hopefully those machines will be more resistant to 
cache pollution/poisoning.

>  I also half suspect that it is a bit late for this.   People have already
>  now learned how DNS servers should be run,

	I disagree.  Many people seem to think they know how they should 
be run, but they are wrong.  We should make the software more 
idiot-resistant.

>                                             and for the majority, that's
>  a server that answers queries for local and remote users alike - doing
>  recursive lookups when appropriate.

	That capability should exist, yes.  But it should not be the 
default configuration.  At the very least, if you were to turn on 
authoritative service and recursive/caching service on the same 
machine, the latter should be restricted to local clients.

>                                       Make it impossible to work that
>  way, and much of the population will simply not use the new implementation.

	I'm not suggesting that we make it impossible.  Just that we make 
it optional and flip the switch the other way by default.

>  Make it optional (as you suggested) and much of the population will
>  simply turn the switch back to the current mode.

	Maybe.  My experience is that the vast majority of people just 
take the default (whatever that is).  If we can make the default more 
secure, then most people will benefit.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
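The configuration the thread is arguing about, shown as an added example (these fragments are not from the message above or from the BIND project; the zone name and the 192.0.2.0/24 network are placeholders). Fragment A is the open setting the thread objects to; fragment B keeps authoritative service open to all clients while restricting recursive/caching service to local ones, using the built-in `localnets` ACL that BIND derives from the interfaces and their netmasks, which is the "scan the interfaces" behaviour mentioned above. Use one fragment or the other, not both in one named.conf:

```conf
// Fragment A (weak): recursion is enabled and no allow-recursion list is given,
// so any client anywhere can use this server as a recursive resolver.
options {
    directory "/var/named";
    recursion yes;
};

zone "example.com" {          // placeholder zone name
    type master;
    file "example.com.zone";  // placeholder file name
};

// Fragment B (hardened): same authoritative zone, recursion only for local clients.
acl "local-clients" {
    localhost;                // built-in ACL: the server's own addresses
    localnets;                // built-in ACL: networks of the configured interfaces
    192.0.2.0/24;             // placeholder: an explicitly added site network
};

options {
    directory "/var/named";
    recursion yes;                          // capability stays available ...
    allow-query { any; };                   // authoritative data answered for everyone
    allow-recursion { "local-clients"; };   // ... but only local clients may recurse
};

zone "example.com" {          // placeholder zone name
    type master;
    file "example.com.zone";  // placeholder file name
};
```

One caveat worth knowing when applying fragment B on a real server: in BIND 9 releases before 9.4, a client that is refused recursion could still be handed answers already sitting in the cache; the later `allow-query-cache` option closes that gap, so on a version that has it, set it to the same ACL as `allow-recursion`.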
