To: Brad Knowles <brad.knowles@skynet.be>
cc: Edward Lewis <edlewis@arin.net>, Bill Manning <bmanning@ISI.EDU>, dnsop@cafax.se
From: Robert Elz <kre@munnari.OZ.AU>
Date: Wed, 16 Oct 2002 18:55:20 +0700
In-Reply-To: <a05200507b9d233a63eef@[146.106.12.76]>
Sender: owner-dnsop@cafax.se
Subject: Re: the call for bind software
    Date:        Tue, 15 Oct 2002 23:19:08 +0200
    From:        Brad Knowles <brad.knowles@skynet.be>
    Message-ID:  <a05200507b9d233a63eef@[146.106.12.76]>

  | Nothing in the world is ever going to protect you from needing to
  | know what is "local" and what is not.

Why should I care?   It isn't the location of the system that matters
for what I want to allow, but the identity of the user of the system.

Further, I'm at a university; it is just as likely, if not more likely,
that attacks will come from local sources as from remote ones.

  | Belt & suspenders.  Go ahead and do the firewall, but don't
  | depend on it.

I wasn't planning on depending upon it; nothing in this makes a
difference, so it doesn't matter.

  | Configure the nameserver so as to be secure in the
  | absence of the firewall,

Of course the nameserver should be secure.   But answering queries for
random outsiders is not insecure.   It might be foolish to waste my
resources that way, but it is not insecure.

  | Okay, then let's do this by default -- caching & authoritative
  | services are mutually exclusive, unless you know the magic
  | incantation to get them both running in the same BIND instance.

I have less of a problem with that, though I can't think of any
particularly good reason that the people working on bind should take
any notice of your requests.

  | No, my method is not 100000% fool-proof.  It is possible to work
  | around it.

It is trivial to work around it.   Not that it matters anyway.

  | Again, we're talking about improving the state of affairs for the
  | whole Internet, not just a particular local network.

You keep asserting that, with no justification at all.   A polluted
(modern) bind cache affects only the people using it as a cache, and
has no effect on anyone else whatever.   How is the whole internet
supposed to benefit from avoiding that pollution?

  | Or are you of the opinion that there is no purpose in doing RFC
  | 1918 address filtering at your egress routers?

How did that random thought work its way into this discussion?
What's the relevance?

  | No, they typically blindly take whatever the vendor gives them.

If it works for them.   Only if it works for them.   If it doesn't,
they either make the vendor fix it, or they fix it themselves using
some info they acquire from somewhere.

  | But that's not what would happen for most people.  Only a
  | relatively small group of people would have a problem whereby the
  | automatic interface/netmask scanning would fail to appropriately set
  | the list of "local" networks.  They are the only edge condition that
  | we have to worry about.

Huh?   Most binds run on singly homed hosts - the only address/mask
they can hope to find (even assuming the host is correctly configured)
is the one for the local LAN.   That means that you're asserting that
"most people" live on networks that consist of exactly one LAN, no more.

That's an interesting view of the state of the world.   There certainly
are a lot of small sites like that around, but most of them don't run
their own DNS cache at all - they use one their provider supplies (when
they're not connected to the internet they have no need of DNS
resolution, usually using a hosts file, NIS, or more typically, NMB or
NBP for all the name resolution they need).

kre
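For readers of the thread who have not seen the "magic incantation" Knowles refers to: the following is an added illustration, not configuration posted by either correspondent, of a single BIND 9 instance that is authoritative for a zone to the whole Internet while recursing only for an explicitly listed set of client prefixes. The ACL name `local-nets`, the 192.0.2.0/24 and 2001:db8::/32 prefixes, the zone `example.net`, the directory and the zone file name are all placeholders chosen for the example. It assumes BIND 9.4 or later, since `allow-query-cache` did not exist in the BIND 9.2 that was current when this message was written.

```conf
// Added example (not from the thread): authoritative + restricted
// recursion in one named instance.  All names/prefixes are placeholders.

acl "local-nets" {
    127.0.0.0/8;        // loopback
    ::1/128;
    192.0.2.0/24;       // placeholder campus prefix (RFC 5737 TEST-NET-1)
    2001:db8::/32;      // placeholder IPv6 prefix (RFC 3849)
};

options {
    directory "/var/named";             // placeholder

    // Recursion stays on, but only for clients matching the ACL.
    recursion yes;
    allow-recursion { "local-nets"; };

    // Without this (BIND >= 9.4), outsiders could still read answers
    // already sitting in the cache even though they cannot trigger
    // new recursion.
    allow-query-cache { "local-nets"; };

    // Authoritative data remains answerable to anyone.
    allow-query { any; };
};

// Zone served authoritatively to the whole Internet.
zone "example.net" {
    type master;
    file "db.example.net";              // placeholder zone file
    allow-transfer { none; };           // add secondaries' addresses here
};
```

To confirm the split behaves as intended, query from an address outside the ACL: `dig @<server> www.example.org` should be answered REFUSED (and the `ra` flag will be absent from the header), while `dig @<server> example.net SOA` still returns an authoritative (`aa`) answer. The same query pair from inside 192.0.2.0/24 should return a recursive answer for the first and the authoritative answer for the second. Note that this only decides which clients may use the cache; as Elz points out above, it does not change who is affected if that cache is poisoned, which is still only the clients that resolve through it.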