

To: Brad Knowles <brad.knowles@skynet.be>
cc: Edward Lewis <edlewis@arin.net>, Bill Manning <bmanning@ISI.EDU>, dnsop@cafax.se
From: Robert Elz <kre@munnari.OZ.AU>
Date: Wed, 16 Oct 2002 18:55:20 +0700
In-Reply-To: <a05200507b9d233a63eef@[146.106.12.76]>
Sender: owner-dnsop@cafax.se
Subject: Re: the call for bind software

    Date:        Tue, 15 Oct 2002 23:19:08 +0200
    From:        Brad Knowles <brad.knowles@skynet.be>
    Message-ID:  <a05200507b9d233a63eef@[146.106.12.76]>

  | Nothing in the world is ever going to protect you from needing to
  | know what is "local" and what is not.

Why should I care?   It isn't the location of the system that matters
for what I want to allow, but the identity of the user of the system.

Further, I'm at a university; it is just as likely, if not more likely,
that attacks will come from local sources as from remote ones.

  | Belt & suspenders.  Go ahead and do the firewall, but don't 
  | depend on it.

I wasn't planning on depending upon it; nothing in this makes a
difference, so it doesn't matter.

  | Configure the nameserver so as to be secure in the 
  | absence of the firewall,

Of course the nameserver should be secure.   But answering queries for
random outsiders is not insecure.   It might be foolish to waste my
resources that way, but it is not insecure.

  | Okay, then let's do this by default -- caching & authoritative 
  | services are mutually exclusive, unless you know the magic 
  | incantation to get them both running in the same BIND instance.

I have less problem with that, though I can't think of any particularly
good reason that the people working on bind should take any notice of
your requests.

  | 	No, my method is not 100000% fool-proof.  It is possible to work 
  | around it.

It is trivial to work around it.   Not that it matters anyway.

  | 	Again, we're talking about improving the state of affairs for the 
  | whole Internet, not just a particular local network.

You keep asserting that, with no justification at all.   A polluted
(modern) bind cache affects only the people using it as a cache, and
has no effect on anyone else whatever.

How is the whole internet supposed to benefit from avoiding that
pollution?

  | Or are you of the opinion that there is no purpose in doing RFC 
  | 1918 address filtering at your egress routers?

How did that random thought work its way into this discussion?
What's the relevance?

  | No, they typically blindly take whatever the vendor gives them.

If it works for them.   Only if it works for them.   If it doesn't, they
either make the vendor fix it, or they fix it themselves using some info
they acquire from somewhere.

  | But that's not what would happen for most people.  Only a 
  | relatively small group of people would have a problem whereby the 
  | automatic interface/netmask scanning would fail to appropriately set 
  | the list of "local" networks.  They are the only edge condition that 
  | we have to worry about.

Huh?

Most binds run on singly homed hosts - the only address/mask they can
hope to find (even assuming the host is correctly configured) is the one
for the local LAN.

That means that you're asserting that "most people" live on networks
that consist of exactly one LAN, no more.   That's an interesting
view of the state of the world.

There certainly are a lot of small sites like that around, but most of
them don't run their own DNS cache at all - they use one their provider
supplies (when they're not connected to the internet they have no need
of DNS resolution, usually using hosts file, NIS, or more typically, NMB
or NBP for all the name resolution they need).

kre
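The configuration the two of them are arguing about, as an added example that is not part of the thread and not anyone's posted config: a single BIND 9 named.conf that keeps authoritative and caching service apart with views, and that admits clients to the cache either by address (Brad's "local" test) or by TSIG key (the identity test kre says he actually cares about). The zone name, addresses, file names and key are all made up for illustration; the secret is a constructed placeholder, not a usable key.

```conf
// Added example, not from the thread.  Serves "example.net" to everyone,
// recurses only for clients that are either on the listed networks or
// sign their queries with the "cache-users" key.  All names, addresses
// and the key below are invented for illustration.

// The identity test: a client holding this key is served from the cache
// from anywhere, on or off campus.  The secret is a constructed
// placeholder; generate a real one with dnssec-keygen before use.
key "cache-users" {
    algorithm hmac-md5;
    secret "ZXhhbXBsZS1rZXktbm90LWZvci11c2U=";
};

// The location test: networks whose hosts may use the cache.
acl "campus" { 127.0.0.1; 10.0.0.0/8; 192.0.2.0/24; };

// Either test is enough to reach the recursive view.
acl "cache-clients" { campus; key "cache-users"; };

options {
    directory "/var/named";
    // Closed by default; each view below sets its own policy explicitly.
    recursion no;
    allow-recursion { none; };
};

// Caching service for identified clients only.  This view has its own
// cache, which is the only one that can be polluted, and only these
// clients ever read from it.
view "resolver" {
    match-clients { cache-clients; };
    recursion yes;
    allow-recursion { cache-clients; };
    zone "." { type hint; file "root.hints"; };
    zone "example.net" { type master; file "example.net.zone"; };
};

// Authoritative-only service for everyone else.  No recursion, no root
// hints and no cache: the server has nothing to say about names outside
// its own zone, so there is nothing here for an outsider to pollute.
view "public" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    zone "example.net" { type master; file "example.net.zone"; };
};
```

Syntax-check with BIND's own `named-checkconf` before loading. To confirm the split, query from an address outside "campus" without the key: the answer for `example.net` comes back with `aa` set and `ra` clear, and a query for any other name is not resolved. The same query signed with the key (`dig -y hmac-md5:cache-users:<secret>`) matches the "resolver" view and is answered recursively, which is the address-independent behaviour kre describes.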

