Bind Software diversity
Jonathan de Boyne Pollard
J.deBoynePollard at tesco.net
Mon Aug 11 16:51:00 UTC 2003
JdeBP> The opinion of "the BIND community" when asked, in essence,
JdeBP> "Rather than run the very latest version of BIND throughout,
JdeBP> should I run different, non-BIND, DNS server softwares?" is,
JdeBP> I suspect, going to be the obvious one.
SW> What, that like economists, there are at least as many views
SW> as members, and possibly more views than that.
Partly that, indeed; and partly that - also like economists (albeit
that we should be wary of stretching your simile too far) - there is a
mainstream opinion that is, in general, conservative and, to an
extent, dogmatic.
SW> Where the NS addresses are fixed, some ISPs like to leave
SW> resolving servers accessible to the world for when clients
SW> plug their laptops into other people's networks, so they
SW> don't have to change DNS settings. With DHCP supplying DNS
SW> in most places this is largely irrelevant.
Actually, the proxy DNS server IP addresses supplied by DHCP should,
best, be largely irrelevant, too. I've seen people say that in such
situations ISPs should employ VPNs, so that whilst the proxy DNS
service is only reachable by the ISP's customers, those customers can
reach it over the VPN from other networks. That's certainly one way
of tackling the issue. However, a different, but equally good (and
in some ways better), way of tackling it would be for such a laptop
itself to be running its _own_ resolving proxy DNS server, so that it
performed any query resolution that it needed itself. Thus the
machine would have no need of whatever proxy DNS server information
was supplied to it via DHCP, and all such information would be
irrelevant.
However, either way (communicating with the "home" ISP via a VPN or
running one's own resolving proxy DNS server on the machine itself)
there's _no_ need _at all_ for the ISP to run a promiscuous proxy
DNS server in order to satisfy roaming users. Doing so is a bad idea
and a bodge that is used in place of satisfying the needs of the users
in a proper manner. Proxy DNS service is like proxy HTTP service and
SMTP Submission service in many ways. The reasons that good ISPs
don't provide promiscuous services for the latter two, despite the
equal applicability of the "But roaming users need it!" argument to
them, are also reasons for not providing promiscuous service for
the former.
I suspect that roaming users in fact readily accept that for all
three services, ISPs expect them to
(a) change their machine's settings for those services as
they roam from ISP to ISP;
(b) employ some form of either IP tunnelling or
authentication to access the "home" ISP's private
services when connected to another ISP;
or
(c) be first-class Internet citizens and run their
own services themselves.
SW> Also the lack of an off-network authoritative server might be
SW> worth reviewing; guess it depends how many off-network
SW> services are referred to in the DNS.
There are arguments against the need for making one's content DNS
service immune to single-point failure if all of one's other services
are provided over a single link and would be hit by the failure
anyway. However, when this subject was discussed in depth on the
"djbdns" mailing list in 2001-01 after the events that hit Microsoft
that month, Andy Dustman propounded a good argument, in favour of even
those organizations that have everything on a single IP address having
off-site content DNS service, that, two and a half years later, I have
yet to see properly countered.
<URL:http://marc.theaimsgroup.com./?l=djbdns&m=98038553100698>
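An added illustration, not part of the original post and not taken from BIND's own documentation: the distinction the post draws between a "promiscuous" proxy DNS server, an ISP resolver restricted to its own customers (reached by roaming users over a VPN), and a laptop running its own resolving proxy, expressed as BIND 9 named.conf fragments. The three `options` stanzas are alternatives for three different machines; a real named.conf holds exactly one. The ACL name, the network addresses and the directory path are constructed values.

```conf
// Added example (not from the original post): BIND 9 named.conf fragments.
// Each "options" stanza below belongs to a different server; pick one.

// --- Weak: the "promiscuous proxy DNS server" the post argues against ---
// Any host on the Internet may use this server for recursion and read its cache.
options {
    directory "/var/named";          // constructed path
    recursion yes;
    allow-recursion { any; };        // open to the world
    allow-query { any; };
};

// --- Restricted: ISP resolver reachable only by the ISP's own customers ---
// Roaming customers reach it over a VPN (option (b) in the post), so the
// VPN address pool is part of the trusted ACL instead of opening recursion
// to everyone.
acl "customers" {                    // constructed ACL name
    127.0.0.1;
    198.51.100.0/24;                 // constructed: customer access network
    10.8.0.0/24;                     // constructed: VPN pool for roaming users
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { customers; };  // recursion only for the ISP's users
    allow-query-cache { customers; };// cached answers are not served to outsiders
    allow-query { customers; };      // any content zones served here would need
                                     // their own, wider allow-query
};

// --- Laptop-local: the machine runs its own resolving proxy (option (c)) ---
// Bound to loopback only, so DHCP-supplied resolver addresses are irrelevant
// and nothing on the network can reach this resolver at all.
options {
    directory "/var/named";
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    recursion yes;
    allow-recursion { localhost; };  // built-in ACL: the machine's own addresses
    allow-query { localhost; };
};
```

With the restricted or laptop-local stanzas in place, a recursive query from an address outside the ACL is refused rather than answered, which is the behaviour the post describes good ISPs already applying to proxy HTTP and SMTP submission service.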