Separation of authoritative and recursive functions

Brad Knowles brad at stop.mail-abuse.org
Thu Jul 7 22:34:19 UTC 2005


At 5:28 PM -0400 2005-07-07, Kevin Darcy wrote:

>  With all due respect, that's kind of a FUD argument, isn't it?

	I don't see it that way, no.  I see it as a belt-and-suspenders 
attitude towards being as secure as reasonably possible.

>                                                                  I mean,
>  has there ever been a serious "view leakage" problem with BIND 9?

	No, not to my knowledge.  However, all security holes are not 
known until such time as they are discovered.  If you only ever 
protected yourself against the known security holes, you'd have a lot 
of problems the next time that a new security hole is discovered.

>  In any case, if "view leakage" is the specific vulnerability to be
>  protected against, one can always go the "middle road" and run separate
>  nameserver instances on separate interfaces of the same box(es).

	Re-read what I said, and which you quoted yourself but you 
obviously did not read:

|                                          Separate instances of BIND or
| separate machines will guarantee that doesn't happen.

>                                                                   That's
>  still less drastic than devoting different boxes or sets of boxes to the
>  different functions.

	I still prefer the solution of using separate servers, but 
separate instances on the same server is a minimally acceptable 
alternative.

>  Let's not forget that installing, configuring and maintaining separate
>  boxes brings with it its own set of security challenges: that's more
>  boxes to keep patched up to date, more boxes to write firewall rules
>  for, more complexity on one's network, etc.

	If you're managing a network of boxes, it shouldn't be too much 
harder to add a couple more.  If it is, then I think you've got 
bigger problems that you need to work out first.

>                                               Simply put: more chances to
>  screw something up and create a vulnerability. Aren't most
>  vulnerabilities caused by misconfigurations as opposed to bad code?

	There are also plenty of vulnerabilities created by legacy 
configurations where machines are overloaded with too many functions, 
but it's too difficult to split them up.

	Just ask Randy Bush why the ccTLD servers he runs at psg.com are 
still open caching/recursive servers, amongst other things.

>  I still say there is no one simple answer that works for all
>  organizations.

	That is a statement that I will agree with.

>                                                         Given this,
>  I have no problem running authoritative-nameserver and
>  iterative-resolver functions as separate views within the same
>  nameserver instances on those boxes.

	There are certain minimum security floors below which I believe 
you should not go.  This is one of them.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
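The "middle road" discussed in this thread (separate named instances on separate interfaces of one box, with the authoritative instance unable to recurse) can be expressed as two named.conf files. This is an added illustration, not configuration from the poster or from the thread; the addresses, paths and zone name are constructed placeholders, and each instance is started with its own file via `named -c <file>`.

```conf
// /etc/named-auth.conf -- authoritative-only instance (added example; all values are placeholders)
options {
    directory "/var/named/auth";
    pid-file  "/var/run/named-auth.pid";   // each instance needs its own pid file
    listen-on port 53 { 192.0.2.53; };     // public interface only
    listen-on-v6 { none; };
    recursion no;                          // never answers as a cache, so no data to leak
    allow-query { any; };                  // authoritative data is public by definition
    allow-transfer { 192.0.2.54; };        // secondaries only
};
controls {                                 // separate rndc port so both instances can be controlled
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-auth"; };
};
include "/etc/rndc-auth.key";
zone "example.com" {
    type master;
    file "example.com.zone";
};
```

```conf
// /etc/named-rec.conf -- recursive-only instance for internal clients (added example; placeholders)
options {
    directory "/var/named/rec";
    pid-file  "/var/run/named-rec.pid";
    listen-on port 53 { 10.0.0.53; };      // internal interface only; not reachable from the Internet
    listen-on-v6 { none; };
    recursion yes;
    allow-query     { 10.0.0.0/8; };       // clients must be internal
    allow-recursion { 10.0.0.0/8; };       // refuses to be an open resolver
};
controls {
    inet 127.0.0.1 port 954 allow { 127.0.0.1; } keys { "rndc-rec"; };
};
include "/etc/rndc-rec.key";
// no authoritative zones here: this instance holds only cache
```

Because the two processes share no cache, no zone data and no listening socket, a flaw in one view-separation path cannot expose the other instance's data; the remaining exposure is limited to what each instance deliberately serves on its own interface.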
