Accuracy of DNSStuff reports
Kevin Darcy
kcd at daimlerchrysler.com
Wed Nov 29 22:32:38 UTC 2006
Barry Margolin wrote:
> In article <ekgq85$2dbm$1 at sf1.isc.org>, Res <res at ausics.net> wrote:
>
>
>> On Mon, 27 Nov 2006, Barry Margolin wrote:
>>
>>
>>> My personal bugaboo with DNSReport is the red FAIL it reports for open
>>> recursive servers. While it's certainly a bad idea for authoritative
>>>
>> Actually I think it's a good idea, it alerts the admin who set it up they
>> are open to exploitation and abuse.
>>
>
> So make it a warning.
>
> The problem is that it confuses OTHER people who are trying to
> troubleshoot problems accessing the domain. They see the big red FAIL
> and think that it's due to the DNS misconfiguration.
>
>
I have to agree with Barry here. A site that is serving DNS flawlessly
to its clients shouldn't get any FAILs on its "health check". If
DNSStuff or any other "checker" wants to highlight a *security* problem,
as opposed to a *functional* problem, such that it gets a high fix
priority, then perhaps it should use a different term and/or different
color, like INSECURE or EXPLOITABLE in purple or something like that. Or
the format of the report could have a separate column for
security-related factors. But showing a FAIL on a working site is just
an open invitation to misunderstanding and confusion.
- Kevin
More information about the bind-users mailing list