cTLD and DNS upgrade
Brad Knowles
brad at stop.mail-abuse.org
Tue Jul 5 08:20:49 UTC 2005
At 9:58 AM +0200 2005-07-05, Peter Dambier wrote:
> I have learned from cache poisoned resolvers it makes sense to
> mirror all zones you can even on the resolver. I have seen many
> ISP resolvers that do mirror the most important zones.
>
> First it will prevent you from cache poisoning.
I'm not convinced of that. It may avoid certain failure modes,
but I sincerely doubt that it will catch all of them.
What tests have you done to prove that all known failure modes
are covered by this solution?
> Vixie's company does a commercial version of BIND that is split into
> two programmes, the resolver and the nameserver.
Vixie's company? You mean Nominum? He may have helped to found
the company, but everything I've heard from various people who've
worked there indicates that he hasn't had any material involvement in
it for a very long time.
Yes, Nominum does have the very best caching and
authoritative-only servers that I've ever seen. Unfortunately,
they're pretty expensive.
Note that PowerDNS also splits the caching/recursive functions
from the authoritative side, as do just about all the other programs
available that I am aware of.
Paul Vixie himself has said that he wishes that this was
something that could be changed about BIND, as he views the combined
services in one program to be a significant security weakness. I
disagree with him, but I do agree that the default configurations
should separate these functions.
Note that I have said these functions should be split ever since
doing the technical review for the 2nd edition of _DNS and BIND_,
advice which Cricket Liu unfortunately chose not to accept (or maybe
it just got lost through the cracks). And I'm sure that I wasn't the
first to come up with this idea, although alternatives to BIND at
that point were pretty thin on the ground.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
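Added example (not from the post, and not from ISC or BIND's own documentation): the split the post argues the default configuration should make, as two named.conf files for two separate named instances, one caching-only for local clients and one authoritative-only for the public, with the combined form shown first for contrast. The addresses, ACL members, zone names and file paths are assumptions for illustration only.

```conf
// Added example, not from the post or from BIND. Addresses, zone names
// and paths below are assumptions chosen for illustration.

// ---- The combined form the post objects to (one instance does both) ----
// options { recursion yes; };
// zone "example.com" { type master; file "db.example.com"; };
// Anyone who can reach this server can make it recurse, and whatever lands
// in its cache is served from the same process that answers for example.com.

// ---- /etc/named-resolver.conf : caching resolver, internal address only ----
acl "internal" { 127.0.0.0/8; 192.0.2.0/24; };   // assumed client ranges

options {
    directory "/var/named/resolver";
    listen-on { 192.0.2.53; };                   // assumed internal address
    recursion yes;
    allow-query { "internal"; };                 // nobody outside can query it
    allow-recursion { "internal"; };             // ... or recurse through it
    allow-transfer { none; };
};

zone "." { type hint; file "named.root"; };      // root hints only
zone "localhost" { type master; file "db.localhost"; };

// ---- /etc/named-auth.conf : authoritative only, public address ----
options {
    directory "/var/named/auth";
    listen-on { 198.51.100.53; };                // assumed public address
    recursion no;                                // never recurses, so never caches
    allow-query { any; };
    allow-transfer { 198.51.100.54; };           // assumed secondary server
};

zone "example.com" { type master; file "db.example.com"; };
```

Each file is started as its own process (named -c with the respective file), each bound to its own address. The check a practitioner wants afterwards: a query from the public side for a name outside example.com should be refused by the authoritative instance rather than answered, and the resolver's address should not be reachable from outside the internal ranges at all.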