[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Securing bind..


On Sun, 30 Dec 2001, Russell Coker wrote:

> On Sun, 30 Dec 2001 22:02, jernej horvat wrote:
> > On Sunday 30 December 2001 18:46, P Prince wrote:
> > > The eaisest and most failsafe way to secure bind is to install djbdns.
> >
> > If you have nothing to say - do not speak.

Heh, I didn't send a blank message.  The point was clear.  It was not a

> Perhaps a discussion of the relative merits of djbdns and bind is in order.


> I wanted to move to djbdns at one time, but it was too painful.  Everything
> had to be redone (the config files were all incompatible), the documentation
> was inadequate, and there was no good amount of support on the net.

Of course the config files are incompatible - djbdns's file format is far

The documentation is excellent - and simple, because the system is simple.

> Has djbdns improved since then?

I don't think djbdns has ever been at the level you suggest.

I strongly *strongly* suggest that anyone considering setting up DNS, be it
BIND or djbdns, check out Daniel Bernstein's site on the subject,

> > Securing DNS:
> > http://www.psionic.com/papers/dns/
> 2.4.x kernels support the --bind option to mount which avoids the syslogd
> hackery described in this URL.  Also the authbind method supported by Debian
> is much more powerful and useful than using the chuid() functionality in
> bind.  Both these things aren't mentioned.
> > Cricket Liu's presentation on how to secure BIND:
> > http://www.acmebw.com/papers/securing.pdf
> I disagree with the supposed security benefits of disabling zone transfers,
> it's just security by obscurity.  Also when idiots read such advice and take
> it to heart it gets in the way when you have a genuine need for zone
> transfers.

What is wrong with security by obscurity?  It's an excellent strategy, albeit
not a complete one.

> --
> http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
> http://www.coker.com.au/projects.html Projects I am working on
> http://www.coker.com.au/~russell/     My home page


> --
> To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: