Re: Securing bind..
jernej horvat wrote:
[ snip ]
> And this is what djb has to say for zone transfers :-)
> "Zone transfers are an archaic alternative mechanism for copying DNS
``Zone transfers are an archaic alternative mechanism for copying DNS
information. Instead of immediately sending new data to the slaves, you
run a zone-transfer service that accepts periodic connections from the
slaves; your users complain while they're waiting for the slaves to
check for new data. The zone-transfer protocol isn't a modular
file-transfer system; it is an ad-hoc system tied to the details of DNS.
The protocol has terrible compression and no security. Every new zone on
the master requires manual reconfiguration of the slaves. Zone transfers
lose all information about client differentiation and scheduled record
It is always amazing to me how *intelligent* people try to make their
point by taking other people's words out of context . . .
Notice that bind, current or not, has no answers to djb's concerns, as
expressed in his complete paragraph ;>
[ snip ]
Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much we
think we know. The more I know, the more I know I don't know . . .