Re: Securing bind..
jernej horvat wrote:
> On Monday 31 December 2001 01:29, Michael D. Schleif wrote:
> > It is always amazing to me how *intelligent* people try to make their
> > point by taking other people's words out of context . . .
> > > http://cr.yp.to/djbdns/faq/axfrdns.html#what
> I added the URL so that everyone could look it up. The WHOLE text.
> I added another quote from that URL.
> > Notice, that bind, current or not, has no answers to djb's concerns, as
> > expressed in his complete paragraph ;>
> "There has been some work on improving the zone-transfer protocol: a NOTIFY
> mechanism that wakes up the slaves (after a delay, and without a failure
> notice when something goes wrong); an experimental IXFR mechanism for
> incremental zone transfers (although the BIND implementation doesn't work for
> zone files modified by hand or by external tools); and several proposed
> security mechanisms, notably TSIG. BIND's May 2001 IXFR and TSIG
> implementations are supposedly free of the bugs that caused crashes, data
> corruption, and root exploits in previous versions of BIND. The BIND company
> occasionally mumbles about imaginary tools to handle new zones and client
> differentiation. By combining all these tools, you can finally approach the
> functionality of a trivial rsync script. Wow."
> Wow. May 2001... it is 30.12.2001 now and BIND 9.2.0 is out.
> DNS Security
>   DNSSEC (signed zones)
>   TSIG (signed DNS requests)
> IP version 6
>   Answers DNS queries on IPv6 sockets
>   IPv6 resource records (A6, DNAME, etc.)
>   Bitstring Labels
>   Experimental IPv6 Resolver Library
> DNS Protocol Enhancements
>   IXFR, DDNS, Notify, EDNS0
>   Improved standards conformance
> One server process can provide multiple "views" of the DNS namespace, e.g.
> an "inside" view to certain clients, and an "outside" view to others.
> Multiprocessor Support
> Improved Portability Architecture
> djb should update his security-concerned pages.
improved != resolved
By-the-by, what does ``Improved standards conformance'' mean? Does it
or does it *not* conform? Or, is it just a little bit pregnant?
``By combining all these tools, you can finally approach the
functionality of a trivial rsync script. Wow.''
Enough said . . .
Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much we
think we know. The more I know, the more I know I don't know . . .
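The comparison djb draws in the quoted paragraph (NOTIFY + IXFR/AXFR + TSIG on one side, "a trivial rsync script" on the other) is easier to judge with both sides written out. The following is an added example, not code from this thread or from ISC or djb: it renders the named.conf fragments a BIND 9.2-era primary and secondary need so that zone transfers are accepted only from holders of a shared TSIG key and the secondary is woken by NOTIFY, and beside that the rsync-over-ssh push that replaces the whole transfer protocol. The key name "transfer-key", the secret, the addresses 192.0.2.1/192.0.2.2 and the zone example.com are made-up values for illustration; in practice the secret comes from dnssec-keygen (or any 16+ random bytes, base64-encoded).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All names, addresses and
# the secret below are constructed placeholders.

# Primary side: accept AXFR/IXFR only when the request is TSIG-signed with
# the named key, and send NOTIFY to the secondary after every zone change.
# $1 = key name, $2 = base64 TSIG secret, $3 = secondary address, $4 = zone
render_primary_conf() {
    cat <<EOF
key "$1" {
    algorithm hmac-md5;        # the only TSIG algorithm BIND 9.2 shipped;
    secret "$2";               # newer BIND also accepts hmac-sha256
};
server $3 {
    keys { "$1"; };            # sign NOTIFY and any query we send to $3
};
zone "$4" {
    type master;
    file "$4.zone";
    notify yes;
    also-notify { $3; };
    allow-transfer { key "$1"; };   # never "any", never a bare IP list
};
EOF
}

# Secondary side: present the same key when pulling the zone from the primary.
# $1 = key name, $2 = base64 TSIG secret, $3 = primary address, $4 = zone
render_secondary_conf() {
    cat <<EOF
key "$1" {
    algorithm hmac-md5;
    secret "$2";
};
server $3 {
    keys { "$1"; };            # sign the AXFR/IXFR request to the primary
};
zone "$4" {
    type slave;
    file "$4.zone";
    masters { $3; };
};
EOF
}

# The "trivial rsync script" djb refers to: the zone file is pushed over ssh
# (which supplies authentication, integrity and confidentiality) and the
# secondary reloads. No AXFR, IXFR, NOTIFY or TSIG involved; the secondary
# holds the zone as a plain master copy. Prints the command line so it can
# be inspected before being run.
# $1 = zone, $2 = secondary host, $3 = zone directory on both hosts
rsync_push_cmd() {
    printf 'rsync -e ssh -a --checksum %s/%s.zone %s:%s/%s.zone && ssh %s rndc reload %s\n' \
        "$3" "$1" "$2" "$3" "$1" "$2" "$1"
}

# Execute the push for real. Kept separate from the renderer so the command
# can be tested without rsync or a remote host.
push_zone_rsync() {
    sh -c "$(rsync_push_cmd "$1" "$2" "$3")"
}

# Stand-alone demonstration with the constructed values.
if [ "${1:-}" = "demo" ]; then
    SECRET='c29tZXRoaW5nIHJhbmRvbSBoZXJl'   # constructed; use dnssec-keygen output
    echo '## primary'
    render_primary_conf transfer-key "$SECRET" 192.0.2.2 example.com
    echo '## secondary'
    render_secondary_conf transfer-key "$SECRET" 192.0.2.1 example.com
    echo '## rsync alternative'
    rsync_push_cmd example.com 192.0.2.2 /var/named
fi
```

Run it with `sh zone-transfer.sh demo` to see both configurations side by side. The security-relevant difference is where the trust boundary sits: with TSIG it is the shared secret plus BIND's transfer code on both ends, so `allow-transfer` must name the key and not an address, because source addresses are trivially spoofed on a UDP NOTIFY and not much harder on TCP for an AXFR; with rsync-over-ssh it is the ssh key and the sshd on the secondary, and the DNS server itself never has to accept an inbound transfer at all.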