Re: Securing bind..
Hello,
On Sun, 30 Dec 2001, Russell Coker wrote:
> On Sun, 30 Dec 2001 22:02, jernej horvat wrote:
> > On Sunday 30 December 2001 18:46, P Prince wrote:
> > > The easiest and most failsafe way to secure bind is to install djbdns.
> >
> > If you have nothing to say - do not speak.
Heh, I didn't send a blank message. The point was clear. It was not a
'troll'.
> Perhaps a discussion of the relative merits of djbdns and bind is in order.
Certainly.
> I wanted to move to djbdns at one time, but it was too painful. Everything
> had to be redone (the config files were all incompatible), the documentation
> was inadequate, and there was no good amount of support on the net.
Of course the config files are incompatible - djbdns's file format is far
simpler.
The documentation is excellent - and simple, because the system is simple.
> Has djbdns improved since then?
I don't think djbdns has ever been at the level you suggest.
I strongly *strongly* suggest that anyone considering setting up DNS, be it
BIND or djbdns, check out Daniel Bernstein's site on the subject,
http://cr.yp.to/djbdns.html
> > Securing DNS:
> > http://www.psionic.com/papers/dns/
>
> 2.4.x kernels support the --bind option to mount which avoids the syslogd
> hackery described in this URL. Also the authbind method supported by Debian
> is much more powerful and useful than using the chuid() functionality in
> bind. Both these things aren't mentioned.
>
> > Cricket Liu's presentation on how to secure BIND:
> > http://www.acmebw.com/papers/securing.pdf
>
> I disagree with the supposed security benefits of disabling zone transfers,
> it's just security by obscurity. Also when idiots read such advice and take
> it to heart it gets in the way when you have a genuine need for zone
> transfers.
What is wrong with security by obscurity? It's an excellent strategy, albeit
not a complete one.
> --
> http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> http://www.coker.com.au/projects.html Projects I am working on
> http://www.coker.com.au/~russell/ My home page
Yours,
-Tech