
Re: Securing bind..



Hello,

On Sun, 30 Dec 2001, Russell Coker wrote:

> On Sun, 30 Dec 2001 22:02, jernej horvat wrote:
> > On Sunday 30 December 2001 18:46, P Prince wrote:
> > > The easiest and most failsafe way to secure bind is to install djbdns.
> >
> > If you have nothing to say - do not speak.

Heh, I didn't send a blank message.  The point was clear.  It was not a
'troll'.

> Perhaps a discussion of the relative merits of djbdns and bind is in order.

Certainly.

> I wanted to move to djbdns at one time, but it was too painful.  Everything
> had to be redone (the config files were all incompatible), the documentation
> was inadequate, and there was no good amount of support on the net.

Of course the config files are incompatible - djbdns's file format is far
simpler.

The documentation is excellent - and simple, because the system is simple.

> Has djbdns improved since then?

I don't think djbdns has ever been at the level you suggest.

I strongly *strongly* suggest that anyone considering setting up DNS, be it
BIND or djbdns, check out Daniel Bernstein's site on the subject,
http://cr.yp.to/djbdns.html

> > Securing DNS:
> > http://www.psionic.com/papers/dns/
>
> 2.4.x kernels support the --bind option to mount which avoids the syslogd
> hackery described in this URL.  Also the authbind method supported by Debian
> is much more powerful and useful than using the chuid() functionality in
> bind.  Both these things aren't mentioned.
>
> > Cricket Liu's presentation on how to secure BIND:
> > http://www.acmebw.com/papers/securing.pdf
>
> I disagree with the supposed security benefits of disabling zone transfers,
> it's just security by obscurity.  Also when idiots read such advice and take
> it to heart it gets in the way when you have a genuine need for zone
> transfers.

What is wrong with security by obscurity?  It's an excellent strategy, albeit
not a complete one.

> --
> http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
> http://www.coker.com.au/projects.html Projects I am working on
> http://www.coker.com.au/~russell/     My home page

Yours,
-Tech
