
Re: Securing bind..



On Sun, Dec 30, 2001 at 08:34:32PM -0600, Michael D. Schleif wrote:
> Craig Sanders wrote:
> > On Sun, Dec 30, 2001 at 07:31:30PM -0600, Michael D. Schleif wrote:
> > > ``By combining all these tools, you can finally approach the
> > > functionality of a trivial rsync script. Wow.''
> > >
> > > Enough said . . .
> > 
> > by throwing away all your existing zonefiles, DNS configuration, DNS
> > tools and a bunch of features which djbdns doesn't support, you get to
> > use rsync to transfer zonefiles around.
> 
> And, perhaps, your point?

that throwing away all your existing configurations and starting from
scratch just to get a trivial feature (which can easily be had with a
shell script wrapper around named-xfer) is NOT a good idea.

there are two major problems with all of bernstein's software.  the
first is that it requires you to throw away your existing
configuration...no big deal for a caching only name-server or if you
only have one or two domains to serve.  a severe pain in the arse if you
have hundreds or thousands of domains.

the second is that it is incredibly inflexible - you can only use it in
the particular way that bernstein wants you to use it...and if you
actually need to use it some other way then you are, according to djb,
an idiot because he is never wrong.


bind is far from perfect.  but it's a lot better than all of the
alternatives.  if something actually better (as opposed to just loud &
grandiose claims of being better) came along, i'd switch to it in an
instant.

> Broken as many of them are, they still work quite well with djbdns,
> thank you.  

named.conf doesn't work with djbdns - a minor problem.

more importantly, bind style zonefiles don't work with djbdns - the
idiot invented his own stupid format for zone files.  if djbdns had been
"backwards-compatible" with bind zonefiles then it might have had some
vague chance of replacing bind.


> > an additional part of the price you pay is djb's moronic non-free
> > software license
> 
> Really?
> 
> 	<http://cr.yp.to/distributors.html>

yes, really.  non-free.

if you don't understand WHY it's non-free then read the DFSG again.


> > and his rabid
> > reinvent-the-wheel-as-a-square-because-it-wasn't-invented-here
> > attitude.
> 
> As you know, the software does *not* espouse his nor anybody else's
> views.  So what?

unfortunately, bernstein's software is severely limited by his views.

he's a fairly good programmer....but a lousy systems administrator, with
no concept of how real world sysadmins use tools or how they automate
them.


> If conformance to standards is interesting to you, then check this
> out. 

djbdns does not conform to standards.  he proudly ignored any aspects of
the standards that were inconvenient to him.

> > bind can do rsync zone transfers merely by writing a wrapper script for
> > named-xfer. i've done it.  it works.
> 
> That, too, is my point -- glad you found it . . .

so your point is that it's better to throw away years of configuration
work so you can use djbdns than it is to write a simple wrapper script.

right.  good thinking.


craig

-- 
craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
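Added example, not code from this thread, from BIND or from djbdns: one way to do the "rsync zone transfer" the message talks about. Instead of wrapping named-xfer on the slave, this pushes from the master: it reads the SOA serial out of the BIND zonefile, compares it with the last pushed serial using RFC 1982 serial arithmetic (the same wraparound rule named applies), refuses to ship a zone that named-checkzone rejects, and only then rsyncs the file over ssh and reloads it. The zone directory layout, the slave hostname, the state directory and the use of BIND 9's named-checkzone and rndc are all assumptions for the sake of the example, not facts from the page; the sample zonefile is constructed.

```shell
#!/bin/sh
# Added example, not from the thread, BIND or djbdns: distribute BIND
# zonefiles with rsync instead of AXFR, pushing only when the SOA serial
# has advanced.  Assumed (not from the page): zones live in $ZONEDIR on
# both master and slave, file name == zone name, the slave is reachable
# over ssh, and BIND 9 tools (named-checkzone, rndc) are installed.
set -u

ZONEDIR=${ZONEDIR:-/etc/bind/zones}        # assumed layout
SLAVE=${SLAVE:-ns2.example.net}            # assumed slave host
STATEDIR=${STATEDIR:-/var/lib/zonepush}    # assumed: last pushed serials

# soa_serial FILE: print the SOA serial of a BIND zonefile.
# Comments are stripped, parentheses split into their own tokens, and the
# file joined onto one line, so the multi-line SOA form is handled exactly
# like the single-line form.
soa_serial() {
    sed -e 's/;.*//' -e 's/(/ ( /g' -e 's/)/ ) /g' "$1" | tr '\n' ' ' |
    awk '{
        for (i = 1; i <= NF; i++)
            if (toupper($i) == "SOA") {
                j = i + 3                  # skip MNAME and RNAME
                if ($j == "(") j++         # opening paren of multi-line SOA
                print $j
                exit
            }
    }'
}

# serial_newer NEW OLD: succeed if NEW is later than OLD under RFC 1982
# serial-number arithmetic (32-bit wraparound).  d == 0 means unchanged,
# d >= 2^31 means OLD is actually the later one.
serial_newer() {
    d=$(( ($1 - $2) & 4294967295 ))
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# push_zone ZONE: validate the zonefile, then rsync it to the slave and
# reload it there, but only when the serial has moved since the last push.
push_zone() {
    zone=$1
    file=$ZONEDIR/$zone
    state=$STATEDIR/$zone.serial
    new=$(soa_serial "$file")
    [ -n "$new" ] || { echo "$zone: no SOA serial found" >&2; return 1; }

    # Never ship a zone that named itself would reject (BIND 9 tool, assumed).
    named-checkzone -q "$zone" "$file" ||
        { echo "$zone: named-checkzone failed" >&2; return 1; }

    if [ -f "$state" ] && ! serial_newer "$new" "$(cat "$state")"; then
        return 0                           # nothing new to push
    fi

    # rsync over ssh keeps the transfer authenticated and encrypted.  In a
    # hardened setup the key used here is pinned in the slave's
    # authorized_keys to a command that permits only these two operations.
    rsync -a -e ssh "$file" "$SLAVE:$ZONEDIR/" &&
    ssh "$SLAVE" rndc reload "$zone" &&
    { mkdir -p "$STATEDIR" && echo "$new" >"$state"; }
}

# sample_zonefile PATH: write a constructed example zone (not real data).
sample_zonefile() {
    cat >"$1" <<'EOF'
$TTL 86400
@   IN  SOA ns1.example.net. hostmaster.example.net. (
            2001123001  ; serial (constructed)
            3600        ; refresh
            900         ; retry
            604800      ; expire
            86400 )     ; minimum
    IN  NS  ns1.example.net.
    IN  NS  ns2.example.net.
ns1 IN  A   192.0.2.1
ns2 IN  A   192.0.2.2
EOF
}

# Stand-alone demo on the constructed zonefile (no rsync/ssh involved);
# any other arguments are treated as zone names to push.
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_zonefile "$tmp"
    echo "serial: $(soa_serial "$tmp")"
    rm -f "$tmp"
elif [ $# -gt 0 ]; then
    for z; do push_zone "$z"; done
fi
```

Run it as `sh zonepush.sh --demo` to see the serial extraction on the constructed zone, or `sh zonepush.sh example.net` (with the assumed layout in place) to push one zone. The serial check matters more than it looks: rsync on its own will happily overwrite a slave's newer file with an older one, which AXFR would never do.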
