
Re: Securing bind..



thus spoke P Prince <princep@charter.net> [2001.12.30.2314 +0100]:
> I strongly *strongly* suggest that anyone considering setting up DNS, be it
> BIND or djbdns, check out Daniel Bernstein's site on the subject,
> http://cr.yp.to/djbdns.html

or just subscribe to bind-users or bind9-users, where bernstein will sit
and reply to every problem someone asks about with: "this would not be
the case with djbdns", or "see how easy this is with djbdns..."

sorry, but that form of behaviour, IMHO, belongs in kindergarten.
look at his site, at how he compares why djbdns is better than BIND, and
then compare how he and wietse venema go about their functionally
equivalent and absolutely competitive products qmail and postfix. djb has
more than simple problems with his ego...

> > 2.4.x kernels support the --bind option to mount which avoids the syslogd
> > hackery described in this URL.  Also the authbind method supported by Debian
> > is much more powerful and useful than using the chuid() functionality in
> > bind.  Both these things aren't mentioned.

because 2.4.x kernels are far from stable, no real sysadmin would use
them on a production nameserver, and because the paper isn't about
debian. but do tell about authbind. where do i get info?

> > I disagree with the supposed security benefits of disabling zone transfers,
> > it's just security by obscurity.  Also when idiots read such advice and take
> > it to heart it gets in the way when you have a genuine need for zone
> > transfers.
> 
> What is wrong with security by obscurity?  It's an excellent strategy, albeit
> not a complete one.

yes, precisely. it's not a universal security method, but it's also
wrong to believe what the rest of the world seems to believe: that
security through obscurity is bad because it is unsafe. bollocks. you
must never rely on it, but it's always a nice addition. or else,
seriously, we'll have to make do without one-time passwords... now
*that* would suck.

zone transfers are not that big a deal, i find, unless of course you
have a huge zone and want to minimize volume. i stand behind the opinion
that you should be able to post a complete topology of your company
network, along with all DMZs, server configurations, firewall rules, and
other information on the net. that's zero security by obscurity then,
but your network must still be able to withstand all attacks. once you
have reached that status, it doesn't hurt to hide information from
others.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
"you grabbed my hand and we fell into it,
like a daydream - or a fever."
                                         -- godspeed you black emperor
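
Editor's added example (not part of this message, the quoted replies, or the paper under discussion): the zone-transfer setting the thread argues about, written as a BIND 9 named.conf fragment. It shows the permissive setting next to the restricted one: transfers are denied globally and then allowed per zone only to the secondaries, and only when the request carries a valid TSIG signature, so hiding the zone from strangers does not break the genuine need for transfers that the earlier poster raised. The zone name, addresses (RFC 5737/3849 documentation ranges), key name and key material are placeholders; generate a real secret with tsig-keygen and install the same key stanza on the secondary.

```conf
// Constructed example for BIND 9; every name, address and key below is a placeholder.

// Weak setting (historical BIND default): any host may AXFR every zone.
//   options { allow-transfer { any; }; };

// Hosts that legitimately need AXFR/IXFR: the secondaries. Assumed addresses.
acl "secondaries" {
    192.0.2.53;
    2001:db8::53;
};

// TSIG key shared with the secondaries. The secret here is a placeholder;
// create one with:  tsig-keygen -a hmac-sha256 xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "UExBQ0VIT0xERVItcmVwbGFjZS1tZS1iZWZvcmUtdXNl";
};

options {
    directory "/var/cache/bind";
    recursion no;                  // authoritative-only server
    allow-query    { any; };       // answers stay public, as they must
    allow-transfer { none; };      // global default: nobody gets the whole zone
};

// The zone itself: transfers only to the secondaries, and only when signed.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { key "xfer-key"; };   // address lists can be spoofed; keys cannot
    also-notify    { 192.0.2.53; 2001:db8::53; };
    notify yes;
};

// On each secondary, the matching side (same key stanza plus):
//   server 192.0.2.1 { keys { "xfer-key"; }; };   // 192.0.2.1 = assumed master address
//   zone "example.com" { type slave; masters { 192.0.2.1; }; file "db.example.com"; };
```

After reloading, `dig @192.0.2.1 example.com axfr` from an unlisted host should return "Transfer failed", while `dig -k xfer-key.key @192.0.2.1 example.com axfr` from a secondary succeeds; note that the zone remains fully readable record by record with ordinary queries, which is exactly the author's point that this hides volume rather than securing anything.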


