
Re: Securing bind..




Hi Martin,

On Thu, 3 Jan 2002, martin f krafft wrote:

<snip djbdns data example>

> i find this horrible. BIND zonefiles at least allow for usage of tabs to
> organize your zone into tabular data.

Everyone has their favourite working techniques.  You like your tabular
BIND zone files.  I like my line-based djbdns data files.  Fine.

> > I know there are management tools that automate synchronisation of
> > forward and reverse mappings in BIND zone files, but why should the
> > reverse-mapping information be in a file separate from the forward
> > information?
>
> why does the DNS protocol even allow this? keeping them in sync is
> really what you should do, but there are cases, where they may need to
> be out of sync. for instance, domain.com and mail.domain.com for small
> domains usually get the same A record on my servers, if what i
> delegate to mydomain.com is a single IP address. that's not a CNAME,
> that's an A record. but what does the IP map to? *not* mail.domain.com.
> i find it very handy to have explicit control over the mappings.

As I've written to Craig, you can do all this with djbdns.  But where you
can keep the forward and reverse data on the same server, djbdns allows you
to make a single entry that takes care of both the A and PTR record.  I
like the convenience of that, and the reduction of the potential for
mistakes.

> priorities or preferences. i find BIND does its job. it might not be
> optimal, but it's free, and it works.

No arguments there.  BIND is free.  BIND works.  But I suggested that with
djbdns, you get the security by default that you have to configure into
BIND, and that for a setup as needed by the original poster, djbdns could
be easier to administer.


> djbdns might even be better,
> smaller, faster, more secure. but my nameservers are not going to be
> running a piece of software because of either of two reasons: (a) the
> author is braindead in many aspects; and (b) it's non-free.

I use djbdns.  It works.  I can administer it.  I didn't need to read a
HOWTO about how to run it securely.  It's packaged in Debian, and the
above benefits are available to Debian users.  Issues to do with its
license and the brain-deadedness or otherwise of its author are off-topic
so I agree with you; this discussion is best continued elsewhere.

> we'd like to package it, not require the end-user to download the
> -source package, which includes voodoo magic to compile djbdns without
> the user ever knowing what gcc is. the problem is that this is an
> awful job for the maintainer, and that it requires some -dev libraries
> on the target system, as well as the entire gcc family, which might not
> be needed otherwise...

This too finds me in perfect agreement.  I would love it if djb would GPL
his software.

> let's take this discussion somewhere else.

As stated above, agreed.

Best regards,

|      George Karaolides       8, Costakis Pantelides St.,         |
|      tel:   +357 99 68 08 86                  Strovolos,         |
|      email: george@karaolides.com       Nicosia CY 2057,         |
|      web:   www.karaolides.com      Republic  of Cyprus          |
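An added illustration of the point argued above (not code from the thread or from djbdns): a tinydns-data "=" line yields both an A and a PTR record, while "+" and "^" give one or the other, which is how the "same address, different reverse" case is expressed. The minimal parser, the sample data and the mismatch check are my own assumptions, covering only that subset of the format.

```python
import ipaddress

def reverse_name(ip: str) -> str:
    """in-addr.arpa owner name for an IPv4 address, e.g. 53.2.0.192.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer

def parse_tinydns(data: str):
    """Expand a subset of tinydns-data lines to (owner, type, value) tuples.
    '=' -> A plus PTR, '+' -> A only, '^' -> PTR only; '#' lines are skipped.
    Trailing fields (ttl, timestamp, location) are ignored in this toy parser."""
    records = []
    for raw in data.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, fields = line[0], line[1:].split(":")
        if kind == "=":
            fqdn, ip = fields[0], fields[1]
            records.append((fqdn, "A", ip))
            records.append((reverse_name(ip), "PTR", fqdn))
        elif kind == "+":
            records.append((fields[0], "A", fields[1]))
        elif kind == "^":
            records.append((fields[0], "PTR", fields[1]))
        else:
            raise ValueError(f"unsupported line type {kind!r}: {raw}")
    return records

def forward_reverse_mismatches(records):
    """A records whose address has no PTR, or a PTR naming a different host.
    Entries written with '=' can never appear here; '+' entries can."""
    ptr = {owner: target for owner, rtype, target in records if rtype == "PTR"}
    return sorted(
        (fqdn, ip, ptr.get(reverse_name(ip)))
        for fqdn, rtype, ip in records
        if rtype == "A" and ptr.get(reverse_name(ip)) != fqdn
    )

# Constructed sample (assumed names/addresses): one combined entry, then the
# "domain and mail host share an IP, only the domain owns the PTR" layout.
SAMPLE = """\
=ns1.example.com:192.0.2.53
=example.com:192.0.2.10
+mail.example.com:192.0.2.10
"""

if __name__ == "__main__":
    recs = parse_tinydns(SAMPLE)
    for rec in recs:
        print(rec)
    print(forward_reverse_mismatches(recs))
```

The mismatch list shows exactly the deliberate exceptions to the forward/reverse pairing, so a review of it is the kind of check that keeping both mappings in one file makes easy.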



