Mailinglist Archive: opensuse-security (757 mails)

RE: [suse-security] Is bind 9.1.0 secure?
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Mon, 21 Jan 2002 10:04:20 +0100
  • Message-id: <96C102324EF9D411A49500306E06C8D1A56CD4@xxxxxxxxxxxxxxxxx>
> We had a discussion about djbdns on a local mailing list in
> Berlin. It's not offering all features that bind offers.

While this may well be true, many people probably don't need certain
features at all. And there are workarounds or patches for quite a few of the
'problems' that a certain number of people have with the pure djbdns.
Perhaps you could point out which specific features you miss?

> I don't
> know if zone transfers are supported currently, some time ago you
> had to fiddle around with rsync or such things.

Zone transfers are supported in the current version (djbdns 1.05), but you
need the separate ucspi-tcp package to provide TCP client and server. DJB
argues against zone transfers and urges people to use rsync (preferably
over SSH) instead, for several reasons outlined on his web page. However,
tinydns (the DNS server) in combination with axfrdns (the TCP request and
AXFR responder) serves zone transfers just fine. tinydns does not pull
zones per zone transfer automatically, so you need to use cron jobs to pull
from the clients on a regular basis to emulate AXFR behaviour. DJB favours a
push approach (which BIND8, I believe, has introduced with NOTIFY as well)
via rsync/ssh. You could also use SSH with automatic command execution
(command='cd /etc/tinydns/root && tcpclient 1.2.3.4 53 axfr-get zone data
data.tmp && make') to achieve the same effect.

> For non-trivial
> setups (i.e. some hundreds of zones and a handful of secondaries) I
> would not recommend such an approach but use bind8 instead.

IMHO, that depends on what you favour: a relatively bloated piece of
software with a pretty poor security track record that most organisations and
documents expect, which therefore means that you'll find HowTos, etc. geared
towards it, or a couple of small, highly secure tools that work differently
than the former and may require some scripting around them to achieve the
same features, however usually implemented with higher quality.

> If you
> need cryptography, I think there is no way around bind9
> currently. For a small private caching only server djbdns may be
> a nice solution.

Hmm, what do you mean by 'cryptography'? You may be right, if you mean
that djbdns doesn't support 'SecDNS', which DJB doesn't believe in, BTW
(this is meant merely as an explanation, my opinion doesn't necessarily
converge with DJB here or elsewhere). It can be configured to support
FreeS/WAN's opportunistic encryption by handing out KEY records, and the
FreeS/WAN docs speak of SecDNS... so maybe djbdns does actually support
'cryptography'. I don't know enough about the so-called Secure DNS to be
able to say.

Cheers
Tobias
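
The cron-driven pull that the reply above sketches, written out as an added example; this is not code from the post or from the djbdns distribution. It assumes djbdns (axfr-get, tinydns-data and its stock Makefile) and ucspi-tcp (tcpclient) are installed on the secondary, that zones are kept one file each under /etc/tinydns/root/zones, and it uses the post's placeholder master address 1.2.3.4 and made-up zone names; the zone files in the comments are constructed tinydns-data lines, not real data.

```shell
#!/bin/sh
# Added example (not from the original post): emulate secondary behaviour for
# tinydns by pulling zones over AXFR from a cron job. Needs djbdns (axfr-get,
# tinydns-data) and ucspi-tcp (tcpclient). Paths, the master address and the
# zone names are assumptions for illustration.
#
# Assumed layout: $ROOT/zones/<zone> holds each zone as written by axfr-get,
# $ROOT/data is the concatenation that the stock djbdns Makefile feeds to
# tinydns-data, which replaces data.cdb atomically.
#
# Suggested crontab entry on the secondary (assumed script path):
#   */15 * * * *  /etc/tinydns/pull-zones.sh --run
set -eu

ROOT="${ROOT:-/etc/tinydns/root}"          # tinydns-data working directory (assumed)
MASTER="${MASTER:-1.2.3.4}"                # AXFR master, same placeholder as the post
ZONES="${ZONES:-example.com example.net}"  # zones to pull (assumed names)

# Pull one zone. tcpclient opens the TCP connection; axfr-get asks for the
# zone, writes fn.tmp and renames it to fn. axfr-get skips the rewrite when
# the master's SOA serial matches the one already recorded in fn, so running
# this every few minutes is cheap.
pull_zone() {
    zone=$1
    fn="$ROOT/zones/$zone"
    tcpclient "$MASTER" 53 axfr-get "$zone" "$fn" "$fn.tmp"
}

# Concatenate all zone files into $ROOT/data.
# Returns 0 if data changed (caller should rebuild data.cdb),
# 1 if it is byte-identical to the current file (nothing to do).
assemble_data() {
    new="$ROOT/data.new"
    cat "$ROOT"/zones/* > "$new"
    if [ -f "$ROOT/data" ] && cmp -s "$ROOT/data" "$new"; then
        rm -f "$new"
        return 1
    fi
    mv "$new" "$ROOT/data"
    return 0
}

# Pull every zone, then rebuild data.cdb with the djbdns Makefile only when
# the assembled data actually changed. A failed transfer of one zone keeps
# the previously fetched copy of that zone in place.
main() {
    mkdir -p "$ROOT/zones"
    for z in $ZONES; do
        pull_zone "$z" || echo "warning: AXFR of $z from $MASTER failed" >&2
    done
    if assemble_data; then
        (cd "$ROOT" && make)
    fi
}

# Only act when invoked as "pull-zones.sh --run"; sourcing the file just
# defines the functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Constructed zone files in tinydns-data format (e.g. `.example.com:1.2.3.4:a` followed by `=www.example.com:1.2.3.10`) are enough to exercise `assemble_data` without a master: the first call creates `data` and returns 0, a second call with unchanged zone files returns 1 and leaves no `data.new` behind, and editing one zone file makes the next call return 0 again with the new record in `data`.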
