[CentOS] DNS wizard
Les Mikesell
lesmikesell at gmail.com
Mon Jan 2 20:35:21 UTC 2006
On Mon, 2006-01-02 at 12:04, Maciej Żenczykowski wrote:
> >> we could decide that bind is screwed anyway and DNS servers and caches
> >> are two fundamentally different animals and shouldn't be mixed anyway (ie.
> >> no DNS server should ever be a cache and vice versa)
> >
> > Except that decision doesn't make a lot of sense.
>
> It does from a security standpoint - take a look at how many bugs there
> are/were in BIND - how many breakins have happened through BIND. And
> consider that having server and cache running as the same servers makes it
> a good deal harder to implement both correctly and to prevent
> cross-poisoning and other attacks - it's a matter of simplicity giving
> bug-freeness and security.
>
> >> The reason why CNAMEs are used for reverse delegation is because
> >> administrators are lazy and BIND makes the proper non-CNAME using solution
> >> tiresome to implement. It's a breeze with tinydns/djbdns (once you get to
> >> know the program, but that's normal).
> >
> > If there is some advantage to delegating NS's for individual
> > addresses instead of using CNAME's I think you forgot to
> > mention it. CNAME's inherit the robustness of the referenced
> > domain. If you do it by delegation, you'll have to provide
> > multiple NS records for every address, and the admin of the
> > delegating zone must track any changes. The point of using
> > CNAMEs is for the delegating zone to not need to track anything
> > about the real names - if they did they could just supply the
> > correct PTR address in the first place.
>
> I don't see where your argument lies. Using CNAMEs requires specifying
> NS'es for the domain you CNAME to - using NS'es requires exactly the same
> amount of entries at the delegating server - indeed using CNAMEs requires
> more entries at the delegating server (1 line per NS for CNAME domain +
> 1 line for generating the CNAMEs, versus, 1 line per NS for
> generating NS'es). As for what happens at the client domain nameserver
> (the one being delegated to) - this is indeed where CNAMEs are easier -
> but that's due to BIND and not integral to the DNS protocol at all (in
> tinydns it's far easier to set up zones, etc. and indeed CNAMEs cause all
> sorts of extra headaches since automatic reverse-IP delegation doesn't
> (and can't) work for them...).
>
> As for robustness - I see no difference either way - in both cases there's
> exactly one NS referring line per nameserver.
>
> And the second half of your paragraph (about tracking changes) makes no
> sense whatsoever - are you sure you've understood what I've written?
> There's no need to track any changes once it's set up -- all changes are
> made by wherever the stuff has been delegated to (unless you want to
> change the nameservers but that's EXACTLY the same with CNAMEs).
>
> Cheers,
> MaZe.
>
> PS. I won't be replying on-list to this thread anymore - it's not
> CentOS'ish enough.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
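The two sub-/24 reverse delegation layouts argued about in the quoted message, spelled out as an added example (this is not code from either poster, nor from BIND or tinydns). The CNAME layout is the one RFC 2317 describes: the /24 owner publishes one NS set for a sub-zone named after the range and one CNAME per address into it. The NS layout delegates every address as a zone of its own. The network, nameserver names and PTR targets are made-up sample input; the generator builds the records each side has to serve, and a tiny resolver walk shows that both layouts resolve to the same PTR.

```python
"""Compare CNAME-style (RFC 2317) and per-address NS reverse delegation.

Added example; zone names, addresses and hostnames below are constructed
for illustration and belong to no real network.
"""
import ipaddress

# Constructed sample input: the customer holds 192.0.2.0/26 and runs two
# nameservers; it wants to publish PTRs for two of its addresses.
NETWORK = "192.0.2.0/26"
CUSTOMER_NS = ["ns1.customer.example.", "ns2.customer.example."]
PTRS = {"192.0.2.5": "www.customer.example.",
        "192.0.2.6": "mail.customer.example."}


def zone_names(network):
    """Return (host octets, parent zone, range sub-zone) for a sub-/24 block.

    parent zone : the /24's in-addr.arpa zone, held by the delegating party
    range zone  : the RFC 2317 style name, e.g. '0-63.2.0.192.in-addr.arpa.'
    """
    net = ipaddress.ip_network(network)
    if net.prefixlen <= 24:
        raise ValueError("a /24 or larger is delegated with a plain NS set")
    o = str(net.network_address).split(".")
    parent = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."
    first = int(o[3])
    last = first + net.num_addresses - 1
    hosts = [str(a).split(".")[3] for a in net]   # every address in the block
    return hosts, parent, f"{first}-{last}.{parent}"


def parent_cname_scheme(network, nameservers):
    """Delegating side, CNAME layout: one NS set for the range sub-zone,
    then one CNAME per address pointing into that sub-zone."""
    hosts, parent, rng = zone_names(network)
    recs = [(rng, "NS", ns) for ns in nameservers]
    recs += [(f"{h}.{parent}", "CNAME", f"{h}.{rng}") for h in hosts]
    return recs


def parent_ns_scheme(network, nameservers):
    """Delegating side, NS layout: each address is its own delegated zone,
    so the whole NS set is repeated once per address."""
    hosts, parent, _ = zone_names(network)
    return [(f"{h}.{parent}", "NS", ns) for h in hosts for ns in nameservers]


def child_zones(scheme, network, nameservers, ptrs):
    """Delegated-to side: the zones the customer's server must answer for,
    as {zone apex: [records]} so the number of zones is visible.  Each zone
    carries its apex NS set plus whatever PTRs the customer publishes."""
    hosts, parent, rng = zone_names(network)
    net = ipaddress.ip_network(network)
    for ip in ptrs:
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is outside {network}")
    zones = {}
    if scheme == "cname":
        zones[rng] = [(rng, "NS", ns) for ns in nameservers]
        for ip, name in ptrs.items():
            zones[rng].append((f"{ip.split('.')[3]}.{rng}", "PTR", name))
    elif scheme == "ns":
        for h in hosts:
            apex = f"{h}.{parent}"
            zones[apex] = [(apex, "NS", ns) for ns in nameservers]
        for ip, name in ptrs.items():
            apex = f"{ip.split('.')[3]}.{parent}"
            zones[apex].append((apex, "PTR", name))   # PTR sits at the apex
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return zones


def lookup_ptr(ip, parent_records, zones):
    """Minimal resolver walk: follow at most one CNAME found in the parent
    zone, then look for the PTR in whichever child zone owns the name."""
    name = ipaddress.ip_address(ip).reverse_pointer + "."
    for owner, rtype, target in parent_records:
        if owner == name and rtype == "CNAME":
            name = target
            break
    for recs in zones.values():
        for owner, rtype, target in recs:
            if owner == name and rtype == "PTR":
                return target
    return None


if __name__ == "__main__":
    for scheme, gen in (("cname", parent_cname_scheme), ("ns", parent_ns_scheme)):
        parent = gen(NETWORK, CUSTOMER_NS)
        child = child_zones(scheme, NETWORK, CUSTOMER_NS, PTRS)
        print(f"{scheme}: {len(parent)} parent records, {len(child)} child zones,"
              f" 192.0.2.5 -> {lookup_ptr('192.0.2.5', parent, child)}")
```

For the /26 above the CNAME layout needs 66 parent records (2 NS + 64 CNAME) and a single child zone, while the NS layout needs 128 parent records and 64 child zones, each with its own apex NS set (and, on a real server, its own SOA). That per-address zone count is the administrative cost the two posters are weighing against the extra CNAME hop.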