Contributed by jose on from the never-fully-implemented-standards dept.
The first is to the SANS Reading Room on secure DNS. It has a decent set of links and a fair introduction to the subject. A really good set of documents is housed at the DNSSEC domain. Lastly, the DNSSEC project hosted by NLnet Labs has a good set of things to investigate as well.
I'm looking for documentation on implementing DNS security (in the DNSSec standards) for OpenBSD. If you have any, please share them. Note that BIND9, in ports, offers many of these standards partially implemented.
(Comments are closed)
By Boris () spam@localhost on --
http://cr.yp.to/djbdns/forgery.html
There are other "views" about DNSSec.
By kremlyn () on
Whoa. Problem solved.
Beer anyone?
//kremlyn
By Skinny Puppy () on http://www.shitbomb.com
But one thing that did come out of DNSSEC, that really has nothing to do with it (maybe it did, I never finished reading the RFCs), is the secure zone transfers. You can use this to verify that your slaves and master servers will only respond to and deal with each other for exchanging data and update notices. Basically no man-in-the-middle attacks between your servers. This is a nice feature but I still prefer the ssh method that DJB takes. It is simple and works and is easy as hell to debug (I hate hate hate hate named's logging messages: cryptic and a general pain in my ass)
Skinny "Not a DNS admin anymore thank god" Puppy
By Anonymous Coward () on
Comments
By Anonymous Coward () on
By Jakob () jakob@crt.se on mailto:jakob@crt.se
By niekze () on
By Roy Arends () roy@logmess.com on mailto:roy@logmess.com
DNSSEC does not protect you against implementation bugs. A secured DNS server does not protect you against a forged DNS message response.
By ArSa () newarsa@yahoo.com on mailto:newarsa@yahoo.com
I do understand that it might cost 300 for site verification, i just don't want to deal with another Verisign...
By Matt Ostiguy () on
By Jakob () jakob@openbsd.org on mailto:jakob@openbsd.org
By Anonymous Coward () on
By Anonymous Coward () on
By W () on
By Jakob () jakob@openbsd.org on mailto:jakob@openbsd.org
IXFR
Dynamic update
TSIG
DNSSEC
... the list goes on
By RSS () robin-deadly@socha.net on http://socha.net
And just so you don't get me wrong:
(root@hellfire):(~)# cat /etc/motd
OpenBSD 3.2-current (HELLFIRE) #2: Thu Dec 26 12:31:33 CET 2002
BIND is a rotten mess - and what were your arguments again?
By Roy Arends () roy@logmess.com on mailto:roy@logmess.com
3) res-disaster was not the reason DJB did not implement dynups. IMHO dynups are not required to have a fully operational authoritative DNS server.
4) In the eye of the beholder. If you have a dedicated DNS box, (i.e. no other services), I'm happy with TSIG or SIG(0), since its _so_ easy to setup.
5) Show me an implementation of DJB's top priority Nym-based security for his DJBDNS imps. Note that one of the design goals of DNS is to ease the requirement of remembering IP addresses.
"The disadvantage is that it requires long host names, too long to remember."
Think for yourself. Stop blindly quoting others (and at least READ and understand their quotes first), or you're just another quote-zombie.
Roy
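Skinny Puppy's point above about transfers that only your own master and slaves can take part in, and Roy's remark here that TSIG is easy to set up, describe the same mechanism: a shared-secret HMAC over each DNS message (TSIG, RFC 2845), which is what BIND9 uses to authenticate AXFR/IXFR, NOTIFY and dynamic updates between servers. The block below is an added example written for this page; it is not code from the thread, from BIND or from djbdns. It implements TSIG signing and verification from scratch over a constructed AXFR request and shows what a man-in-the-middle edit and a replayed message look like to the verifier. The key name `xfer-key.`, the secret, the fixed timestamp and the use of `hmac-sha256` (RFC 4635, which postdates this thread; the original algorithm was `hmac-md5`) are all assumptions made for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed values for this example. A real deployment generates the secret
# with tsig-keygen (or dnssec-keygen) and puts it in named.conf on both servers.
KEY_NAME = "xfer-key."          # hypothetical TSIG key name
ALGORITHM = "hmac-sha256."      # TSIG algorithm name (RFC 4635); the thread's era used hmac-md5
SECRET = b"constructed-shared-secret-not-for-real-use"
TSIG_TYPE, CLASS_ANY, QTYPE_AXFR = 250, 255, 252
BADSIG, BADKEY, BADTIME = 16, 17, 18     # TSIG error codes (RFC 2845)

def encode_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase labels, no compression."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(msg: bytes, off: int):
    """Read an uncompressed name (TSIG owner and algorithm names must not be compressed)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def skip_name(msg: bytes, off: int) -> int:
    """Skip a possibly compressed name in the ordinary question/RR sections."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def build_axfr_request(zone: str, msg_id: int) -> bytes:
    """A plain AXFR query: header with QDCOUNT=1, then one question (QTYPE 252, class IN)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)

def tsig_variables(time_signed, fudge, error=0, other=b"") -> bytes:
    """TSIG RR fields covered by the MAC (RFC 2845 3.4.2): name, class ANY, TTL 0, alg, time, fudge, error, other."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def compute_mac(secret, message, time_signed, fudge, error=0, other=b"", request_mac=b""):
    """HMAC over [length-prefixed request MAC] + unsigned message + TSIG variables."""
    data = b""
    if request_mac:                 # a signed response chains to the MAC of the request
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + tsig_variables(time_signed, fudge, error, other)
    return hmac.new(secret, data, hashlib.sha256).digest()

def sign(secret, message, time_signed=None, fudge=300, request_mac=b""):
    """Append a TSIG RR (last RR of the additional section) and bump ARCOUNT."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = compute_mac(secret, message, time_signed, fudge, request_mac=request_mac)
    orig_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", orig_id, 0, 0))
    rr = encode_name(KEY_NAME) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr

def verify(secret, signed, now, request_mac=b""):
    """Return (ok, tsig_error): locate the trailing TSIG RR, strip it, recompute and compare the MAC."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False, BADKEY        # unsigned message where a signature was required
    off = 12
    for _ in range(qd):
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    name, off = read_name(signed, off)
    rtype = struct.unpack("!HHIH", signed[off:off + 10])[0]; off += 10
    alg, off = read_name(signed, off)
    if rtype != TSIG_TYPE or name != KEY_NAME or alg != ALGORITHM:
        return False, BADKEY
    time_signed = int.from_bytes(signed[off:off + 6], "big"); off += 6
    fudge, mac_len = struct.unpack("!HH", signed[off:off + 4]); off += 4
    mac = signed[off:off + mac_len]; off += mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6]); off += 6
    other = signed[off:off + other_len]
    # Rebuild exactly what the signer hashed: original ID, ARCOUNT without the TSIG RR, no TSIG RR.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = compute_mac(secret, unsigned, time_signed, fudge, error, other, request_mac)
    if not hmac.compare_digest(mac, expected):
        return False, BADSIG
    if abs(now - time_signed) > fudge:
        return False, BADTIME       # outside the fudge window: replay or clock skew
    return True, 0

def demo():
    """Slave signs an AXFR request; master verifies it, a tampered copy, and a stale replay."""
    t = 1040000000                                   # fixed time-signed so the run is reproducible
    req = sign(SECRET, build_axfr_request("example.org.", 0x1234), time_signed=t)
    ok = verify(SECRET, req, now=t + 10)             # inside the fudge window: accepted
    tampered = req[:13] + b"f" + req[14:]            # MITM flips the first byte of the zone name
    bad = verify(SECRET, tampered, now=t + 10)       # MAC no longer matches: BADSIG
    stale = verify(SECRET, req, now=t + 3600)        # replayed an hour later: BADTIME
    return ok, bad, stale

if __name__ == "__main__":
    print(demo())
```

The 300-second fudge is BIND's default; it is what makes the replay case fail while tolerating modest clock skew between master and slave. In named.conf the same arrangement is a `key` statement on both servers, `allow-transfer { key xfer-key.; };` on the master instead of an IP-address ACL, and `server <master-ip> { keys { xfer-key.; }; };` on the slave so it signs its requests. Note that TSIG authenticates the peer and protects integrity only; it does not encrypt the transfer, which is one reason the rsync-over-ssh approach mentioned elsewhere in this thread also has its adherents.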
By Anonymous Coward () on
By Jakob () jakob@openbsd.org on mailto:jakob@openbsd.org
IXFR
Dynamic update
TSIG
DNSSEC
... the list goes on
By Anonymous Coward () on
By W () on
And by the way: MERRY CHRISTMAS!! :-)
By Skinny Puppy () on http://www.shitbomb.com
By Anonymous Coward () on
By Anonymous Coward () on
By Roy Arends () roy@logmess.com on mailto:roy@logmess.com
Does it use DNSJava? Or is it really built from scratch? Separate authoritative & recursive? Does the recursive side cache? DNSSEC? TSIG (TKEY)? Sec. Dyn. Update? [AI]XFR? Views?
This is really interesting. You might wanna talk to NLnetLabs/Ripe wrt their DISTEL project to test behaviour:
http://www.ripe.net/ripe/meetings/archive/ripe-42/presentations/ripe42-dns-distel/
DNSJava
http://www.xbill.org/dnsjava/
Regards,
Roy
By Anonymous Coward () on
As for DNSSEC, it doesn't support that at all yet. I don't think any clients are using that right now. Maybe I'll put that in later. XFER is not supported at all. I think zone transfers are a broken way to replicate a database. Views are not supported, but it would be easy to add them.
java.nio is way cool. I get all the safety of Java without losing the speed of C. Its performance is about equal to bind9. Java is definitely the way to go for network daemons that have to handle dangerous input from the net.
By Roy Arends () roy@logmess.com on mailto:roy@logmess.com
XFER is the way to replicate individual zones. rsync-ssh is a way to replicate a complete server, but not part of the protocol (no value judgement here on which to use).
Good luck ! keep me posted !
Roy
By Anonymous Coward () on
Let me ask: How can you stand him? I can't; I think he's an ass. (That's why I don't use his software. It might be a stupid reason, but that's why). It's the same reason why I loathe to use anything that's been touched by RMS.
Now, before someone gets smart and compares djb to Theo, let me point out that while they can both be grating, they have very different personalities. While Theo can be abusive, he is always, always direct, and if he is hostile I feel that it is for good reason. On the other hand, I do not think I have ever read any email or web page by djb that is not condescending or sarcastic. djb feels antisocial to me, as if he were hostile not just to certain people but to all of humanity. I can't stand him.
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
iirc it is done for speed, not for faking anything.
qmail uses cdb for ondisk databases.
Wonderful days to all of you!
By Anonymous Coward () on
But the licence... now there's something to not like.
By kremlyn () on
Firstly, don't compare TDR to DJB. Heck, while we're at it, let's compare George W Bush to the tooth fairy (although the jury is out on which would make a better world leader). Each is an individual, and has their own way of dealing with situations, circumstances and individuals. Appreciate it and move on.
In the Open Source world, code talks and bullshit walks. Here, obviously, DJB's code has spoken loud and clear. It's clean, logical, it works, it's secure.. heck, it's even easy to use. Put aside issues of personality - we're *all* on the same side here.
In the end, if we decide not to use certain software because we don't like the people who wrote it, we're cutting off our own noses to spite our faces.
Sure, attack the license; personally, I don't agree with it a whole lot. But think of it this way: the code is good, the code is free, and the code is clean enough that an install from source will work well anywhere. Hence, no need for a port/package. Also, consider that DJB is his own task master; *he* strives for the same security goals as OpenBSD, but, for whatever reason, he wants to remain authoritative as to what goes into the code and what goes out, the same way Theo remains so for OpenBSD. I assure you, having DJB make the final call is *not* a bad thing. Let Theo do his work (brilliantly) and DJB continue to do his work (brilliantly).
:wq!
By Anonymous Coward () on
Yes, we are. At least, I'd hope so.
You see, I really get the feeling that djb does a lot of things just to inflate his ego. And that really bothers me. When I run someone's software, I feel like I'm approving of that person's job. I don't want to approve of arrogance. Maybe that's a distant reason to some of you, but it feels very important and very nearby to me. As I said before, it's the same reasoning that makes me avoid anything done by RMS (though it's his political philosophy that disturbs me so much).
I'll readily admit that I'm not maintaining a hundred machines; I'm just a hobbyist with a home network, and that gives me the flexibility to accept some of the grief that may come with a low-quality tool. So maybe I am hurting myself here; I don't actually know, because I refuse to try djb's tools. Nevertheless, this is a compelling reason to me, and maybe I'm just close-minded, but I don't see why more people object to him on those grounds. A lot of people object to his license; to me his license is just a demonstration of what I don't like about him.
By W () on
By Anonymous Coward () on
Perhaps you don't understand his dry humor.
By Lars Hansson () lars@unet.net.ph on mailto:lars@unet.net.ph
I don't care if they like each other. I don't care if they get off on humping garden gnomes. It's completely goddamn irrelevant to the quality of their work.
And why is it that as soon as someone mentions DJB, people have to complain over and over about how he's an ass, how much his license sucks, how X is better than his software etc. etc. ad infinitum.
It's almost as old and dreadfully boring as "my dad is stronger than your dad".
By Anonymous Coward () on
Ah. Well, you answered my question. I do. Obviously you don't.
By Anonymous Coward () on
:-D