Don't provide promiscuous proxy DNS service

Roy Arends Roy.Arends at nominum.com
Thu Sep 6 09:56:30 UTC 2001


On 6 Sep 2001, D. J. Bernstein wrote:

> Kevin Darcy writes:
>
> > it appears that you're trying to use this terminology shift to prove
> > that djbdns's structure (in which the so-called "proxy server"
> > component is separated from the so-called "content server" component)
> > is superior to BIND's.
>
> As for terminology: The djbdns documentation uses ``DNS client'' and
> ``DNS cache'' and ``DNS server.'' RFC 1035, one of the DNS standards,
> has a clear picture of these three different pieces on page 6.

Yes, and in the standards, the 3 different pieces are stub resolver,
recursive and authoritative nameserver, which is something different than
content and proxy server.

> As for superiority: The DNS-and-BIND book, in the ``Securing Your Name
> Server'' section, specifically recommends keeping caches separate from
> servers, for the same reasons that they're separate in djbdns.

Yes. It is a good idea (security-wise) to separate a recursive and
authoritative nameserver. djbdns uses a different server for each, and
bind can be configured to play the two different roles.

Regards,

Roy Arends,
Nominum
-------------
0-14-023750-X dcrpt ths 43.0D.01 01.05.0C 84.18.03 8A.13.04 2D.0B.0A



