Master to Slave Schedule to Avoid Poison Propagation

Brad Knowles brad at stop.mail-abuse.org
Fri Aug 12 19:26:55 UTC 2005


At 6:29 AM -0700 2005-08-12, Danimal wrote:

>  So for example if the master somehow became compromised we could remove
>  it from the network before it infected the DNS records of the slave.
>
>  So two questions:
>
>  1) Is this a common goal?

	I've never heard it before, no.

>  2) What setup would achieve this goal?

	Hmm.  Well, I guess you could turn off NOTIFY, and you could set 
the refresh period to be very long.  However, if the compromise were 
to happen right before a refresh, you could still have both servers 
compromised very quickly.

	Better might be to have all of the servers run as primaries, and 
handle the zone transfer via rsync or some other out-of-band 
mechanism.  That would give you a chance to check the data before 
copying it to the so-called secondaries.  But that's assuming that 
you can actually detect a compromise before the data is copied.


	Of course, if you completely separate your authoritative servers 
from the caching/recursive servers, then the authoritative servers 
can't be polluted or poisoned, and the only thing you'd have to worry 
about there is people breaking into the machines and manually 
modifying your zone data.

	The caching/recursive servers might be able to be 
polluted/poisoned, but so long as they are caching-only and running 
modern code (like BIND-9.3.1 or another recent version of BIND-9), 
that should pose a lesser risk to your clients.

>  If a setup like this is advisable it would seem there are two options:
>  multiples masters or master/slave with delayed zone transfers.  I have
>  some ideas about what might work but I won't confuse this topic by
>  interjecting incorrect information.

	I think you're going to have a tough time managing to do this.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
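An added example (not part of the post, and not BIND's own tooling) of the out-of-band distribution Brad suggests above: the master only stages the zone, every server loads it as a primary, and the file is copied with rsync only after it passes named-checkzone, an RFC 1982 serial comparison against the last published copy, and a crude "how much changed" threshold that a wholesale rewrite by an intruder would trip. The hostnames, directories, the threshold and the shape of the checks are assumptions.

```shell
#!/bin/sh
# Added example: out-of-band zone publisher. Hypothetical paths/hosts.
# Nothing pulls from the master on a schedule (no NOTIFY, no AXFR); a
# change only reaches the other servers when this script runs and the
# staged file passes every check below.

set -u

STAGE_DIR=/var/named/stage            # where an edited zone lands first
PUBLISHED_DIR=/var/named/published    # last copy that passed the checks
SECONDARIES="ns2.example.net ns3.example.net"   # hypothetical hosts
MAX_CHANGED_LINES=20                  # more than this needs a human

# Print the SOA serial of a zone file. Comments and the optional
# parentheses of a multi-line SOA are stripped, so the serial is simply
# the third token after "SOA" (MNAME, RNAME, SERIAL).
zone_serial() {
    sed -e 's/;.*//' -e 's/[()]/ /g' "$1" | tr -s ' \t\n' '\n' |
        awk 'NF == 0 { next }
             !found && $1 == "SOA" { found = 1; n = 0; next }
             found { n++; if (n == 3) { print; exit } }'
}

# RFC 1982 serial arithmetic: NEW advances OLD when the 32-bit
# difference is non-zero and below 2^31 (so wrap-around still counts).
serial_advances() {
    old=$1 new=$2
    d=$(( (new - old) & 4294967295 ))
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# One record per line, comments, blank lines and whitespace noise removed.
normalise_zone() {
    sed -e 's/;.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' "$1" | grep -v '^$' || true
}

# Count lines present in only one of the two zone files. A routine edit
# changes a handful (one of them the serial); a master that has been made
# to rewrite every A record changes far more.
zone_changed_lines() {
    old_n=$(mktemp) new_n=$(mktemp)
    normalise_zone "$1" > "$old_n"
    normalise_zone "$2" > "$new_n"
    # grep -vxFf: whole-line fixed-string match, keep lines NOT in the other file
    added=$(grep -vxFf "$old_n" "$new_n" | wc -l | tr -d ' ')
    removed=$(grep -vxFf "$new_n" "$old_n" | wc -l | tr -d ' ')
    rm -f "$old_n" "$new_n"
    echo $(( added + removed ))
}

# BIND's own syntax and semantic check of the staged file (exit code only).
check_zone() {
    zone=$1 file=$2
    command -v named-checkzone >/dev/null 2>&1 || {
        echo "named-checkzone not installed; refusing to publish" >&2
        return 2
    }
    named-checkzone -q "$zone" "$file"
}

# Check, compare with the last published copy, then copy and reload.
publish_zone() {
    zone=$1
    staged=$STAGE_DIR/$zone
    published=$PUBLISHED_DIR/$zone

    check_zone "$zone" "$staged" || return 1

    if [ -f "$published" ]; then
        old_serial=$(zone_serial "$published")
        new_serial=$(zone_serial "$staged")
        serial_advances "$old_serial" "$new_serial" || {
            echo "$zone: serial $new_serial does not advance $old_serial" >&2
            return 1
        }
        changed=$(zone_changed_lines "$published" "$staged")
        if [ "$changed" -gt "$MAX_CHANGED_LINES" ]; then
            echo "$zone: $changed changed lines (limit $MAX_CHANGED_LINES); review by hand" >&2
            return 1
        fi
    fi

    for host in $SECONDARIES; do
        # Each target is itself a primary for the zone: rsync over ssh
        # replaces AXFR, and rndc reload picks up the new file.
        rsync -a --checksum "$staged" "$host:$PUBLISHED_DIR/$zone" || return 1
        ssh "$host" rndc reload "$zone" || return 1
    done
    cp "$staged" "$published"
}

# Usage: publish_zone.sh example.net
if [ -n "${1:-}" ]; then
    publish_zone "$1"
fi
```

The threshold check is deliberately dumb; its job is to stop the script and make someone look, not to decide what a legitimate change is. It does not help if the attacker changes one record, which is Brad's caveat: the scheme only buys anything if you can detect the compromise before the copy is made.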


