Master to Slave Schedule to Avoid Poison Propagation
Brad Knowles
brad at stop.mail-abuse.org
Fri Aug 12 19:26:55 UTC 2005
At 6:29 AM -0700 2005-08-12, Danimal wrote:
> So for example if the master somehow became compromised we could remove
> it from the network before it infected the DNS records of the slave.
>
> So two questions:
>
> 1) Is this a common goal?
I've never heard it before, no.
> 2) What setup would achieve this goal?
Hmm. Well, I guess you could turn off NOTIFY, and you could set
the refresh period to be very long. However, if the compromise were
to happen right before a refresh, you could still have both servers
compromised very quickly.
Better might be to have all of the servers run as primaries, and
handle the zone transfer via rsync or some other out-of-bound
mechanism. That would give you a chance to check the data before
copying it to the so-called secondaries. But that's assuming that
you can actually detect a compromise before the data is copied.
Of course, if you completely separate your authoritative servers
from the caching/recursive servers, then the authoritative servers
can't be polluted or poisoned, and the only thing you'd have to worry
about there is people breaking into the machines and manually
modifying your zone data.
The caching/recursive servers might be able to be
polluted/poisoned, but so long as they are caching-only and running
modern code (like a BIND-9.3.1 or other recent version of BIND-9),
that should pose a lesser risk to your clients.
> If a setup like this is advisable it would seem there are two options:
> multiples masters or master/slave with delayed zone transfers. I have
> some ideas about what might work but I won't confuse this topic by
> interjecting incorrect information.
I think you're going to have a tough time managing to do this.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
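Brad's suggestion of running every server as a primary and pushing the zone with rsync only after checking it, as an added example written for this page (not code from the thread or from BIND): a POSIX shell gate that rejects a staged zone whose SOA serial did not advance, whose apex NS records changed, or that differs from the last known-good copy by more than a set number of lines, and only then hands the file to named-checkzone and rsync. The hostnames, paths and sample zones are constructed, and the SOA record is assumed to sit on a single line.

```shell
# Gate a zone-file update before copying it to the other primaries.
# Assumptions (mine, not from the thread): SOA on one line, apex records
# start with "@", and named-checkzone/rsync exist on the staging host.
SECONDARIES=${SECONDARIES:-"ns2.example.net ns3.example.net"}  # hypothetical hosts
ZONE_DIR=${ZONE_DIR:-/var/named/zones}                         # hypothetical path
MAX_CHANGED=${MAX_CHANGED:-20}   # more changed lines than this is suspicious

# Print the SOA serial of a zone file (single-line SOA assumed).
zone_serial() {
    awk '{ l=$0; gsub(/[()]/, " ", l); n=split(l, f, "[ \t]+")
           for (i=1; i<=n; i++) if (toupper(f[i])=="SOA") { print f[i+3]; exit } }' "$1"
}
# Print the sorted apex NS targets; a delegation change must never pass silently.
apex_ns() {
    awk '$1=="@" { for (i=2; i<=NF; i++) if (toupper($i)=="NS") print $(i+1) }' "$1" | sort
}
# Return 0 if NEW is an acceptable successor of OLD (the last known-good copy).
check_zone_update() {
    old=$1; new=$2
    old_serial=$(zone_serial "$old"); new_serial=$(zone_serial "$new")
    [ -n "$new_serial" ] || { echo "reject: no SOA serial in $new" >&2; return 1; }
    [ "$new_serial" -gt "$old_serial" ] 2>/dev/null ||
        { echo "reject: serial $new_serial not above $old_serial" >&2; return 1; }
    [ "$(apex_ns "$old")" = "$(apex_ns "$new")" ] ||
        { echo "reject: apex NS records changed" >&2; return 1; }
    changed=$(diff "$old" "$new" | awk '/^[<>]/ { n++ } END { print n+0 }')
    [ "$changed" -le "$MAX_CHANGED" ] ||
        { echo "reject: $changed changed lines (limit $MAX_CHANGED)" >&2; return 1; }
}
# Syntax-check the staged copy, then push it out of band with rsync.
push_zone() {
    zone=$1; old=$2; new=$3
    check_zone_update "$old" "$new" || return 1
    named-checkzone -q "$zone" "$new" || { echo "reject: named-checkzone" >&2; return 1; }
    for host in $SECONDARIES; do rsync -a "$new" "$host:$ZONE_DIR/$zone" || return 1; done
    cp "$new" "$old"   # the pushed copy becomes the new last-known-good baseline
}
# Constructed sample zones for a dry run (not real data): a benign edit and
# one that re-points the delegation.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '$ORIGIN example.com.' \
      '@ IN SOA ns1.example.com. hostmaster.example.com. ( 2005081201 3600 900 604800 86400 )' \
      '@ IN NS ns1.example.com.' '@ IN NS ns2.example.net.' 'www IN A 192.0.2.10' >"$dir/good"
    sed 's/2005081201/2005081202/; s/192.0.2.10/192.0.2.11/' "$dir/good" >"$dir/ok"
    sed 's/2005081201/2005081202/; s/ns2.example.net/ns9.example.org/' "$dir/good" >"$dir/bad"
    echo "$dir"
}
```

A cron job on the staging host would call `push_zone example.com /path/last-good /path/staged`; the reject messages are the place to hook an alert, since a stopped push is exactly the event worth investigating.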