cTLD and DNS upgrade

Peter Dambier peter at peter-dambier.de
Tue Jul 5 10:15:07 UTC 2005


Brad Knowles wrote:
> At 9:58 AM +0200 2005-07-05, Peter Dambier wrote:
> 
> 
>> I have learned from cache poisoned resolvers it makes sense to
>> mirror all zones you can even on the resolver. I have seen many
>> ISP resolvers that do mirror the most important zones.
>>
>> First it will prevent you from cache poisoning.
> 
> 
> 	I'm not convinced of that.  It may avoid certain failure modes, 
> but I sincerely doubt that it will catch all of them.
> 
> 	What tests have you done to prove that all known failure modes 
> are covered by this solution?

I did run resolvers again and again and I gave up again and again.
Bind4, Bind8, ens and the built-in resolvers from the router: all of them
had a couple of problems. Most of the problems came from my ISP disconnecting
me at least once every day. My resolvers cached the negative answer,
and when my router reconnected I was told "that host does not exist".

And my resolvers changed roots. Asking a server something it does
know, it might return the root-servers. Sometimes the wrong
root-servers. Slaving '.' solved this problem.

Seeing in practice how cache-poisoning, even root-poisoning, accidentally
works, I am glad I can prevent this by mirroring all important zones
on my resolver. I have seen banks and agencies do the same and exchange
zone files among them happily.

> 
>> Vixies company does a commercial version of Bind that is split into
>> two programmes, the resolver and the nameserver.
> 
> 
> 	Vixie's company?  You mean Nominum?  He may have helped to found 
> the company, but everything I've heard from various people who've 
> worked there indicates that he hasn't had any material involvement in 
> it for a very long time.

For my small memory Bind is Vixie, not the money but the brain.

> 
> 	Yes, Nominum does have the very best caching and 
> authoritative-only servers that I've ever seen.  Unfortunately, 
> they're pretty expensive.

They did a good job with Bind9. They solved a lot of problems I had
with earlier versions. That is why I think of them as Vixie's
company. Bind9 is his child.

I guess it is worth the money - if it were not running on Windows.

Probably that is the reason why they had to split resolver and
authoritative nameserver. Windows is famous for caching used
horseshoes thrown at it besides NetBIOS and other non-DNS packets.

> 
> 
> 	Note that PowerDNS also splits the caching/recursive functions 
> from the authoritative side, as do just about all the other programs 
> available that I am aware of.
> 
> 	Paul Vixie himself has said that he wishes that this was 
> something that could be changed about BIND, as he views the combined 
> services in one program to be a significant security weakness.  I 
> disagree with him, but I do agree that the default configurations 
> should separate these functions.
> 
> 	Note that I have said these functions should be split ever since 
> doing the technical review for the 2nd edition of _DNS and BIND_, 
> advice which Cricket Liu unfortunately chose not to accept (or maybe 
> it just got lost through the cracks).  And I'm sure that I wasn't the 
> first to come up with this idea, although alternatives to BIND at 
> that point were pretty thin on the ground.
> 

Very theoretically I see two alternatives:

/etc/hosts

It was never reached by DNS. /etc/hosts could give you all aliases for
a given hostname or ip. Forward or backward /etc/hosts gave you the
same results.

Of course DNS does a lot of things /etc/hosts cannot do.

NIS or yellow pages

NIS does everything /etc/hosts can do and it does it a lot faster.
Unlike /etc/hosts it is more centralised. But it does not scale.

Like DNS NIS can do things that /etc/hosts cannot.

NIS+ was a dead horse from the beginning. It might have been an
alternative to DNS if there had been tools to manage it.

I had to learn DNS to get around the f**ed up DNS-servers in Germany
that care more about giving no answers about censored sites than
giving answers in the first place. That is how I found out there has been
more than one root for a very long time. I guess there are some
20. I can count 8 of them for sure.

Did you ever read the '.' zone file and make it an /etc/hosts?

http://iason.site.voila.fr
http://www.kokoom.com/iason

have the tools. Append it to your /etc/hosts and try the difference.

I used check_soa from the O'Reilly book 'DNS and Bind' and was
shocked how many errors I got on so many toplevel domains.

After updating my /etc/hosts most of them were gone. So there is
information in DNS that you cannot query. Not to mention the
bad, if existing at all, reverse lookup.


Yes, there are other DNS-servers or caches, but it is really difficult
to stay compatible with Bind. Building a cache may be easier than
building a DNS-server. I'll try...

Regards,
Peter and Karin

-- 
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
+1-360-448-1275 (VoIP: freeworldialup.com)
+1-360-226-6583-9563 (INAIC)
mail: peter at peter-dambier.de
http://iason.site.voila.fr
http://www.kokoom.com/iason
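The split that Brad Knowles argues for in the thread above (recursive/caching service in one process, authoritative service in another) looks like this in BIND 9 configuration. This is an added illustration, not code from the thread or from ISC, and it is two separate named.conf files shown one after the other; the addresses, zone name and file paths are placeholders.

```conf
// ===== File 1: named.conf for the RECURSIVE (caching) instance =====
// Placeholder ranges: 192.0.2.0/24 is the client network, 192.0.2.53 this host.
options {
    directory "/var/named/recursive";
    listen-on       { 127.0.0.1; 192.0.2.53; };
    recursion yes;
    allow-query     { 127.0.0.1; 192.0.2.0/24; };  // only our own clients
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };  // never an open resolver
    // No master or slave zones are loaded here, so cached data and
    // authoritative data can never be served from the same process.
};

// Root hints only: the resolver learns the root servers from this file
// and then follows referrals like any other cache.
zone "." {
    type hint;
    file "named.root";
};

// ===== File 2: named.conf for the AUTHORITATIVE-ONLY instance =====
// Placeholder: 203.0.113.53 is the public address, example.net the zone.
options {
    directory "/var/named/authoritative";
    listen-on { 203.0.113.53; };
    recursion no;                 // refuse to resolve on anyone's behalf
    allow-query    { any; };      // public zone data, public answers
    allow-transfer { none; };     // list your secondaries here instead
};

zone "example.net" {
    type master;
    file "example.net.zone";
};
```

With the two instances bound to different addresses, a poisoned entry in the cache can only ever reach the clients you chose to serve, and the public-facing instance holds nothing but the zones you actually own.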



More information about the bind-users mailing list