cTLD and DNS upgrade

Brad Knowles brad at stop.mail-abuse.org
Tue Jul 5 11:56:41 UTC 2005


At 12:15 PM +0200 2005-07-05, Peter Dambier wrote:

>  Seeing in practice how cache-poisoning even root-poisoning accidentally
>  works I am glad I can prevent this with mirroring all important zones
>  on my resolver. I have seen banks and agencies do the same and exchange
>  zone files among them happily.

	In other words, you haven't done any tests.  You found something 
that may or may not have worked in one specific instance, and you are 
blindly applying it to everything.

	There have been places in the code where data could be returned 
as part of a cached answer, and then turn around and hand that same 
bogus data back out as part of an authoritative response.  This is 
why you want to make sure that your caching-only servers are not 
authoritative for anything, beyond the standard 
"0.0.127.in-addr.arpa." and "localhost." zones.

>>  	Vixie's company?  You mean Nominum?  He may have helped to found
>>  the company, but everything I've heard from various people who've
>>  worked there indicates that he hasn't had any material involvement in
>>  it for a very long time.
>
>  For my small memory Bind is Vixie, not the money but the brain.

	Paul Mockapetris created the DNS.  He drafted Paul Vixie into 
working on BIND.  Paul Vixie brought in a team of people to work with 
him on the code, and one of the things he insisted on was that BIND-9 
be a complete ground-up re-write without a single line of code from 
him.  Nominum was contracted to handle that work.

	Among other things, Paul Vixie helped found the company Nominum, 
but many other principals are also involved, with Paul Mockapetris at 
the top of the list.  If you're going to be in this business, it 
would be a good idea to check out the list of people at 
<http://www.nominum.com/company.php?subid=1>.

>  They did a good job with Bind9. They solved a lot of problems I had
>  with earlier versions. That is why I think of them as Vixie's
>  company. Bind9 is his child.

	Nominum is one of the companies that Paul Vixie helped found, 
that's true.  And Paul has been the principal steward for BIND for 
many years.  But he has taken a completely hands-off attitude towards 
BIND-9.  He maintains his relationship with the Internet Systems 
Consortium (ISC), which is the home of BIND, INN, NTP, and a number 
of other good works.  You might want to take a look at 
<http://www.isc.org/sw/bind/bind-history.php> and 
<http://www.isc.org/about/history/>.

>  I guess it is worth the money - if it was not running on windows.

	The recommended hardware configurations for Nominum's ANS and CNS 
products do not include Windows.  See 
<http://www.nominum.com/products.php?id=2&faq=1#faq_33> and 
<http://www.nominum.com/products.php?id=1&faq=1#faq_20>.

>  Probably that is the reason why they had to split resolver and
>  authoritative nameserver. Windows is famous for caching used
>  horseshoes thrown at it besides NetBIOS and other non-DNS packets.

	Windows has nothing to do with it.  Nominum's products run only 
on Linux (Red Hat and SuSE), FreeBSD, and Solaris.  That's it.  No 
Windows.  At least, that's the story according to the datasheets at 
<http://www.nominum.com/content/documents/nominum_ds_cns.pdf> and 
<http://www.nominum.com/content/documents/ans_datasheet.pdf>.

	Perhaps you were thinking of the stuff from Men&Mice, and their 
Active Directory-enhanced products?  While their stuff will run on 
Windows (and the AD stuff obviously requires Windows networks), 
that's not the only platform they support.  Moreover, they can fully 
integrate their unique front-end management tools with a standard 
BIND-9 back end.  Of course, this is a totally different company, one 
that Cricket Liu had some involvement with a little while back.  He's 
now at InfoBlox, a company that sells high-performance Linux-based 
DNS/DHCP appliances.


	My understanding is that the caching/recursive versus 
authoritative split for Nominum ANS/CNS was done for both performance 
and security reasons, but to get the official word you'd have to talk 
to people who work there (or who have worked there), and who are more 
knowledgeable on that subject.

>  Did you ever read the '.' zone file and make it an /etc/hosts?

	I was using HOSTS.TXT back in 1990, and I got fed up with trying 
to keep that file up-to-date.  I set up the first caching/recursive 
nameserver within what was then the Defense Communications Agency. 
Yes, DCA owned Milnet, and the one-and-only NIC at the time (SRI-NIC, 
later nic.ddn.mil) was run under the auspices of DCA, but those were 
all outward facing services -- mine was the first on the internal 
network serving internal clients.

	I know how /etc/hosts works, and I'm not particularly interested 
in ever going back that way.

>  I used check_soa from the O'Reilly book 'DNS and Bind' and was
>  shocked how many errors I got on so many toplevel domains.

	I am the maintainer for "doc" (which I inherited from Paul 
Mockapetris), and a contributor to "dnswalk".

	I did some more extensive testing a while back on the root zone 
and all the TLDs.  See 
<http://www.shub-internet.org/brad/papers/dnscomparison/>.  I am in 
the process of updating this testing, and the results so far do not 
look good.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
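The two checks discussed in this exchange, the check_soa-style audit Peter ran against the TLDs and Brad's point that a caching-only server must never hand back data as authoritative, can be demonstrated together on DNS wire-format responses. The following is an added example, not code from this post, from the O'Reilly check_soa program, or from doc/dnswalk; the nameserver names (ns1.example. and so on), zone, serials and the responses themselves are constructed by hand so it runs offline. It parses each response for the AA flag and the SOA serial, then reports any server that answers without AA set or disagrees on the serial.

```python
"""check_soa-style consistency audit over constructed DNS wire-format responses.

Added example (not the list post's or the O'Reilly tool's code). All responses
are built locally so the audit runs without network access.
"""
import struct

SOA_TYPE, IN_CLASS = 6, 1
AA_FLAG = 0x0400  # "authoritative answer" bit in the DNS header flags


def build_name(name):
    # Encode a dotted name into uncompressed wire format.
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_response(zone, serial, aa, ns_name="ns1.example.", mbox="hostmaster.example."):
    # Constructed response: header, one question, one SOA answer (owner via compression pointer).
    flags = 0x8000 | (AA_FLAG if aa else 0) | 0x0100 | 0x0080  # QR, (AA), RD, RA
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = build_name(zone) + struct.pack("!HH", SOA_TYPE, IN_CLASS)
    rdata = (build_name(ns_name) + build_name(mbox)
             + struct.pack("!IIIII", serial, 3600, 900, 604800, 86400))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SOA_TYPE, IN_CLASS, 3600, len(rdata)) + rdata
    return header + question + answer


def read_name(msg, off):
    # Decode a wire-format name, following compression pointers; returns (name, offset after it).
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2  # the pointer itself is the last part of the name in-stream
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def parse_soa_response(msg):
    # Returns the AA flag, the RCODE and the SOA serial from the answer section (None if absent).
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    serial = None
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA_TYPE and rclass == IN_CLASS:
            _, p = read_name(msg, off)  # MNAME
            _, p = read_name(msg, p)    # RNAME
            serial = struct.unpack("!I", msg[p:p + 4])[0]
        off += rdlen
    return {"aa": bool(flags & AA_FLAG), "rcode": flags & 0x000F, "serial": serial}


def check_soa(responses):
    """responses: {nameserver: wire bytes}. Returns a list of problems; empty when
    every server answers authoritatively (AA set) with the same SOA serial."""
    problems, serials = [], {}
    for ns, msg in responses.items():
        r = parse_soa_response(msg)
        if r["rcode"] != 0 or r["serial"] is None:
            problems.append(f"{ns}: no SOA answer (rcode {r['rcode']})")
            continue
        if not r["aa"]:
            # A caching-only host, or a stale secondary, will answer with AA clear.
            problems.append(f"{ns}: SOA answer is not authoritative (AA clear)")
        serials[ns] = r["serial"]
    if len(set(serials.values())) > 1:
        problems.append("serial mismatch: " + ", ".join(f"{n}={s}" for n, s in sorted(serials.items())))
    return problems


# Constructed sample: two servers agree, a third lags and is not authoritative.
CONSTRUCTED = {
    "ns1.example.": build_soa_response("example.", 2005070501, aa=True),
    "ns2.example.": build_soa_response("example.", 2005070501, aa=True),
    "ns3.example.": build_soa_response("example.", 2005070499, aa=False),
}

if __name__ == "__main__":
    for problem in check_soa(CONSTRUCTED):
        print(problem)
```

Against real servers one would send the SOA query to each host listed in the zone's NS set and feed the raw replies to check_soa; a caching-only resolver that shows up with AA set for a zone other than the local "localhost." and "0.0.127.in-addr.arpa." zones is exactly the mixed configuration the reply above warns against.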