cTLD and DNS upgrade
Brad Knowles
brad at stop.mail-abuse.org
Tue Jul 5 11:56:41 UTC 2005
At 12:15 PM +0200 2005-07-05, Peter Dambier wrote:
> Seeing in practice how cache-poisoning even root-poisoning accidentally
> works I am glad I can prevent this with mirroring all important zones
> on my resolver. I have seen banks and agencies do the same and exchange
> zone files among them happily.
In other words, you haven't done any tests. You found something
that may or may not have worked in one specific instance, and you are
blindly applying it to everything.
There have been places in the code where data could be returned
as part of a cached answer, and then turn around and hand that same
bogus data back out as part of an authoritative response. This is
why you want to make sure that your caching-only servers are not
authoritative for anything, beyond the standard
"0.0.127.in-addr.arpa." and "localhost." zones.
>> Vixie's company? You mean Nominum? He may have helped to found
>> the company, but everything I've heard from various people who've
>> worked there indicates that he hasn't had any material involvement in
>> it for a very long time.
>
> For my small memory Bind is Vixie, not the money but the brain.
Paul Mockapetris created the DNS. He drafted Paul Vixie into
working on BIND. Paul Vixie brought in a team of people to work with
him on the code, and one of the things he insisted on was that BIND-9
be a complete ground-up re-write without a single line of code from
him. Nominum was contracted to handle that work.
Among other things, Paul Vixie helped found the company Nominum,
but many other principals are also involved, with Paul Mockapetris at
the top of the list. If you're going to be in this business, it
would be a good idea to check out the list of people at
<http://www.nominum.com/company.php?subid=1>.
> They did a good job with Bind9. They solved a lot of problems I had
> with earlier versions. That is why I think of them as Vixie's
> company. Bind9 is his child.
Nominum is one of the companies that Paul Vixie helped found,
that's true. And Paul has been the principal steward for BIND for
many years. But he has taken a completely hands-off attitude towards
BIND-9. He maintains his relationship with the Internet Systems
Consortium (ISC), which is the home of BIND, INN, NTP, and a number
of other good works. You might want to take a look at
<http://www.isc.org/sw/bind/bind-history.php> and
<http://www.isc.org/about/history/>.
> I guess it is worth the money - if it was not running on windows.
The recommended hardware configurations for Nominum's ANS and CNS
products do not include Windows. See
<http://www.nominum.com/products.php?id=2&faq=1#faq_33> and
<http://www.nominum.com/products.php?id=1&faq=1#faq_20>.
> Probably that is the reason why they had to split resolver and
> authoritative nameserver. Windows is famous for caching used
> horseshoes thrown at it besides NetBIOS and other non-DNS packets.
Windows has nothing to do with it. Nominum's products run only
on Linux (Red Hat and SuSE), FreeBSD, and Solaris. That's it. No
Windows. At least, that's the story according to the datasheets at
<http://www.nominum.com/content/documents/nominum_ds_cns.pdf> and
<http://www.nominum.com/content/documents/ans_datasheet.pdf>.
Perhaps you were thinking of the stuff from Men&Mice, and their
Active Directory-enhanced products? While their stuff will run on
Windows (and the AD stuff obviously requires Windows networks),
that's not the only platform they support. Moreover, they can fully
integrate their unique front-end management tools with a standard
BIND-9 back end. Of course, this is a totally different company, one
that Cricket Liu had some involvement with a little while back. He's
now at InfoBlox, a company that sells high-performance Linux-based
DNS/DHCP appliances.
My understanding is that the caching/recursive versus
authoritative split for Nominum ANS/CNS was done for both performance
and security reasons, but to get the official word you'd have to talk
to people who work there (or who have worked there), and who are more
knowledgeable on that subject.
> Did you ever read the '.' zone file and make it an /etc/hosts?
I was using HOSTS.TXT back in 1990, and I got fed up with trying
to keep that file up-to-date. I set up the first caching/recursive
nameserver within what was then the Defense Communications Agency.
Yes, DCA owned Milnet, and the one-and-only NIC at the time (SRI-NIC,
later nic.ddn.mil) was run under the auspices of DCA, but those were
all outward facing services -- mine was the first on the internal
network serving internal clients.
I know how /etc/hosts works, and I'm not particularly interested
in ever going back that way.
> I used check_soa from the O'Reilly book 'DNS and Bind' and was
> shocked how many errors I got on so many toplevel domains.
I am the maintainer for "doc" (which I inherited from Paul
Mockapetris), and a contributor to "dnswalk".
I did some more extensive testing a while back on the root zone
and all the TLDs. See
<http://www.shub-internet.org/brad/papers/dnscomparison/>. I am in
the process of updating this testing, and the results so far do not
look good.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
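The advice above, that a caching-only server should be authoritative for nothing beyond "localhost." and "0.0.127.in-addr.arpa.", can be audited mechanically. The following is an added example, not code from the post or from BIND; it scans a named.conf (a constructed sample is embedded) and reports any master/slave zone a caching-only resolver should not be carrying. The zone-statement scanner is a deliberately minimal one written for this example and assumes the common `zone "name" [class] { ... };` layout.

```python
import re

# Zones a caching-only resolver may legitimately serve with authority.
ALLOWED_AUTH_ZONES = {"localhost", "0.0.127.in-addr.arpa"}
# Zone types that make the server answer authoritatively for that name.
AUTHORITATIVE_TYPES = {"master", "primary", "slave", "secondary"}

# Constructed sample: a resolver that also mirrors other people's zones.
SAMPLE_NAMED_CONF = """
options { directory "/var/named"; recursion yes; };
zone "." { type hint; file "named.root"; };
zone "localhost." IN { type master; file "localhost.zone"; };
zone "0.0.127.in-addr.arpa." { type master; file "127.0.0.zone"; };
// mirrored copies of other zones: this is what makes the server
// hand back stale or bogus data as an authoritative answer
zone "example.com." { type slave; masters { 192.0.2.1; }; file "sec/ex"; };
zone "com." { type slave; masters { 192.0.2.2; }; file "sec/com"; };
"""

def strip_comments(text):
    """Drop /* */, // and # comments so they cannot hide or fake a zone."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(//|#).*", "", text)

def zone_blocks(text):
    """Yield (zone_name, body) per zone statement, counting braces so
    nested blocks such as masters { ... } stay inside the body."""
    for m in re.finditer(r'zone\s+"([^"]+)"', text):
        start = text.find("{", m.end())
        if start < 0:
            return
        depth, i = 0, start
        while i < len(text):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield m.group(1), text[start + 1:i]

def find_unexpected_authoritative_zones(named_conf):
    """Return [(zone, type)] for authoritative zones outside the allowed set."""
    findings = []
    for name, body in zone_blocks(strip_comments(named_conf)):
        name = name.rstrip(".").lower()
        tm = re.search(r"\btype\s+(\w+)\s*;", body, re.IGNORECASE)
        ztype = tm.group(1).lower() if tm else ""
        if ztype in AUTHORITATIVE_TYPES and name not in ALLOWED_AUTH_ZONES:
            findings.append((name, ztype))
    return findings
```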