[dns-operations] practical alternatives?
Mark Andrews
Mark_Andrews at isc.org
Tue Mar 7 03:36:39 UTC 2006
>
> Forgive my ignorance about what is actually possible
> or practical to do at this time... But if we were to assume
> that there is a real need for people to use remote name servers
> to do recursive lookups for them. Then we also assume it's not
> practical to have people run name servers on their local machines
> that in turn would use TSIG. (because it takes significant amounts
> of user configuration that your typical internet user isn't ready
> for)...
It's not that hard.
key "recursion" {
    algorithm "hmac-md5";
    secret "xxxxxxxx";        // base64-encoded shared secret (placeholder)
};
server 1.2.3.4 {
    key recursion;            // sign every query sent to this server with the key above
};
options {
    forwarders { 1.2.3.4; };
    forward only;             // never iterate locally; always go through the signed forwarder
};
Long term it should end up something like.
/etc/resolv.conf
nameserver 1.2.3.4
tsig hmac-md5 recursion "xxxxxxxx"
This has all the servers using the same TSIG which should be ok.
res_sendsigned() is written with this model in mind.
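As an added worked example (not code from this post or from BIND), here is the RFC 2845 HMAC-MD5 signing that the local forwarder applies to each query under the configuration above, together with the check the remote recursive server performs before it honours the query. The key name "recursion" follows the configuration; the secret bytes, the timestamp and the A query for example.com are constructed for the example (a real named.conf secret is base64), and all names are assumed uncompressed.

```python
import hashlib, hmac, struct
ALG = "hmac-md5.sig-alg.reg.int"   # RFC 2845 name for the algorithm called "hmac-md5" in named.conf

def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(buf, off):  # decode an uncompressed wire name -> (text, offset just past it)
    labels = []
    while buf[off]:
        labels.append(buf[off + 1:off + 1 + buf[off]].decode())
        off += buf[off] + 1
    return ".".join(labels), off + 1

def build_query(qname, msg_id=0x1234):  # constructed sample: recursive (RD=1) A query, one question
    return struct.pack(">HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + wire_name(qname) + struct.pack(">HH", 1, 1)

def tsig_variables(keyname, time_signed, fudge, error=0, other=b""):
    """TSIG fields under the MAC (RFC 2845 3.4.2): key name, CLASS ANY, TTL 0, algorithm, time, fudge, error, other."""
    return (wire_name(keyname) + struct.pack(">HI", 255, 0) + wire_name(ALG)
            + struct.pack(">HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other)) + other)

def sign_request(msg, keyname, secret, time_signed, fudge=300):
    """Client side: append a TSIG RR (type 250) whose MAC is HMAC-MD5(secret, message || TSIG variables)."""
    mac = hmac.new(secret, msg + tsig_variables(keyname, time_signed, fudge), hashlib.md5).digest()
    rdata = (wire_name(ALG) + struct.pack(">HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + msg[:2] + struct.pack(">HH", 0, 0))          # original ID, error 0, other len 0
    rr = wire_name(keyname) + struct.pack(">HHIH", 250, 255, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack(">H", struct.unpack(">H", msg[10:12])[0] + 1) + msg[12:] + rr

def verify_request(signed, keys, now):
    """Server side: parse the trailing TSIG RR, recompute the MAC under the named key and check the time window; returns the key name that verified, or None (where named would answer BADKEY/BADSIG/BADTIME)."""
    qd, an, ns, ar = struct.unpack(">HHHH", signed[4:12]); off = 12
    if not ar: return None                                # no additional section, so no TSIG at all
    for _ in range(qd):                                   # skip questions
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):                     # skip every RR that precedes the TSIG
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack(">H", signed[off + 8:off + 10])[0]
    keyname, p = read_name(signed, off)
    rtype = struct.unpack(">H", signed[p:p + 2])[0]; p += 10   # TYPE, then CLASS/TTL/RDLENGTH
    alg, p = read_name(signed, p)
    ts_hi, ts_lo, fudge, maclen = struct.unpack(">HIHH", signed[p:p + 10]); p += 10
    mac, time_signed = signed[p:p + maclen], (ts_hi << 32) | ts_lo
    orig_id, error, other_len = struct.unpack(">HHH", signed[p + maclen:p + maclen + 6])
    if rtype != 250 or alg.lower() != ALG or keyname not in keys or error or other_len or abs(now - time_signed) > fudge:
        return None
    unsigned = struct.pack(">H", orig_id) + signed[2:10] + struct.pack(">H", ar - 1) + signed[12:off]  # message as digested
    expected = hmac.new(keys[keyname], unsigned + tsig_variables(keyname, time_signed, fudge), hashlib.md5).digest()
    return keyname if hmac.compare_digest(mac, expected) else None
```

Any change to the question, a wrong or unknown key, or a timestamp outside the fudge window makes verify_request return None, which is the property the forwarder setup relies on.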
> Is there a way to configure a name server to only allow recursive
> queries to be initiated by using only TCP? and/or would this help
> with the issue of DDOS?
>
> Or, would it be possible to allow recursive queries to be done only
> after some minimal amount of acknowledgment from the requester?
>
> I can see the value to the continued ability to use remote name
> servers that are 'trusted' rather than merely trusting those that
> are given to us by DHCP. It would be nice if there was some options
> for this short of running your own name server and/or TSIG.
>
> Maybe if someone had a painless way to configure localhost name
> server that was able to do TSIG with some other name server this
> would be acceptable, but at this point running BIND doesn't seem
> like a practical option.
>
> Glenn Wiltse
>
> On Fri, 3 Mar 2006, Paul Vixie wrote:
>
> > # Other than that there is a trust issue. No matter where I go or at what
> > # point I get on the internet my computer always uses my dns servers because I
> > # control them. He who controls the dns server you use controls you, so you
> > # better trust them.
> >
> > isn't this why we developed TSIG? did you know that your laptop (even if
> > it runs windows) can run BIND9 as a forwarder, and that the forwarded queries
> > can be protected with TSIG on their way back to your home recursive caching
> > name server? you can learn more about this at:
> >
> > http://www.ietf.org/rfc/rfc2845.txt
> > http://www.isc.org/sw/bind/
> >
> > note that this isn't for everybody. only someone smart enough to know they'd
> > prefer to talk to their own nameserver, and someone smart enough to know how
> > to keep DHCP from overriding their choice of nameserver, could (or would) do
> > this.
> >
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org