[dns-operations] Best Practices in DNS security
Matt Ghali
matt at snark.net
Fri Mar 17 17:33:15 UTC 2006
On Fri, 17 Mar 2006, Peter Dambier wrote:
> Best source I can imagine:
>
> http://cr.yp.to/djbdns.html
>
> I don't want to propose you install djbdns but then you would split
> authority and resolver on different ip addresses favourably on different
> machines. It does make sense to use virtual machines. Seen from an
> intruder they are still separate machines.
as much as I resent seeing djb-ware in a message with the phrase
'Best Practices' in the subject line, I am open to reasons why this
is a better idea than simply having two different correctly
configured BIND 9 instances listening on two different interfaces of
the same machine.

if there actually is value in figuring out the twisty path of
djb-ware's myriad of random third party patches, bizarre filesystem
paths, and microcosm of itty bitty codelets, i'm all ears.

otherwise, i'd be inclined to suggest that it's much easier (based on
available documentation and howtos) to simply have BIND 9 do the
same thing.
matto
--matt at snark.net------------------------------------------<darwin><
The only thing necessary for the triumph
of evil is for good men to do nothing. - Edmund Burke
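
The split discussed in this message (authoritative service and recursive resolver on different addresses, here as two BIND 9 instances on one machine), sketched as an added example that is not part of the original post or of either poster's setup. All file paths, addresses and the zone name are constructed placeholders.

```conf
// ---- /etc/named-auth.conf (hypothetical path): authoritative-only instance ----
// Started as: named -c /etc/named-auth.conf
options {
    directory "/var/named/auth";           // hypothetical; one directory per instance
    pid-file "/var/run/named-auth.pid";    // must differ between the two instances
    listen-on { 192.0.2.53; };             // constructed public-facing address
    listen-on-v6 { none; };
    recursion no;                          // never resolves on behalf of clients
    allow-query { any; };                  // anyone may ask about the zones served here
    allow-transfer { none; };              // open per zone, to named secondaries only
};
// Distinct rndc control port per instance so the two do not collide.
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; }; };

zone "example.com" {                       // constructed zone name
    type master;
    file "example.com.zone";
};

// ---- /etc/named-cache.conf (hypothetical path): recursive-only instance ----
// Started as: named -c /etc/named-cache.conf
options {
    directory "/var/named/cache";
    pid-file "/var/run/named-cache.pid";
    listen-on { 10.0.0.53; };              // constructed internal-facing address
    listen-on-v6 { none; };
    recursion yes;
    allow-query { 10.0.0.0/8; };           // internal clients only
    allow-recursion { 10.0.0.0/8; };       // not an open resolver
};
controls { inet 127.0.0.1 port 954 allow { 127.0.0.1; }; };

// No zone statements here: this instance holds no authoritative data,
// so cached answers never mix with the zones served on 192.0.2.53.
```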