[dns-operations] Best Practices in DNS security

Per Heldal heldal at eml.cc
Sat Mar 18 01:22:52 UTC 2006

On Fri, 17 Mar 2006 18:25:12 -0500, "Geo." <geoincidents at nls.net> said:
> > Apropos, we don't have enough different DNS-servers. Bind is close to a
> > monopoly. djbdns can do everything by fly or read the manual. I think
> > it is good for experimenting and for developing your own nameserver but
> > it is not meant for production. Nevertheless there exist other
> > nameservers or do you think ".com" is running on Bind?
> There exist other mail servers than Exchange, but until MS fixed exchange
> so it installed with relay disabled it was a major problem. People didn't
> simply switch because there were other or even better mail servers did
> they?

Most people didn't switch because they didn't know or understand the

The ops community keeps failing to communicate the importance of BCPs
and reasonable functional requirements to a wider public. That's why
certain vendors (and not only MS) can keep dragging their feet wrt
fixing their software. The PR-side to such issues is mostly forgotten it
seems. Relatively minor issues like this one would find their rapid
resolution if the shit hits the fan in mainstream media (in the proper
way of course). Then, it would also be harder to get away using
sub-standard solutions when there's consensus in the industry on how
things should be.

Btw, the same applies to most of those routing-tweaks that make so many
drag their feet on implementing BCP38 (the main reason for this
discussion). Exploration of unintended properties in protocols may be
possible. That doesn't mean that every thinkable stunt has to be

> That's all I'm saying here, lots of people use MSdns and they are going
> to continue to use it regardless of what we do to solve this dns flooding
> attack vector. We need to stop saying "well bind9 can do it" and face the
> reality that people run other dns server software than bind. We need a
> solution that works for everyone not just bind users. Solutions that
> require running dual dns servers on the same physical machine don't meet
> that requirement.

The ops-community must communicate minimum requirements to vendors and
to customers. Products which don't qualify should be blocked from use
for publicly accessible services.

  Per Heldal