By Anonymous Coward Posted Tuesday 20th November 2007 18:15 GMT
Hint: use 'djbdns' instead of BIND. Dan Bernstein, its author, actually *guarantees* its security:
http://cr.yp.to/djbdns/guarantee.html
It can do everything BIND can do (except where BIND violates various RFCs, in which case Dan has maintained compliance).
I have personally compiled and run it on Solaris, Gentoo and FreeBSD. Currently we are running it in production on a second-hand SUN Box running a port of FreeBSD.
By Anonymous Coward Posted Tuesday 20th November 2007 19:01 GMT
It should come as no surprise that ns.123-reg.co.uk. and ns2.123-reg.co.uk currently advertise that they will do recursive lookups. In practice they don't (at least not from my IP), which is probably more luck than planning. However, even indicating that they'll do this will generate a bunch of such requests their servers could surely do without and may expose vulnerabilities.
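The gap this comment describes, between a server setting the RA (recursion available) flag in its replies and actually recursing for a given client, can be checked from the 12-byte DNS header alone. The sketch below is an added example, not part of the original comment; the sample replies are constructed, and the function names and the query name `example.com` are assumptions.

```python
import struct

# DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035, section 4.1.1)
HEADER = struct.Struct("!6H")
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080

def build_query(name, qid=0x1234, rd=True):
    """Build an A/IN query; RD asks the server to recurse on our behalf."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return HEADER.pack(qid, RD if rd else 0, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def classify(response):
    """Classify the reply to an RD=1 query for a name outside the server's own zones."""
    if len(response) < HEADER.size:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, answers, _ns, _ar = HEADER.unpack_from(response)
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    ra, aa, rcode = bool(flags & RA), bool(flags & AA), flags & 0x000F
    if not ra:
        verdict = "recursion not advertised"
    elif rcode == 0 and answers > 0 and not aa:
        # Heuristic: a non-authoritative answer for a foreign name means it recursed
        # (or served the answer from cache) for this client.
        verdict = "open recursion: advertised and performed"
    else:
        verdict = "recursion advertised but not performed for this client"
    return {"ra": ra, "aa": aa, "rcode": rcode, "answers": answers, "verdict": verdict}

# Constructed reply headers (not captured traffic), one per case.
SAMPLES = {
    "refused_ra_set": HEADER.pack(0x1234, QR | RD | RA | 5, 1, 0, 0, 0),  # RA set, REFUSED
    "refused_ra_clear": HEADER.pack(0x1234, QR | RD | 5, 1, 0, 0, 0),     # RA clear, REFUSED
    "answered": HEADER.pack(0x1234, QR | RD | RA, 1, 1, 0, 0),            # RA set, 1 answer
}

if __name__ == "__main__":
    print(build_query("example.com").hex())
    for label, reply in SAMPLES.items():
        print(label, "->", classify(reply)["verdict"])
```

The first sample is the case the comment reports: RA is set, yet the query is refused for this client.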
Well it is too complex and the tools aren't much better.
By Anonymous Coward Posted Tuesday 20th November 2007 19:26 GMT
I've not touched DNSSEC for a while, following a RIPE course where my overall impression of DNSSEC was that it was unworkable, and I haven't seen anything to make me jump into it since.
Regarding recursion, mapping networks and so on - doesn't DNSSEC have this as part of the proposal, i.e. chained records (next, previous etc.)?
By system Posted Tuesday 20th November 2007 22:49 GMT
"Should an organisation’s DNS systems fail, all internet functions including email, web access, e-commerce, and extranets become unavailable."
Not entirely accurate. Should DNS fail, only those transactions relying on domain names will fail. Most services can continue to work just as well with IPs instead.
It's certainly not the same as all internet functions becoming unavailable.
Comments on: DNS security improves as firms tool up to tackle spam