From: Peter Humphrey
Organization: at home
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Running HTTP and DNS on same machine
Date: Thu, 18 Aug 2011 01:50:19 +0100
User-Agent: KMail/1.13.7 (Linux/2.6.39-gentoo-r3; KDE/4.6.5; x86_64; ; )
References: <4E4C3BC9.7060105@badapple.net> <13018109.F5OV1tg5nm@nazgul>
In-Reply-To: <13018109.F5OV1tg5nm@nazgul>
Message-Id: <201108180150.19514.peter@humphrey.ukfsn.org>

On Wednesday 17 August 2011 23:51:12 Alan McKinnon wrote:
> Long long ago (in the 90s) when a current colleague started working
> here, he wanted access to the hidden primary (like your ns00).
>
> He was given a bare machine (no OS) with these instructions:
>
> It's 10am, by 4pm I want a name server running on that hardware,
> authoritative for domain xxx.yyy.zzz, live on the internet, with
> firewall installed and all reasonable security precautions taken. You
> do not have to register xxx.yyy.zzz with any registrar, we will test
> it with "dig @".
>
> He passed :-)

A better man than me!

> The same fellow 3 years later found one day that the company zone had
> not loaded after an update (the name servers are self-hosted in that
> zone) and the support person that did it had done it twice before
> recently. Ten minutes later an ACL was in place and only systems could
> edit the zone. The entire company was told to propose sub-domains for
> their own teams and systems would delegate them - the uproar was
> fantastic but he stood his ground. He was 100% right of course and we
> still benefit today.
>
> Lessons learned:
> - do not ever mess with your DNS admin
> - $DEITY says "sir" in hushed tones when addressing the dns admin

I enjoyed that tale - thank you Alan.

-- 
Rgds
Peter
Linux Counter 5290, 1994-04-23