Re: [gentoo-user] {OT} web/mail server as nameserver

Re: [gentoo-user] {OT} web/mail server as nameserver

[Crayon Shin Chan]

On Friday 11 May 2007 04:29, Grant wrote:
> Hello, I've been using everydns.net as my site's nameserver but they
> were down for a long time yesterday and are currently down again
> today.

I've used zoneedit.com for years and have never had a problem.

> If this remote machine is my only web and mail server, it might as well 
> be the nameserver too right?

May not be good for mail. If your server is down and someone tries to send 
you mail and the dns lookup fails would the sending mailserver mark it as 
a failure immediately? As opposed to, if your dns server was elsewhere, 
then since dns lookup succeeds the sending mailserver will requeue the 
mail until your mailserver is up again.

> Would you use djbdns for this?

It would be a more secure choice than bind :)

-- 
Crayon
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] {OT} web/mail server as nameserver

[jarry]

Crayon Shin Chan wrote:

> > Would you use djbdns for this?
> 
> It would be a more secure choice than bind :)

Well, I do not know djbdns well so I can not compare djbdns/bind,
but I think bind security is not so bad: it can run as non-root
user now, moreover bind supports chrooting "right out the box". 

Poor security of bind is imho similar superstition as it is
for sendmail: once in the past this software had some problem,
so now a lot of people think they should forever avoid using it...

Jarry
-- 
Ist Ihr Browser Vista-kompatibel? Jetzt die neuesten 
Browser-Versionen downloaden: http://www.gmx.net/de/go/browser
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] {OT} web/mail server as nameserver

[Crayon Shin Chan]

On Friday 11 May 2007 18:48, jarry@gmx.net wrote:

> Poor security of bind is imho similar superstition as it is
> for sendmail: once in the past this software had some problem,
> so now a lot of people think they should forever avoid using it...

If the OP doesn't need any bind-specific feature then why not use djbdns 
which has a better security track record. djb software are built from the 
ground up to be secure (as is possible), he also splits the "program" 
into smaller executables, each having a specific job thus making each of 
them secure a simpler task. Whilst bind and sendmail have made 
substantial efforts to be more secure, they are still built on legacy and 
bloated monolithic code.

-- 
Crayon
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] {OT} web/mail server as nameserver

[Håkon Alstadheim]

Crayon Shin Chan wrote:
> On Friday 11 May 2007 18:48, jarry@gmx.net wrote:
>
>   
>> Poor security of bind is imho similar superstition as it is
>> for sendmail: once in the past this software had some problem,
>> so now a lot of people think they should forever avoid using it...
>>     
>
> If the OP doesn't need any bind-specific feature then why not use djbdns 
> which has a better security track record. djb software are built from the 
> ground up to be secure (as is possible), he also splits the "program" 
> into smaller executables, each having a specific job thus making each of 
> them secure a simpler task. Whilst bind and sendmail have made 
> substantial efforts to be more secure, they are still built on legacy and 
> bloated monolithic code.
>
>   
Just to fill in the picture a bit, the djb* software also has a long
"flip-the-bird-at-any-rfc-you-don't-like" track-record.

-- 
Håkon Alstadheim 
spamtrap: finnesikke@alstadheim.priv.no -- 1 hit & you are out

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] {OT} web/mail server as nameserver

[kashani]

Håkon Alstadheim wrote:
> Crayon Shin Chan wrote:
>> On Friday 11 May 2007 18:48, jarry@gmx.net wrote:
>> 
>>> Poor security of bind is imho similar superstition as it is
>>> for sendmail: once in the past this software had some problem,
>>> so now a lot of people think they should forever avoid using it...
>>>     
>> If the OP doesn't need any bind-specific feature then why not use djbdns 
>> which has a better security track record. djb software are built from the 
>> ground up to be secure (as is possible), he also splits the "program" 
>> into smaller executables, each having a specific job thus making each of 
>> them secure a simpler task. Whilst bind and sendmail have made 
>> substantial efforts to be more secure, they are still built on legacy and 
>> bloated monolithic code.
>>
>>   
> Just to fill in the picture a bit, the djb* software also has a long
> "flip-the-bird-at-any-rfc-you-don't-like" track-record.
> 

I generally agree with Håkon on this. :-).

The other issue is that djb likes to abandon his software after it's 
"done". Things like DNSSEC and dynamic updates don't exist in djbdns and 
aren't planned. They don't matter so much if you're just doing 
authoritative DNS, but if you're doing interesting thing on your network 
Bind is pretty much required.

kashani
-- 
gentoo-user@gentoo.org mailing list