[nycbug-talk] dns abuse
carton at Ivy.NET
Wed Jan 21 14:29:35 EST 2009
>>>>> "y" == Yarema <yds at coolrat.org> writes:
y> I can't say enough good things about djbdns.
I can say a few bad ones.
no support for ipv6, no standards-compliant secondary dns. no support
for dyndns and dnssec and thus no support for wide-area dns-sd.
dns-sd is the best example of DJB's wrong-headedness. It's a
well-liked protocol which is becoming important, and it gracefully
builds on standards the rest of us have been carefully laying, one
stone upon another, for future protocols we couldn't imagine yet
(dnssec, dynamic updates, IXFR), and now dns-sd comes along as such an
unimagined protocol using all the prior work.
y> my servers were not contributing to any DDoSing since they
y> returns nothing to the . NS query.
which may well violate some standard, or make something else harder to
And it provides no real security because I can still do a query for
something for which your server is authoritative and get it to amplify
an attack. That just happens to not be the case this time---it's
security through obscurity.
but as you said it's easier. Maybe this stripped-down
linksys-router-style simplified software is an effective, sort of,
civil-disobedience backpressure on bloated standards.
Also his separating the resolver from the server is proper. Though
you can see the crazed zealot's limitations again here in that he
didn't really deliver a full resolver because he didn't deliver the
library piece of it. libresolv comes with BIND and gets built into
libc's, then you use that with dnscache---but the idea of making a
resolver by having a library send recursive queries to a DNS server is
a BIND idea, of which DJB hijaacked half. Bigger, more complicated
libresolv's that do their own cachinig and deviate from the BIND model
are built into Solaris and Mac OS X.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 304 bytes
Desc: not available
More information about the talk