Linux Server Security (2nd Edition) [Electronic resources] - text version

Michael D. Bauer








6.3. Selecting a DNS Software Package


The most popular and venerable DNS software
package is BIND. Originally a graduate-student project at UC
Berkeley, BIND is now relied on by thousands of sites worldwide. The
latest version of BIND, v9, was developed by Nominum Corporation
under contract to the Internet Software Consortium (ISC), its
official maintainers.

BIND has historically been and continues to be the reference
implementation of the Internet Engineering Task
Force's (IETF's) DNS standards.
BIND Version 9, for example, provides the most complete
implementation thus far of the IETF's new DNSSEC
standards for DNS security. Due to BIND's importance
and popularity, the better part of this chapter will be about
securing BIND.

But BIND has its detractors. Like Sendmail, BIND has had a number of
well-known security vulnerabilities over the years, some of which
have resulted in considerable mayhem. Also like Sendmail, BIND has
steadily grown in size and complexity: it is no longer as lean and
mean as it once was, nor as stable. Thus, some assert that BIND is
insecure and unreliable under load.

Daniel J. Bernstein is one such BIND detractor, but one
who's actually done something about it:
he's the creator of djbdns, a complete (depending on
your viewpoint) DNS package.
djbdns has some important features:

Modularity


Rather than using a single monolithic daemon like
BIND's named to do everything,
djbdns uses different processes to fill different roles. For example,
djbdns not only uses different processes for resolving names and
responding to queries from other resolvers; it goes so far as to
require that those processes listen on different IP addresses. This
modularity results in both better performance and better security.


Simplicity


djbdns's adherents claim it's
easier to configure than BIND, although this is subjective. At least
from a programming standpoint, though, djbdns's much
smaller code base implies a much simpler design.


Security


djbdns was designed with security as a primary goal. Furthermore, its
smaller code base and architectural simplicity make djbdns inherently
more auditable than BIND: less code to parse means fewer overlooked
bugs. To date, there have been no known security vulnerabilities in
any production release of djbdns.


Performance


D. J. Bernstein claims that djbdns has much better speed and
reliability, and a much smaller RAM footprint, than BIND. Several
acquaintances of mine who administer extremely busy DNS servers rely
on djbdns for this reason.



So, djbdns is superior to BIND in every way, and the vast majority of
DNS administrators who use BIND are dupes, right? Maybe, but I doubt
it. djbdns has compelling advantages, particularly its performance.
If you need a
caching-only nameserver but not an
actual DNS authority for your domain, djbdns is clearly a leaner
solution than BIND. But the IETF is moving DNS in two key directions
that Mr. Bernstein apparently thinks are misguided, and therefore
that he refuses to support in djbdns.

The first is DNSSEC.
For secure zone transfers, djbdns must be used with rsync and
OpenSSH, since
djbdns does not support TSIGs or any other DNSSEC mechanism.
The second is IPv6, which djbdns does not support in the manner
recommended by the IETF (which is not to say that Mr. Bernstein is
completely against IPv6; he objects to the way the IETF recommends it
be used by DNS).
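The rsync-plus-OpenSSH replication just mentioned is the part of the djbdns approach a practitioner has to script themselves, so here is an added example of what that looks like; it is not code from the book or from the djbdns project. It assumes a hypothetical primary with its compiled zone data in /etc/tinydns/root/data.cdb and a secondary reachable over SSH as user dnssync at secondary.example.net; it also adds a step the text does not mention, comparing a SHA-256 digest on both ends after the copy so a truncated or stale file on the secondary is caught rather than served.

```shell
#!/bin/sh
# Added example (not the book's or djbdns's own code): push a tinydns zone
# database to a secondary over SSH with rsync, then confirm the copy arrived
# intact by comparing digests. Host names and paths below are hypothetical.
#
# Because the whole zone lives in one file, no AXFR service needs to be
# exposed on the primary; SSH supplies the encryption and host authentication
# that TSIG would otherwise provide for a BIND zone transfer.

# SHA-256 of a file, printed as a bare hex string. The same command is run
# on the secondary (over ssh) so both sides compute the digest identically.
file_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 when the local file's digest equals the digest reported by the
# secondary, 1 otherwise. Kept separate from the transfer so it can be
# exercised offline.
digests_match() {
    [ "$(file_digest "$1")" = "$2" ]
}

# Full push: rsync over ssh, then verify. "--checksum" makes rsync compare
# content rather than size and mtime, which matters because data.cdb is
# rewritten in place by tinydns-data. Only run this against a real secondary.
run_sync() {
    src=${1:-/etc/tinydns/root/data.cdb}
    peer=${2:-dnssync@secondary.example.net}
    dst=${3:-/etc/tinydns/root/data.cdb}

    rsync -az --checksum -e ssh "$src" "$peer:$dst" || return 1
    remote=$(ssh "$peer" "sha256sum '$dst' | cut -d' ' -f1") || return 1

    if digests_match "$src" "$remote"; then
        echo "zone data on $peer verified"
    else
        echo "digest mismatch on $peer: refusing to trust the copy" >&2
        return 1
    fi
}
```

On the secondary, the dnssync account should be restricted to the rsync target (for instance with a forced command in authorized_keys) so that a compromised primary cannot use the key for anything beyond dropping the zone file; run_sync is what a cron job or a post-tinydns-data hook would call.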

So, which software package do you choose? If performance is your
primary concern, if you believe djbdns is inherently more secure than
BIND (even BIND configured the way I'm about to
describe), or if you want a smaller and more modular package than
BIND, I think djbdns is a good choice.

If, on the other hand, you wish to use DNSSEC, are already familiar
with and competent at administering BIND, or need to interoperate
with other DNS servers running BIND (and feel you can mitigate
BIND's known and yet-to-be-discovered security
issues by configuring it carefully and keeping current with security
advisories and updates), then I don't think BIND is
that bad a choice.

In other words, I think each has its own merits:
you'll have to decide for yourself which better
meets your needs. BIND is by far the most ubiquitous DNS software on
the Internet, and most of my experience securing DNS servers has been
with BIND. Therefore, a good portion of this chapter will focus on
DNS security as it pertains to BIND Versions 8 and 9. The second half
of the chapter covers the basic use of djbdns.

If neither BIND nor djbdns appeals to you and you choose something
else altogether, you may wish to skip ahead to the section entitled
"Zone File Security." That section
applies to all DNS servers, regardless of what software they run.

