Chandan,
Are you more interested in marking off bullet points on
some "security compliance checklist", or actual, practical, real-world
security?
Just wondering...
- Kevin
Chandan Laskar wrote:
Thanks Bill.
We have an authoritative Name Server. Caching is not enabled in the Name
Server.
Also, based on the website
(http://www.netwidget.net/books/apress/dns/info/dlv.html), DLV is not
an IETF standardized feature, and BIND 9.3.2 (we have 9.6.0-P1) is the
current recommended implementation version.
So I am still not convinced about the necessity of DLV incorporation in
our setup.
I will be grateful if you can provide me with more suggestions.
Thanks and regards,
Chandan Laskar
2nd Floor Data Center, ITC Center,
4, Russel Street, Kolkata - 700 016
Phone:(033)-22889900 Extn.: 3944
(0)-9830057396 (M)
From: Bill Larson <wlla...@swcp.com>
Date: 04/07/2009 09:30 PM
To: Chandan Laskar <chandan.las...@itc.in>
Cc: bind-users@lists.isc.org
Subject: Re: Necessity of DNSSEC Lookaside Validation(DLV)
On Apr 7, 2009, at 9:43 AM, Chandan Laskar wrote:
Hi,
We have deployed DNS on RHEL 5 Update 1. Below are the features of our DNS.
1. Implemented OS security best practices (e.g. enabled MD5 and shadow
passwords, restricted root login on the console, configured SSH as an
alternative to Telnet, etc.).
2. Configured OpenSSL version 0.9.8j.
3. Configured BIND 9.6.0-P1 in a CHROOT environment, so BIND is not
running as the root user.
4. IPTABLES has been configured to block all the irrelevant ports.
5. The Allow Update feature in named.conf is not changed, so by default
it is 'NO'.
After all the above-mentioned protection, do we really need to
incorporate DNSSEC Lookaside Validation (DLV) in our DNS?
Suggestions please.
Your implementation is protecting the DNS server itself - very good.
The purpose of DLV is to ensure that the DNS data that your server
provides, and all DNSSEC data your server processes, is valid.
The DNSSEC/DLV configuration protects your DNS data from being
"spoofed" on another DNS server. It also protects the DNS data
that your server may be handing out recursively from being
compromised. Protecting both sides of the DNS service for your users
is necessary (at least important).
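The distinction Bill draws (hardening the host versus validating the data it serves and resolves) depends on which role the BIND instance plays. The two named.conf fragments below are an added illustration for this thread, not configuration from either poster; they assume BIND 9.6-era syntax, a chroot-relative directory of /var/named, an example zone "example.com", and a placeholder for the dlv.isc.org trust anchor key, since the real DNSKEY had to be fetched from ISC and verified out of band. DLV is consumed only by a validating resolver: it tells the resolver where to find a trust anchor for a signed zone whose parent publishes no DS record. An authoritative-only server with no cache, which is what Chandan describes, has nothing to validate; the data-side counterpart there is serving a signed zone.

```conf
// ===== File 1: named.conf for a validating recursive resolver =====
// (the role in which DLV does something; added example, not a poster's config)
options {
    directory "/var/named";               // assumed chroot-relative path
    recursion yes;
    allow-recursion { 192.0.2.0/24; };    // constructed client range (RFC 5737)

    // Enable DNSSEC processing and validate every answer that is signed.
    dnssec-enable yes;
    dnssec-validation yes;

    // For any name ("."), consult DLV records under dlv.isc.org when the
    // zone's parent has no DS record. The root zone was unsigned in 2009,
    // so without DLV the resolver had no chain of trust to most zones.
    dnssec-lookaside . trust-anchor dlv.isc.org;
};

// Trust anchor for the lookaside registry: owner, flags (257 = KSK),
// protocol (3), algorithm (5 = RSA/SHA-1), and the base64 public key.
// PLACEHOLDER: substitute the key obtained and verified from ISC.
trusted-keys {
    dlv.isc.org. 257 3 5 "PLACEHOLDER-BASE64-DLV-KEY";
};

// ===== File 2: named.conf for an authoritative-only server =====
// (Chandan's stated setup: no recursion, no cache, so no validation runs)
options {
    directory "/var/named";
    recursion no;                 // never resolves on behalf of clients
    allow-query { any; };
    allow-update { none; };       // the default Chandan relies on, made explicit
};

zone "example.com" {
    type master;
    // Serve the signed copy of the zone (assumed output file name of
    // dnssec-signzone) so that validating resolvers can verify the data.
    file "example.com.signed";
};
```

To check the resolver side, query it with `dig +dnssec` for a name in a zone that is signed and registered in DLV: a validated answer carries the `ad` flag, and a signature that fails to validate yields SERVFAIL rather than a forged record. The lookaside mechanism is historical: ISC retired the dlv.isc.org registry in 2017 once the signed root made it unnecessary, and current BIND releases use `dnssec-validation auto;` with the root trust anchor instead, but the split between hardening the host (Chandan's list) and validating the data (Bill's point) is unchanged.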
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users