Re: [gentoo-user] {OT} web/mail server as nameserver

2007-05-11 Thread Crayon Shin Chan
On Friday 11 May 2007 04:29, Grant wrote:
> Hello, I've been using everydns.net as my site's nameserver but they
> were down for a long time yesterday and are currently down again
> today.

I've used zoneedit.com for years and have never had a problem.

> If this remote machine is my only web and mail server, it might as well
> be the nameserver too right?

May not be good for mail. If your server is down and someone tries to send 
you mail and the dns lookup fails would the sending mailserver mark it as 
a failure immediately? As opposed to, if your dns server was elsewhere, 
then since dns lookup succeeds the sending mailserver will requeue the 
mail until your mailserver is up again.

> Would you use djbdns for this?

It would be a more secure choice than bind :)

-- 
Crayon
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] {OT} web/mail server as nameserver

2007-05-11 Thread jarry
Crayon Shin Chan wrote:

> > Would you use djbdns for this?
>
> It would be a more secure choice than bind :)

Well, I do not know djbdns well so I can not compare djbdns/bind,
but I think bind security is not so bad: it can run as non-root
user now, moreover bind supports chrooting right out of the box.

Poor security of bind is imho similar superstition as it is
for sendmail: once in the past this software had some problem,
so now a lot of people think they should forever avoid using it...

Jarry



Re: [gentoo-user] {OT} web/mail server as nameserver

2007-05-11 Thread Crayon Shin Chan
On Friday 11 May 2007 18:48, [EMAIL PROTECTED] wrote:

> Poor security of bind is imho similar superstition as it is
> for sendmail: once in the past this software had some problem,
> so now a lot of people think they should forever avoid using it...

If the OP doesn't need any bind-specific feature then why not use djbdns 
which has a better security track record. djb software are built from the 
ground up to be secure (as is possible), he also splits the program 
into smaller executables, each having a specific job thus making each of 
them secure a simpler task. Whilst bind and sendmail have made 
substantial efforts to be more secure, they are still built on legacy and 
bloated monolithic code.

-- 
Crayon



Re: [gentoo-user] {OT} web/mail server as nameserver

2007-05-11 Thread Håkon Alstadheim
Crayon Shin Chan wrote:
> On Friday 11 May 2007 18:48, [EMAIL PROTECTED] wrote:
> > Poor security of bind is imho similar superstition as it is
> > for sendmail: once in the past this software had some problem,
> > so now a lot of people think they should forever avoid using it...
>
> If the OP doesn't need any bind-specific feature then why not use djbdns
> which has a better security track record. djb software are built from the
> ground up to be secure (as is possible), he also splits the program
> into smaller executables, each having a specific job thus making each of
> them secure a simpler task. Whilst bind and sendmail have made
> substantial efforts to be more secure, they are still built on legacy and
> bloated monolithic code.

   
Just to fill in the picture a bit, the djb* software also has a long
flip-the-bird-at-any-rfc-you-don't-like track-record.

-- 
Håkon Alstadheim 
spamtrap: [EMAIL PROTECTED] -- 1 hit  you are out




Re: [gentoo-user] {OT} web/mail server as nameserver

2007-05-11 Thread kashani

Håkon Alstadheim wrote:
> Crayon Shin Chan wrote:
> > On Friday 11 May 2007 18:48, [EMAIL PROTECTED] wrote:
> > > Poor security of bind is imho similar superstition as it is
> > > for sendmail: once in the past this software had some problem,
> > > so now a lot of people think they should forever avoid using it...
> >
> > If the OP doesn't need any bind-specific feature then why not use djbdns
> > which has a better security track record. djb software are built from the
> > ground up to be secure (as is possible), he also splits the program
> > into smaller executables, each having a specific job thus making each of
> > them secure a simpler task. Whilst bind and sendmail have made
> > substantial efforts to be more secure, they are still built on legacy and
> > bloated monolithic code.
>
> Just to fill in the picture a bit, the djb* software also has a long
> flip-the-bird-at-any-rfc-you-don't-like track-record.

I generally agree with Håkon on this. :-).

The other issue is that djb likes to abandon his software after it's 
done. Things like DNSSEC and dynamic updates don't exist in djbdns and 
aren't planned. They don't matter so much if you're just doing 
authoritative DNS, but if you're doing interesting things on your network 
Bind is pretty much required.


kashani