Subject: Re: switching from bind8 to bind9
To: NetBSD Networking Technical Discussion List <tech-net@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-net
Date: 11/18/2002 15:12:41
[ On Monday, November 18, 2002 at 10:59:37 (-0500), Andrew Brown wrote: ]
> Subject: Re: switching from bind8 to bind9
>
> the queries i can't answer fall into two types: recursive queries, and
> non-recursive queries. these are the interesting ones. the recursive
> ones are mostly people who just need a boot in the head to make them
> see straight, or they get ignored if i have no idea who it is. this
> can also show evidence of an attack.
Well, OK, so you want to track recursive queries to your auth-only
non-recursive nameservers. Aren't there better ways than asking the
nameserver to log them?
> >(FYI I include full templates for all the RFC 1918 reverse zones too)
>
> like that's hard... 8-P
Hard enough, apparently, that neither ISC, nor to the best of my
knowledge any OS distribution using ISC BIND other than my own variant
of NetBSD, has done so to date.
> >.... and if you read the logs on startup you'll see something like:
> >
> >Nov 16 20:35:39 myhost named[7274]: /etc/named.conf:23: option 'host-statistics' is not implemented
>
> i see no such error message, but i also see that the data is missing.
> i wonder where the error went...
Either your named "logging" configuration is incomplete/incorrect, or
your syslogd is not recording some things.
> right, so i have to make my zonefiles conformant (as i always have)
> but i also get to forward the garbage that you send me, regardless of
> how bad it looks (well...to a degree). that sounds like the old tenet
> of "be liberal in what you accept, but conservative in what you send".
There are (lots of) times when forwarding garbage on to other resolvers
is exactly the wrong thing to do (witness this latest bug, for example).
BTW, the Robustness Principle is aimed at getting protocols to
interoperate, not at the data they carry. It's a very bad analogy, but
it's the first one that comes to mind: Never make that mistake lest you
end up with an intruder on the wrong side of your locked door.
> no, i've just worked with a lot of different code bases. i can tell
> bad code when i see it, and the bind code doesn't strike me as all
> that bad.
I think you need to (radically) adjust your definition of "bad C code"... :-)
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
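One of the "better ways" alluded to above, as an added example that is not part of the original thread and not anything Woods or ISC ship: instead of having the auth-only server log recursive queries, capture UDP/53 payloads in front of it (tcpdump or similar; the capture step is assumed, not shown) and classify them by the RD bit and by whether the name falls under a zone you serve. The parser below follows the RFC 1035 wire format; the zone list and the sample packets are constructed for the example.

```python
"""Classify DNS queries as seen at an authoritative-only nameserver.

Added example, not from the mailing-list thread.  It assumes you have the
raw UDP/53 payloads (e.g. from a capture in front of the server) and want
to know which clients set RD (recursion desired) for names you do not
serve.  Wire format: RFC 1035 section 4.1.
"""
import struct

# Hypothetical zones this auth-only server is authoritative for.
AUTH_ZONES = ("example.org.", "10.in-addr.arpa.")


def read_name(packet: bytes, offset: int) -> tuple:
    """Decode a (possibly compressed) name; return (name, offset_after).

    Compression pointers may only point backwards and at most 16 jumps are
    followed, so a crafted pointer loop cannot hang the parser.
    """
    labels, jumps, end = [], 0, None
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:            # compression pointer
            if offset + 1 >= len(packet):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("forward compression pointer")
            if end is None:
                end = offset + 2
            offset, jumps = pointer, jumps + 1
            if jumps > 16:
                raise ValueError("too many compression pointers")
            continue
        if length > 63:
            raise ValueError("label too long")
        label = packet[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace").lower())
        offset += 1 + length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_query(packet: bytes) -> dict:
    """Parse the header and the first question of a DNS message."""
    if len(packet) < 12:
        raise ValueError("short header")
    ident, flags, qdcount = struct.unpack("!3H", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, offset = read_name(packet, 12)
    if offset + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return {"id": ident, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
            "rd": (flags >> 8) & 1, "qname": qname, "qtype": qtype, "qclass": qclass}


def in_auth_zones(qname: str, zones=AUTH_ZONES) -> bool:
    """True if qname is at or below one of the zones we serve."""
    qname = qname.lower()
    return any(qname == z or qname.endswith("." + z) for z in zones)


def classify(packet: bytes) -> str:
    """auth: RD clear, our data.  auth-rd: RD set but for our data (resolvers
    set RD by default; an auth-only server just ignores it).  recursive: RD
    set for a name we do not serve (the client wants us to resolve for it).
    foreign-nonrec: RD clear for a name we do not serve (stale delegation,
    probe, ...)."""
    q = parse_query(packet)
    if q["qr"]:
        return "response"
    if q["opcode"] != 0:
        return "not-query"
    if in_auth_zones(q["qname"]):
        return "auth-rd" if q["rd"] else "auth"
    return "recursive" if q["rd"] else "foreign-nonrec"


def build_query(qname: str, rd: bool, ident: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal query packet; used only to construct sample traffic."""
    header = struct.pack("!6H", ident, 0x0100 if rd else 0, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split(".") if l)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def summarize(samples) -> dict:
    """Per-client label counts; samples are (client, packet) pairs."""
    counts = {}
    for client, packet in samples:
        try:
            label = classify(packet)
        except ValueError:
            label = "malformed"
        per_client = counts.setdefault(client, {})
        per_client[label] = per_client.get(label, 0) + 1
    return counts


# Constructed sample traffic, not a real capture.
SAMPLES = [
    ("192.0.2.10", build_query("www.example.org.", rd=False)),
    ("192.0.2.10", build_query("www.example.org.", rd=True)),
    ("192.0.2.20", build_query("www.example.com.", rd=True)),
    ("192.0.2.20", build_query("1.2.3.10.in-addr.arpa.", rd=True)),
    ("192.0.2.30", build_query("example.net.", rd=False)),
    ("192.0.2.40", b"\x12\x34\x01\x00\x00\x01"),   # truncated header
]

if __name__ == "__main__":
    for client, per_label in summarize(SAMPLES).items():
        print(client, per_label)
```

The "recursive" bucket is the one Andrew describes: clients asking an auth-only server to resolve names it does not serve. Because the classification is done from the capture rather than by named, it works the same for BIND 8 and BIND 9 and does not depend on the server's logging configuration.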