Discuss mailing list

["Niels Dettenbach (Syndicat IT&Internet)" <nd AT syndicat.com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



Alex <coyo AT darkdna.net> schrieb:

>> As a first starting point for security interested T1/T2 owners, we
>could
>> really try to have a "Secure OpenNIC Configuration" Wiki page where
>> detailed step-by-step instructions are given to secure your BIND
>> nameserver. What do you think?
>>
>Sounds like an excellent idea.

The main points of BIND security and setting up a widely secured (fully 
security is alwas a non real status) named is very well documented by 
different - more or less official - sources. From my view it makes sense to 
point at them by links.

There are just a very few config parameters who are especially fitting all 
T1/T2 operators which could be wikied, but the most important stuff comes 
from elswhere.

A major point of security is to have many different installations - differing 
by OS, distribution and network around. To work on just one security concept 
for all would be contraproductive.

I.e. most openNIC docs are related to Ubuntu or Cent OS and all Linuxes. If 
all or most operators use the same transparent documented  config on the same 
operating system this could be a very good source for potential attackers as 
they know the target systems. So difference is very important here as 
otherwhere in the DNS.

If you add a detailed, fixed emegency plan this would be a further source for 
attackers as these are by principle incomplete.


>> Alex #1 really has good points on what might happen. We could try to
>> work out a Emergency/Desaster Plan for server owners that they can
>read
>> through, if someone really does bad.

This is not really possible except for some minor tips especially for openNIC 
infrastructure. To run a halfway secure public DNS DNS and bind (or other dns 
service software) knowledge is a must. OpenNIC would destroy reliability if 
it targets low level, non skilled DNS operators as no DNS server often is 
just/still better then a wrong one ß)

The only thing you truely can tell someone with a corrupted or instable 
attacked DNS is to shut it down / take it away from openNIC as long as the 
situation is not solved clearly.


just my two cents here,


Niels.
- --
Niels Dettenbach
Syndicat IT&Internet
http://www.syndicat.com
-----BEGIN PGP SIGNATURE-----
Version: APG v1.0.8

iIEEAREIAEEFAk+i6WM6HE5pZWxzIERldHRlbmJhY2ggKFN5bmRpY2F0IElUJklu
dGVybmV0KSA8bmRAc3luZGljYXQuY29tPgAKCRBU3ERlZRyiDVprAJ9LM6Jx09ed
8iISGvOCIgvJcCPIowCffWNolF7Oy5XsqB3J7lH9e0jvZZQ=
=Gtiv
-----END PGP SIGNATURE-----