Page 2 - DNS Newbie - Whats the best W2k DNS?

Why you think adding encryption support to djbdns is possible when it isn't the only DNS software on earth as encryption support depends on both ends.
It's not like http to https, the existing DNS design (since day 1) and implementation on earth make it impossible.

There are already standards that exist. The reason I think it should be implemented is what if some large private network has BIND servers that use encryption on their records. djb needs to be able to talk to them, so if a client in that network wants to use djb as his resolver, he needs to be able to configure it to use those encryption standards whether it be private or public key or whatever.

Does dnscache have this ability? I've just been assuming it doesn't based on your defense.

But djb doesn't add craps to his existing software unless it's really essential.
As far as make use of it on private networks, you might not acknowledge, dnscache already has its own authorization mechanism since day 1.

Alright. Well, it's just my opinion then. I think it would be to djb's benefit if they supported the RFC standards for DNS encryption so that different servers and clients that use encryption can interoperate.

Just because the majority of authoritative DNS server run BIND does not mean their self-invented standards are for everyone to implement.
According to djb, RFC standards in DNS have too many flaws, wasting unnecessary Internet resources or so. Who invented all these? The BIND developers.
The more craps you add to your software, the more security holes your software will have. One of these craps, OpenSSL for instance, has a poor security record since 2001. According to djbdns:BIND itself has too many design flaws to be improved/fixed, why add another buggy 3rd party crap to your existing software for such a low/no gain.

1) Just because BIND has flaws doesn't mean djb will if they implemented the RFC DNS security standards

2) RFC DNS Security standards was not invented by BIND

RFC 2065 - "Name System Protocol Security Extensions"

Authors and Contributors of the RFC:

Donald E. Eastlake 3rd, Charles W. Kaufman

Harald T. Alvestrand, Madelyn Badger, Scott Bradner, Matt Crawford, James M. Galvin, Olafur Gudmundsson, Edie Gunter, Sandy Murphy, Masataka Ohta, Michael A. Patton, Jeffrey I. Schiller

Authors of BIND

Mark Andrews, James Brister, Michael Graff, David Lawrence, Michael Sawyer, Brian Wellington, Andreas Gustafsson, Bob Halley, Damien Neil, Danny Mayer, Matt Nelson, Ben Cottrell

1) djb must have his own reasons for that. If it's essential then it's possible in the near future, but who knows.
I'd never deny the fact that djb tends to have a "wait and see" attitude (in purpose to invent his own software to fix the bugs of the existing ones out there) rather than on the bleeding edge. The other fact is that, djb has yet to have a single security exploit on any of his software. For people who are more concerned about security, djbware is always the no.1 choice. For lazy sysadmins who also care about security, they can install it and forget it.
2) I wasn't refer to that particular RFC but many others.

1) I stated it was my opinion that djb would benefit from implementing RFC standardized DNS security. I've stated my reasons. djb may have a differnet opinion. He has his reasons. Theres nothing to argue about. It's an opinion.

2) I spent a bit longer this time with my research. BIND still didn't invent its own standards for the reasons below:

RFC 2065 "Name System Protocol Security Extensions" written in Jan 1997 was the first RFC written for DNS security. As stated above, this RFC's authors were/are not associated with BIND. At the time, BIND 4.2.1 wasn't even owned by ISC, and "Paul Vixie" (BIND's caretaker at the time, and current member of the BIND board of directors) is also not included in the author/contributor list.

RFC 2535 "Domain Name System Security Extensions" written in Mar 1999 replaced that RFC and updated several other major RFC's (2181, 1035, 1034) and is now the backbone RFC of DNS security.

Author: Donald E. Eastlake 3rd (IBM)

Contributors:

James M. Galvin, John Gilmore, Olafur Gudmundsson, Charlie Kaufman, Edward Lewis, Thomas Narten, Radia J. Perlman, Jeffrey I. Schiller, Steven (Xunhua) Wang, Brian Wellington

In bold you have an ISC BIND author acting as a contributor to the DNS security RFC. His role was providing suggestions in improving on a system that was already in place. He's a programmer, and is actively involved in the development of DNS security, however, he is not included on the BIND board of directors.

So in conclusion. BIND did not create the DNS security techniques that are outlined in the RFC. I did however find one BIND programmer who did aid (but not dictate) its evolution.

It is this RFC that I'm talking about when I say djb should incorporate it. Yes, there are other RFC's that involve security (such as TSIG) but in my opinion djb does not have to incorporate them. BIND did not write the RFC standardized dns security standard as provided by RFC 2535 which I feel is the forerunner to a future of public key encryption in all dns transactions.

I'm looking at SimpleDNS for Windows, seems to be something that I can work with very easily as an alternate to BIND.

http://www.jhsoft.com/

Could you guys comment on this product based on what you know / what you've heard / their claims. Unfortunately, I haven't really been able to find any useful reviews on this product (sans biased "ra-ra" information from people who have a personal stake in the company....)

If you don't have personal experience, perhaps you can formulate some opinions based on the claims in their FAQs.

I'm especially interested in the "DNS Spoofing" security option they mention on this page --

http://www.jhsoft.com/features.asp

is there any value to this?

What do you think?

Incorporating TSIG for zone transferring is a good sign to the BIND folks. In reality, zone transfer was just another crap being used by BIND. There's no such thing as zone transfer in djbdns. The nature of zone transfer is to copy the DNS zone records from master to slaves, as simple as that. Why reinvent the wheel for something that can be easily done with a dozen alternatives. Read here and see what djb says about it.

I don't know anything about SimpleDNS estekguy, nor do I want to. I use BIND cause before I ever used DNS software I knew the RFC standards and therefor BIND incorporated what I already knew best. I also chose BIND cause it is free, and open source, and is the most popular server out there and therefor has a ton of support. You may want to use SimpleDNS cause it's supposed to be simple. Just know that I, and probably most of us, wouldn't know how to help you if you run into trouble since we don't use it.

Running ANY kind of server on M$ platforms is just asking for troubles yourself. I don't hate M$, I use Win98SE as my desktop OS all the time. I just don't use it for servers, that's all.

Fair enough, Silent -- I guess I need to just download the latest version of BIND, run it locally for a while, and see if the runaway process happens again to me. BIND is reasonably easy enough to configure and set up so no reason not to give it a try... Thanks!

Freebsd - that's a sentiment many folks have (especially folks using Linux...) Certainly plenty of ammo for the opinion, and especially running into it with alot of server type issues.

Guess I just gotta keep watching the 10PM news for the next big security breach warning and hope I can download the patch in time

Just use a router or firewall and don't use IIS and you have extremely little to worry about from remote exploits. Your security is as strong as your most vulnerable open port.