Domain: isc.org
Stories and comments across the archive that link to isc.org.
Comments · 347
-
Re:Here is ISC's web page for delegation Only zone
-
Re:link to patch and example
Why is it so hard to make links from the urls? Anyway, here goes:
upgrade can be found here
There is no need to create a com or net data file. Just the
entries to the named.conf file is enough
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
Of course, if you use views, this needs to be provided within the relevant
view (the one performing recursive lookups).
quote from here -
Re:How will this work?
If you have a look here you'll see that the patch makes it possible to specify that certain zones (e.g. com. and net.) can only return NS records, and not A records, so (for example) A records in the com zone are ignored.
-
Re:But for how long
Here is the documentation for the patch. They don't hardcode an IP, they just have a way to say that wildcard records don't necessarily have to work everywhere. e.g. you can say that "*.foobar.com => 1.2.3.4" but you can't say that "*.com => 64.94.110.11".
-
Re:The new versions of BIND are already available
You can also have a look at this new page on the ISC site, which describes the feature (same paragraph as the one quoted in my previous message) and provides links to the patched versions and the corresponding announcements.
It also mentions that the new "delegation-only" option is meant to be used in the following way (in named.conf):
zone "foo" {
type delegation-only;
};
Obviously, you would replace "foo" by "com" and "net". Easy! Problem gone.
-
How it works
ISC has already released the patch. It's available at http://www.isc.org/products/BIND/delegation-only.html. What it does is let you specify any zone (ie. domain) whereby the server will filter out any wildcards from the authoritative server. -
The new versions of BIND are already available
Although the news is not on the BIND page yet, patches for the current versions 9.2.2 and 9.1.3 are already available. Only 9.2.3rc2 is currently listed on the page (as of this writing).
You can get the details from the bind-announce list archives:
All versions were released a few hours ago. Here is the common paragraph at the top of these three messages:
In response to high demand from our users, ISC is releasing a patch for BIND to support the declaration of "delegation-only" zones in caching/recursive name servers. Briefly, a zone which has been declared "delegation-only" will be effectively limited to containing NS RRs for subdomains, but no actual data outside its apex (for example, its SOA RR and apex NS RRset). This can be used to filter out "wildcard" or "synthesized" data from NAT boxes or from authoritative name servers whose undelegated (in-zone) data is of no interest.
Have fun downloading and installing!
-
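The filtering behaviour the announcement quoted above describes, modelled in Python as an added example (this is not ISC's code and not how BIND implements it internally). The record tuples, names and addresses are constructed, and keeping A/AAAA glue for the NS targets that survive is an assumption of this model, not something the announcement spells out.

```python
# Toy model of the "delegation-only" zone filter. Added example, not ISC code:
# it mimics the stated behaviour (keep apex data and NS delegations of
# subdomains, drop all other in-zone data such as wildcard-synthesized A
# records) on a list of resource records. Keeping A/AAAA glue for kept NS
# targets is an assumption of this model.
from typing import Iterable, List, Set, Tuple

RR = Tuple[str, str, str]  # (owner name, RR type, rdata)

# Zones declared "delegation-only", as in the named.conf snippets above.
DELEGATION_ONLY_ZONES = ["com", "net"]

# Constructed records, as they might arrive in responses from a TLD server.
# Names and addresses are made up (RFC 5737 test addresses).
SAMPLE: List[RR] = [
    ("com.", "SOA", "ns.example.net. hostmaster.example.net. 2003091501 7200 3600 1209600 3600"),
    ("com.", "NS", "ns.example.net."),             # apex NS RRset: kept
    ("ns.example.net.", "A", "192.0.2.1"),         # glue for the apex NS: kept (assumption)
    ("example.com.", "NS", "ns1.example.com."),    # delegation of a subdomain: kept
    ("ns1.example.com.", "A", "192.0.2.53"),       # glue for that delegation: kept (assumption)
    ("nonexistent-site.com.", "A", "192.0.2.99"),  # wildcard-synthesized answer: dropped
    ("www.example.org.", "A", "192.0.2.10"),       # not in a delegation-only zone: untouched
]


def canon(name: str) -> str:
    """Normalise a domain name to lower case with exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it (label-aligned)."""
    name, zone = canon(name), canon(zone)
    return name == zone or name.endswith("." + zone)


def filter_delegation_only(rrs: Iterable[RR], zones: Iterable[str]) -> List[RR]:
    """Return the records that survive delegation-only filtering.

    A record inside a delegation-only zone is kept only if it sits at the
    zone apex or is an NS record delegating a subdomain. Records outside
    every delegation-only zone pass through unchanged.
    """
    zones = [canon(z) for z in zones]
    records = [(canon(n), t.upper(), d) for n, t, d in rrs]
    kept: List[RR] = []
    glue_targets: Set[str] = set()
    for name, rtype, rdata in records:
        zone = next((z for z in zones if in_zone(name, z)), None)
        if zone is None or name == zone or rtype == "NS":
            kept.append((name, rtype, rdata))
            if rtype == "NS":
                glue_targets.add(canon(rdata))
    # Second pass so glue is kept regardless of where it appears in the list.
    for rr in records:
        name, rtype, _ = rr
        if rtype in ("A", "AAAA") and name in glue_targets and rr not in kept:
            kept.append(rr)
    return kept


def dropped(rrs: Iterable[RR], zones: Iterable[str]) -> List[RR]:
    """Convenience: the records the filter threw away."""
    records = [(canon(n), t.upper(), d) for n, t, d in rrs]
    survivors = filter_delegation_only(records, zones)
    return [rr for rr in records if rr not in survivors]


if __name__ == "__main__":
    for rr in dropped(SAMPLE, DELEGATION_ONLY_ZONES):
        print("dropped:", rr)
```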
the patch
Isn't it this one ?
I'm asking because the wording is quite hard to understand as my main language isn't English ;) -
Official ISC BIND 9 patch now available!
Grab it while it's hot
-
Haven't found a good solution for BIND 9... yet...
Sorry if this is already in the replies somewhere, but with the amount of response I figured I'd toss this up so people starting at the end looking forward for BIND 9 solutions/patches to this since I haven't really found anything solid yet.
http://marc.theaimsgroup.com/?l=bind9-workers&m=106372844023056&w=2
For those who don't recognize the name.
http://www.isc.org/ISC/vixie.html -
Re:DDOS in the making
I'm not an expert on the subject, but wouldn't that already be a problem with servers that do negative response caching? Granted, filling the negative cache with crap is less troublesome than the presumably more utilized positive cache, but I can't see how this would cause DNS servers to drop left and right.
-
Re:To keep this topic readable...
-
Re:That's cool.
While logging may not be too cool, controlling what goes on may be. The gui does a lot sure but you can do SO much more with rule based stuff. Like this machine can talk this way while that one can not...
How about a bind caching server ? How about a blackhole ad removal server? How about a time server? How about pushing the logs to another machine? While it may be slow these things do not have to be lightning fast, just fast enough. It is after all just a simple router. It's not meant for 300 machines all trying to get the internet. It's meant for like 4-5 computers. Also a 125mhz mips processor will do a lot more than an equiv x86 machine. The mips processor is AWESOME in pumping data. The limiting factor here will be the 16mb of memory... I used to work on a 25mhz 4 way mips machine. It wasn't till i got to a 766 x86 that I found a computer that was AS good.
Also some logging may not be a bad idea. As it is wireless do you REALLY trust it? What if your leet 12yr old neighbor decides your wireless is cool. Do you really trust him? Sure he may be exploring but do you want him in your network? No you want to know what is going on. And I don't know about you but the logging on this router, as it currently is, SUCKS. It just shows who and what. But does not show when and does not resolve the name. IP A.B.C.D means nothing to me, but www.yahoo.com DOES. I for one will be playing with it... -
ANZ privacy laws would be better driver than price
Time and time again, we've seen M$ offer special deals to large organisations that "decide" to use OSS by decree -- governments, universities, companies. (Could this be the motivation for issuing these decrees on the basis of price alone in the first place?)
We've also seen M$ or their proxies (e.g. SCO) take steps to punish organisations that stick with their OSS decisions. The threat implicit in the "ISC"'s choice (and shame on them for appropriating the good name of the real ISC) is that the first hint of any problem with OSS, and they'll raise a ruckus in the media and try to discredit the public officials who did not choose " the best " software for the job, but made an "ideological" choice.
The only argument that can stand up to this onslaught is that data formats need to be open, so that the owners of the data can maintain their ownership. This argument has been made brilliantly in other contributions to this discussion. We might add to that: the owners of the data need to be able to see the source code of the programmes and operating systems (particularly the network components) which manipulate and communicate those data in order to avoid theft, misuse and misappropriation of those data.
Australia and New Zealand have exceptionally strong privacy laws -- and these laws are enforced. People, government bodies, and even large corporations with deep pockets take these laws very seriously, even though Echelon seems to be exempt ( NB: This is a different discussion.). One way that South Australia could help itself stick by its decision to use OSS in the face of these lobbyists would be to refer to its own privacy legislation as the prime driver for OSS, rather than price alone.
-
Missing the point!
Poster is missing the point. Fvwm is not a minimalist WM! There are several minimalist WMs out there, and many of them are fairly nice, if that's your cup of tea. I think larswm is a pretty nice one, and the granddaddy of them all is 9wm. And there are a bunch of others, including, apparently, EvilWM. But Fvwm is not a minimalist WM! It's a full-featured WM that happens to use an amazingly small amount of memory. It does this by being highly modular, so that only the features you actually use get loaded. It's also amazingly configurable, considering how little memory it uses. (Another amazingly-powerful-considering-how-little-memory-it-uses WM is Window Maker -- I'm always amazed at how little memory this feature-filled WM uses.)
And looking at evilwm's web page, I have to say, there is no way I'd consider switching from fvwm. Their choice of hard-coded defaults do not match what I want. If someone wrote a minimalist WM that did have all the defaults set to what I want, then I might consider switching, but these guys aren't even close. (And even then, I'd have to find third-party equivalents for the fvwm modules I use, like the buttonbar.) -
Networking code
Depending on what you mean when you say "networking code" it could be argued that Linux does not use the BSD networking code. I believe the TCP/IP stack was written from scratch many years ago and does not include BSD code.
As for named, doesn't the ISC recommend that you use Version 9.x of BIND rather than the patched 4.x version shipped with a stock OpenBSD install? -
Re:Fizzer is not Curious Yellow, but it's close.
I do know there are cases of accidental "mutation" in older
.EXE/.COM infectors. This was believed due to inaccurate transmission over a modem line, flipping a bit or some such. Of course, most such viruses once damaged in this way don't work, but a few continued to do so with little change in their behaviour.
I would say the problem with applying real Darwin-like evolution in computer worms is simply that there aren't enough hosts. Therefore, I think it's probable that there's not enough room for random changes to be useful often enough for the evolution of new "species". My guess would be that computers compare well to cells in being attacked by virii/worms. Even a computer worm capable of infecting everything attached to the internet would only have a paltry 171 million victims to experiment with. In comparison, a single human has 6*10^13 cells potentially susceptible to living viruses!
Of course, the day when IPv6 & Bluetooth enabled nanobots are embedded in my deodorant may get us to a number of hosts sufficient for such experiments... -
Re:Cygnus... or if you need to give MS more $, MS
-
Re:Things Win2K has that neither UNIX or Linux have
Dynamic update between DHCP and DNS has been around for a short while now. Check out dhcp v3.x I'm setting it up at work right now with Bind 9... But I agree... Everything is in no way as integrated as the windows stuff. It's a trade off between ease of administration and security and stability though.
-
Re:DNS queries are for lamers
The ISC provides a port of BIND to Windows, too. See this link.
-
Re:Highlight...
Yup, they're rolling out anycast now. See this article on the Asia-Pacific rollout and this article on the rollout of a new replica of f.root-servers.net in Madrid.
-
Some problems with DNSSEC
First of all, my qualifications: I am an implementer of a freely downloadable functioning recursive DNS server; one of the five that exist (The other ones: 1, 2 3 [this one is in Python, which I consider a bit of a cheat], and, of course, 4).
That behind me, my thoughts on DNSSEC. The main problem with DNSSEC is that DNS itself has no concept of security; any attempt to add signatures has the issue of having to graft on signatures to a system not designed to have signatures. For example:
- A DNS packet can only be 512 bytes long; that really is not enough room to fit a signature.
- How do you sign the statement "this host name does not exist"? All of the solutions have a problem. We either have to put a private key on an internet connected computer, or we have to reveal all of the host names that exist in our network.
- Digital signatures add a good deal of workload to already overloaded recursive DNS servers.
- Sam
-
Re:TLD Question
There are basically two kinds of attacks...prevent the system from working (such as with a DDoS attack), or corrupt the data they serve by inserting, replacing or making unauthorized changes. The former is a pretty well understood networking problem for all kinds of protocols, although DNS by its design of being heavily distributed and mirrored has some natural immunity.
However the protection of the data that the TLD (or subdomain) servers hold is perhaps the most important. That data is after all what our beloved TLS/SSL web browsers use to verify the sites that we visit. All TLDs run with the DNSSEC extensions which includes all the crypto stuff which signs and protects the zone data, along with many other standard computer security techniques. There are even minimal requirements that all TLD servers must adhere to RFC2870, which contains some very interesting clues as to what they do. Also the Internet Software Consortium which runs the F root server sometimes provides information about their operations on their site; especially when they were bidding to take over the .org domain a while back. Diversity is the other protection, different TLD servers use different hardware and software as well as being located in different geopolitical regions. -
Re:Disappointing article
The predictions here were consistent with his '7 deadliest sins' which he frequently quotes. In fact, the article is in many ways just a more verbose version of them, with a few specific vulnerabilities thrown in for good measure.
Most of the predictions were "more of the same". I seriously doubt we'll be seeing "a major Cyberterrorism event" though -- I usually expect to hear this from sensationalists, not legitimate security experts. Think Steve Gibson. In fact, the theorized cause of these massive DDoS attacks is supposed to be windows systems, and the Raw Sockets are Evil thread is brought back to mind.
One big unforgivable mistake in the article: there was no bug in DNS -- there was a bug with BIND. Anyone using nameservers or libraries that were not part of BIND were unaffected. The fact that he assumes BIND is the only DNS server in the world is a big mistake, and one of the reasons DJBDNS doesn't get enough airtime.
Overall, I didn't see anything in the article that I didn't already see a hundred other places.
Personally, I'd like to hear what the authors of Hacking Linux Exposed have to say. Their book has a lot more grit and less soft-shoeing over the topics. Real World Linux Security has always been too full of stories and not enough answers for me. (Of course I bought the 2nd edition anyway.)
-
Re:THIS HAS GOT TO STOP!!
OH... SO SORRY NineNine, did I let the world know about your small penis too? Just to enlighten you a little more; I have nothing to do with Sublime Directory other than being a happy customer. I tried your site, but you have a completely crappy selection that failed to get me off. most of the sites had annoying ads that really got on my nerves. Sublime is much more varied than your site AND it works with Gnaughty!
You're the kind of trash that gives all of us bad names.
What's that you say? You're having DNS problems too? Go here and read up on BIND, it might help you out. Of course you're probably too stupid to even catch that joke. Fucking idiot fucknut. I will continue to troll you until you die...
-
What's the worst accessibility example?
There are a lot of sites out there that look great in the latest Microsoft-issued browser, but decompose badly in alternative browsers such as Opera, and are completely unusable in a text-based browser such as Lynx. Sadly, the formatting that breaks down so badly is often completely unrelated to the content.
Can you give some examples of sites that have excellent content, but are rendered useless for people with disabilities by presentation-level bells and whistles? -
Re:patches already available
Does MS fix their vulnerabilities that fast?
Considering that according to the BIND history page BIND4 has been out since the 80s and BIND8 since 1997, I'd say this isn't exactly a glowing example of OSS's "quick fixes". -
Re:BIND9
It's funny that they recommend this, yet F.root-servers.net (which is run by the ISC) runs bind 8.3.3.
F is a virtual server made up of multiple systems and runs ISC BIND 8.3.3 as its DNS server.
-
BIND9
Even ISC says to run BIND 9. So why aren't you doing it?
-
O'Reilly DNS and Bind book
How is this [named.root/db.cache] kept up to date? As the network administrator [of your local network], that's your responsibility. Some old versions of BIND did update this file periodically. That feature was disabled, though; apparently it didn't work as well as the authors had hoped. Sometimes the db.cache file is mailed to the bind-users or namedroppers list mailing list. If you are on one of those lists, you are likely to hear about changes. (pg 68)
Bottom line: If you run a nameserver it is your responsibility to keep it up to date. That includes knowing how changes are announced. BIND has also had several well known security problems. If you are running a version < 8.2.5 you should upgrade that as well. -
Re:that's not the issue
-
Obligatory Opera plug
I wanted to spend some quality time with Open Source by running Mozilla, but my need for a stable browser overrode my desire to contribute to the Greater Good.
So I run Opera -- the free version, with the annoying banner ad -- about 75% of the time. About 10% of my surfing is on He That Shall Not Be Named for sites that don't support Opera properly (like Citibank), and the other 15% is spent with Lynx. The Lynx time rises to near 100% at work, where it's a Good Thing to be able to surf without using a graphical browser. -
Re:iso mirrors available
the opendarwin project is not hosted by apple (would that make sense?) but rather by the internet software consortium. the problems were network bound not hardware bound and thus we may or may not have used an excessive amount of bandwidth shortly after the article was posted on slashdot. the files that were generating a majority of said traffic, have been mirrored elsewhere to alleviate the opendarwin's local resource consumption. oops.
-
Re:windows 2000
Either Linux or Windows 2000 Pro (i.e., not Server) will do a software RAID-5
Windows 2000 Pro WILL NOT do software RAID 5. Hell it won't even do RAID 1, RAID 0 is it. The Server versions will do software RAID 1 & 5.
If you like, you can run BIND on Windows 2000. I use it on Windows 2000 Server rather than Microsoft's offering. -
Re:postfix+amavis+clamav+spamassassin
Not sure what winbindd is, but I'm assuming it's a DNS server modeled after the ISC Bind (DNS Server)?
Clam Antivirus is a virus scanner, a command-line tool used to scan files for virus signatures. It will report whether it finds a virus or not. AmaVis is used as a filtering daemon for email. It unpacks MIME messages into multiple files, decompressing them if necessary, and runs the virus scanner over each file. If it finds a virus with its tools, it reports the results to the following (configurable, of course): the admin, the sender (I shut this off because of spoofing), and the receiver (you can shut off alerts sent to recipients that are off-site). The entire email is saved in a quarantine directory; it is not deleted.
The virus definitions file is updated by the members of the Open Antivirus project. Subscribe to their email list to get bleeding-edge, just found definitions. Otherwise, just let the clam antivirus updater fetch the definitions when the project updates them (1-2 day delay after a new virus is identified -- or at least it seems that way). Talk to the OpenAV guys for legit frequency info.
The only reason why we don't go with a commercial product is because most of these products charge by the number of recipients or users on the system, often requiring client licenses for each user as well. McAfee wanted WAY too much money for what we wanted to do, especially considering that we already have Norton Antivirus installed on the Windows and Mac machines (University site license). Why pay for something we already have?
To date, I haven't seen a virus come through amavis+clamav yet, but that is my own personal experience and that of our users.
Spamassassin is a different beast entirely. I use procmail scripts to intercept messages bound for email lists (served from ecartis) and filter them for spam. I also filter out VIRUS warnings sent by AmaVis. These filtered items get saved to a "spam" and a "virus" folder, and I wrote a cron job to report how many emails it finds in these folders twice per day. It's valuable to send these to individual recipients on the system, but not to a list.
Procmail is an important piece of the spam filtering process. Postfix can do content filtering, so I think it's certainly possible for me to have spamassassin tag EVERYTHING coming into the system, just like AmaVis does now. I just haven't pieced together how to do it yet. It would eliminate the need for users to run procmail recipes and drop the number of processes run on the server.
If you want to disinfect files, go commercially funded/grown software... that is, at least until the Open Antivirus people or another group come up with virus definition files that include instructions for disinfecting files.
-
Re:hasn't crashed yet
INN == InterNetNews, think Usenet server. That is a true definition of high volume serving.
-
Re:Pet Peeves....
-
It's not initials
sc is the full name of the program.
It was probably posted on comp.sources.unix or some such place back in the mid-80s.
Sc is not a product of National Semiconductor. It is supplied as is with
no warranty, express or implied, as a service to Usenet readers. -
Re:my thoughts
LOL! There's a difference between the original poster and I. You see, I have no qualms about my alias linking with my real identity. Riskable happens to be my 'public' alias. Also, I'm male and well over the 'age of consent' (which the original poster is not) so I don't think meeting strangers 'over the net' or 'seeing sexually explicit material online' would be too much of a problem.
Where do you get off that I'm a poor shell scripter?!? The only publicly available script that I've written that I could find is here
It was very simple and to the point. Besides, that was TWO YEARS ago. hehe, I've done a lot more scripting/improved since then.
My info is MUCH easier to find than the original poster (just do a whois query on my domain name). -
Re:These posts are annoying
Agreed. It should read something like this:
wizzy writes "Ireland's toplevel domain registry [ http://www.domainregistry.ie/] has a notice on Microsoft and Apple DHCP [http://www.isc.org/products/DHCP/] clients sending dynamic DNS updates per RFC2136 [http://www.ietf.org/rfc/rfc2136.txt]. The problem is they are not sufficiently careful about where they send it if they are in
or, perhaps: ...wizzy writes "Ireland's toplevel domain registry ( *) has a notice on Microsoft and Apple DHCP (*) clients sending dynamic DNS updates per RFC2136 (*). The problem is they are not sufficiently careful about where they send it if they are in
...I guess we should be happy that they don't link to Apple and Microsoft as well
;-) -
Re:How to Fix?
No idea about the Mac, but instructions for Windows can be found at http://www.isc.org/ml-archives/bind-users/2000/11/msg00109.html
It's pretty funny that the "Win2K is as good as Unix because you don't need to reboot it to change settings" mantra that I hear from MCSE's doesn't apply to this :o) -
Re:FAQs and Searchable Mailing Lists
If there's one thing I hate, it's Faq-o-Matic. I have never been able to get decent information out of such a mega-hyperlinked irritatingly-coloured monstrosity as Faq-o-Matic. That includes OpenLDAP's FAQ-o-Matic, Amanda's FAQ-o-Matic, Lynx's FAQ-o-Matic and FAQ-o-Matic's own FAQ-o-matic. Clicking a hundred links to get to a single paragraph that almost, but not entirely completely fails to answer the question is more annoying than not having an entry at all. And why does every FAQ-o-Matic seem to be hell-bent on experimenting in shades of puke for the colour scheme? Lynx's FOM doesn't follow this trend but damn near every single FOM on the planet is butt-ugly in addition to being terrible to navigate.
Provide FAQs in plain, easy to read HTML or text. Screw FAQ-o-Matic.
-
ISC conducts a few surveys every so often...
-
Or use Kerberos
Kerberos was developed at MIT and is used in many (most?) large-scale production systems. Source available.
Kerberos has been around since '88, opensource (MIT license). It is not developed at the breakneck pace of the more modern SSH and to my knowledge has had fewer exploit bugs in 14 years than the assembled flavors of (commercial *&* open) SSH have exhibited in the last 2 years.
Krb5 is not as slick as SSH, you can't use it for a poor-man's VPN; it uses a more expensive cipher (3DES) for both auth and fully enciphered network connections. Rsh, rlogin, rcp all available with strong encryption. It's not as easy to set up, nor well suited to very small networks but for my money where applicable it's a far more solid solution.
And yeah OpenSSH's seriously checkered security record has done very little to make me think of applying OpenBSD
.. thoughts? -
Well the fastest is probably...
-
Re:mirrors
We don't have any problem covering our bandwidth bills, because ISC graciously gives us bandwidth at no charge. I would like to get another server for redundancy, but that's a completely different issue.
As far as mirrors of other sites are concerned, that's what class-based queueing is for. If we are saturated (which we rarely are) traffic gets prioritized, with outbound mirrors getting high priority and our mirrors of other sites getting low priority.