From strenholme.usenet at gmail.com Fri May 13 14:24:52 2011
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Fri, 13 May 2011 13:24:52 -0500
Subject: [MaraDNS list] MaraDNS update
Message-ID: 

In today's snapshot of MaraDNS, I have reinstated the "PayPal donate"
button. I have upgraded employers and no longer have a conflict of
interest with receiving donations for the work I have done with MaraDNS.

Note that donations are on a strictly "tip jar" basis: If MaraDNS is
useful for you, please leave a tip. That said, I currently am not
selling technical support nor any other services.

It can be downloaded here:

http://www.maradns.org/download/2.0/snap/

I have also uploaded a Windows binary of the most current Deadwood snapshot:

http://www.maradns.org/deadwood/snap/

The next day I have planned to work on MaraDNS is two weeks from today:
May 27, 2011. I will probably not update MaraDNS unless someone reports
a bug here on the MaraDNS mailing list.

- Sam

From wayne.kroncke at tiscali.co.uk Sat May 14 00:35:30 2011
From: wayne.kroncke at tiscali.co.uk (wayne at tiscali)
Date: Sat, 14 May 2011 05:35:30 +0100
Subject: [MaraDNS list] MaraDNS update
In-Reply-To: 
References: 
Message-ID: <4DCE0692.5080403@tiscali.co.uk>

Thanks, Sam. Great work as always...

Best Regards,
Wayne Kroncke

On 13 May 2011 19:24, Sam Trenholme wrote:
> ...
>
> I have also uploaded a Windows binary of the most current Deadwood snapshot:
>
> http://www.maradns.org/deadwood/snap/
>
> ...
> - Sam

From MSands at EPLUS.com Thu May 19 11:28:48 2011
From: MSands at EPLUS.com (Mike Sands)
Date: Thu, 19 May 2011 11:28:48 -0400
Subject: [MaraDNS list] syntax and wildcards
In-Reply-To: <7.0.1.0.2.20110501033631.0623a8a0@jefsey.com>
References: <4DBB3F81.8030800@NorthTech.US>
	<20110429230635.GZ16041@linuxmafia.com>
	<7.0.1.0.2.20110501033631.0623a8a0@jefsey.com>
Message-ID: <2688766582E16041AFB400DD06CDCB7919608F28D2@EPEXMB02.epgpdom.com>

I'm having a bit of trouble with finding the right syntax to set up a
default record for a zone. I've been able to get it partially working.

I want to respond to requests for 'example.com' with the address for
'www.example.com'.

Using the wildcard record I've been able to get it to respond for
requests that don't exist in the db file like 'no-record.example.com',
but not when a user requests just 'example.com'.

Is there a better way to do this or is my syntax just wrong?

This is an example of what I have in my db file.

www.% +86400 A 10.1.10.10 ~
*.% +86400 A 10.1.10.10 ~

From MSands at EPLUS.com Thu May 19 11:41:52 2011
From: MSands at EPLUS.com (Mike Sands)
Date: Thu, 19 May 2011 11:41:52 -0400
Subject: [MaraDNS list] syntax and wildcards
In-Reply-To: <2688766582E16041AFB400DD06CDCB7919608F28D2@EPEXMB02.epgpdom.com>
References: <4DBB3F81.8030800@NorthTech.US>
	<20110429230635.GZ16041@linuxmafia.com>
	<7.0.1.0.2.20110501033631.0623a8a0@jefsey.com>
	<2688766582E16041AFB400DD06CDCB7919608F28D2@EPEXMB02.epgpdom.com>
Message-ID: <2688766582E16041AFB400DD06CDCB7919608F28DE@EPEXMB02.epgpdom.com>

Disregard, figured out it's just a standard A record.

-----Original Message-----
From: list-bounces at maradns.org [mailto:list-bounces at maradns.org] On Behalf Of Mike Sands
Sent: Thursday, May 19, 2011 11:29 AM
To: MaraDNS support mailing list
Subject: [MaraDNS list] syntax and wildcards

I'm having a bit of trouble with finding the right syntax to set up a
default record for a zone. I've been able to get it partially working.

I want to respond to requests for 'example.com' with the address for
'www.example.com'.

Using the wildcard record I've been able to get it to respond for
requests that don't exist in the db file like 'no-record.example.com',
but not when a user requests just 'example.com'.

Is there a better way to do this or is my syntax just wrong?

This is an example of what I have in my db file.

www.% +86400 A 10.1.10.10 ~
*.% +86400 A 10.1.10.10 ~

From remco at webconquest.com Thu May 19 12:21:46 2011
From: remco at webconquest.com (Remco Rijnders)
Date: Thu, 19 May 2011 18:21:46 +0200
Subject: [MaraDNS list] syntax and wildcards
In-Reply-To: <2688766582E16041AFB400DD06CDCB7919608F28D2@EPEXMB02.epgpdom.com>
References: <4DBB3F81.8030800@NorthTech.US>
	<20110429230635.GZ16041@linuxmafia.com>
	<7.0.1.0.2.20110501033631.0623a8a0@jefsey.com>
	<2688766582E16041AFB400DD06CDCB7919608F28D2@EPEXMB02.epgpdom.com>
Message-ID: <8Y.HIF@r78.nl>

On Thu, May 19, 2011 at 11:28:48AM -0400, Mike Sands wrote:
>
> I'm having a bit of trouble with finding the right syntax to set up a
> default record for a zone. I've been able to get it partially working
>
> I want to respond to requests for 'example.com' with the address for
> 'www.example.com'
>
> Using the wildcard record I've been able to get it to respond for
> requests that don't exist in the db file like 'no-record.example.com'
> but not when a user requests just 'example.com'
>
> Is there a better way to do this or is my syntax just wrong?
>
> This is an example of what I have in my db file.
>
> www.% +86400 A 10.1.10.10 ~
> *.% +86400 A 10.1.10.10 ~

Hi Mike,

Adding a record like

% +86400 A 10.1.10.10 ~

to your zone file should do the trick.
Cheers,

Remco

From strenholme.usenet at gmail.com Fri May 27 10:09:30 2011
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Fri, 27 May 2011 09:09:30 -0500
Subject: [MaraDNS list] MaraDNS update
Message-ID: 

I didn't update MaraDNS today because no one has reported any bugs in
the last two weeks: http://set.tj/+ke98

- Sam

From Bradley at NorthTech.US Fri May 27 15:50:05 2011
From: Bradley at NorthTech.US (Bradley D. Thornton)
Date: Fri, 27 May 2011 12:50:05 -0700
Subject: [MaraDNS list] MaraDNS update
In-Reply-To: 
References: 
Message-ID: <4DE0006D.2020509@NorthTech.US>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

That's a good thing Sam ;)

On 05/27/2011 07:09 AM, Sam Trenholme wrote:
> I didn't update MaraDNS today because no one has reported any bugs in
> the last two weeks: http://set.tj/+ke98
>
> - Sam

- -- 
Bradley D. Thornton
Manager Network Services
NorthTech Computer
TEL: +1.760.666.2703 (US)
TEL: +44.203.318.2755 (UK)
http://NorthTech.US
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Find this cert at x-hkp://pool.sks-keyservers.net

iQEcBAEBAwAGBQJN4ABtAAoJEE1wgkIhr9j3scMIAKG5li/oWrXcZ6w87wzlF0JZ
1ZSSYg4yb/CIWTdD7JScNzCp1dLaS40DgaBmDtwP7fxk80KJsrrhN+zzE8SLBfS3
fLevIGefxm8QbpjovlYWWZgJOA2Tii3yRRaKc9N5gMLAzycv9MgMncwUeW/fdkCB
JBiQI1Ex2UafVjKDkMXEZCZFYdqvq7e1JMxi25fx/JEt/Hc+uKLNccnKovH14Zp6
7nxL1g8hKBs5RVV3ZvcrZqKQprOlHN7u1WqCeFPw3FIvh/D+Iiumg3p+F9dXRxoD
xvhMLZt0z7pJ3Geu0fGnWTJl4TZIrRppqtBmo07XHUTl6S+g/31e+MW5UrJN0q0=
=Cm0P
-----END PGP SIGNATURE-----

From dkowis at shlrm.org Fri May 27 16:56:06 2011
From: dkowis at shlrm.org (David Kowis)
Date: Fri, 27 May 2011 15:56:06 -0500
Subject: [MaraDNS list] Having trouble running maradns and deadwood on the same host
Message-ID: <4DE00FE6.5060708@shlrm.org>

I'm unable to run both the authoritative nameserver and the recursive
nameserver on the same box on separate interfaces. Here's a paste of
all the dig requests that I've tested with, then my configuration
follows. (vorador is a different host on my network)

Also, during my setup of this stuff, I found I had to specify the root
servers if I wanted to specify an authoritative server for a different
domain, which is different behaviour than I had before with maradns
1.4. Not a show stopper, just was difficult to figure out.

Thanks in advance for your help.

=======================================================================
Ask the recursive DNS where google is... works

[root at vorador ~]# dig @10.10.220.235 www.google.com

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> @10.10.220.235 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5020
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         47      IN      CNAME   www.l.google.com.
www.l.google.com.       47      IN      A       74.125.227.18
www.l.google.com.       47      IN      A       74.125.227.19
www.l.google.com.       47      IN      A       74.125.227.17
www.l.google.com.       47      IN      A       74.125.227.20
www.l.google.com.       47      IN      A       74.125.227.16

;; Query time: 0 msec
;; SERVER: 10.10.220.235#53(10.10.220.235)
;; WHEN: Fri May 27 15:44:52 2011
;; MSG SIZE  rcvd: 132

# ask recursive dns where my webserver is, should return a CNAME and
# eventual ip of 10.10.220.205, instead it does nothing.
[root at vorador ~]# dig @10.10.220.235 www.shlrm.org

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> @10.10.220.235 www.shlrm.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36173
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.shlrm.org.                 IN      A

;; AUTHORITY SECTION:
shlrm.org.              86400   IN      SOA     shlrm.org. dkowis.shlrm.org. 169287225 7200 3600 604800 1800

;; Query time: 0 msec
;; SERVER: 10.10.220.235#53(10.10.220.235)
;; WHEN: Fri May 27 15:44:55 2011
;; MSG SIZE  rcvd: 74

# Ask the authoritative DNS server where www.shlrm.org is, works.
[root at vorador ~]# dig @10.10.220.232 www.shlrm.org

; <<>> DiG 9.7.3-RedHat-9.7.3-1.fc14 <<>> @10.10.220.232 www.shlrm.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44322
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.shlrm.org.                 IN      A

;; ANSWER SECTION:
www.shlrm.org.          86400   IN      CNAME   shlrm.org.
shlrm.org.              86400   IN      A       10.10.220.205

;; AUTHORITY SECTION:
shlrm.org.              86400   IN      NS      turel-a.shlrm.org.

;; ADDITIONAL SECTION:
turel-a.shlrm.org.      86400   IN      A       10.10.220.232

;; Query time: 2 msec
;; SERVER: 10.10.220.232#53(10.10.220.232)
;; WHEN: Fri May 27 15:52:49 2011
;; MSG SIZE  rcvd: 99

CONFIGURATIONS:
=======================================================================
I've got two interfaces on the host, configured with different IP
addresses, just to get that out of the way.

root at turel:/etc# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3E:3A:6E:C7
          inet addr:10.10.220.235  Bcast:10.10.220.255  Mask:255.255.255.0
          inet6 addr: 2001:1938:140:2:216:3eff:fe3a:6ec7/64 Scope:Global

eth1      Link encap:Ethernet  HWaddr 00:16:3E:DE:AD:00
          inet addr:10.10.220.232  Bcast:10.10.220.255  Mask:255.255.255.0
          inet6 addr: 2001:1938:140:2:216:3eff:fede:ad00/64 Scope:Global

I've got deadwood configured to be a recursive nameserver, also to
route requests for my domain internally to the authoritative maradns.
The mararc is configured as follows:
=======================================================================
hide_disclaimer = "YES"
verbose_level = 10
csv2 = {}
csv2["shlrm.org."] = "db.shlrm.org"
ipv4_bind_addresses = "10.10.220.232"
chroot_dir = "/etc/maradns"
=======================================================================

dwood3rc is:
=======================================================================
ipv4_bind_addresses = "10.10.220.235"
chroot_dir = "/etc/maradns"
recursive_acl = "10.10.220.0/24"
verbose_level = 200
root_servers = {}
root_servers["shlrm.org."] = "10.10.220.232"
root_servers["220.10.10.in-addr.arpa."] = "10.10.220.232"
root_servers["."] = "198.41.0.4,"
root_servers["."] += "2001:503:BA3E::2:30,"
root_servers["."] += "192.228.79.201,"
root_servers["."] += "192.33.4.12,"
root_servers["."] += "128.8.10.90,"
root_servers["."] += "192.203.230.10,"
root_servers["."] += "192.5.5.241,"
root_servers["."] += "2001:500:2F::F,"
root_servers["."] += "192.112.36.4,"
root_servers["."] += "128.63.2.53,"
root_servers["."] += "2001:500:1::803F:235,"
root_servers["."] += "192.36.148.17,"
root_servers["."] += "2001:7FE::53,"
root_servers["."] += "192.58.128.30,"
root_servers["."] += "2001:503:C27::2:30,"
root_servers["."] += "193.0.14.129,"
root_servers["."] += "2001:7FD::1,"
root_servers["."] += "199.7.83.42,"
root_servers["."] += "2001:500:3::42,"
root_servers["."] += "202.12.27.33,"
root_servers["."] += "2001:DC3::35"
=======================================================================

From sebastiano at datafaber.net Fri May 27 17:50:54 2011
From: sebastiano at datafaber.net (Sebastiano Pilla)
Date: Fri, 27 May 2011 23:50:54 +0200
Subject: [MaraDNS list] Having trouble running maradns and deadwood on the same host
In-Reply-To: <4DE00FE6.5060708@shlrm.org>
References: <4DE00FE6.5060708@shlrm.org>
Message-ID: <4DE01CBE.4020101@datafaber.net>

David Kowis wrote:
> I'm unable to run both the authoritative nameserver and the recursive
> nameserver on the same box on separate interfaces.

David,

I have almost the same setup on my CentOS box at home, the only
difference being that Deadwood listens on an aliased interface. I'm
pasting my configuration files in the hope that they may help; while
probably not perfect, they work for me. They are quite similar to
yours; the only thing that looks different is that you're missing the
filter_rfc1918=0 line, which I suppose is the source of your issue.

mararc:
==============================
ipv4_bind_addresses = "192.168.88.4"
chroot_dir = "/etc/maradns"
csv2 = {}
csv2["home.lan."] = "db.home.lan.conf"
verbose_level = 1

dwood3rc:
==============================
bind_address="127.0.0.1, 192.168.88.3"
chroot_dir="/var/run/deadwood"
dns_port=53
filter_rfc1918=0
maximum_cache_elements=1024
recursive_acl="127.0.0.1/8, 192.168.88.1/16"
reject_mx=0
root_servers={}
root_servers["home.lan."]="192.168.88.4"
root_servers["."]="198.41.0.4,"
root_servers["."]+="192.228.79.201,"
root_servers["."]+="192.33.4.12,"
root_servers["."]+="128.8.10.90,"
root_servers["."]+="192.203.230.10,"
root_servers["."]+="192.5.5.241,"
root_servers["."]+="192.112.36.4,"
root_servers["."]+="128.63.2.53,"
root_servers["."]+="192.36.148.17,"
root_servers["."]+="192.58.128.30,"
root_servers["."]+="193.0.14.129,"
root_servers["."]+="199.7.83.42,"
root_servers["."]+="202.12.27.33"
tcp_listen=1
timeout_seconds=30
timeout_seconds_tcp=30
upstream_servers={}
verbose_level=3

Best regards
Sebastiano Pilla

From dkowis at shlrm.org Fri May 27 18:04:10 2011
From: dkowis at shlrm.org (David Kowis)
Date: Fri, 27 May 2011 17:04:10 -0500
Subject: [MaraDNS list] Having trouble running maradns and deadwood on the same host
In-Reply-To: <4DE01CBE.4020101@datafaber.net>
References: <4DE00FE6.5060708@shlrm.org> <4DE01CBE.4020101@datafaber.net>
Message-ID: <4DE01FDA.2030002@shlrm.org>

On 05/27/2011 04:50 PM, Sebastiano Pilla wrote:
> David Kowis wrote:
>> I'm unable to run both the authoritative nameserver and the recursive
>> nameserver on the same box on separate interfaces.
>
> David,
>
> I have almost the same setup on my CentOS box at home, the only
> difference being that Deadwood listens on an aliased interface. I'm
> pasting my configuration files in the hope that they may help, while
> probably not perfect they work for me. They are quite similar to yours,
> the only things that looks different is that you're missing the
> filter_rfc1918=0 line, which I suppose is the source of your issue.

That was indeed the source of my issue. It was filtering out
authoritative responses for my local IPs. Everything works wonderfully
with that option in my dwood3rc file.

I couldn't find anything about that command option in the documentation
online. Could you add a question to your FAQ?

Thanks,
David

From dkowis at shlrm.org Fri May 27 18:09:11 2011
From: dkowis at shlrm.org (David Kowis)
Date: Fri, 27 May 2011 17:09:11 -0500
Subject: [MaraDNS list] Having trouble running maradns and deadwood on the same host
In-Reply-To: <4DE01FDA.2030002@shlrm.org>
References: <4DE00FE6.5060708@shlrm.org> <4DE01CBE.4020101@datafaber.net> <4DE01FDA.2030002@shlrm.org>
Message-ID: <4DE02107.4070000@shlrm.org>

On 05/27/2011 05:04 PM, David Kowis wrote:
> On 05/27/2011 04:50 PM, Sebastiano Pilla wrote:
>> David Kowis wrote:
>>> I'm unable to run both the authoritative nameserver and the recursive
>>> nameserver on the same box on separate interfaces.
>>
>> David,
>>
>> I have almost the same setup on my CentOS box at home, the only
>> difference being that Deadwood listens on an aliased interface. I'm
>> pasting my configuration files in the hope that they may help, while
>> probably not perfect they work for me. They are quite similar to yours,
>> the only things that looks different is that you're missing the
>> filter_rfc1918=0 line, which I suppose is the source of your issue.
>
> That was indeed the source of my issue. It was filtering out
> authoritative responses for my local IPs.
> Everything works wonderfully
> with that option in my dwood3rc file.
>
> I couldn't find anything about that command option in the documentation
> online. Could you add a question to your FAQ?

http://www.maradns.org/deadwood/doc/Deadwood.txt

Ah, I did finally find it after searching for "filter_rfc1918". I don't
think I found that file when I was browsing the normal documentation page.

Thanks for making a handy DNS server, and for your help finding the issue.

David

From sebastiano at datafaber.net Fri May 27 18:18:24 2011
From: sebastiano at datafaber.net (Sebastiano Pilla)
Date: Sat, 28 May 2011 00:18:24 +0200
Subject: [MaraDNS list] Having trouble running maradns and deadwood on the same host
In-Reply-To: <4DE02107.4070000@shlrm.org>
References: <4DE00FE6.5060708@shlrm.org> <4DE01CBE.4020101@datafaber.net>
	<4DE01FDA.2030002@shlrm.org> <4DE02107.4070000@shlrm.org>
Message-ID: <4DE02330.2050500@datafaber.net>

David Kowis wrote:
>> I couldn't find anything about that command option in the documentation
>> online. Could you add a question to your FAQ?
>
> http://www.maradns.org/deadwood/doc/Deadwood.txt
>
> Ah, I did finally find it after searching for "filter_rfc1918" I don't
> think I found that file when I was browsing the normal documentation page.
>
> Thanks for making a handy DNS server, and for your help finding the issue.

Ah, I wish I was able to make such good software as Deadwood and MaraDNS...
Anyways, I think that a mention in the recursive server tutorial page [1]
would be a good idea, what do you think Sam?

[1]: http://www.maradns.org/tutorial/recursive.html

Best Regards
Sebastiano Pilla

From strenholme.usenet at gmail.com Sat May 28 08:51:46 2011
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Sat, 28 May 2011 07:51:46 -0500
Subject: [MaraDNS list] Having trouble running maradns and deadwood on the same host
In-Reply-To: <4DE02330.2050500@datafaber.net>
References: <4DE00FE6.5060708@shlrm.org> <4DE01CBE.4020101@datafaber.net>
	<4DE01FDA.2030002@shlrm.org> <4DE02107.4070000@shlrm.org>
	<4DE02330.2050500@datafaber.net>
Message-ID: 

I will update the FAQs (MaraDNS FAQ and Deadwood FAQ; recursive
tutorial) to point out Deadwood's default built-in DNSwall
functionality. [1] [2] The next day I plan to work on MaraDNS/Deadwood
is on June 10, 2011. [3]

- Sam

[1] This information is included in the CHANGELOG for Windows users,
but that doesn't help UNIX-clone users.

[2] The reason for this is because Deadwood was designed as a DNS
server for web surfing, either running on localhost or in a router. It
may not be the best DNS server for mail hubs, since MTAs need to make
two queries to find out where to deliver mail (the MX query, then an A
or AAAA query), and because no one has used Deadwood as a DNS server
for mail hubs and let me know how well it works for them. I would also
like to know how well Deadwood works as a name server on an IPv6
network.

[3] I hope to have time to release Deadwood 3.0.03 because the bug of
stopping resolution of a name if we get a REFUSED reply upstream for
non-AAAA queries [4] which I fixed in the daily snapshots [5] is
fairly significant.

[4] Some brain-dead DNS servers give a REFUSED reply when asked for an
AAAA query. See
http://maradns.blogspot.com/2010/09/new-deadwood-snapshot-better-handling.html

[5] http://maradns.org/deadwood/snap

2011/5/27 Sebastiano Pilla :
> David Kowis wrote:
>>>
>>> I couldn't find anything about that command option in the documentation
>>> online. Could you add a question to your FAQ?
>>
>> http://www.maradns.org/deadwood/doc/Deadwood.txt
>>
>> Ah, I did finally find it after searching for "filter_rfc1918" I don't
>> think I found that file when I was browsing the normal documentation page.
>>
>> Thanks for making a handy DNS server, and for your help finding the issue.
>
> Ah, I wish I was able to make such good software as Deadwood and MaraDNS...
> Anyways, I think that a mention in the recursive server tutorial page [1]
> would be a good idea, what do you think Sam ?
>
> [1]: http://www.maradns.org/tutorial/recursive.html
>
> Best Regards
> Sebastiano Pilla
>

From Bradley at NorthTech.US Sat May 28 15:13:04 2011
From: Bradley at NorthTech.US (Bradley D. Thornton)
Date: Sat, 28 May 2011 12:13:04 -0700
Subject: [MaraDNS list] Having trouble running maradns and deadwood on the same host
In-Reply-To: 
References: <4DE00FE6.5060708@shlrm.org> <4DE01CBE.4020101@datafaber.net>
	<4DE01FDA.2030002@shlrm.org> <4DE02107.4070000@shlrm.org>
	<4DE02330.2050500@datafaber.net>
Message-ID: <4DE14940.5090109@NorthTech.US>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

While you're at it Sam, Can't you give us some things like this too?

[slackware-security] bind (SSA:2011-147-01)

It gets lonely over here because you won't introduce any kewl bugs in
MaraDNS ;)

On 05/28/2011 05:51 AM, Sam Trenholme wrote:
> I will update the FAQs (MaraDNS FAQ and Deadwood FAQ; recursive
> tutorial) to point out Deadwood's default built-in DNSwall
> functionality. [1] [2] The next day I plan to work on
> MaraDNS/Deadwood is on June 10, 2011. [3]
>
> - Sam

Kindest regards,

- -- 
Bradley D. Thornton
Manager Network Services
NorthTech Computer
TEL: +1.760.666.2703 (US)
TEL: +44.203.318.2755 (UK)
http://NorthTech.US
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Find this cert at x-hkp://pool.sks-keyservers.net

iQEcBAEBAwAGBQJN4UlAAAoJEE1wgkIhr9j3iBYH/2N8e1PbvyGOvLJVK/T38bMw
9wkwloY1d0EzDZpqA6Jbjjk62NN9W4XKjnwhTlnwOlH6N3rvjlruVEUrEH179/4H
Wy+ZqeAqU6RMhB2ERo2Y19UtZYu3U2gBf2VnZja9VtPB0jOAwTQCb6+TZ/Ul9Vw+
ogcGY4uGgMBydx9lfGkLWJdRXeCFrHQ+m/KQDmhpPVm4+eXGjOtx/JDtuNMePzxK
rW/kRkqO3PjSm5NrXyh/PR8e8BT03ZV7gKw0CiGh3KyESoz1YwVt+/83NS5jMXhl
JzPhpx0hXht0gOPKBNbGl2hMaYHjROFk1/9nEEFI4GGNZGzEKkpWZ/HQS59Rlb0=
=ffsn
-----END PGP SIGNATURE-----

From strenholme.usenet at gmail.com Sun May 29 08:50:52 2011
From: strenholme.usenet at gmail.com (Sam Trenholme)
Date: Sun, 29 May 2011 07:50:52 -0500
Subject: [MaraDNS list] Having trouble running maradns and deadwood on the same host
In-Reply-To: <4DE14940.5090109@NorthTech.US>
References: <4DE00FE6.5060708@shlrm.org> <4DE01CBE.4020101@datafaber.net>
	<4DE01FDA.2030002@shlrm.org> <4DE02107.4070000@shlrm.org>
	<4DE02330.2050500@datafaber.net> <4DE14940.5090109@NorthTech.US>
Message-ID: 

> It gets lonely over here because you won't introduce any kewl bugs in
> MaraDNS ;)

Well, there was CVE-2011-0520, which was really embarrassing. Yes, it
was a buffer overflow (MaraDNS' first, last, and hopefully only one).
No, it could not be exploited to escalate privileges because the
overflowed buffer's content was controlled by MaraDNS. Yes, when I
rewrote that code back in 2009 for Deadwood, I didn't make the same
mistake again (CVE-2011-0520 was a 2002 programming error).

I think the best way to honestly compare the security of FOSS DNS
servers is by looking at their Debian security record:

http://security-tracker.debian.org/tracker/source-package/djbdns (1 open, 1 resolved)
http://security-tracker.debian.org/tracker/source-package/maradns (1 open, 7 resolved) [1]
http://security-tracker.debian.org/tracker/source-package/bind9 (2 open, about 30 resolved)
http://security-tracker.debian.org/tracker/source-package/pdns (8 resolved)
http://security-tracker.debian.org/tracker/source-package/unbound (1 open, 3 resolved)

The "open" issue in MaraDNS is one I fixed over a year ago, but since
the powers that be at Debian don't feel it's an important enough issue
to backport a fix to the lenny branch, it is still an open issue in
their database. Sigh.

The djbdns security issue has been around since 2008 and never been
resolved (there is also another remote denial of service security
issue I discuss on my blog [2]); all the other nameservers are pretty
good about fixing bugs as they pop up.

- Sam

[1] 13 resolved security issues are listed at http://maradns.org/security.html

[2] http://samiam.org/blog/20110103.html

Summary: If you still think djbdns-1.05 is perfectly secure and
doesn't need to be updated [3], I hope you aren't deploying software on
live servers.

[3] Some idiot on Slashdot claims this about once every year. For
example: http://tech.slashdot.org/comments.pl?sid=2008894&cid=35291062
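Editor's note on the filter_rfc1918 thread above. What David Kowis hit is the
"DNSwall" behaviour Sam refers to: a recursive resolver that will hand a
client an RFC 1918 address learned from an outside source lets an attacker's
hostname resolve to a machine inside the network (DNS rebinding), so Deadwood
drops such answers unless told otherwise. The block below is an added Python
example written for this page to make that trade-off concrete; it is not
Deadwood's or MaraDNS's code, and its policy of trusting private answers only
when the query name falls under an operator-declared internal zone (the
internal_zones parameter, modelled loosely on the root_servers["shlrm.org."]
entry in the thread) is an assumption for illustration, not a description of
how Deadwood decides. The DNS packet it parses is constructed inline from the
names and address in David's dig output.

```python
# Added example (not Deadwood's or MaraDNS's code): a toy "DNSwall" in the
# spirit of Deadwood's filter_rfc1918 option. The trust policy below is an
# assumption for illustration; Deadwood's real behaviour is in Deadwood.txt.
import ipaddress
import struct

RFC1918_NETS = tuple(ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
TYPE_A, TYPE_CNAME, CLASS_IN = 1, 5, 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b"".join(struct.pack("B", len(lab)) + lab.encode("ascii")
                   for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode a name at pkt[off], following compression pointers; return (name, end)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_response(qname, answers):
    """Constructed test input: a NOERROR reply to 'qname A' carrying the given RRs."""
    pkt = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for owner, rtype, rdata in answers:
        wire = encode_name(rdata) if rtype == TYPE_CNAME else ipaddress.ip_address(rdata).packed
        pkt += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, 86400, len(wire)) + wire
    return pkt


def parse_response(pkt):
    """Return (qname, [(owner, rtype, rdata)]) from the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off, qname = 12, None
    for _ in range(qdcount):
        qname, off = decode_name(pkt, off)
        off += 4                                # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        owner, off = decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_A:
            rdata = str(ipaddress.IPv4Address(pkt[off:off + 4]))
        elif rtype == TYPE_CNAME:
            rdata = decode_name(pkt, off)[0]
        else:
            rdata = pkt[off:off + rdlen].hex()
        records.append((owner, rtype, rdata))
        off += rdlen
    return qname, records


def under_zone(name, zone):
    name, zone = name.lower().rstrip(".") + ".", zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def dnswall_filter(qname, records, filter_rfc1918=True, internal_zones=()):
    """Split records into (kept, dropped). With filtering on, A records in
    RFC 1918 space are dropped unless qname is under an internal zone, so an
    outside name cannot be made to resolve to an inside address (rebinding)."""
    trusted = any(under_zone(qname, z) for z in internal_zones)
    kept, dropped = [], []
    for rr in records:
        _owner, rtype, rdata = rr
        private = rtype == TYPE_A and any(
            ipaddress.ip_address(rdata) in net for net in RFC1918_NETS)
        (dropped if filter_rfc1918 and private and not trusted else kept).append(rr)
    return kept, dropped


# Constructed sample using the names from the thread: the answer the
# authoritative MaraDNS returns for www.shlrm.org.
SAMPLE = build_response("www.shlrm.org.", [
    ("www.shlrm.org.", TYPE_CNAME, "shlrm.org."),
    ("shlrm.org.", TYPE_A, "10.10.220.205"),
])


def demo(filter_rfc1918, internal_zones=()):
    """Run the sample through the filter; return the kept and dropped rdata."""
    qname, records = parse_response(SAMPLE)
    kept, dropped = dnswall_filter(qname, records, filter_rfc1918, internal_zones)
    return [r[2] for r in kept], [r[2] for r in dropped]
```

With the filter on and no internal zones, demo(True) keeps the CNAME but
drops the 10.10.220.205 A record, which is the shape of what David saw: a
reply with no usable answer. demo(False) reproduces the filter_rfc1918=0 fix
and returns both records, at the cost of the rebinding protection for every
name the resolver serves; demo(True, ("shlrm.org.",)) shows the narrower
alternative this example proposes, in which only names under the declared
internal zone are allowed to carry private addresses.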