On Apr 7, 2009, at 9:43 AM, Chandan Laskar wrote:

Hi,

We have deployed DNS on RHEL 5 Update 1. Below are the features of our
DNS.

1. Implemented OS Security Best Practice (e.g. Enable MD5 and
shadow passwords, Root Login Console Restricted, Configure SSH as an
alternative to Telnet, etc.).
2. Configured OpenSSL Version 0.9.8j.
3. Configured BIND 9.6.0-P1 with CHROOT Environment. So BIND is not
running as root user.
4. IPTABLES has been configured to block all the irrelevant ports.
5. Allow Update Feature in named.conf is not changed. So, by default
it is 'NO'.

After all the above-mentioned protection, do we really need to
incorporate DNSSEC Lookaside Validation (DLV) in our DNS?

Suggestion Please.

Your implementation is protecting the DNS server itself - very good.
The purpose of DLV is to ensure that the DNS data that your server
provides, and all DNSSEC data your server processes, is valid.

The DNSSEC/DLV configuration protects your DNS data from being
"spoofed" on another DNS server. It also keeps the DNS data
that your server may be handing out recursively from being
compromised. Protecting both sides of the DNS service for your users
is necessary (at least important).