cTLD and DNS upgrade
Kevin Darcy
kcd at daimlerchrysler.com
Fri Jul 8 02:45:28 UTC 2005
Stephane Bortzmeyer wrote:
>On Wed, Jul 06, 2005 at 10:24:04AM +1000,
> Mark Andrews <Mark_Andrews at isc.org> wrote
> a message of 55 lines which said:
>
>> That doesn't require a configure option. It just requires a
>> little reading.
>
>I know these options and I'm fairly certain that the other
>participants in that discussion know them too. I may not be able to
>rewrite BIND from scratch but I can read the ARM.
>
>The issue is security: as long as the code is there, in the running
>instance of BIND, a cracker may find a way to exploit it. If the code
>is not even there, it cannot be exploited. That's why a run-time
>option is not a substitute for a compile-time option. That's why
>authoritative-only name servers like nsd are nice, security-speaking:
>they have much less code.
>
Stephane,
Think through what you're saying here. You say you want the ability to
compile BIND with some sort of "authoritative-only" flag. Fine. But
you're still going to want something to resolve Internet DNS names,
right? After you've built your "authoritative-only" executable, are you
then going to compile BIND *again* with some sort of "resolver-only"
flag? So now you have two different executables that you need to manage
(probably with the same name, which could be very confusing). Now, let's
say a CERT warning comes out for a vulnerability in one of the common
routines that is linked into *both* of your executables. Now you have
two rounds of patching to do instead of just one, and if you happen to
miss one of those executables on one of those machines, you could be
open to attack. Twice as many chances to fail, twice as many chances to
get hacked. How is this better, from a security standpoint, than having
a single executable in the first place?
I agree, if you *only* serve authoritative zones, or if that's your
primary line of business, then it might make sense to have a specialized
program to do that. But for most of us, BIND is a general-purpose tool,
something we use more or less equally to *resolve* DNS names as to
*serve* them to outside clients. When used that way, it makes little
sense to have different compile-time options for different "flavors" of
named that you intend to run simultaneously in your infrastructure. That
just complicates the job of building, installing and maintaining BIND.
- Kevin
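For readers who want to see what the "little reading" in Mark's reply amounts to, here is an added example, not taken from any message in this thread, of the run-time restriction in named.conf (BIND 9 syntax; the zone name and file paths are placeholders). It only changes behaviour: the resolver code is still linked into the binary, which is exactly the point Stephane raises.

```conf
// Added example (not from the thread): a BIND 9 named.conf fragment that makes
// this instance answer only for the zones it serves. Paths and zone are placeholders.
options {
    directory "/var/named";          // placeholder path
    recursion no;                    // refuse to perform recursive lookups at all
    allow-recursion { none; };       // no client address may request recursion
    allow-query { any; };            // authoritative answers remain public
};

zone "example.com" {                 // placeholder zone
    type master;
    file "example.com.zone";         // placeholder zone file
};
```

After a reload, a query sent to this server with dig should come back with the RA (recursion available) flag cleared, which is the quick way to confirm the restriction took effect.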