Blog entries for "BIND"

Recently, at a BIND 10 Face to face meeting, we scheduled a short slot of time to discuss the features of a DNS forwarder. As part of the development process of the BIND 10 recursive resolver, we initially implemented a basic forwarder. As we added actual recursive resolver features, the original 'forwarding' mode was left in, and got some of the features that were added for the 'resolving' mode, mostly on an ad-hoc basis.

While many of you know ISC as the maintainer of the BIND DNS server software, we have always had our hand in the DNS operations field, including operating one of the 13 DNS root servers (F.ROOT-SERVERS.NET), as well as secondaring many ccTLD and non-commercial zones for over a decade. ISC has also been at the forefront of designing and implementing DNS Security Extensions (DNSSEC) which is a mechanism to cryptographically verify that the response given to a DNS request is correct.

ISC has recently become aware of a security advisory, CVE-2010-3762 filed against BIND 9 on October 5th 2010. ISC did not request this CVE, nor was it contacted by the submitter prior to its submission.

We believe the reported severity assessment of this CVE to be higher than is realistic. Specifically, because a recursive operator needs to have configured a specific zone to be trusted via adding a trust-anchor statement for it, we believe the impact of this vulnerability to be low.

I seem to read all the time that open source projects must be less secure, since the bad guys can look through the source code to find vulnerabilities. I was pleased to see an article today that takes the point of view that security through obscurity is not the right direction and that open source projects can be more secure than competing proprietary software.