NT vs. Unix DNS

David R. Conrad David.Conrad at nominum.com
Thu Apr 20 03:58:01 UTC 2000


Hi,

> The ISC released a new version that had the problems
> fixed, and before most people even knew the problem existed. 

True.  Unfortunately, people do not upgrade as rapidly as one might hope and
thus, when exploits were created for the bug introduced with (ironically
enough) the contributed DNSSEC code, sites running 8.2, 8.2-p1, and 8.2.1 were
vulnerable.  I have often thought Microsoft's "Windows Update" goop has much
to say for it in providing encouragement for people to upgrade, at least
conceptually... 

> The only problem with open source is that you need to be a bit cluey to use
> it. 

Yes, but one disadvantage of open source is that people who have enough clues
to figure out the code can more easily develop exploits for that code.  This
was the case with the NXT bug.  I believe it is unlikely that an exploit would
have been developed for the NXT bug as quickly as it was if we did not
practice full disclosure -- the particular bit of code was highly unlikely to
be exercised unless you knew where to look.  Unfortunately, we could not be
sure when the problem would be found, thus we stuck with our policy of
providing full disclosure after a remedy existed for some time.

> That, and the fact that most big companies want a support contract to go
> along with everything, and a company to sue if it all goes horribly wrong.

ISC provides referrals to organizations which will provide commercial support,
training, consulting, and other services for ISC supported packages.

Rgds,
-drc
Executive Director, ISC
VP Engineering, Nominum, Inc.


