NS record question

Brad Knowles brad.knowles at skynet.be
Tue Mar 27 09:52:55 UTC 2001


At 9:27 PM -0800 3/26/01, Doug Barton wrote:

>         First off, while there have been security issues in the past with
>  bind 8 code (and may be again in the future) for the most part the code is
>  in fairly good shape. Yes, it's ugly in places, but it's got collectively
>  millions of hours of operational experience, and has had lots of eyes on
>  it, black hats and white.

	Indeed, it has had a lot of people looking at it, and all of the 
ones I know of that have looked at it have found it extremely 
unpleasant.  There's dreckage and bletchery in there going back to 
the original undergraduate work done on BIND, long before Paul Vixie 
got involved, etc....

	I would not be at all surprised to find that there were another 
half dozen root compromises floating around in the BIND 8.2.3-REL 
code, the only thing is that they haven't been as widely distributed.

	Indeed, with the newer features added to BIND 8 (e.g., DNSSEC, 
etc...), those would seem to be far less secure, less fully 
implemented, and overall just less fully "cooked" than their 
implementations in BINDv9 -- even in 9.1.0, much less the latest 
release candidate for 9.1.1.
	Yes, there may be some remaining issues that BINDv9 has with 
regards to scaling and suitability for use in the largest possible 
environments (e.g., as a root nameserver), but for anything short of 
that kind of environment, the new "programming by contract" model, 
etc... should make the code more inherently secure, and overall much, 
much more robust.

	No, it's about time that people start making the upgrade, and 
cutting off all further development on BIND 8 (save bug fixes) is 
obviously going to be the only way to encourage them to do exactly 
that.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
