NS record question
Brad Knowles
brad.knowles at skynet.be
Tue Mar 27 09:52:55 UTC 2001
At 9:27 PM -0800 3/26/01, Doug Barton wrote:
> First off, while there have been security issues in the past with
> bind 8 code (and may be again in the future) for the most part the code is
> in fairly good shape. Yes, it's ugly in places, but it's got collectively
> millions of hours of operational experience, and has had lots of eyes on
> it, black hats and white.
Indeed, it has had a lot of people looking at it, and all of the
ones I know of that have looked at it have found it extremely
unpleasant. There's dreckage and bletchery in there going back to
the original undergraduate work done on BIND, long before Paul Vixie
got involved, etc....
I would not be at all surprised to find that there were another
half dozen root compromises floating around in the BIND 8.2.3-REL
code, the only thing is that they haven't been as widely distributed.
Indeed, with the newer features added to BIND 8 (e.g., DNSSEC,
etc...), those would seem to be far less secure, less fully
implemented, and overall just less fully "cooked" than their
implementations in BINDv9 -- even in 9.1.0, much less the latest
release candidate for 9.1.1.
Yes, there may be some remaining issues that BINDv9 has with
regards to scaling and suitability for use in the largest possible
environments (e.g., as a root nameserver), but for anything short of
that kind of environment, the new "programming by contract" model,
etc... should make the code more inherently secure, and overall much,
much more robust.
No, it's about time that people start making the upgrade, and
cutting off all further development on BIND 8 (save bug fixes) is
obviously going to be the only way to encourage them to do exactly
that.
--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
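What the "programming by contract" model in BINDv9 buys in practice, as an added example written for this archive page (it is not BIND code; the function, the buffer layout and the macro behaviour are assumptions made for illustration). BIND 9's own REQUIRE/ENSURE/INSIST macros live in isc/assertions.h and abort the process through its assertion handler when a check fails; the version below records the violation and returns an error instead, so the effect can be observed without killing the program:

```c
/*
 * Design-by-contract style input checking, in the spirit of BIND 9's
 * REQUIRE/ENSURE macros.  Illustrative code added for this page, not BIND
 * code: the names, the wire-format buffer struct and the "record and
 * return" behaviour of the macros are assumptions.
 *
 * The job: append one label to a wire-format DNS name.  The "legacy"
 * version trusts its caller completely; the "contract" version states its
 * preconditions up front and refuses to touch memory if they do not hold.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_NAME_MAXWIRE 255   /* RFC 1035: maximum wire-format name length */
#define DNS_LABEL_MAX     63   /* RFC 1035: maximum label length */

enum { CONTRACT_OK = 0, CONTRACT_FAILED = -1 };

/* Number of contract violations seen.  BIND 9 would abort() instead. */
static int contract_violations = 0;

/* Precondition check: in BIND 9 a failed REQUIRE calls the assertion
 * handler, which by default prints the expression and aborts.  Here it
 * logs, counts and returns an error (assumed behaviour for this demo). */
#define REQUIRE(cond) do { if (!(cond)) { contract_violations++; \
        fprintf(stderr, "REQUIRE(%s) failed at %s:%d\n", #cond, __FILE__, __LINE__); \
        return CONTRACT_FAILED; } } while (0)

/* Postcondition check, same handling as REQUIRE. */
#define ENSURE(cond) do { if (!(cond)) { contract_violations++; \
        fprintf(stderr, "ENSURE(%s) failed at %s:%d\n", #cond, __FILE__, __LINE__); \
        return CONTRACT_FAILED; } } while (0)

struct dns_name {
    uint8_t wire[DNS_NAME_MAXWIRE];  /* length-prefixed labels, no root byte yet */
    size_t  length;                  /* bytes used in wire[] */
};

/* Legacy style: no checks at all.  A label longer than 63 bytes, or a
 * name that is already nearly full, writes past the end of wire[]; this is
 * the kind of memory-safety defect the message above is worried about. */
void legacy_append_label(struct dns_name *n, const char *label, size_t len)
{
    n->wire[n->length] = (uint8_t)len;
    memcpy(&n->wire[n->length + 1], label, len);
    n->length += 1 + len;
}

/* Contract style: every assumption the body relies on is checked before a
 * byte is written, and the guarantee the caller relies on is checked after. */
int contract_append_label(struct dns_name *n, const char *label, size_t len)
{
    REQUIRE(n != NULL);
    REQUIRE(label != NULL);
    REQUIRE(len >= 1 && len <= DNS_LABEL_MAX);
    REQUIRE(n->length <= DNS_NAME_MAXWIRE);
    /* room for the length byte, the label, and the final root (0) byte */
    REQUIRE(n->length + 1 + len + 1 <= DNS_NAME_MAXWIRE);

    n->wire[n->length] = (uint8_t)len;
    memcpy(&n->wire[n->length + 1], label, len);
    n->length += 1 + len;

    ENSURE(n->length < DNS_NAME_MAXWIRE);
    return CONTRACT_OK;
}

/* Number of violations recorded so far (for the demonstration). */
int contract_violation_count(void)
{
    return contract_violations;
}

int main(void)
{
    struct dns_name n = { {0}, 0 };
    char big[100];                       /* constructed over-long label */
    memset(big, 'a', sizeof(big));

    printf("append \"www\": %d\n", contract_append_label(&n, "www", 3));
    printf("append 100-byte label: %d\n", contract_append_label(&n, big, 100));
    printf("violations recorded: %d\n", contract_violation_count());
    return 0;
}
```

The point of the pattern is not the macros themselves but that the function's assumptions are written down where the compiler and the reader can see them, and that a caller who breaks them hits a loud, immediate failure instead of a silent heap or stack corruption that surfaces later as a remote compromise.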