NS record question

Roy Arends Roy.Arends at nominum.com
Tue Mar 27 12:11:47 UTC 2001


On Tue, 27 Mar 2001, Brad Knowles wrote:

> 
> At 9:27 PM -0800 3/26/01, Doug Barton wrote:
> 
> >         First off, while there have been security issues in the past with
> >  BIND 8 code (and may be again in the future) for the most part the code is
> >  in fairly good shape. Yes, it's ugly in places, but it's got collectively
> >  millions of hours of operational experience, and has had lots of eyes on
> >  it, black hats and white.
> 
> 	Indeed, it has had a lot of people looking at it, and all of the 
> ones I know of that have looked at it have found it extremely 
> unpleasant.  There's dreckage and bletchery in there going back to 
> the original undergraduate work done on BIND, long before Paul Vixie 
> got involved, etc....
> 
> 	I would not be at all surprised to find that there were another 
> half dozen root compromises floating around in the BIND 8.2.3-REL 
> code, the only thing is that they haven't been as widely distributed.
> 
> 	Indeed, with the newer features added to BIND 8 (e.g., DNSSEC, 
> etc...), those would seem to be far less secure, less fully 
> implemented, and overall just less fully "cooked" than their 
> implementations in BINDv9 -- even in 9.1.0, much less the latest 
> release candidate for 9.1.1.
> 
> 
> 	Yes, there may be some remaining issues that BINDv9 has with 
> regards to scaling and suitability for use in the largest possible 
> environments (e.g., as a root nameserver), but for anything short of 
> that kind of environment, the new "programming by contract" model, 
> etc... should make the code more inherently secure, and overall much, 
> much more robust.
> 
> 	No, it's about time that people start making the upgrade, and 
> cutting off all further development on BIND 8 (save bug fixes) is 
> obviously going to be the only way to encourage them to do exactly 
> that.

I agree. Nothing to add.  

Roy Arends
Nominum



More information about the bind-users mailing list