NS record question
Roy Arends
Roy.Arends at nominum.com
Tue Mar 27 12:11:47 UTC 2001
On Tue, 27 Mar 2001, Brad Knowles wrote:
>
> At 9:27 PM -0800 3/26/01, Doug Barton wrote:
>
> > First off, while there have been security issues in the past with
> > bind 8 code (and may be again in the future) for the most part the code is
> > in fairly good shape. Yes, it's ugly in places, but it's got collectively
> > millions of hours of operational experience, and has had lots of eyes on
> > it, black hats and white.
>
> Indeed, it has had a lot of people looking at it, and all of the
> ones I know of that have looked at it have found it extremely
> unpleasant. There's dreckage and bletchery in there going back to
> the original undergraduate work done on BIND, long before Paul Vixie
> got involved, etc....
>
> I would not be at all surprised to find that there were another
> half dozen root compromises floating around in the BIND 8.2.3-REL
> code, the only thing is that they haven't been as widely distributed.
>
> Indeed, with the newer features added to BIND 8 (e.g., DNSSEC,
> etc...), those would seem to be far less secure, less fully
> implemented, and overall just less fully "cooked" than their
> implementations in BINDv9 -- even in 9.1.0, much less the latest
> release candidate for 9.1.1.
>
>
> Yes, there may be some remaining issues that BINDv9 has with
> regards to scaling and suitability for use in the largest possible
> environments (e.g., as a root nameserver), but for anything short of
> that kind of environment, the new "programming by contract" model,
> etc... should make the code more inherently secure, and overall much,
> much more robust.
>
> No, it's about time that people start making the upgrade, and
> cutting off all further development on BIND 8 (save bug fixes) is
> obviously going to be the only way to encourage them to do exactly
> that.
I agree. Nothing to add.
Roy Arends
Nominum