Is Bind still broken?

Doug Barton DougB at DougBarton.net
Wed Nov 20 02:12:46 UTC 2002


Please forgive a little troll-feeding, I hope it will have a relatively
useful purpose.


On Tue, 19 Nov 2002, dns wrote:

> ... when was the 'last' time you saw a security warning about djbdns,

Apparently, last Tuesday?  http://www.kb.cert.org/vuls/id/IAFY-5FTQNB

Although there is a much more important reason you don't hear as much
about security problems with djbdns: fewer people are looking at djbdns
for security problems. From the bad guy's perspective, since bind is
installed in a lot more places, you get more bang for the buck if you can
attack bind. From the perspective of a company like ISS, who wants people
to buy things, you get better publicity if you find vulnerabilities in
bind, since more people will care. It's simple economics.

> in my book, a "Remote ROOT compromise" 'feature' in ANY package,
> translates to 'broken'.  memory being what it is, i've forgotten what
> versions of bind "aren't" vulnerable.

All software has bugs. Even Dan's. Whether those bugs are discovered, or
significant, is another question entirely. Of course, there is also the
issue of selective implementation of the protocol(s). Of course, if you
don't include TSIG in your product, you won't have TSIG bugs. But those of
us who want TSIG, and DNSSEC, need to put up with the bugs on the way to
that goal.

>     it would seem the initial 'reaction' to the question, thoughtless.

English your is, very bad.

> a more reasoned approach understands bind's strengths, and weaknesses,
> accepting that it might be a legitimate question.

Ah ha! A rational point at last! The only problem is, you're in the wrong
forum. If this were a "discuss which name-server-like-thing is the best"
forum, your point would be well made. However, it's not. This is the BIND
forum. We all like BIND (ok, some of us more than others), and most of us
actually USE it. Your preference is obvious, and I say more power to you.

Doug


