Is Bind still broken?

Danny Mayer mayer at gis.net
Wed Nov 20 03:40:05 UTC 2002


At 08:18 PM 11/19/02, dns wrote:

>on "11-17-2002" "Danny Mayer" writ:
>
>: >     broken , it seems , taken in its most static meaning.  the argument
>:
>: That's as clear as mud. The major differences are what protocols they
>: support and how they handle zone transfers, AXFR or rsync,
>: dynamic update, TSIG, etc. What do YOU mean by broken?
>
>... when was the 'last' time you saw a security warning about djbdns, and
>bind.  in my book, a "Remote ROOT compromise" 'feature' in ANY package,
>translates to 'broken'.  memory being what it is, i've forgotten what
>versions of bind "aren't" vulnerable.

There are two answers to the reason for not seeing djbdns security
issues:
1) There are almost no servers running djbdns, so you're not going to
know about exploits; and
2) With almost every DNS running BIND that's the software to hack
since you have so many more chances of finding a broken server and
succeeding in your hack. I used this analogy once when comparing
attacks against Windows as opposed to Macs. With so many Windows
systems out there compared with Macs, why bother with Macs? Are there
problems and security holes in Macs? Of course. The same with djbdns.

>     it would seem the initial 'reaction' to the question, thoughtless.  a
>more reasoned approach understands bind's strengths, and weaknesses,
>accepting that it might be a legitimate question.

Which question? A question like "is Bind still broken?" is like asking
"when did you stop beating your wife?" It's a loaded question with lots
of unspoken assumptions built into it. Furthermore since the question
is generic, it could mean any number of things. If you think that any piece of
software can be perfect, you're living in another world. All software has
bugs. Fixing the found ones can be a very arduous and expensive
task. Are you expecting the ones that haven't been found to be fixed?


>: When only a few people know, you at least reduce the chances of it
>: being used. Hackers are very good and know what they're doing.
>
>... by extension then, a "good" cracker would want to get on the short
>list of them in the know.  you might recall, that the latest problems
>require 'command' of dns in the first place.

The people on that short list are known and identifiable which is not
exactly the profile of a hacker. In any case you need to pay to get
on the advance list and hackers are not going to be paying for the
privilege. Almost everyone on the list is working for companies that
develop or distribute their own DNS based on BIND and need the
advanced warning and time to develop their own fixes and announcements
regarding the problem.

Most of the good hackers are very good at it and understand programming
very well so it's not hard for them to have a command of dns in the
first place.



>: You don't think that Microsoft or any of the other vendors would do things
>: any differently do you?
>
>... my point exactly.  unlike you, i did not know isc and M$ had that
>much in 'common'.  i do not find that comforting ...

ISC works as quickly as possible to develop and test a fix and announces
it as soon as it is ready. For a non-commercial organization it does a much
better job of this than almost any business.

Danny