Is Bind still broken?

Joseph S D Yao jsdy at center.osis.gov
Wed Nov 20 23:09:44 UTC 2002


On Tue, Nov 19, 2002 at 05:18:39PM -0800, dns wrote:
...
> ... when was the 'last' time you saw a security warning about djbdns, and
> bind.  in my book, a "Remote ROOT compromise" 'feature' in ANY package,
> translates to 'broken'.  memory being what it is, i've forgotten what
> versions of bind "aren't" vulnerable.
...

If you cut out the following code and run it as a daemon, I will
guarantee you that you will never see any DNS compromises from it.

=======================================================================
#include <unistd.h>	/* sleep() */

int main(void)
{
	/* Never answer a query, never read a packet: just sleep, forever. */
	for (;;) {
		sleep(60*60*24);	/* one day at a time */
	}
}
=======================================================================

Neither will you ever see any DNS functionality from it.  djbdns is
fundamentally "broken" because it does not implement about half of the
DNS functionality from the RFCs.  It is easier to avoid risky parts if
you get to choose to avoid the risky parts.  BIND, on the other hand,
is commissioned to be the reference implementation for ALL of DNS.  Not
just the easy-to-get-right parts.

-- 
Joe Yao				jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support					EMT-B
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
