[SunRescue] Dont feel like running BIND for 10 systems

Greg A. Woods rescue at sunhelp.org
Mon Apr 2 14:15:51 CDT 2001


[ On Monday, April 2, 2001 at 10:22:56 (-0400), Kurt Mosiejczuk wrote: ]
> Subject: Re: [SunRescue] Dont feel like running BIND for 10 systems
>
> I would imagine that depends.  OpenBSD still uses BIND 4...

Wow.  I wouldn't have believed it if you hadn't said so and made me go
peek at their source tree!  Talk about an anachronism, and literally
quite stupid too!

> but it's
> been audited and they keep it up to date with patches.

There's only been one major patch to BIND-4 since 4.9.7, and they called
it 4.9.8-REL just to make it look good.  The OpenBSD repository does
show that they merged 4.9.8 about two months ago.

As for "auditing", well the BIND-4 code is so twisted inside out that
it's literally impossible to audit.  That's why there are so many ways
to cause it to blow up or do other unexpected nasty things.  That thing
is like a bunch of un-commented assembly code on the inside.  BIND-8 is
much better, though still borrows much from its predecessor.  Only
BIND-9 is a complete and total re-write (unfortunately done by some of
the same people who have deep experience with the old code, but you
can't still have your cake and have eaten it too).

There are probably only two or three people on the planet any more who
*together* might understand how BIND-4 works at a deep enough level to
be able to spot questionable things in a code audit, and both of those
people have been staring at that code for nearly a decade or more and
still it has major problems!

Neither of those two people have ever made any commits to the OpenBSD
repository, though the primary committer there has had a good deal of
experience with BIND-4 internals (I first saw him posting on the
bind-workers list in 1996 or so).

I was once one of the bind-4 developers and I once knew the code well
enough to follow a packet through the flow and figure out why a
specifically formed packet might cause some weird behaviour.  I don't
think any of my proposed fixes of any significance were ever correct
enough to make it into a release though....

In fact, according to the OpenBSD repository most of the fixes they've
made were done two years or more ago, yet they missed the bug which
was serious enough to cause Vixie to release 4.9.8.

The "stupid" part is that BIND-8 provides a large number of almost
infinitely valuable new features that make it both more manageable and
far more capable of running very large configurations too.  Even the new
configuration file format alone is worth the upgrade, not to mention new
features in the zone file format like $GENERATE.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>      <robohack!woods>
Planix, Inc. <woods at planix.com>; Secrets of the Weird <woods at weird.com>
