[SunRescue] djbdns, BIND, and DNS Security

Loomis, Rip rescue at sunhelp.org
Fri May 25 13:55:44 CDT 2001


Greg--
I've stated my opinions about djb, qmail, djbdns,
and related topics on this and other mailing lists
in the past IIRC.  To summarize, while I
respect djb's programming skills, his mode is "it's
my way or the highway".  Specifically, for DNS,
djbdns doesn't implement the standards, but rather
variants of some standards and a subset of the rest.

Same thing for qmail, which is why I use postfix-tls
instead.  (djb's software is much more interoperable
than Microsoft's, but some of the same "we know
better" philosophy/hubris seems to be involved in the
coding.  djb *may* in fact know that much better than
I do, but he hasn't convinced me yet.)

The customer paying for me to work on DNS has been
funding the BIND development (particularly BIND 9
and DNSSEC) for several years...plus I personally
prefer BIND to djbdns.

To each his own--I'm sure that some folks on this list
are using djbdns and others can benefit from it.  I
can't say anything negative about its security from
a code-writing/bug squashing standpoint--but I
personally only use it for interoperability testing
since it lacks certain features.

Yeah, I looked for a license for djbdns as well and
couldn't find it at cr.yp.to or in the tarball.  AFAIK
its license is similar to qmail, in that it is free
for any use but modified versions may not be distributed.
While I respect his right to prevent buggy derivative
works, it also means that if someone *does* find a bug
they can only distribute a patch and not a binary that
includes that patch.  When supporting customers who
don't have compilers on all their systems, that's another
non-starter (almost as bad as having no license at all).

As for BIND 8/9--the root servers have started to shift
over to 8.2.4, but none are consistently running BIND 9
yet.  8.2.[34] *should* be reasonably secure for most
folks and it's what our major customers are still running.
However, we've been testing BIND 9 long enough that we're
now running it on low-volume production nameservers and
we're happy with it.  YMMV.

--
Rip Loomis
Brainbench MVP for Internet Security
http://www.brainbench.com (Transcript 1923411)

> -----Original Message-----
> From: Gregory Leblanc [mailto:gleblanc at cu-portland.edu]
> Sent: Friday, May 25, 2001 1:37 PM
> To: rescue at sunhelp.org
> Subject: DNS Security (was: RE: [SunRescue] hosts file And 
> DNS files??)
> 
> 
> On 25 May 2001 09:54:10 -0400, Loomis, Rip wrote:
> [snip]
> > I'll be more than happy to help with the slave's config.
> > Anyone who needs basic (or advanced) DNS help please
> > feel free to contact me off-list--my more-or-less full
> > time job right now is DNS security and administration.
> > Needless to say, until we get everybody over to BIND 9,
> > the security part alone is keeping me busy...
> 
> Do you have any experience with djbdns?  Some people love it,
> and others hate it, but it comes with a security guarantee. :)
>     Greg
> 
> P.S.  Anybody found a license for that package?  I've looked, but
> haven't been able to figure it out.
> 
> -- 
> Troll, troll, troll your post
> Gently down the feed
> Merrily, merrily troll along
> A life is what you need...
> 
> _______________________________________________
> rescue maillist  -  rescue at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/rescue
> 
