DNS Security (was: RE: [SunRescue] hosts file And DNS files??)

Greg A. Woods rescue at sunhelp.org
Fri May 25 14:59:48 CDT 2001


[ On Friday, May 25, 2001 at 13:20:27 (-0500), Dan Debertin wrote: ]
> Subject: Re: DNS Security (was: RE: [SunRescue] hosts file And DNS files??)
>
> Put me in the "love" group. BIND is a flaming turd, in so many ways. It
> has been compromised countless times in the past, and it will be many
> times more in the future. Funny ... so has vixie-cron ... hmmmm .... I
> sense a trend here.
> 
> The developer of djbdns (Dan Bernstein) is a _total_ fruitcake. But he
> writes robust, secure software.

Just to put some sanity in this thread to go along with that last
paragraph:

        1. BIND-4 ("bsd-bind") flamed out long ago.  If anyone is still
           running it then they too deserve to go down in flames.

        2. as of BIND-8 ("vixie-bind") there have been relatively few
           vulnerabilities of any kind

        3. since BIND-8 there's been no excuse for running named as root
           and therefore all system compromises as a result of BIND are
           in fact the likely responsibility of the vendor and/or the
           local and ignorant administrator

        4. BIND-9 doesn't have a line of Vixie's code in it (well that
           may be a slight exaggeration, but it's not far from the truth)

        5. BIND-9 is not, IMHO, yet ready for production use

        6. my arm's length analysis suggests that no version of djbdns
           is yet suitable for production use either

        7. vixie cron has been compromised more often by third-party
           changes than by any faults in the original code

        8. vixie cron was written long long before BIND-8

        9. I don't personally like Vixie's code any better than djb's.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>     <woods at robohack.ca>
Planix, Inc. <woods at planix.com>;   Secrets of the Weird <woods at weird.com>