DNS Security (was: RE: [SunRescue] hosts file And DNS files??)

Greg A. Woods rescue at sunhelp.org
Fri May 25 19:02:37 CDT 2001


[ On Friday, May 25, 2001 at 14:00:49 (-0700), James Lockwood wrote: ]
> Subject: Re: DNS Security (was: RE: [SunRescue] hosts file And DNS files??)
>
> On Fri, 25 May 2001, Greg A. Woods wrote:
> 
> > Just to put some sanity in this thread to go along with that last
> > paragraph:
> >
> > 	1. BIND-4 ("bsd-bind") flamed out long ago.  If anyone is still
> >            running it then they too deserve to go down in flames.
> 
> I'm sure the OpenBSD dev team and their users value your opinion.

The "BIND-4" still used on OpenBSD is neither a verbatim BIND-4, nor is
it really secure either, though if I'm not mistaken they don't run it as
root any more so it's not a major vulnerability either.   By default
the real BIND-4 must always run as root, and as such it's a major
vulnerability for no good reason....
 
(Of course even BIND-9 still has one major un-acknowledged flaw that
opens up the possibility of remote root exploit -- it's just a little
trickier to exploit and won't work on all systems since it requires
several things to hang together in the right order.)

> That said, BIND 4 is still useful to work around certain bizarre SunOS 4
> quirks.  This would not be in an Internet-serving capacity, though.

Huh?  How do you figure that?  BIND-8 runs just fine on SunOS-4.
(provided of course that you've got an ANSI-C compiler ;-).

Yes, you might want to use my BIND-4 tools to integrate the BIND-4
resolver into libc on SunOS-4, but that doesn't mean you can't run
BIND-8's named (or that you have to run the BIND-4 named either, of
course).  It wouldn't take a decent systems programmer very long to
integrate even most of BIND-8's resolver into libc on SunOS-4 either.  I
had it mostly done but not packaged before I ditched supporting SunOS-4.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>     <woods at robohack.ca>
Planix, Inc. <woods at planix.com>;   Secrets of the Weird <woods at weird.com>


