[SunRescue] Don't feel like running BIND for 10 systems

Greg A. Woods rescue at sunhelp.org
Sat Mar 31 16:52:39 CST 2001


[ On Saturday, March 31, 2001 at 21:43:59 (+0200), Sebastian Marius Kirsch wrote: ]
> Subject: Re: [SunRescue] Don't feel like running BIND for 10 systems
>
> I might add that at the moment we're still running bind4, and because of
> 
> ---
> ISC has discovered or has been notified of several bugs which can result
> in vulnerabilities of varying levels of severity in BIND as distributed
> by ISC. Upgrading to BIND version 9.1 is strongly recommended. If that
> is not possible for your site, upgrading at least to BIND version 8.2.3
> is imperative.
> ---

If you're still running BIND-4 on a publicly accessible system then
you're so vulnerable it's just not funny (though most script kiddies
will only have canned exploits for common systems).

Any BIND-8 before 8.2.3 is also vulnerable to a remote exploit, though
as yet rumour has it that "in the wild" exploits only exist for some
Linux-based systems.

If you're running any BIND version as root then you're really not paying
attention and deserve to be hacked, cracked, and otherwise abused!  :-)

(BTW, of course ISC recommends BIND-9 -- they're paid to say as much!  I
won't run it in production yet though as there are just too many things
missing and there's a major, unfixed, vulnerability in its PID-file
handling that in combination with any other remote vulnerability might
possibly result in remote root exploits on some systems even when it's
running chroot'ed.)

> and numerous other security problems with bind, I thought it might be
> reasonable to look for alternatives. djbdns is one, doesn't have any
> known vulnerabilities (as far as I know), works very well (as far as I
> can tell), so I thought I'd rather use that.

BIND-8.2.3 has no known vulnerabilities (yet) either!  ;-)

Well, I don't like djb's designs that much (his code is usually pretty
solid) and so I still run BIND.  I'd like to run BIND-9 but it's just
not ready for prime time even though by name it's beyond the .0 phase.
Neither do I have time nor money to make it do what BIND-8 already does
for me....

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>      <robohack!woods>
Planix, Inc. <woods at planix.com>; Secrets of the Weird <woods at weird.com>


