Re: [suse-security] CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND (fwd)
DNSSEC.
Vapour. Doesn't exist at this time. (for use on the Internet) Will be implemented in djbdns when the infrastructure to support it is set up.
That's odd... since .mil is rolling it out, and I know other people using it.
Plus DJB's license sucks ass, it's almost impossible for vendors to ship his software, and for developers to work on it,
This is something I can understand. For distributors, it *is* nearly impossible to ship, and modifying and redistributing isn't allowed. Distributing patches however, is. This means you (as a sysadmin) will have to download and install djb-ware yourself. I don't have a problem with that, personally.
That's real useful for end users :P. Wietse (postfix guy) was smart, 100% compatible sendmail replacement, both in functionality and license. Qmail is NOT. Neither is djbdns a drop in replacement for Bind. Hence only a minor percentage of people will make the effort to use it.
qmail might indeed be getting a bit old, but there are many improvements available. (but I thought we were discussing BIND here :-) )
The same thing will happen to djbdns ultimately, since the only person that really does any work on DJB's software is DJB.
-Kurt
Not to mention, can you really trust "Joe Blow's" patch for DJB software when Joe Blow may not know the first thing about security? This means you're back to auditing all your code for yourself and you lose the "security" that DJB's software supposedly comes with. Seems kind of pointless in the end to me, not only do you end up with software that's not secure, you end up with a lack of features.
-miah

On Mon, Jan 29, 2001 at 04:00:48PM -0700, Kurt Seifried wrote:
The same thing will happen to djbdns ultimately, since the only person that really does any work on DJB's software is DJB.
On Mon, 29 Jan 2001 16:00:48 -0700, "Kurt Seifried" <listuser@seifried.org> wrote:
DNSSEC. Will be implemented in djbdns when the infrastructure to support it is set up. That's odd... since .mil is rolling it out, and I know other people using it.
Okay, I didn't know that.
This means you (as a sysadmin) will have to download and install djb-ware yourself. I don't have a problem with that, personally. That's real useful for end users :P. Wietse (postfix guy) was smart, 100% compatible sendmail replacement, both in functionality and license. Qmail is NOT. Neither is djbdns a drop in replacement for Bind. Hence only a minor percentage of people will make the effort to use it.
Why is "drop-in-replacement"==GOOD and "no drop-in-replacement"==BAD? I don't agree there. It's not that the programs are hard to install or something. On the contrary, IMHO.
The same thing will happen to djbdns ultimately, since the only person that really does any work on DJB's software is DJB.
Again, I don't agree. There are boatloads of enhancements and modifications for qmail (and less so for djbdns, but that doesn't exist as long). If you want a specific feature that isn't in standard qmail/djbdns, there most probably is a patch that you can apply in seconds. Again, very easy.
end
--
Jurjen Oskam * carnivore! * http://www.stupendous.org/ for PGP key
assassinate nuclear iraq clinton kill bomb USA eta ira cia fbi nsa kill president wall street ruin economy disrupt phonenetwork atomic bomb sarin nerve gas bin laden military
-*- DVD Decryption at www.stupendous.org -*-
If anyone is thinking of replacing BIND (not a good idea in some circumstances. I for one use the Dynamic DNS update features and DNSSEC functionality at some sites...) you may want to take a look at http://www.dents.org/ for a VERY nice new DNS server. It is very much in development at the moment, but it can do VERY cool things like having different algorithms for each zone. This allows you to hand out load balanced IP addresses differently for different sites!

If you use it in conjunction with SuperSparrow http://www.supersparrow.org/ you can do DNS responses based on BGP location (ie. Global Load Balancing). Test it out for yourself. Punch in http://www.au.supersparrow.org/ or http://www.supersparrow.org/ and all of you from the US should automatically get the IP for http://www.us.supersparrow.org/ It automatically picks the closest server to you and hands you that IP address. BIND (or DJBDNS) does not have the flexibility to do this sort of thing. Throw http://www.ultramonkey.org/ into the mix and we now have enterprise class scalability of networks. (http://www.vergenet.net/ is another one that you can play with. See what happens when you bounce through proxies in other countries!!!)

I guess the whole idea of Unix (tm) is that you can use whatever program you want, but the whole idea of Linux is that you can change the source of any program you want AND redistribute. I can see reasons why djbdns is useful (a small installation with no advanced requirements) but I'd highly recommend everyone else to either help make BIND more secure or help Dents grow up quicker. IMHO there is a place for non-free licenses, and that is the history books...

Here endeth my rant for the week...

Cheers
Nix

At 05:49 PM 30/01/2001, you wrote:
--- Nix - nix@susesecurity.com http://www.susesecurity.com
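The "different algorithms for each zone" and "answer based on where the client is" behaviour Nix describes above, as an added example that is not part of the thread and is not code from Dents or SuperSparrow. It assumes a constructed prefix-to-site table (standing in for the BGP-derived data SuperSparrow would supply), hypothetical zone names under example.org and documentation addresses from RFC 5737; the selection rule is a plain longest-prefix match, a simplification of BGP-based proximity.

```python
"""Per-zone DNS answer selection (added example, not from the thread).

Two policies are shown: a 'geo' policy that picks a site by longest-prefix
match on the querying address, and a round-robin policy. The tables below
are constructed for the example and stand in for real routing data.
"""
import ipaddress
from itertools import cycle

# Constructed: client prefix -> nearest site. The /25 deliberately overlaps
# the /24 so the longest-prefix rule has something to decide.
PREFIX_TO_SITE = {
    ipaddress.ip_network("192.0.2.0/24"): "us",
    ipaddress.ip_network("198.51.100.0/24"): "au",
    ipaddress.ip_network("198.51.100.128/25"): "nz",
}

# Constructed: site -> address handed out for the hypothetical www zone.
SITE_ADDR = {"us": "203.0.113.10", "au": "203.0.113.20", "nz": "203.0.113.30"}
DEFAULT_SITE = "us"  # used when no prefix matches (hypothetical choice)


def site_for_client(client_ip):
    """Return the site whose prefix most specifically covers client_ip.

    Walks the whole table and keeps the match with the longest prefix, so
    an overlapping /25 beats its enclosing /24. Falls back to DEFAULT_SITE.
    """
    addr = ipaddress.ip_address(client_ip)
    best_net, best_site = None, DEFAULT_SITE
    for net, site in PREFIX_TO_SITE.items():
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def geo_answer(client_ip):
    """Geo policy: the address of the site nearest (by prefix) to the client."""
    return SITE_ADDR[site_for_client(client_ip)]


class RoundRobin:
    """Rotating policy: ignores the client and cycles through the pool."""

    def __init__(self, addrs):
        self._pool = cycle(list(addrs))

    def answer(self, client_ip):
        return next(self._pool)


# Hypothetical zone -> policy dispatch: each name may use a different algorithm.
ZONE_POLICY = {
    "www.example.org.": geo_answer,
    "mail.example.org.": RoundRobin(["203.0.113.40", "203.0.113.41"]).answer,
}


def resolve(qname, client_ip):
    """Pick the A-record answer for qname as seen from client_ip.

    Returns None for names this server has no policy for, so the caller
    can emit NXDOMAIN rather than leaking a default address.
    """
    policy = ZONE_POLICY.get(qname)
    if policy is None:
        return None
    return policy(client_ip)


if __name__ == "__main__":
    for client in ("192.0.2.5", "198.51.100.5", "198.51.100.200", "10.0.0.1"):
        print(client, "->", resolve("www.example.org.", client))
```

One caveat a practitioner should keep in mind when reasoning about this technique: the address an authoritative server sees is that of the recursive resolver, not the end user, so "closest server to you" really means closest to your resolver; a client using a distant resolver (or bouncing through a proxy, as Nix suggests trying) is steered to the wrong site. The unmatched-name path returning None instead of a default address is deliberate, so that a misconfigured zone fails closed rather than answering for names it does not own.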
participants (4): Jeremiah Johnson, Jurjen Oskam, Kurt Seifried, Nix