CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND (fwd)
Hi all,

I haven't seen this on SuSE yet, so I thought I'd forward it. It seems almost every nameserver we have running is vulnerable. See:

http://www.cert.org/advisories/CA-2001-02.html

have fun upgrading :-(

Stefan
On Mon, 29 Jan 2001 16:16:53 +0100 (CET), Stefan Suurmeijer <stefan@symbolica.nl> wrote:
I haven't seen this on SuSE yet, so I thought I'd forward it. It seems almost every nameserver we have running is vulnerable. See:
http://www.cert.org/advisories/CA-2001-02.html
have fun upgrading :-(
You might want to take a look at http://cr.yp.to/djbdns.html .

end
--
Jurjen Oskam * carnivore! * http://www.stupendous.org/ for PGP key
assassinate nuclear iraq clinton kill bomb USA eta ira cia fbi nsa kill president wall street ruin economy disrupt phonenetwork atomic bomb sarin nerve gas bin laden military
-*- DVD Decryption at www.stupendous.org -*-
And run a DNS server incapable of doing any real features most people use in bind? I will admit that Dan Bernstein does write really nice code. But the one reason it's 'secure' is its complete lack of features.

-miah

On Mon, Jan 29, 2001 at 06:55:29PM +0100, Jurjen Oskam wrote:
You might want to take a look at http://cr.yp.to/djbdns.html .
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
[ reformatted for readability, fullquotes snipped -- sigh! ]

On Mon, Jan 29, 2001 at 10:17 -0800, Jeremiah Johnson wrote:
On Mon, Jan 29, 2001 at 06:55:29PM +0100, Jurjen Oskam wrote:
You might want to take a look at http://cr.yp.to/djbdns.html
And run a DNS server incapable of doing any real features most people use in bind? I will admit that Dan Bernstein does write really nice code. But the one reason it's 'secure' is its complete lack of features.
Not to spread FUD but to add facts to these "accusations": What exactly is it that you need from bind that's worth constantly opening up holes? I have yet to encounter a situation with DNS administration that makes me wish I had bind running. Serving zones, doing transfers, caching -- all's fine, fast and runs on low resources. What do I miss?

Is it compression? I have it in scp if I like -- builtin. Is it IPv6? I don't need it here in mid Europe (yet). Is it DNSsec? I wouldn't know whom to talk to with this method. And I'm not sure whom to believe anything when looking around ... BTW, not believing non-authoritative servers is one of the reasons why I use djbdns. "Poisoning" my cache is a little harder. Maybe it's complicated syntax or resource hogs? I can live very well without them. :)

So what exactly is "any real feature most people use in bind" that is lacking in djbdns?

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
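The "not believing non-authoritative servers" point above is the bailiwick rule: a cache only keeps records from a response whose owner names fall inside the zone the answering server was asked about, and discards everything else, so a reply cannot smuggle in records for unrelated names. The following is an added illustration written for this thread, not djbdns code; the record layout and all names and addresses are constructed sample data (reserved documentation ranges).

```python
"""Bailiwick filtering of a DNS response (added example, not djbdns code).

A resolver that has sent a query for a name under ZONE to a server delegated
for ZONE should cache only records whose owner name is ZONE or a subdomain of
it. Out-of-bailiwick records in the additional section are the classic cache
poisoning vector, so they are dropped instead of cached.
"""
from typing import Dict, List, Tuple

# A record is (owner_name, rtype, rdata). Constructed sample data only.
Record = Tuple[str, str, str]

# Constructed response to a query for www.example.com A, as returned by a
# server that is (supposedly) authoritative for example.com.
SAMPLE_RESPONSE: List[Record] = [
    ("www.example.com.", "A", "192.0.2.10"),          # answer section
    ("example.com.", "NS", "ns1.example.com."),        # authority section
    ("ns1.example.com.", "A", "192.0.2.53"),           # glue, in bailiwick
    ("www.bank.example.", "A", "203.0.113.5"),         # unrelated name: drop
    ("evilexample.com.", "A", "203.0.113.6"),          # suffix lookalike: drop
]


def normalize(name: str) -> str:
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is zone itself or lies strictly below it, label-wise.

    Comparing against "." + zone prevents 'evilexample.com.' from matching
    the zone 'example.com.' via a plain suffix test.
    """
    owner, zone = normalize(owner), normalize(zone)
    if zone == ".":
        return True  # the root zone contains every name
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone: str, records: List[Record]) -> Dict[str, List[Record]]:
    """Split a response into records safe to cache and records to discard."""
    kept: List[Record] = []
    dropped: List[Record] = []
    for rec in records:
        (kept if in_bailiwick(rec[0], zone) else dropped).append(rec)
    return {"cache": kept, "drop": dropped}


if __name__ == "__main__":
    result = filter_response("example.com", SAMPLE_RESPONSE)
    for rec in result["cache"]:
        print("cache:", *rec)
    for rec in result["drop"]:
        print("drop: ", *rec)
```

Run stand-alone it prints the three example.com records as cached and the two foreign records as dropped; the `evilexample.com.` entry is there to show why the check must be label-aware rather than a plain string suffix match.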
Hello,

I have got 2 DNS servers running djbdns - no problem, no missing features (maybe not yet).
administration that makes me wish I had bind running. Serving zones, doing transfers, caching -- all's fine, fast and runs on low resources. What do I miss?
Right!
Is it IPv6? I don't need it here in mid Europe (yet).
Right, and there is a patch available if you need it.
Maybe it's complicated syntax or resource hogs?

Complicated syntax with djbdns? Don't know what you are talking about :-) If you are used to bind then you might feel that djbdns has a complicated syntax - but look at it independently of previous customs. I like the djbdns syntax; it's much more "script friendly" :-).
Greetings, Stefan
On Tue, Jan 30, 2001 at 08:04 +0100, Stefan Nauber wrote:
administration that makes me wish I had bind running. Serving zones, doing transfers, caching -- all's fine, fast and runs on low resources. What do I miss?
[ ... ]
Maybe it's complicated syntax or resource hogs? Complicated syntax with djbdns? Don't know what you are talking about :-)
When somebody wants to get it wrong, he can -- no matter how much effort I put into wording things. :> The above still was one of the "things I should miss?" items. And as I stated: running djbdns I miss neither bind's insane syntax nor its resource consumption. While both programs would serve my basic needs, it's just that one of them is more complex and continuously causes problems I don't need in the first place. So I decided to use the light weight and easy one. And on top I got a secure and fast one.

I guess that bind users might have reasons for using this software, be it simply being used to using it or a real need in special cases. But speaking for the plain vanilla scenario of simply serving zones you own while doing transfers from and to other sites and caching for your LAN / customers I cannot see *any* valid reason why djbdns should miss something. It does all the average admin needs and does so _very_ well.

For those readers interested in making up an opinion of their own instead of repeating what others say about "lacks, doesn't suffice" or "it's great, you just don't see" I only can repeat the suggestion of looking over http://cr.yp.to/ and setting up a test scenario. Since this is a security list I expect people to not believe everything others tell them but to check themselves to make sure ... :) Although chances are quite good that people will be horrified by what they missed all the time and decide to move to djbdns ASAP, too. :>

Triggered by the thread I went to the above site today and found the "ad" section with the "ease of use" document quite amusing. It absolutely covers personal experience. Take this and visit the http://www.isc.org/ site to see the list of security problems in the recent past only. I don't want to work hard to secure my machines and then walk in and open them up to the world by installing a bloated program for an essential service. The "not implemented functionality cannot be done wrong" approach is really convincing. And anything more than enough is just too much with regards to security. When in the need of setting up a DNS server, I'll always take the more secure one, please! And I've yet to see what should push me to using bind.

And BTW I have looked at the dist.html file stating what distributors are allowed to do. I fail to see *any* point why any reasonable distribution should be disallowed. The foremost concern DJB states - cited from an ancient local doc - is "It is not acceptable to have DNScache working differently on different machines; any variation is a bug." If that's too hard a constraint (not satisfied with the fs layout? want to have nonfunctional software? want to have software not working as designed and advertised? want to search for and get mad about deviations between distros / platforms?), you seem to have other problems. But I haven't seen SuSE stating "we're not allowed to", it was just a "personal opinion" (I'm sure Kurt will correct me in case I'm wrong). Maybe somebody of the SuSE staff will have a second look and draw his own conclusions? The "I'm interested in hearing about any CDs that include the package" reads like DJB can very well imagine having his software in a distro ...

virtually yours
Gerhard Sittig
On 30 Jan 2001, at 18:37, Gerhard Sittig wrote:
For those readers interested in making up an opinion of their own instead of repeating what others say about "lacks, doesn't suffice" or "it's great, you just don't see" I only can repeat
Hi,

there surely are reasons to use bind. A real good one is the MS stuff: "all the others use it, so I am not more or less secure than them". If you are not a well experienced person, it surely is less complicated getting help if you use a widespread product, so if one asks a sendmail question it is more likely to get a million answers than if a qmail question is asked. Using both djbdns and bind 8.2.3 and 9.0.1 it does not make much of a difference. It could be harder to use djbdns in my ip6 environment, as bind packages are available from kame.

mike
On Mon, 29 Jan 2001 10:17:29 -0800, Jeremiah Johnson <jjohnson@penguincomputing.com> wrote:
And run a DNS server incapable of doing any real features most people use in bind? I will admit that Dan Bernstein does write really nice code. But the one reason it's 'secure' is its complete lack of features.
Okay, I'll bite. (Just this once, though. :-) ) Please name the (some) features you use in BIND that aren't available in the djbdns suite. Also, please explain what you mean by "real" features. And a remark: just saying things like "complete lack of features" without ANY justification at all doesn't look very convincing.

end
--
Jurjen Oskam
DNSSEC. views. basically anything new in bind 9 and a lot of the stuff in bind 8. Plus DJB's license sucks ass, it's almost impossible for vendors to ship his software, and for developers to work on it, I haven't seen too many major improvements in qmail recently, stuff sendmail/postfix have, etc.

Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net

----- Original Message -----
From: "Jurjen Oskam" <jurjen@quadpro.stupendous.org>
To: <suse-security@suse.com>
Sent: Monday, January 29, 2001 3:31 PM
Subject: Re: [suse-security] CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND (fwd)

On Mon, 29 Jan 2001 10:17:29 -0800, Jeremiah Johnson <jjohnson@penguincomputing.com> wrote:
And run a DNS server incapable of doing any real features most people use in bind? I will admit that Dan Bernstein does write really nice code. But the one reason it's 'secure' is its complete lack of features.
Okay, I'll bite. (Just this once, though. :-) ) Please name the (some) features you use in BIND that aren't available in the djbdns suite. Also, please explain what you mean by "real" features. And a remark: just saying things like "complete lack of features" without ANY justification at all doesn't look very convincing.
On Mon, 29 Jan 2001 15:34:03 -0700, "Kurt Seifried" <listuser@seifried.org> wrote:
DNSSEC.
Vapour. Doesn't exist at this time. (for use on the Internet) Will be implemented in djbdns when the infrastructure to support it is set up.
views.
Look at djbdns 1.04.
basically anything new in bind 9 and a lot of the stuff in bind 8.
I'm not familiar with bind 9: what are new features that aren't in bind 8 or djbdns?
Plus DJB's license sucks ass, it's almost impossible for vendors to ship his software, and for developers to work on it,
This is something I can understand. For distributors, it *is* nearly impossible to ship, and modifying and redistributing isn't allowed. Distributing patches, however, is. This means you (as a sysadmin) will have to download and install djb-ware yourself. I don't have a problem with that, personally.
I haven't seen too many major improvements in qmail recently, stuff sendmail/postfix have, etc.
qmail might indeed be getting a bit old, but there are many improvements available. (But I thought we were discussing BIND here :-) )

end
--
Jurjen Oskam
Heh, it does exist at this time, and it can actually be used. Freeswan is one program that currently uses it.

-miah

On Mon, Jan 29, 2001 at 11:54:38PM +0100, Jurjen Oskam wrote:
On Mon, 29 Jan 2001 15:34:03 -0700, "Kurt Seifried" <listuser@seifried.org> wrote:
DNSSEC.
Vapour. Doesn't exist at this time. (for use on the Internet) Will be implemented in djbdns when the infrastructure to support it is set up.
And run a DNS server incapable of doing any real features most people use in bind? I will admit that Dan Bernstein does write really nice code. But
totally with you Jurjen, I might guess that Jeremiah is referring to the fact that if you do a common "nslookup" it gives you a timeout from the nameserver. There's a way to set up nslookup to work with djbdns, but anyway djbdns comes with programs to do all that kind of queries, so I was just wondering what were those features of BIND.

Franco Galian

----- Original Message -----
From: "Jurjen Oskam" <jurjen@quadpro.stupendous.org>
To: <suse-security@suse.com>
Sent: Monday, January 29, 2001 7:31 PM
Subject: Re: [suse-security] CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND (fwd)

On Mon, 29 Jan 2001 10:17:29 -0800, Jeremiah Johnson <jjohnson@penguincomputing.com> wrote:

the one reason it's 'secure' is its complete lack of features.

Okay, I'll bite. (Just this once, though. :-) ) Please name the (some) features you use in BIND that aren't available in the djbdns suite. Also, please explain what you mean by "real" features. And a remark: just saying things like "complete lack of features" without ANY justification at all doesn't look very convincing.
Yeah, that's what I've been doing all morning. I was just wondering when the updates are going to be available. I'm running SuSE 6.4.

Marian

On Mon, 29 Jan 2001, Stefan Suurmeijer wrote:
have fun upgrading :-(
Yeah, that's what I've been doing all morning. I was just wondering when the updates are going to be available. I'm running SuSE 6.4.
Various vendors were made aware of this last Thursday. The new release was uploaded and made available Friday morning. Paul Vixie made a post on NANOG shortly after. Debian already has patches available and sent out an advisory first thing this morning.

I think it will be fun to see how long SuSE takes. SuSE has a long history of dragging their feet when it comes to releasing security updates. Why? I still have yet to figure that out.

M
"Mr. M" wrote:
Yeah, that's what I've been doing all morning. I was just wondering when the updates are going to be available. I'm running SuSE 6.4.
Various vendors were made aware of this last Thursday. The new release was uploaded and made available Friday morning. Paul Vixie made a post on NANOG shortly after.
I think it will be fun to see how long SuSE takes. SuSE has a long history of dragging their feet when it comes to releasing security updates. Why? I still have yet to figure that out.
I was under the impression that the vulnerabilities applied to pre 8.2.3 and 4.9.8? My SuSE 7.0 box came with 8.2.3-T5B.... Sorry if I missed something here.

Ken
--
Ken Hughes (kenh@ast-inc.com)            | There are three ways to get
Automated Systems of Tacoma, Inc.        | something done: do it yourself,
Information Technology                   | hire someone to do it, or forbid
253.475.0200(Voice) / 253.472.7164(Fax)  | your kids to do it.
participants (11)
- Franco Galian
- Gerhard Sittig
- Jeremiah Johnson
- Jurjen Oskam
- Ken Hughes
- Kurt Seifried
- Marian Dobre
- Mr. M
- Stefan Nauber
- Stefan Suurmeijer
- Thomas Michael Wanka