Mailinglist Archive: opensuse-security (757 mails)

< Previous Next >
Re: [suse-security] Is bind 9.1.0 secure?
  • From: Gerhard Sittig <Gerhard.Sittig@xxxxxxx>
  • Date: Mon, 21 Jan 2002 20:06:35 +0100
  • Message-id: <20020121200635.P1494@xxxxxxxxxxxxxxxxxxxxxxx>
[ Let's see how long this thread will continue and if this time
some new points are made or simply all the well known(?) facts
are repeated. I mostly participate with this message since I
feel many "spectators" / lurkers simply don't _know_ much else
but BIND -- if at all they know any alternative. That's why I
urge everyone with serious interest in the topic to actually
have a look at them before repeating the ubiquitous "all the
world is BIND" and "if others _say_ it's good it must be, I
don't need to check myself" mumble. ]

On Mon, Jan 21, 2002 at 04:14 -0700, Kurt Seifried wrote:
>
> This is a lot like Sendmail, older versions sucked, so they did a
> rewrite/audit and secured it reasonably well. Things change.
>
> http://www.isc.org/products/BIND/bind-security.html
>
> So far (knock on wood) Bind 9.x hasn't had any serious security bugs.

Well, I'm not positive if there haven't been such bugs or if
they simply haven't been discussed in public. I remember the
recent bugtraq mini thread which started with the MaraDNS
announcement (see <20020109123631.A24072@xxxxxxxxxxxxxxxxxxx>
and <20020110040505.24874.qmail@xxxxxxxx>).

Especially the message by DJB which wasn't accepted by the moderator
(http://cr.yp.to/djbdns/bugtraq/20010201072942-22539-qmail@cr-yp-to)
and the links therein caught my interest: As much as some of us
might dislike his wording or doggedness(id?) in some respects, he
often (always?) has a valid point to make. As long as those
urging questions are still left unanswered (are the new BIND
developers really different from those drunken monkeys who
wrote previous versions? is the code really a new rewrite or
just added bloat on top of previous acked crap? has none of the
many severe acked bugs been security relevant? who else besides
DJB actually *guarantees* the software's functionality and
robustness? etc) I somewhat doubt ISC's announcements and put
them into the same drawer where I put Bill Gates' latest "we're
heading for secure products and put features behind" blurb. Once
I can see that things improve, I might change my mind. But until
then I'm sceptic when looking at the recent history.

In contrast I have yet to see djbdns die on me when it's pushed by
the outside world with all the [snip] in it. And frankly speaking
setting up djbdns I never had to watch its logs too closely. It
simply runs. Reliably and without hogging resources. Plus once
you get the concept it's way much easier to handle than "the
standard" in any day-to-day scenario, see the "ease of use"
comparison on the cr.yp.to site. Admittedly I don't need
any of the "missing" features (SecDNS, dynamic updates). But I
assume neither do most of the people still running BIND. I can
only explain people use BIND because they're too lazy to change
or just don't know there's something else out there. Very few
will be prevented from changing since the alternative lacks
features. And it's still left to further discussion if missing
features are better handled by a separate tool (and to return to
the most asked for: djbdns *does* support AXFR -- as a server
as well as a client, it's just not done in the process which
holds the authoritative data and serves record requests).

Regarding the license which keeps distributors from providing
packages I don't have any problems here. Most people only
understand "I don't get a binary, so I stick with what comes
with the CD". They don't see the point behind where DJB actually
states "employ the software in the way it was designed by me and
I will guarantee that it *will* work as designed and announced".
To repeat the above point: Who else does this? Plus I'm always
free to get the source and modify (patch) it should I wish for a
different behaviour. What else could I want?


To conclude: djbdns _definitely_ is worth a look. And if it
only was to see that things can be done differently. :) But
those who don't _need_ BIND probably will stick with djbdns once
they get over the "being different" (BTW: what's the point in
running any kind of UNIX on a PC when they always come with
Windows preinstalled? If "what's usually preinstalled MUST
be good for me" is not a valid excuse then why should be "most
others run BIND, so do I"?).


virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@xxxxxxx
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

< Previous Next >