Re: Announcing a new DNS server implementation

From: D. J. Bernstein (djb@cr.yp.to)
Date: 01/10/02


Date: 10 Jan 2002 04:05:05 -0000
From: "D. J. Bernstein" <djb@cr.yp.to>
To: bugtraq@securityfocus.com

bugtraq@artemas.reachin.com writes:
> First of all, BIND 9 is a complete rewrite of BIND, which, so far, has
> not had one security problem reported with it.

I have two questions. First, why has ISC reported all the crash-BIND-8
bugs on its ``BIND security'' page and in CERT advisories, but none of
the crash-BIND-9 bugs?

(The primary ``security'' mechanism in BIND 9 is a fragility mechanism:
BIND 9 commits suicide if it gets confused, or if you poke it sharply,
or if you simply think bad thoughts in its general direction. The BIND 9
change log is full of reports of easily triggered crashes.)

Second, how much money do I get from ISC if I look at the BIND 9 code
and find, for example, a bug letting attackers take over the server?

> This release has undergone months of testing by a volunteer crew, and
> I believe that we have most of the bugs ironed out.

I have three questions. First, what exactly do you mean by ``found some
security problems'' in your change log for 0.8.99? Why doesn't the
change log explain exactly what the problem is and what its impact is?

Second, how much money do I get from you if I look at your code and
find, for example, a bug letting attackers take over the server?

Third, bottom line: How serious are you about security? I don't just
mean chroot and stralloc. I don't just mean ``strive to be secure.'' And
I certainly don't mean Microsoft's ``we'll try but we guarantee you that
we'll fail.'' _Will_ your software be secure?

---Dan

P.S. I also have a question for the bugtraq moderators. You regularly
accept BIND 9 advertisements from the BIND authors, and you've accepted
this MaraDNS advertisement from the MaraDNS author. Why did you reject
http://cr.yp.to/djbdns/bugtraq/20010201072942-22539-qmail@cr-yp-to,
specifically the final paragraph about djbdns, as ``marketing''?
