Re: Announcing a new DNS server implementation

From: D. J. Bernstein (djb@cr.yp.to)
Date: 01/10/02


Date: 10 Jan 2002 04:05:05 -0000
From: "D. J. Bernstein" <djb@cr.yp.to>
To: bugtraq@securityfocus.com

bugtraq@artemas.reachin.com writes:
> First of all, BIND 9 is a complete rewrite of BIND, which, so far, has
> not had one security problem reported with it.

I have two questions. First, why has ISC reported all the crash-BIND-8
bugs on its ``BIND security'' page and in CERT advisories, but none of
the crash-BIND-9 bugs?

(The primary ``security'' mechanism in BIND 9 is a fragility mechanism:
BIND 9 commits suicide if it gets confused, or if you poke it sharply,
or if you simply think bad thoughts in its general direction. The BIND 9
change log is full of reports of easily triggered crashes.)

Second, how much money do I get from ISC if I look at the BIND 9 code
and find, for example, a bug letting attackers take over the server?

> This release has gone under months of testing by a volunteer crew, and
> I belive that we have most of the bugs ironed out.

I have three questions. First, what exactly do you mean by ``found some
security problems'' in your change log for 0.8.99? Why doesn't the
change log explain exactly what the problem is and what its impact is?

Second, how much money do I get from you if I look at your code and
find, for example, a bug letting attackers take over the server?

Third, bottom line: How serious are you about security? I don't just
mean chroot and stralloc. I don't just mean ``strive to be secure.'' And
I certainly don't mean Microsoft's ``we'll try but we guarantee you that
we'll fail.'' _Will_ your software be secure?

---Dan

P.S. I also have a question for the bugtraq moderators. You regularly
accept BIND 9 advertisements from the BIND authors, and you've accepted
this MaraDNS advertisement from the MaraDNS author. Why did you reject
http://cr.yp.to/djbdns/bugtraq/20010201072942-22539-qmail@cr-yp-to,
specifically the final paragraph about djbdns, as ``marketing''?