Re: Bind 8 bug experience

From: Paul Theodoropoulos (paul@anastrophe.com)
Date: 11/15/02

    Date: Fri, 15 Nov 2002 09:37:43 -0800
    To: bugtraq@securityfocus.com
    From: Paul Theodoropoulos <paul@anastrophe.com>
    
    

    There is an alternative to this insanity. It's called djbdns, and it is
    proven secure, and proven reliable. I've been using it in production for a
    year now, and performance has been flawless. Thousands of other
    administrators will offer the same assessment. BIND is a security mess -
    that's an empirical fact that can't be denied by anyone who has been on
    the net any appreciable amount of time.

    Why worry about timelines for advisories or patches or updates concerning
    this core service of the internet? Far easier to use software that has been
    proven to be secure and reliable from concept to execution (pun intended).

    http://cr.yp.to/djbdns.html

    MODERATORS: considering the 100% 'meta' quality of the post I'm replying
    to, I certainly hope that you'll post this 'advisory'. People need to be
    aware that there are alternatives to BIND. It's a disservice to the
    community to *not* allow through a pointer to software that could save tens
    of thousands of administrators this endlessly repeating headache of systems
    being vulnerable to exploit via one of the single most crucial parts of the
    internet infrastructure - DNS. All you need to do is look at the history of
    exploits for BIND, and compare it to djbdns - even if you throw out all the
    years of data for BIND from before djbdns's release.

    At 06:41 AM 11/14/2002, Olaf Kirch wrote:
    >The whole thing was a mess. Timelines for the publication of _anything_,
    >from advisories to patches to updates, were either non-existing or
    >shifting all the time.

    Paul Theodoropoulos
    http://www.anastrophe.com
    http://folding.stanford.edu
    The Nicest Misanthrope on the Net
