[KLUG Members] DNS question

Jamie McCarthy members@kalamazoolinux.org
Sun, 20 Jan 2002 13:22:44 -0500


stevemax@vbisd.org (Steve Spear) writes:

> We are getting ready to build a new machine with linux and a
> newer version of dns. We are currently using 4.9.7 I believe and
> we want to go to 8.x or 9.x.
> 
> Which version do you think is the best and has most of the
> security bugs worked out?

4.x is known to be riddled with security holes and denial of service
holes.  8.x's reputation is not much better.

9.x's reputation is great, no known problems.  This is because they
do not release its source code except to a high-paying cabal, so
whatever security holes it has, only the black-hats know about them.
If you prefer the danger you don't know to the one you do, then 9.x
is for you.

On the other hand, there's djbdns, a completely open-source DNS
server which offers a cash reward for anyone who can find a security
hole in it.  Nobody's claimed it.  I've been running it on OpenBSD
for the last year and it works great.

I can't personally vouch for how well it scales, since I just use it
for everyday use on my home LAN.  But the author claims it handles
huge loads comparable to BIND 8.x or 9.x without exhibiting the same
lockups and crashes, and I haven't seen anyone refute that claim.

http://www.djbdns.org/

or http://cr.yp.to/djbdns/ which ironically does not seem to be
resolving at the moment.  I wonder if there's trouble in the .to
TLD.

Here's a recent excerpt from Dan J. Bernstein, the "djb" in "djbdns",
to Bugtraq:


====== Forwarded Message ======
Date: 1/9/02 12:36 PM
Received: 1/9/02 4:02 PM
From: bugtraq@artemas.reachin.com
To: Bugtraq@securityfocus.com

About a year ago, there was a thread on Bugtraq, the result of which was 
people asking for a new implementation of a DNS server, since people felt 
that BIND was insecure, and because people felt that DjbDNS had a license 
which was too restrictive.

First of all, BIND 9 is a complete rewrite of BIND, which, so far, has not
had one security problem reported with it.  When people say that "BIND is
insecure", they really ought to say "BIND before BIND 9 is insecure".

[...]

- Sam

====== End Forwarded Message ======


====== Forwarded Message ======
Date: 1/10/02 4:05 AM
Received: 1/10/02 12:03 AM
From: djb@cr.yp.to (D. J. Bernstein)
To: bugtraq@securityfocus.com

bugtraq@artemas.reachin.com writes:
> First of all, BIND 9 is a complete rewrite of BIND, which, so far, has
> not had one security problem reported with it.

I have two questions. First, why has ISC reported all the crash-BIND-8
bugs on its ``BIND security'' page and in CERT advisories, but none of
the crash-BIND-9 bugs?

(The primary ``security'' mechanism in BIND 9 is a fragility mechanism:
BIND 9 commits suicide if it gets confused, or if you poke it sharply,
or if you simply think bad thoughts in its general direction. The BIND 9
change log is full of reports of easily triggered crashes.)

Second, how much money do I get from ISC if I look at the BIND 9 code
and find, for example, a bug letting attackers take over the server?

[...]

---Dan

====== End Forwarded Message ======

--
 Jamie McCarthy
 jamie@mccarthy.vg