Caught in a BIND
Jon Lasser, 2002-11-20

How did one of the Internet's most ubiquitous software packages grow up to be chronically insecure? History offers a lesson.

Caught in a BIND 2002-11-22
Sam Pointer
To paraphrase a posting on comp.protocols.dns.bind: BIND is the reference implementation of ALL aspects of the DNS standards, not just the bits that are easy to get right (a la djbdns).

Fair enough, people are finding vulnerabilities in BIND. But what do you expect in a piece of mission-critical software that is as widely deployed as BIND?

And as regards Mr. Lasser's comments on being stuck with old versions of BIND: if you are running publicly recursive nameservers (or any public nameserver) you are a fool to be running BIND4 or an early version of BIND8. Running them internally - fair enough. Public DNS servers are going to be attacked and are going to require patches.

It's a bit like saying "we're stuck with an old version of IIS because our vendor doesn't support any more secure versions on NT4". If you can't see the obvious answer to that statement then you shouldn't be administering systems! "But we can't upgrade, it's too much work/this issue is stopping us/it hasn't been tested". I say bullshit. What's too much work? Doing a migration to BIND9 for your recursive nameservers? Or losing your nameservers altogether to some script-kiddie and having to explain that to the Board?

What I am trying to say is that we should see some proactivity. Lobby vendors for updated versions of BIND. Patch your systems.

If BIND is good enough for the root nameservers that make this whole internet thing work then I'm sure it's good enough for corporation x. All you need to do is expend some effort rather than expecting a magic solution by changing to a different OS. "Ohh, Windows is insecure, let's switch to Linux and all of our troubles will be gone". Wrong - as the growing popularity of Linux has shown us, when something becomes more ubiquitous then more people research it and hack it; you just end up dealing with a different type/subset of problems.

Let's say everyone switched to djbdns tomorrow, roots 'n' all. Do you really expect that djbdns advisories will not start popping up on Bugtraq?

Copyright 2009, SecurityFocus