Caught in a BIND
Jon Lasser, 2002-11-20

How did one of the Internet's most ubiquitous software packages grow up to be chronically insecure? History offers a lesson.

Caught in a BIND 2002-11-20
Anonymous (2 replies)
Caught in a BIND 2002-11-22
Sam Pointer
Caught in a BIND 2002-11-23
Anonymous
Caught in a BIND 2002-11-22
Anonymous
Caught in a BIND 2002-11-24
Anonymous
Caught in a BIND 2002-11-24
Anonymous
Caught in a BIND 2002-11-26
Simon
I agree with dumping BIND 4 and BIND 8.

The upgrade from BIND 8 to BIND 9 is not challenging or difficult; it largely requires making the zone files standards-conforming and mastering rndc configuration. There are many short cuts for doing this, including just AXFR'ing zones from BIND 8. Systematic faults in zone files are easily corrected automatically with tools like "sed". The documentation is good.

BIND 9 has an excellent security record, although it has a habit of stopping when assertions are violated, leading to a number of potential DoS on servers with very large numbers of zones.

Those who select DJBDNS may be wise, but the DJBDNS security offer of $500 excludes DoS and problems with underlying libraries, and so is more marketing than practical security.

I don't buy DJB's ease-of-use claims either; setting up DJBDNS as a replacement for existing BIND installs is time-consuming, and the approach to binary releases makes it even more so. The admin will have much to learn, as pragmatically you need to use DJB's own service tools. The documentation is spartan, and the approach of a thousand separate configuration files is at best unwieldy.

Still, DJBDNS may be the sensible choice where very large numbers of zones are configured.

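As an added example (not part of Simon's comment or of the article), the following Python script shows what "making the zone files standards-conforming" means in practice: it parses a BIND 8-era zone file and flags three constructs that BIND 9 rejects or warns about by default (no $TTL directive, a CNAME coexisting with other data at the same owner name, and an underscore in the owner name of an address record under check-names), and it implements the sed-style bulk fix of prepending a $TTL. The zone content, the example.test name and the 86400-second default TTL are all constructed for this illustration.

```python
"""Lint a BIND 8-era zone file for constructs that BIND 9 rejects or warns about."""
import re

# Constructed sample zone (hypothetical example.test); the faults are deliberate:
# no $TTL, "www" carries both a CNAME and an A record, "my_host" has an underscore.
SAMPLE_ZONE = """\
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2002112001 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; minimum
    IN NS  ns1.example.test.
ns1 IN A   192.0.2.1
www IN CNAME ns1
www IN A   192.0.2.2
my_host IN A 192.0.2.3
"""

# owner (may be empty = "same as previous"), optional TTL, optional class, type, rdata.
# Assumes upper-case record types, as in the sample.
RECORD_RE = re.compile(r'^(\S*)[ \t]+(?:(\d+)[ \t]+)?(?:(?:IN|CH|HS)[ \t]+)?([A-Z]+)[ \t]+(.*)$')

# A hostname label is letters/digits/hyphens and cannot start or end with a hyphen;
# '@' (the origin) and '*' (wildcard) are also accepted as owner names.
LABEL = r'[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?'
HOSTNAME_RE = re.compile(rf'^(?:@|\*|(?:{LABEL}\.)*{LABEL}\.?)$')


def _strip_and_join(text):
    """Drop ';' comments and join parenthesised multi-line records (e.g. the SOA)."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count('(') - line.count(')')
        buf.append(line if not buf else line.strip())
        if depth <= 0:
            out.append(' '.join(buf))
            buf, depth = [], 0
    if buf:
        out.append(' '.join(buf))
    return out


def lint_zone(text):
    """Return a list of human-readable findings; an empty list means no issues found."""
    findings = []
    has_ttl = False
    types_by_owner = {}
    owner = '@'
    for line in _strip_and_join(text):
        if line.startswith('$'):
            if line.upper().startswith('$TTL'):
                has_ttl = True
            continue  # $ORIGIN and other directives are not checked here
        m = RECORD_RE.match(line)
        if not m:
            findings.append(f'unparsed line: {line!r}')
            continue
        name, _ttl, rtype, _rdata = m.groups()
        if name:
            owner = name  # a blank owner field repeats the previous owner
        types_by_owner.setdefault(owner, []).append(rtype)
        # BIND 9 applies check-names to the owner names of address records.
        if rtype in ('A', 'AAAA') and not HOSTNAME_RE.match(owner):
            findings.append(f'{owner}: invalid hostname for {rtype} record (check-names)')
    if not has_ttl:
        findings.append('no $TTL directive; BIND 9 no longer assumes the SOA minimum silently')
    for name, types in types_by_owner.items():
        if 'CNAME' in types and len(types) > 1:
            findings.append(f'{name}: CNAME coexists with other data')
    return findings


def add_default_ttl(text, ttl=86400):
    """Prepend a $TTL directive when one is missing (the 'sed' style bulk fix)."""
    if any(l.lstrip().upper().startswith('$TTL') for l in text.splitlines()):
        return text
    return f'$TTL {ttl}\n' + text


if __name__ == '__main__':
    for finding in lint_zone(SAMPLE_ZONE):
        print('before:', finding)
    for finding in lint_zone(add_default_ttl(SAMPLE_ZONE)):
        print('after :', finding)
```

Running it lists three findings for the constructed zone; after `add_default_ttl` only the CNAME conflict and the underscore remain, which is the point: a missing $TTL is mechanically fixable across hundreds of zones, while the other two need a human to decide which record to keep or rename.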
Caught in a BIND 2002-12-02
Anonymous
Copyright 2009, SecurityFocus