8.2.3 on sunspar(solaris7)

Kevin Darcy kcd at daimlerchrysler.com
Fri Mar 23 22:08:36 UTC 2001

Jim Reid wrote:

> >>>>> "HAG" == HAG Keijzer <HAG.Keijzer at mindef.nl> writes:
>     HAG> Considering the fact that about every week a new release of 9
>     HAG> is available, and changes are a PITA, we prolly will go for 8.2.3
> An important correction: it's release candidates for 9.1.1 that are
> coming out fairly frequently, not the release itself.
>     HAG> Security is a must after all.
> Hmm. Most people who look at the code would agree that BIND9 should be
> more secure than BIND8: consistent coding style, rigorous adherence to
> the protocol specs, careful avoidance of extra data, checking for
> buffer overflows, etc. As a complete rewrite BIND9 is not encumbered
> by the legacy baggage in the BIND8 code base. Some of that can be
> traced back to Kevin Dunlap's grad school project at Berkeley in the
> late 80s: the origin of BIND, the Berkeley Internet Name Daemon (or
> Domain or Distribution).

I would concur. If security is the *overriding* concern, BIND 9 is probably a
better choice, because its code structure is far less likely to produce
buffer-overrun types of vulnerabilities. But one has to balance security with
stability. Or, to look at it another way, a BIND 9 crash or hang could be
viewed as a self-inflicted DoS, so there are security concerns either way...

- Kevin

More information about the bind-users mailing list