NS record question

Doug Barton DougB at DougBarton.net
Tue Mar 27 18:28:42 UTC 2001

Brad Knowles wrote:
> At 9:27 PM -0800 3/26/01, Doug Barton wrote:
> >         First off, while there have been security issues in the past with
> >  bind 8 code (and may be again in the future) for the most part the code is
> >  in fairly good shape. Yes, it's ugly in places, but it's got collectively
> >  millions of hours of operational experience, and has had lots of eyes on
> >  it, black hats and white.
>         Indeed, it has had a lot of people looking at it, and all of the
> ones I know of that have looked at it have found it extremely
> unpleasant.  There's dreckage and bletchery in there going back to
> the original undergraduate work done on BIND, long before Paul Vixie
> got involved, etc....

	Blah blah blah. I'm actually pretty tired of this argument. I realize that
bind 8 has some ugly spots, but it's still the bugs we know, vs. the bugs
we don't know in bind 9. I'm also a little suspicious of all the people who
claim that there is this or that present in the bind 8 source, but haven't
actually submitted any fixes. 

>         Indeed, with the newer features added to BIND 8 (e.g., DNSSEC,
> etc...), those would seem to be far less secure, less fully
> implemented, and overall just less fully "cooked" than their
> implementations in BINDv9 -- even in 9.1.0, much less the latest
> release candidate for 9.1.1.

	Ummm... how do you make the leap of logic that says that new features
added to a new code base are better or more stable than new features added
to an established code base? My point earlier was that both code bases have
their own unique problems. 

>         Yes, there may be some remaining issues that BINDv9 has with
> regards to scaling and suitability for use in the largest possible
> environments (e.g., as a root nameserver), but for anything short of
> that kind of environment, the new "programming by contract" model,
> etc... should make the code more inherently secure, and overall much,
> much more robust.

	Once again, I have nothing but respect for the people at nominum, and the
herculean task that faces them. However, as I pointed out previously the
migration path still has too many hurdles (and unseen pitfalls) for most
people, IMO. I would feel a lot better about it if someone at nominum was
willing to be a little more flexible in terms of listening to the concerns
already voiced in this area, but c'est la vie. Also, the mere fact that
most of the code in bind 9 is produced "by contract," doesn't really enter
into this discussion. I am a professional programmer and I know the
problems associated with this kind of project. Thus my concerns.

>         No, it's about time that people start making the upgrade, and
> cutting off all further development on BIND 8 (save bug fixes) is
> obviously going to be the only way to encourage them to do exactly
> that.

	On this point I agree with you. However I don't see any point in
encouraging people to upgrade exclusively for the purpose of getting them
to use bind 9. Since this entire e-mail basically restated points made
previously, I think I'll leave it at that. 

    Perhaps the greatest damage the American system of education has done
    to its children is to teach them that their opinions are relevant
    simply because they are their opinions.
