NS record question
Bob Vance
bobvance at alumni.caltech.edu
Tue Mar 27 19:11:02 UTC 2001
>I agree. Nothing to add.
Maybe so.
But I agree with Doug.
One of the first reasons I didn't go with BIND9 was that $GENERATE wasn't
supported (or so I was led to believe). Give me a break. I don't want to
go backwards when upgrading. I thought, "What else is missing? I don't
have the time to investigate it and make work-arounds."
Now, I *have* gone to rc7 on my home Linux box, but am confronted with some
DDNS and nsupdate issues that I must take time to investigate and iron out.
That's OK at home, and I'm doing it just to see what will be encountered in
prep for the final move, but I cannot imagine going to 9 in a large
production environment right now.
Of course, I hope that everyone doing so has a good experience.
-----------------------------------------------
Tks | BVance at sbm.com
BV | BobVance at alumni.caltech.edu
Sr. Tech. Consultant, SBM
Vox 770-623-3430 11455 Lakefield Dr.
Fax 770-623-3429 Duluth, GA 30097-1511
===============================================
-----Original Message-----
From: roy at node10c4d.a2000.nl [mailto:roy at node10c4d.a2000.nl]On Behalf Of
Roy Arends
Sent: Tuesday, March 27, 2001 7:12 AM
To: Brad Knowles
Cc: Doug Barton; Bob Vance; bind-users at isc.org
Subject: Re: NS record question
On Tue, 27 Mar 2001, Brad Knowles wrote:
>
> At 9:27 PM -0800 3/26/01, Doug Barton wrote:
>
> > First off, while there have been security issues in the past with
> > bind 8 code (and may be again in the future) for the most part the code is
> > in fairly good shape. Yes, it's ugly in places, but it's got collectively
> > millions of hours of operational experience, and has had lots of eyes on
> > it, black hats and white.
>
> Indeed, it has had a lot of people looking at it, and all of the
> ones I know of that have looked at it have found it extremely
> unpleasant. There's dreckage and bletchery in there going back to
> the original undergraduate work done on BIND, long before Paul Vixie
> got involved, etc....
>
> I would not be at all surprised to find that there were another
> half dozen root compromises floating around in the BIND 8.2.3-REL
> code, the only thing is that they haven't been as widely distributed.
>
> Indeed, with the newer features added to BIND 8 (e.g., DNSSEC,
> etc...), those would seem to be far less secure, less fully
> implemented, and overall just less fully "cooked" than their
> implementations in BINDv9 -- even in 9.1.0, much less the latest
> release candidate for 9.1.1.
>
>
> Yes, there may be some remaining issues that BINDv9 has with
> regards to scaling and suitability for use in the largest possible
> environments (e.g., as a root nameserver), but for anything short of
> that kind of environment, the new "programming by contract" model,
> etc... should make the code more inherently secure, and overall much,
> much more robust.
>
> No, it's about time that people start making the upgrade, and
> cutting off all further development on BIND 8 (save bug fixes) is
> obviously going to be the only way to encourage them to do exactly
> that.
I agree. Nothing to add.
Roy Arends
Nominum