NS record question

Bob Vance bobvance at alumni.caltech.edu
Tue Mar 27 19:11:02 UTC 2001


>I agree. Nothing to add.

Maybe so.
But I agree with Doug.
One of the first reasons I didn't go with BIND9 was that $GENERATE wasn't
supported (or so I was led to believe).  Give me a break.  I don't want to
go backwards when upgrading.  I thought, "What else is missing?  I don't
have the time to investigate it and make work-arounds."

Now, I *have* gone to rc7 on my home Linux box, but am confronted with some
DDNS and nsupdate issues that I must take time to investigate and iron out.

That's OK at home, and I'm doing it just to see what will be encountered in
prep for the final move, but I cannot imagine going to 9 in a large
production environment right now.
Of course, I hope that everyone doing so has a good experience.

-----------------------------------------------
Tks          |  BVance at sbm.com
BV           |  BobVance at alumni.caltech.edu
Sr. Tech. Consultant,    SBM
Vox 770-623-3430         11455 Lakefield Dr.
Fax 770-623-3429         Duluth, GA 30097-1511
===============================================

-----Original Message-----
From: roy at node10c4d.a2000.nl [mailto:roy at node10c4d.a2000.nl]On Behalf Of
Roy Arends
Sent: Tuesday, March 27, 2001 7:12 AM
To: Brad Knowles
Cc: Doug Barton; Bob Vance; bind-users at isc.org
Subject: Re: NS record question


On Tue, 27 Mar 2001, Brad Knowles wrote:

>
> At 9:27 PM -0800 3/26/01, Doug Barton wrote:
>
> >         First off, while there have been security issues in the past with
> >  bind 8 code (and may be again in the future) for the most part the code is
> >  in fairly good shape. Yes, it's ugly in places, but it's got collectively
> >  millions of hours of operational experience, and has had lots of eyes on
> >  it, black hats and white.
>
> 	Indeed, it has had a lot of people looking at it, and all of the
> ones I know of that have looked at it have found it extremely
> unpleasant.  There's dreckage and bletchery in there going back to
> the original undergraduate work done on BIND, long before Paul Vixie
> got involved, etc....
>
> 	I would not be at all surprised to find that there were another
> half dozen root compromises floating around in the BIND 8.2.3-REL
> code, the only thing is that they haven't been as widely distributed.
>
> 	Indeed, with the newer features added to BIND 8 (e.g., DNSSEC,
> etc...), those would seem to be far less secure, less fully
> implemented, and overall just less fully "cooked" than their
> implementations in BINDv9 -- even in 9.1.0, much less the latest
> release candidate for 9.1.1.
>
>
> 	Yes, there may be some remaining issues that BINDv9 has with
> regards to scaling and suitability for use in the largest possible
> environments (e.g., as a root nameserver), but for anything short of
> that kind of environment, the new "programming by contract" model,
> etc... should make the code more inherently secure, and overall much,
> much more robust.
>
> 	No, it's about time that people start making the upgrade, and
> cutting off all further development on BIND 8 (save bug fixes) is
> obviously going to be the only way to encourage them to do exactly
> that.

I agree. Nothing to add.

Roy Arends
Nominum