NS record question

Bill Manning bmanning at ISI.EDU
Tue Mar 27 23:01:34 UTC 2001

% At 2:19 PM -0800 3/27/01, Bill Manning wrote:
% >  	There is this little bit of wisdom from the security community.
% >  	small, simple bits of code that have had lots of public scrutiny
% >  	tend to be more secure (not to mention faster) than large
% >  	chunks of new code, with new features and unknown/untested
% >  	interactions.
% 	I understand the "many eyes" theory, but the problem is that with 
% two million lines of code, it's impossible to mathematically prove 
% the code secure, and just because you have a lot of people *looking* 
% at the code, doesn't mean that you have a lot of people that are 
% *telling* you about the security holes that they're finding.

	v8 is nowhere near 2 million lines of code. v9 on the other hand...
	otherwise, your statements are valid.

% 	Moreover, sticking with the old code prevents you from making use 
% of the new "programming by contract" security features of BINDv9, 
% where now each routine and function call applies near-paranoid levels 
% of checking to all of its inputs, to do everything possible to ensure 
% that a security compromise simply cannot occur.

	still, the v9 "failure" mode will make a dandy DoS vector

% >                  even when they were created in "ancient labs"
% >  	by undergrads (kind of like IP.. no? :) and much respect to
% >  	Paul, but there were/are many professionals who made v8 work
% >  	in an open, sharing environment.
% 	And there are many professionals making BINDv9 work in an open, 
% sharing environment.  All the code is there to see, and if anyone 
% wants to suggest any new code to add any new functionality, they're 
% more than welcome to submit that -- just like they always could.

	True. But the programming model is different enough that 
	many are still on the fence wrt jumping into the v9 paradigm.

% >  	When we get a release of v9 that lasts more than 4 weeks,
% >  	we can talk about stability.
% 	That's a very good point.  Myself, I'd like to see it being used 
% by all or many of the root nameservers.  When it can be trusted to do 
% that, it'll probably be good enough for me to run in production 
% environments.

	Not this week... :)
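
The "programming by contract" input checking described in the quoted text, and the failure mode raised in reply, as an added example in C that is not BIND source. It assumes a REQUIRE-style macro modeled on the BIND 9 assertion style (the real library's macros and handler are not reproduced) whose violation is fatal. Version A hands untrusted wire data straight to a helper guarded by that contract, so one malformed length byte becomes a process abort; version B validates at the trust boundary and returns an error, leaving the contract to catch programmer error only. The sample inputs are constructed, and the failure handler is made replaceable so a violation can be observed rather than killing the process.

```c
/* Added example (not BIND code): a REQUIRE-style contract versus validation
   of untrusted input at the trust boundary. */
#include <setjmp.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: a BIND-9-like REQUIRE whose failure handler aborts. Here the
   handler can be trapped so the violation is observable instead of fatal. */
static jmp_buf contract_env;
static int contract_violations = 0;
static bool contract_trap_installed = false;

static void contract_failed(const char *expr, const char *file, int line) {
    contract_violations++;
    if (contract_trap_installed)
        longjmp(contract_env, 1);           /* observe, do not die */
    fprintf(stderr, "%s:%d: REQUIRE(%s) failed\n", file, line, expr);
    abort();                                /* the real failure mode */
}
#define REQUIRE(cond) \
    do { if (!(cond)) contract_failed(#cond, __FILE__, __LINE__); } while (0)

static int contract_violation_count(void) { return contract_violations; }

/* Internal helper with preconditions: one length byte, a label of at most
   63 bytes that fits both the wire buffer and the output buffer. The
   contract states what callers must guarantee; it is not input validation. */
static size_t copy_label(char *out, size_t outlen,
                         const uint8_t *wire, size_t wirelen) {
    REQUIRE(wirelen >= 1);
    size_t n = wire[0];
    REQUIRE(n <= 63);
    REQUIRE(wirelen >= 1 + n);
    REQUIRE(n < outlen);
    memcpy(out, wire + 1, n);
    out[n] = '\0';
    return n;
}

/* Version A: untrusted wire data goes to the helper unchecked, so a crafted
   length byte violates the contract and the daemon aborts (availability loss). */
static int parse_label_unchecked(char *out, size_t outlen,
                                 const uint8_t *wire, size_t wirelen) {
    return (int)copy_label(out, outlen, wire, wirelen);
}

/* Version B: validate at the trust boundary and return -1 on malformed input;
   the helper's contract is then only ever tripped by a programming error. */
static int parse_label_checked(char *out, size_t outlen,
                               const uint8_t *wire, size_t wirelen) {
    if (wirelen < 1) return -1;
    size_t n = wire[0];
    if (n > 63 || wirelen < 1 + n || n >= outlen) return -1;
    return (int)copy_label(out, outlen, wire, wirelen);
}

/* Run a parser with the contract trap installed. Returns 1 if a contract
   violation was raised, 0 if the parser returned normally (result stored). */
typedef int (*label_parser)(char *, size_t, const uint8_t *, size_t);
static int run_guarded(label_parser fn, const uint8_t *wire, size_t wirelen,
                       int *result) {
    char out[64];
    contract_trap_installed = true;
    if (setjmp(contract_env) != 0) {
        contract_trap_installed = false;
        return 1;
    }
    *result = fn(out, sizeof out, wire, wirelen);
    contract_trap_installed = false;
    return 0;
}

/* Constructed sample inputs. */
static const uint8_t GOOD[] = { 3, 'w', 'w', 'w' };  /* label "www" */
static const uint8_t BAD[]  = { 200, 'x' };          /* claims 200 bytes, 1 present */

static int unchecked_trips_contract(void) {
    int r = 0;
    return run_guarded(parse_label_unchecked, BAD, sizeof BAD, &r);
}
static int checked_rejects(void) {
    int r = 0;
    int v = run_guarded(parse_label_checked, BAD, sizeof BAD, &r);
    return v == 0 && r == -1;
}
static int checked_accepts(void) {
    int r = 0;
    int v = run_guarded(parse_label_checked, GOOD, sizeof GOOD, &r);
    return v == 0 && r == 3;
}

int main(void) {
    printf("unchecked parser, malformed label: contract violated = %d\n",
           unchecked_trips_contract());
    printf("checked parser, malformed label: rejected = %d\n", checked_rejects());
    printf("checked parser, good label: accepted = %d\n", checked_accepts());
    return 0;
}
```

The design point is that a contract check and an input check answer different questions: REQUIRE says "this can never happen if the code is right" and treats a violation as fatal, which is the failure mode the reply calls a DoS vector when it is reachable from the network; input validation says "this packet is malformed" and discards it while the server keeps answering.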
