NS record question

Brad Knowles brad.knowles at skynet.be
Tue Mar 27 23:49:39 UTC 2001 

At 3:01 PM -0800 3/27/01, Bill Manning wrote:

>  	v8 is nowhere near 2million lines of code. v9 on the other hand...

	Marcus Ranum used to tell a story in his talks about security 
regarding his work with the Firewall Toolkit.  The first version came 
out right at six hundred lines of code, and he believed it to be 
trivially small enough to be provable to be secure.  He showed it to 
Bill Cheswick, and Ches found something like five bugs on visual 
inspection alone.

	Even with a trivially small program, it's "non-trivial" to prove 
the program to be correct.  With larger programs, it's simply 
impossible.  If you care about writing programs securely, you have to 
use other methods -- such as having programs applying semi-paranoid 
checking to all their inputs, and if anything looks the slightest bit 
amiss, then log everything possible and exit.

>  	still, the v9 "failure" mode will make a dandy DOS vector
>  	someday.

	Yeah, there's a lot of possibility of serious DOS problems, 
that's for sure.  This is why I'd like to see it being used by the 
root nameservers -- if they feel that it is sufficiently robust for 
use in this kind of environment, then it's probably robust enough for 
me.

>  	True. But the programing model is different enough that
>  	many are still on the fence wrt jumping into the v9 paradigm

	The programming model is the least of the things that anyone 
should be concerned about.

	IMO, this is not the real problem keeping people on the fence -- 
the real issue is that so many people have trouble upgrading to 
BINDv9 as a result from their own ignorance of properly formatted 
zone files, configuration files, etc....  If they followed the 
directions and fixed these problems before they upgraded their 
production nameservers, this wouldn't be a problem.

-- 
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'

More information about the bind-users mailing list