NS record question

Bob Vance bobvance at alumni.caltech.edu
Tue Mar 27 23:59:58 UTC 2001


> If they followed the
> directions and fixed these problems before they upgraded their
> production nameservers, this wouldn't be a problem.

But, this *does* present a learning curve -- and not just because of
"errors".  I have no errors in my files, but still there is much to read and
understand before I'll be satisfied with a BIND9 installation.


> the real issue is that so many people have trouble upgrading to
> BINDv9 as a result of their own ignorance of properly formatted
> zone files, configuration files, etc...

In my case it's not ignorance of "properly formatted ... files" but
ignorance of the new features and procedures of BIND9.  A simple case in
point is 'ndc' vs 'rndc'.

No matter how you slice it, there is still going to be an upgrade issue.
For people who have already done so, it may seem trivial.  But finding time
(to find and learn the issues) is never trivial (although I've spent a lot
of time typing e-mails, lately :)




-----------------------------------------------
Tks          |  BVance at sbm.com
BV           |  BobVance at alumni.caltech.edu
Sr. Tech. Consultant,    SBM
Vox 770-623-3430         11455 Lakefield Dr.
Fax 770-623-3429         Duluth, GA 30097-1511
===============================================

-----Original Message-----
From: Brad Knowles [mailto:brad.knowles at skynet.be]
Sent: Tuesday, March 27, 2001 6:50 PM
To: Bill Manning
Cc: Bill Manning; Roy Arends; Doug Barton; Bob Vance; bind-users at isc.org
Subject: Re: NS record question


At 3:01 PM -0800 3/27/01, Bill Manning wrote:

>  	v8 is nowhere near 2 million lines of code. v9 on the other hand...

	Marcus Ranum used to tell a story in his talks about security
regarding his work with the Firewall Toolkit.  The first version came
out right at six hundred lines of code, and he believed it to be
trivially small enough to be provable to be secure.  He showed it to
Bill Cheswick, and Ches found something like five bugs on visual
inspection alone.

	Even with a trivially small program, it's "non-trivial" to prove
the program to be correct.  With larger programs, it's simply
impossible.  If you care about writing programs securely, you have to
use other methods -- such as having programs apply semi-paranoid
checking to all their inputs, and if anything looks the slightest bit
amiss, then log everything possible and exit.

>  	still, the v9 "failure" mode will make a dandy DOS vector
>  	someday.

	Yeah, there's a lot of possibility of serious DOS problems,
that's for sure.  This is why I'd like to see it being used by the
root nameservers -- if they feel that it is sufficiently robust for
use in this kind of environment, then it's probably robust enough for
me.

>  	True. But the programing model is different enough that
>  	many are still on the fence wrt jumping into the v9 paradigm

	The programming model is the least of the things that anyone
should be concerned about.

	IMO, this is not the real problem keeping people on the fence --
the real issue is that so many people have trouble upgrading to
BINDv9 as a result of their own ignorance of properly formatted
zone files, configuration files, etc....  If they followed the
directions and fixed these problems before they upgraded their
production nameservers, this wouldn't be a problem.

--
Brad Knowles, <brad.knowles at skynet.be>

/*        efdtt.c  Author:  Charles M. Hannum <root at ihack.net>          */
/*       Represented as 1045 digit prime number by Phil Carmody         */
/*     Prime as DNS cname chain by Roy Arends and Walter Belgers        */
/*                                                                      */
/*     Usage is:  cat title-key scrambled.vob | efdtt >clear.vob        */
/*   where title-key = "153 2 8 105 225" or other similar 5-byte key    */

dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
