New version of Bind8 for W2k?

Danny Mayer mayer at gis.net
Sun Nov 17 14:20:44 UTC 2002


At 04:46 PM 11/16/02, Jeffery Jones wrote:

>On 16 Nov 2002 18:13:17 -0000, phn at icke-reklam.ipsec.nu wrote:
>
> >And what's your main objective with your nameservers: running
> >an MS OS or running a working nameserver? The answer to that
> >question should steer your objectives.
>
>The answer steers toward converting from Bind to MS DNS on Win 2000. The
>last 2 major Bind exploits have not affected MS DNS. If DNS is the only
>service exposed to the internet, the question of OS reliability is removed.

No, it merely means that MS DNS has less functionality. MS DNS does not
support DNSSEC which is where the exploit comes from. There are a lot of
other issues with MS DNS. See the archives for details.

>Conclusion: For the most reliable and secure nameserver, switch to MS DNS
>on Win 2000.

That's an erroneous conclusion based on facts that have nothing to do with
either reliability or security, for example support of TSIG. GSS-TSIG is not
the same thing and doesn't interoperate with BIND. It also violates the TSIG
RFC as it now stands.


>(And in the meantime, while I am converting to MS DNS, I've patched the
>Win32 version of 8.33. If it proves as reliable as 8.33 unpatched, and
>ISC hasn't released anything by next week, I'll make a patched version
>available).

The new version is there now.

Danny


