Is Bind still broken?

Danny Mayer mayer at gis.net
Sun Nov 17 15:35:57 UTC 2002


At 08:30 PM 11/14/02, dns wrote:


>... first , let me say i run bind:
>
>     i've read the comments regarding this question.  most of the answers
>share a similar odor to m$ vs. linux debates.
>
>     broken , it seems , taken in its most static meaning.  the argument
>that the internet "couldn't work if it was" relies on it, AND would fail
>without that assumption.  to my mind , an evolving set of 'serious'
>security vulnerabilities does not sound all that 'fixed'.  if bind
>compared to , say , djbdns , then perhaps 'broken' takes on a more
>realistic, and workable meaning.

That's as clear as mud. The major differences are what protocols they
support and how they handle zone transfers, AXFR or rsync,
dynamic update, TSIG, etc. What do YOU mean by broken?



>      all that aside , what troubles me more , is the reported way in
>which bind's creators have chosen to address this latest security
>problem.  as i recall, isc knew a week before the initial 'public'
>disclosure that a problem existed.  that in and of itself , not all that
>extraordinary.  what is, is isc's providing their 'paying' customers with
>fixes during that period.

Understanding the problem and developing a proper fix takes time and
can be very difficult to do right. It's better to get that done than to
announce to the hackers of the world a way of exploiting BIND and
having them attack your system without you having a way of defending
yourself. When only a few people know, you at least reduce the chances
of it being used. Hackers are very good and know what they're doing.
If ISC were to announce the problem as soon as they got it, they would
not only be bombarded with calls and messages looking for a fix, taking
time away from getting a fix, but the hackers would have much more time
to exploit it.

>     if that state of affairs defines their attitude toward the 'great
>unwashed' , i think it something "ALL" users of 'bind' need to consider
>when choosing a dns solution ...

You don't think that Microsoft or any of the other vendors would do things
any differently do you?

Danny
