cTLD and DNS upgrade

Kevin Darcy kcd at daimlerchrysler.com
Fri Jul 8 02:45:28 UTC 2005


Stephane Bortzmeyer wrote:

>On Wed, Jul 06, 2005 at 10:24:04AM +1000,
> Mark Andrews <Mark_Andrews at isc.org> wrote 
> a message of 55 lines which said:
>
>>	That doesn't require a configure option.  It just requires a
>>	little reading.
>
>I know these options and I'm fairly certain that the other
>participants in that discussion know them too. I may not be able to
>rewrite BIND from scratch but I can read the ARM.
>
>The issue is security: as long as the code is there, in the running
>instance of BIND, a cracker may find a way to exploit it. If the code
>is not even there, it cannot be exploited. That's why a run-time
>option is not a substitute for a compile-time option. That's why
>authoritative-only name servers like nsd are nice, security-speaking:
>they have much less code.
>

Stephane,
Think through what you're saying here. You say you want the ability to 
compile BIND with some sort of "authoritative-only" flag. Fine. But 
you're still going to want something to resolve Internet DNS names, 
right? After you've built your "authoritative-only" executable, are you 
then going to compile BIND *again* with some sort of "resolver-only" 
flag? So now you have two different executables that you need to manage 
(probably with the same name, which could be very confusing). Now, let's 
say a CERT warning comes out for a vulnerability in one of the common 
routines that is linked into *both* of your executables. Now you have 
two rounds of patching to do instead of just one, and if you happen to 
miss one of those executables on one of those machines, you could be 
open to attack. Twice as many chances to fail, twice as many chances to 
get hacked. How is this better, from a security standpoint, than having 
a single executable in the first place?

I agree, if you *only* serve authoritative zones, or if that's your 
primary line of business, then it might make sense to have a specialized 
program to do that. But for most of us, BIND is a general-purpose tool, 
something we use more or less equally to *resolve* DNS names as to 
*serve* them to outside clients. When used that way, it makes little 
sense to have different compile-time options for different "flavors" of 
named that you intend to run simultaneously in your infrastructure. That 
just complicates the job of building, installing and maintaining BIND.

- Kevin
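The run-time option both sides refer to is whether a named instance offers recursion. As an added example (not code from the thread or from BIND itself), here is a small check that confirms what an instance actually advertises by reading the RA (recursion available) bit of its response header; the server address, the query name and the sample headers are constructed for illustration.

```python
import socket
import struct

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS query for an A record (RD bit set, one question)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def advertises_recursion(response: bytes) -> bool:
    """Return True if the RA (recursion available) bit is set in a response header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return bool(flags & 0x0080)

def check_server(server: str, name: str = "example.com", timeout: float = 2.0) -> bool:
    """Send one UDP query to a name server and report whether it advertises recursion.

    An authoritative-only instance (recursion no;) should answer with RA clear;
    a resolver instance answers with RA set.
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("response ID mismatch")
    return advertises_recursion(data)

# Constructed sample headers (12 bytes each; the flags word is all we need here).
# 0x8180 = QR, RD, RA set: what a resolver instance returns.
RESOLVER_HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
# 0x8500 = QR, AA, RD set and RA clear: what an authoritative-only instance returns.
AUTH_ONLY_HEADER = struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 0, 0, 0)

if __name__ == "__main__":
    print(advertises_recursion(RESOLVER_HEADER))   # True
    print(advertises_recursion(AUTH_ONLY_HEADER))  # False
    # Against a live server (address is a placeholder): check_server("192.0.2.53")
```

The RA bit reflects the server's configured policy, not its enforcement; a fuller check also queries a name the server is not authoritative for and confirms the answer is REFUSED rather than resolved.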
