BIND8 entering end of life; changes to ftp.isc.org (affects mirrors)

Paul Vixie vixie at sa.vix.com
Fri Aug 10 17:05:33 UTC 2007


gagadget at free.fr writes:

> Sad news.

for me, too.  BIND8 was sort of my baby.  i've got no code in BIND9.

> Will there be no more patches for BIND8? Does that mean 8.4.7 will be the last
> release of BIND8 even in case of security alerts?

BIND8 is already deprecated in the role of forwarder, since most of its
anti-poison features are disabled when an authority response is forwarded
back to an initiator without benefit of caching and regeneration.

BIND8's random number generator for query ID's has once again been
successfully cracked (see full-disclosure and CERT), such that in a very
small number of transactions it's possible to send a cache-poisoning
response that will be cached and reused.  ISC isn't sure whether to try
again on fixing randomness in a 16-bit field.  BIND9 does a much better job
at being unpredictable, and the only real fix for this is DNSSEC anyway.

ISC would release a new BIND8 if an exploitable rootshell kind of hole were
found, but honestly, the time for BIND8 is past, that's why we released
BIND9 in 2000.  we know that early versions of BIND9 weren't as fast as
BIND8 and that config file compatibility was a problem, but things are much
better now.  it's been 8 years.  please get with the programme!

> I am testing BIND9 ( 9.4.1 ) and I think it is still lacking on
> statistics availability. For instance, no way to have the figures
> "queries by type" I used to have with BIND8.

according to <http://public.oarci.net/dns-operations/workshop-2007/agenda/>,
BIND 9.5 will have everything you're looking for in that regard.  and if you
were a member of the BIND Forum (which is free or cheap for individuals) you
would have read-only CVS access to that unreleased code, for early testing.
(see http://www.isc.org/sw/guild/bf/ for more details about the BIND Forum.)
-- 
Paul Vixie
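
The post's point about query ID randomness can be checked from the defender's side. The following is an added example, not part of the original message and not ISC code: it audits 16-bit query IDs taken from a resolver's own outbound queries for simple structure. The function names, thresholds and sample generators are constructed for illustration, and the toy LCG is not BIND8's generator.

```python
import secrets
from collections import Counter

def audit_query_ids(ids):
    """Return findings for structure in a sequence of 16-bit DNS query IDs."""
    n = len(ids)
    if n < 256:
        raise ValueError("need at least 256 samples")
    findings = []
    pairs = list(zip(ids, ids[1:]))
    # Counter-style generators: one delta dominates consecutive IDs.
    step, hits = Counter((b - a) & 0xFFFF for a, b in pairs).most_common(1)[0]
    if hits > len(pairs) // 2:
        findings.append(f"constant-delta:{step}")
    for bit in range(16):
        ones = sum((i >> bit) & 1 for i in ids)
        flips = sum(((a ^ b) >> bit) & 1 for a, b in pairs)
        # A fair bit has mean n/2 and std dev sqrt(n)/2, so 2.5*sqrt(n) is 5 sigma.
        if abs(ones - n / 2) > 2.5 * n ** 0.5:
            findings.append(f"biased-bit:{bit}")
        # A fair bit also differs from its predecessor about half the time.
        if abs(flips - len(pairs) / 2) > 2.5 * len(pairs) ** 0.5:
            findings.append(f"serial-bit:{bit}")
    return findings

# Constructed sample generators (assumptions, for demonstration only).
def counter_ids(n, start=1000):
    return [(start + i) & 0xFFFF for i in range(n)]

def lcg_ids(n, seed=1):
    out, x = [], seed
    for _ in range(n):
        x = (x * 25173 + 13849) & 0xFFFF  # toy 16-bit LCG, low bit alternates
        out.append(x)
    return out

def csprng_ids(n):
    return [secrets.randbelow(65536) for _ in range(n)]

if __name__ == "__main__":
    for name, gen in (("counter", counter_ids), ("lcg", lcg_ids),
                      ("csprng", csprng_ids)):
        print(name, audit_query_ids(gen(4096)))
```

An empty result only means these simple patterns are absent; it does not show the generator is unpredictable, and even a perfect generator has only 65536 possible IDs.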
