[PLUG] Re: tinydns problems... help?
Rich Burroughs
rich at paranoid.org
Fri Feb 11 22:24:04 UTC 2005
Wil Cooley wrote:
>
> But BIND 9 was total rewrite by someone skilled in writing secure C, which Paul
> Vixie readily claims he is incapable of. Have there been any root exploits for
> BIND 9? I don't know; there have been a few non-root exploits, but not many.
Perhaps the BIND code is much better now, Wil, I'm not sure. I guess I
have a lot of bad memories from the old days. I remember one exploit
that was used to r00t what seemed like half the DNS servers on the Net
:) I'm pretty sure the last big one I can remember was BIND 4, though.
Still, it is hard for me to believe that even version 9 is just as
secure code-wise as tinydns, which is more stripped-down and was written
with security as a big priority. I'm not saying I won't use BIND. I
think that when you run it as a non-root user and chrooted, that it's
not a huge risk. But I also encourage people to try other alternatives
if they want.
I would be very surprised if there hadn't been fewer security problems
with tinydns than even with BIND 9 in the same time period, and I really
disagree with that characterization that was made that Dan's tools are
not ready for production. I'm not a DJB disciple - I would rather use
Postfix than Qmail any day. But I've seen tinydns run in production and
it worked great.
Rich