[PLUG] Re: tinydns problems... help?

Rich Burroughs rich at paranoid.org
Fri Feb 11 22:24:04 UTC 2005


Wil Cooley wrote:
> 
> But BIND 9 was a total rewrite by someone skilled in writing secure C, which Paul
> Vixie readily claims he is incapable of.  Have there been any root exploits for
> BIND 9?  I don't know; there have been a few non-root exploits, but not many.

Perhaps the BIND code is much better now, Wil, I'm not sure. I guess I 
have a lot of bad memories from the old days. I remember one exploit 
that was used to r00t what seemed like half the DNS servers on the Net 
:) I'm pretty sure the last big one I can remember was BIND 4, though.

Still, it is hard for me to believe that even version 9 is just as 
secure code wise as tinydns, which is more stripped-down and was written 
with security as a big priority. I'm not saying I won't use BIND. I 
think that when you run it as a non-root user and chrooted, it's 
not a huge risk. But I also encourage people to try other alternatives 
if they want.

I would be very surprised if there hadn't been fewer security problems 
with tinydns than even with BIND 9 in the same time period, and I really 
disagree with that characterization that was made that Dan's tools are 
not ready for production. I'm not a DJB disciple - I would rather use 
Postfix than Qmail any day. But I've seen tinydns run in production and 
it worked great.


Rich