Theo Zourzouvillys wrote:
exactly :p that leaves a whole 8 months for someone to find something! I'll bet you £20 publicly that bind will have at least one exploit or major bug before 1/1/03 ? ;)
I wouldn't bet on BIND8! I might be persuaded to back BIND9, in particular a remote exploit of a chrooted, non-root BIND 9 daemon, not through the command channel (which I think should only listen on 127.0.0.1...).
providing, that is, we are told about it - last I heard, bind security stuff was going to be discussed in a closed area where only members who pay and sign an NDA would be allowed to access, and only people who need to (like the isc, etc) would get access [1]. Though maybe I'm seeing only the bad side because I hate bind ;)
The BIND members list is designed for those people building products on top of BIND as well as people operating substantial pieces of DNS infrastructure. Non-members will still hear, just others will hear sooner. Being free software it has a few derivative products, and with full disclosure lists like BUGTRAQ, it can put people like CheckPoint in an unenviable position, of having a vulnerable fork of the code (MetaIP - pants as it is), when the information goes public. Of course this assumes that full disclosure is made first to the ISC ;) I think this problem can affect all security-sensitive software, as libraries can be vulnerable - witness the zlib issue (although I believe zlib was principally a vuln on Linux only), but where the source is available it is trivial for would-be attackers to diff the sources to find the full source of the patch. I wonder what arrangement IBM Websphere has for this with Apache?
There are things tinydns does not support, but never anything that I, or I think any of you, need to support - nor the dns root servers for that matter.
I kind of want the root servers to run DNSSEC, although I agree with DJB that it isn't the best thought out of systems; at the moment there is too little to protect us from problems in the DNS hierarchy (and you have little say in what those above you in the DNS hierarchy run!).

--
"Don't get me started on intuitive. You know what's intuitive? Fear of heights. Everything else we call intuitive, such as walking or using a pencil took years of practice." - Don Norman

--
The Mailing List for the Devon & Cornwall LUG