Domain: djbdns.org
Stories and comments across the archive that link to djbdns.org.
Comments · 9
-
Interesting piece, but
...still needs work.
NitPick 1: a cvsup cron job every 3 hours? Cvsup traffic is always high at the top of the hour because everyone does this. Fix: Look at the second hand / second readout on your watch right now. Pick that value as the minute your cron job does its thing. It's a simple psuedo-randomizer that makes things a little easier on the cvsup.freebsd.org servers.
NitPick 2: a cvsup cron job every 3 hours? (Is there an echo?) freefall.freebsd.org is the authoritative cvsup source. Its only client is cvs-master.freebsd.org, which checks freefall every 6 minutes. Official mirrors are allowed access to cvs-master, and generally update between 1 hour and 4 hours. If you're updating more often than once a day via cron, maybe you need to think about becoming a mirror. Besides, the smart thing to do is do a cvsup on your src and ports trees and keep it back a day and watch the mail lists to see if anyone else's machine burnt their toast. If there aren't (m)any complaints, go for it.
Nit 3: An official warning and a gruff "who the heck are you" getty message aren't going to keep kids from nmapping you. Try Fooling Nmap for Whatever Reason. If you're worried your OS and your kernel version will give you away, maybe you aren't keeping as up-to-date on your security lists?
Nit 4: Sendmail. Sure. You could run sendmail, but why not look into qmail, written by djb. While you're there, check out djbdns if you need DNS services. -
Who will agree?
The interesting question is, will enough people pick up the patch, so that Verisign will see their efforts wasted? This will only happen if the distros redistribute the patch.
Will the Linux distros provide updates to BIND that include the patch? (I bet yes.) Will Sun, the dot in
.com, update Solaris? (This is harder to guess.) As for Microsoft, I think they will sneak in a patch, to Internet Explorer only, the next time they issue an "urgent" security patch -- though their motive is purely to protect their MSN Search revenue.DJBDNS already has a patch available.
-
Re:Bug your ISPInteresting that BIND only runs 80% of DNS servers, what is the other 20% made up of?
Well, there's TinyDNS, djbdns and MaraDNS, just for starters. And whatever those Windows folks use on their server OS.
Interesting to note that djbdns has already been patched to workaround the Verisign nonsense
.... -
Re:Whoa, Nice shootin', TexLike all the Linux boxen running pretty much any version of wu-ftpd and vulnerable versions of BIND (and there are A LOT) are safe.
Then again, Linux boxes running VSftpd and any DNS server besides BIND 4/8 (like This one, or this rather shameless plug) are safe from remote root exploits.
- Sam
-
Re:Why still running on BIND?
"Or better question, why hasn't someone written a better alternative"
djbdns -
Re:Interesting
A choice today is djbdns.
-
Re:Why i'm still not switching...
What are you using, a 286? Jeez, my dns servers don't even resolve "slashdot.org" that quickly.
Try djbdns on your local box. The answer to the broken bloated security risk that is BIND. Install it and never think about your DNS again. If you are not a DNS box, install it anyway to resolve local queries only.
DJBDNS -
Re:Efficiency, Flames...
Even with ReiserFS, there is some overhead of space and time involved in managing files. Each file has a directory entry and an inode or two; while ReiserFS may unambiguously improve the time efficiency, that does not result in the space overhead falling to zero.
This is very true, although I was more concerned with time than space at the current price of a few hundred GB of disk space.
If he tried to find some places for agreement, his software would probably get used more.
This, and providing "--help" options to his programs I suggested as being helpful
... right before the deluge of hate-mail ...He thinks about the notion of proving correct behaviour
He never did reply to my philosophical statement that his famous statement, "profile, don't speculate" was incorrect since speculation is scientifically required for eventual proofs to happen.
Qmail and Dnscache are still personal favorite pieces of software for servers, although there are many things they could do much better than they do. Luckily, Dan seems to attract a large number of patch-writers and individuals who kindly host useful websites like qmail.org and djbdns.org.
-
I've had enough of BIND
I'm tired of dealing with the root exploit de jour. I'm switching our nameservers to djbdns. It's ightweight, fast, stripped-down, and (presumably) more secure than BIND. At least, I've yet to see an exploit for djbdns.