Slashdot Mirror


Bind 9.0.0 Final Released

Eric Sun writes "After numerous release candidates and betas, the final stable release version of Bind 9 has been released. Looks like the homepage hasn't updated yet, but you can get a list of download servers from its page at Freshmeat."


  1. So... by MrHanky · · Score: 4

    Any new rootholes for us to exploit, or will it be just the same, old, boring stuff?
    --

  2. DNS Tutorial by linuxci · · Score: 4

    There's a DNS Tutorial by Jim Reid of Nominum, the company responsible for the official support of BIND. I assume he'll be mentioning the changes in BIND 9 at this event.

    1. Re:DNS Tutorial by linuxci · · Score: 2

      I know it's expensive; these things normally are, due to the following reasons:
      1) The cost of a venue - London venues are expensive
      2) The cost of the speaker
      3) The cost of promotion / expenses

      These events are the sort of thing that you get your company to pay for if you're working, the whole choice of venue is chosen to keep the bosses happy. If we had a cheap venue the average narrow minded boss would think this isn't going to be any good and is not going to shell out for it. These events are only designed to cater for small amounts of delegates so the chance to ask individual questions is there.

      If this event was run by a commercial organisation rather than a non profit org (the UKUUG) then the prices would be even higher, we just aim to cover costs and believe me they're expensive.

      Prices in London for a decent venue are a rip off compared to other places in the UK.

    2. Re:DNS Tutorial by fm6 · · Score: 2
      A gentle flame: I'm sure your tutorial (which is, I gather, britspeak for "seminar" or "class") is worth the cost of admission. However, an announcement for it is really not appropriate for Slashdot. Your news is only of importance to people who are able to travel to London just to attend a class. That probably doesn't describe more than a tiny fraction of the people who will see your post. I won't use the S-word, but some people would.

      A less abusive way to publicize your class is to take some of the materials and put them on the web. This web page would be universally useful (and thus linkable) and is a legitimate place to advertise your product.

      While we're on the subject, if every Slashdotter would please briefly visit www.nakedteenagebimbos.com, I'll be able to retire three years early. Thanks for your support.

  3. Big fucking deal by Shoeboy · · Score: 4

    This is not "news for nerds" nor "stuff that matters."
    Can't we please only get updates on important software.
    It's not bind holds the entire net together or anything.
    --Shoeboy

    1. Re:Big fucking deal by Samrobb · · Score: 2

      Sigh. Whoever moderated this post as a troll either lacks a fundamental sense of humor, or (more than likely) just doesn't understand what BIND is...

      For the record: Yes, it is news for nerds, it is important software, and BIND quite literally does hold the net together.

      Shoeboy's post wasn't a troll, it was a fairly good parody of the "Why was this article posted?" trolls.

      --
      "Great men are not always wise: neither do the aged understand judgement." Job 32:9
    2. Re:Big fucking deal by forged · · Score: 2

      As a matter of fact, it does, and I am thankful that bind was around ever since the net was made.

      In my opinion, slashdot.org is easier to remember than its IP address, and that is thanks to bind.
      But of course, maybe would you rather see 64.28.67.48 News for Nerds. Stuff that matters. Or write your email address as drhelpful@216.214.2.25?

      Come on. Be thankful that bind is around, and respect your elders.

    3. Re:Big fucking deal by _xeno_ · · Score: 2
      So, basically, YHBT, YHL, HAND.

      Shoeboy (currently?) is a troll. Apparently, as a protest to the 50 karma barrier, he is attempting to lose karma by posting trolls. (Actually, I guess his karma is currently ~125, so he's trying to get it down to "normal.") Taking a peek at his User Info I'd say he's failing right now. But I wish him luck - I'd like to be able to get karma above 50 like Signal 11 and FascDot Killed My Pr. The curse of the newbies.... never to get 3 digit karma...

      Maybe I'll have to bid on FascDot Killed My Pr's account over at e-bay...

      --
      You are in a maze of twisty little relative jumps, all alike.
  4. bind... by Anonymous Coward · · Score: 3

    I gave up on bind a while ago. Certainly some folks need its features, but for most of us, DJB's dns package should be powerful enough, plus its faster and more secure.

    1. Re:bind... by Dionysus · · Score: 3

      Plus, most home users don't need a full-fledged dns server. They just need a dns cache, which dnscache does well.

      If you want dns server, go for tinydns.

      --
      Je ne parle pas francais.
  5. Re:LIND? by pi_rules · · Score: 2
    I think you're horribly confused.
    • DNS is a protocol
    • BIND is a program (daemon actually) that fulfills the DNS protocol.
    • BIND is the dominant name serving daemon in the *nix environment.
    There isn't (and shouldn't be) any Linux specific name serving daemon. Hope that clears a bit of it up.
  6. Re:LIND? by Dredd13 · · Score: 2

    BIND runs on Linux, it runs on Solaris, it runs on damn near every OS I've ever run across.

  7. BIND: providing remote root since 1993 by MattW · · Score: 4

    I'm sure glad we have a nice fresh version. It's been so long since I've had to patch my BIND, this sure will be exciting.

  8. Re:Is there an exploit yet? by ArchieBunker · · Score: 2

    Put me down for 1.5 weeks.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  9. Release notes? by Samrobb · · Score: 2

    I was able to find ISC's plans for BIND 9, but not any release notes - anyone made them available online yet?

    --
    "Great men are not always wise: neither do the aged understand judgement." Job 32:9
  10. Re:LIND? by dangermouse · · Score: 2

    umm... actually, the daemon is "named". BIND is a package that includes named as well as a resolving library and some other tools (like nslookup).

    You probably knew that; I'm just posting to clarify for those who don't.

  11. Re:About time :) by aozilla · · Score: 3

    According to the ISC Bind plans "Support for alternative back end database" is part of Bind 9. I hope that means I can add a MySQL database backend, and cgi the whole thing.

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  12. Too late ... by stab · · Score: 5

    I'm hoping BIND9 is a complete, utter rewrite, with no code from BIND8 still remaining.

    If it isn't, then it's way way too late - switch to Dan Bernstein's djbdns instead. Read the security guarantee and weep in relief. Notice the exceedingly small memory footprint. The lack of core dumps. That you can get rid of AXFR completely and just use rsync+ssh to transfer to your secondaries.

    Check out tinydns.org which has migration tools from BIND which I'm playing with atm.

    1. Re:Too late ... by Ogun · · Score: 2

      IXFR is incremental zone transfers. Instead of transferring the entire zone every time it has been updated, the slave will just pull the diff, so to speak. Real handy feature that.

      --
      I found a fast warez site: http://warez.it.kth.se
    2. Re:Too late ... by abulafia · · Score: 2
      The problem with djbdns is that Dan doesn't care about standards, and ignores them when he doesn't like them. AXFR/IXFR are RFC standards, and he makes it "optional". rsync+ssh doesn't work if you want to do zone transfers between, say, djbdns and bind. djbdns turns off TCP queries by default. Standards are about interoperability. Dan just doesn't care.

      This is the topic of recurring flame wars on the dns-bind list, and I don't want to start it here. But do note that djbdns is not a drop in replacement.

      --
      I forget what 8 was for.
    3. Re:Too late ... by alhaz · · Score: 2

      Dan also has a lengthy rant on why CNAMEs are stupid, and why his server doesn't support them.

      He's a great programmer, shame the elevator doesn't go all the way to the top.

      --
      This is just like television, only you can see much further.
    4. Re:Too late ... by stab · · Score: 2

      Err, no - it's completely modular, so if for some reason you want tcp queries, you run axfrdns (as it says in the FAQ you kindly linked to)

    5. Re:Too late ... by stab · · Score: 3

      djbdns does have IPv6 support, thanks to patches by Felix von Leitner - get them from www.tinydns.org

      IXFR is an incremental method of zone transferring, which is completely useless if you use something like rsync and ssh. djbdns stores all of its zone data in a highly efficient CDB file. All you have to do to update your secondaries is to push the CDB file out. If you use rsync, then only the differences get pushed, the file gets updated atomically, and you're laughing.

      If you use djbdns consistently, you have absolutely no need whatsoever for AXFR or IXFR. If you do secondary with other BIND servers then you'll need to run an AXFR process, unfortunately.

    6. Re:Too late ... by Russ+Nelson · · Score: 2

      Too bad for your objection -- djbdns actually *does* support cname records. It just doesn't encourage them.
      -russ

      --
      Don't piss off The Angry Economist
    7. Re:Too late ... by alhaz · · Score: 2

      Moderate this guy up . . .

      Try running the software instead of judging it just from the author's rants. djbdns fully supports CNAME records. DJB simply does not provide a command line utility for adding them, like it does for A, NS and MX records. Big deal. The utilities are provided as a quick-start for newcomers. There are some other esoteric BIND features missing from djbdns, but simplicity is one of djbdns' features. It was never meant to be a replacement for BIND, so criticizing it for not being a drop-in misses the point.

      Alright, my bad. I sure thought I had read somewhere that it simply couldn't serve them up.

      That's OK tho. There are plenty of other things wrong with djb software. like the licensing, and the attitude.

      --
      This is just like television, only you can see much further.
    8. Re:Too late ... by proberts · · Score: 2

      While you won't get much argument on attitude, back when I was searching for a resolver library to hack into a project, I looked at tinydns and downloaded it and started poking around for a license (since this was for work)- I didn't find one at all- and after the qmail license debacle, I thought it'd be a good thing[tm] to ask DJB what terms the stuff was licensed under. I got back a "There is no license, I don't believe in software licensing." reply.

      So, if you're out of technical arguments and are down to social ones, considering BIND is the Sendmail of the 90's and Wietse hasn't attacked DNS as a project I think you're out of wind.

      Look at the code, don't rush to judgement. Look at BIND's code. Compare and contrast.

      I actually *like* BIND, but running it is always scary, even chrooted.

      Paul

      --
      http://www.pauldrobertson.com
  13. Good news for large domains. by alteridem · · Score: 5
    This is good news for large domains as it adds some great features for servers servicing many requests. Bind 9 is now:
    • Thread safe so it can run on multi-processor machines
    • Plugs into several back end databases so it will be easier to support large domains
    • Support for IPv6. The future is nearly here!
    • Several protocol enhancements like IXFR, DDNS, Notify, EDNS(0,1) and improved standards conformance.
    • A host of other features, see this for more.
    This is a major rewrite and may contain a host of new security problems, but it is a step in the right direction and I will definitely be looking at it to manage my larger domains.
    1. Re:Good news for large domains. by chrismcc@netus.com · · Score: 4

      There is also good news for those with a smaller number of domains.

      views

      This allows one daemon on one server to present different data to different groups depending on where the request comes from.

      if request is from internal reply with www=192.168.1.1
      if request is from external reply with www=63.1.1.1

      The config file would look something like this:

      view "internal" {
          match-clients { localhost; localnets; 192.168.0.0/24; };
          recursion yes;
          zone "." { type hint; file "root.cache"; };
          zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
          zone "pricegrabber.com" { type master; file "db.pricegrabber.com.internal"; };
      };

      view "external" {
          match-clients { any; };
          zone "pricegrabber.com" { type master; file "db.pricegrabber.com.external"; };
      };

      This is _very_ cool! If you run two name servers (master and slave), before you would actually have to run four servers: two for 'internal users' and two for 'the world'.

      Christopher McCrory
      "The guy that keeps the servers running"
      chrismcc@pricegrabber.com
      http://www.pricegrabber.com
      PriceGrabber.com - The Smart Place to Start Your Shopping

      "Linux: Because rebooting is for adding new hardware"

      --
      Christopher McCrory "The guy that keeps the servers running" chrismcc@gmail.com http://www.pricegrabber.com
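      As an added example (not from the comment above, nor ISC's own documentation), a fuller named.conf views fragment showing two things worth checking when splitting horizons this way: BIND 9 tries views in order and uses the first one whose match-clients matches the client, so the catch-all "any" view has to come last, and the external view should neither recurse for strangers nor hand out the zone to anyone who asks for AXFR. The zone name, file names and addresses follow the comment; the secondary's address 63.1.1.2 is a constructed placeholder.

```conf
// Added example: split-horizon views for named.conf (BIND 9).
// Views are evaluated in order; the first view whose match-clients
// matches the querying address is used, so "any" must be last.

acl "internal-nets" { localhost; localnets; 192.168.0.0/24; };
acl "secondaries"   { 63.1.1.2; };   // constructed placeholder for the slave

view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;                    // only our own clients may recurse
    allow-transfer { "secondaries"; };
    zone "." { type hint; file "root.cache"; };
    zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
    zone "pricegrabber.com" {
        type master;
        file "db.pricegrabber.com.internal";   // www -> 192.168.1.1
    };
};

view "external" {
    match-clients { any; };           // everyone else, hence last
    recursion no;                     // do not act as an open resolver
    allow-transfer { "secondaries"; };  // AXFR only to the listed slave
    zone "pricegrabber.com" {
        type master;
        file "db.pricegrabber.com.external";  // www -> 63.1.1.1
    };
};
```

      Run named-checkconf over the file before reloading; a view placed after "any" is syntactically fine but never matches, which is easy to miss until the wrong data leaks.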
    2. Re:Good news for large domains. by thogard · · Score: 2

      I've been running three name servers to get around this problem.

      All my internal hosts use 192.168.*.* and I use cisco NAT to get the right external address mapped to the correct internal addresses and cisco nat will automagically fixup dns packets on the fly but only if they are udp. The result is that I have one external address for external zone transfers, one for external name service and one for internal use.

  14. Get DJBDNS and worry no more by jlj · · Score: 4

    I recently changed from BIND (the Buggy Internet Name Daemon) to D. J. Bernstein's DJBDNS. It's a very modular, robust and not to mention secure replacement for BIND. He's got a security guarantee as well. He offers $500 to the first person who reports a verifiable security hole.

    So instead of worrying about the next serious security hole in BIND, replace it with DJBDNS and make your server a lot more secure.

    Homepage: http://cr.yp.to/djbdns.html

    For OpenBSD users: cd /usr/ports/net/djbdns; make; make install

    1. Re:Get DJBDNS and worry no more by Russ+Nelson · · Score: 2

      I'm running djbdns. Would you like to secondary my domain? I had a tough time getting djbdns to allow it, but I finally did it: I had to run "axfrd-conf". You know how hard it is to run a single command....
      -russ
      p.s. Sheesh!

      --
      Don't piss off The Angry Economist
  15. Hopefully by dragonfly_blue · · Score: 2
    Hopefully it has better security than the other BINDs, which, from numerous comments I've overheard, is notoriously prone to exploits. Does anyone know what functionality has been added to this release, or is it mostly bug fixes and stability improvements? Also, any word on the OpenBSD ports of BIND?

    By the way, Eric Sun, who submitted this story, runs a great domain registrar called Alphapython. I can't even begin to express how happy I've been with their service, and their pricing is great, too. If you get a chance and need high-quality, affordable domains, check them out.

    --
    Free music from Jack Merlot.
    1. Re:Hopefully by Constellation · · Score: 2

      The Question here is, will BIND 9 be secure enough to be included in OpenBSD? OpenBSD still uses BIND v4 due to the security issues with the later versions.

    2. Re:Hopefully by stab · · Score: 2

      BIND9 was committed today into OpenBSD's port tree. Note that the port tree is _not_ audited, but provided as a convenient method of installing third party software.

      OpenBSD comes with BIND4, which has been audited. BIND8, djbdns, and BIND9 are available in the ports tree.

  16. I'm being defamed! by Shoeboy · · Score: 2

    > Shoeboy (currently?) is a troll.

    Actually I'm just a jackass. I participate in the troll forums because they have intelligent discussions there. I'm certainly not in the same league as em, 80md, er or jsm.
    I'm more of a prankster.

    > Apparently, as a protest to the 50 karma barrier, he is attempting to lose karma by posting trolls.

    I am protesting nothing, I'm just treating /. as a toy rather than as a community. Most long time readers have this attitude. Taco certainly does.

    > (Actually, I guess his karma is currently ~125, so he's trying to get it down to "normal.") Taking a peek at his User Info I'd say he's failing right now. But I wish him luck -

    Oddly enough karma has frozen again - so I'll be stuck at 62 until taco unfreezes it. I don't care what my karma is, I just like to post "Moderate this down - I need to lose 15 karma points by midnight" stuff to mess with people's heads and entertain them. Judging by the moderations I get, it seems to be working.
    --Shoeboy

    1. Re:I'm being defamed! by Shoeboy · · Score: 2

      Everytime I forget, my posting history is there to remind me.
      --Shoeboy

  17. Interesting points with BIND 9 by jd · · Score: 5
    • DNSSEC is a reality! (Well, it would be, if anyone else used it...!)
    • No resolv.h file! (This means ALL network code that's out there will need to be re-written to use the new resolver, which is NOT backwards-compatible.)
    • LOTS of libraries! No more simple -lresolv, or -lbind. Instead, you're faced with -ldns, -lisc, -llwres and -lowrapi. NONE of which are shared. They're ALL static.
    • Headers are split up into 3 or 4 directories, now. Time to get out the road map.

    The Internet needs a powerful name server and name resolver, but USEFUL tools don't use structure to obscure the content.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Interesting points with BIND 9 by MSG · · Score: 3

      I moderated you up, but now I have to post a correction to your statement. sorry : )

      I haven't actually compiled Bind 9 yet, but the page at http://www.isc.org/products/BIND/bind9.html says "To build shared libraries, specify "--with-libtool" on the configure command line.", so it seems you're inaccurate on one point.

    2. Re:Interesting points with BIND 9 by jacrawf · · Score: 2
      Hooray! Chalk another one up to the standard-makers of the day! BIND is in the ranks of some of the more renowned software ever: sendmail, vixie cron, wuftpd, telnet, and finger. All are masterful achievements of software engineering.

      Oh, wait... That's damning, isn't it?

    3. Re:Interesting points with BIND 9 by toppk · · Score: 2

      Buddy:

      $ rpm -qf /usr/include/resolv.h
      glibc-devel-2.1.92-5

      It is up to glibc to decide what the interface will be. If and when glibc uses bind 9's resolver, we shall see what their strategy is with the API.
      It's just like /usr/include/linux. It comes from the kernel but glibc controls it (this has been a much confused point over time).

      What I'm waiting for personally is dhcp 3.0 final, so I can connect my dhcp with dyndns and head off w2k...

  18. Bind 9.0 web page is posted, but not linked by ChuckRoast · · Score: 5

    The official Bind 9 page is written, just not linked, yet.

  19. Re:Remember the AMDROCKS attack? (Bind 8.2.1) by austad · · Score: 2

    I remember this. It was ADMROCKS though, not AMDROCKS. I got hit by this. I had so many friggin ipchains rules on my nameserver that they couldn't do a damn thing with it. They appended telnet onto the end of inetd.conf and added a couple of user accounts. But never added an ipchains rule to allow all, so they couldn't telnet in to do anything.

    I sat and watched them play around with it for about 2 hours before I blocked their IP, upgraded bind, and chrooted it. Gotta love snort.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  20. Security guarantee is limited by Russ+Nelson · · Score: 2

    The security guarantee is limited to $500, and is only given to the first party to find a security hole. So far, it's gone unclaimed. Is there any kind of security guarantee for BIND v9? Do the authors trust their software as much as Dan does?

    djbdns doesn't do AXFR transfers. You have to run the included axfrd to serve AXFR, or run axfr-get to retrieve records using AXFR.
    -russ

    --
    Don't piss off The Angry Economist
    1. Re:Security guarantee is limited by thogard · · Score: 2

      Considering that Vixie is running the most heavily loaded root name server with it, I would guess he does trust it.

    2. Re:Security guarantee is limited by proberts · · Score: 2

      > I managed to get postfix to dump core a few
      > times on the mandrake 7.1 that I'm running at
      > home. Users should not be able to cause
      > programs started as root to core dump.

      a) How did you get it to dump core exactly.
      b) Where's your bug report? Wietse's always been extremely good at fixing actual bugs.
      c) Postfix drops root _very_ quickly for the parts of the system that need it. It's not monolithic and all the parts don't run as root.

      I don't know *anyone* in the security community that I respect who'd run Sendmail under any circumstance that wasn't "We need a specific feature that nothing else supports" and even then it'd be on a gateway downstream of something else.

      Paul

      --
      http://www.pauldrobertson.com
  21. djbdns supports TCP queries. by Russ+Nelson · · Score: 2

    djbdns contains two programs: an authoritative server, and a caching server. The authoritative server does not answer TCP queries because it never serves up records that require TCP queries. The caching server will issue TCP queries if needed.
    -russ

    --
    Don't piss off The Angry Economist
  22. Yes, AXFR support is optional by Russ+Nelson · · Score: 2

    Yes, support for AXFR is optional. If you want to use it, you have to actually go to the effort of installing it. Gasp!
    -russ

    --
    Don't piss off The Angry Economist
  23. What about Gag? by icqqm · · Score: 3

    Having an updated BIND is one thing, but we'll still have to wait for them to update GAG to 9.0 - hopefully both will have Gore and Bush support.

  24. Yes, as did BIND 8 by SpaFF · · Score: 2

    See subject.

    --
    -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
  25. BIND can be a recursive acronym. by yerricde · · Score: 2

    If you can't say Berkeley or BSD for some reason, call it the BIND Internet Name Daemon.
    <O
    ( \
    XGNOME vs. KDE: the game!

    --
    Will I retire or break 10K?
  26. DNS Standardization by tqbf · · Score: 2
    > The problem with djbdns is that Dan doesn't care about standards

    Learn what "standardization" means, and how to read and interpret an RFC. You're talking out of your ass.

    AXFR has been "optional" in BIND for years --- BIND's configuration allows them to be restricted by IP address, and competent admins have been restricting them with filters long before that feature was available. djbdns does exactly the same thing, but takes it a step further by running AXFR service from a separate server context, for added security, speed, and reliability. This violates no aspect of the standard.

    IXFR is not a "DNS Standard". All RFCs are not standards. Many RFCs are proposed extensions to the standards, which is exactly what IXFR is. djbdns doesn't support IXFR because IXFR isn't required by the standards and, thankfully, isn't in widespread use.

    Bernstein's take is that secure rsync IS in widespread use, is a general-purpose, modern tool, and is more available to the DNS operations community (even the BIND advocates) than IXFR is. I think it's clear that many of the supposed "standards" being tossed about in this debate are nothing more than features of BIND being wrangled into standards documents. Welcome to OSI, circa 2000AD.

    Having addressed your straw-man argument over AXFR/IXFR, why don't we move on to ACTUAL standards compliance? BIND up to and including 8.1.2 applied DNS compression to SRV records, blatantly violating the most basic aspect of the DNS standards (the on-the-wire encoding of actual DNS records).

    You're also completely wrong about the ability to do zone transfers with secure rsync and BIND. People already do this. Where'd you get your information from?

    djbdns uses TCP queries when necessary, automatically. Can you come up with an actual interoperability problem djbdns has caused? What you're saying sounds *exactly* like what the Sendmail drones said when qmail was released.

    I don't expect everyone on Slashdot to understand how the IETF works and what the forces are that bear on it, but I do expect that everyone here is familiar with the term "loose consensus and working code". djbdns works. BIND has been a disaster for years. If you're going to deify the IETF in your arguments, try to understand its spirit first.

  27. Re:Remember the AMDROCKS attack? (Bind 8.2.1) by austad · · Score: 2

    Yes, it would have, but I don't think they figured out I had ipchains rules. Looks like the ADMROCKS exploit lets you execute commands remotely as the user named is running as, but doesn't explicitly give you a root shell. I guess they could've just done a "rm -rf /" and hosed the machine, but I didn't really care, I had backups of all the important stuff.

    Moral of the story, never run named as root under any circumstances, and always run it chrooted. In fact, never run anything as root if possible, and chroot what you can. An attacker can break out of a chroot jail, but it'll stop most script kiddies from doing much damage.

    I was thinking of switching to djbdns for my nameserver on my DSL, but now that bind 9 is out, I wouldn't mind experimenting with the 6-bone a little bit, and djbdns doesn't do IPv6 as far as I know.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  28. "All programs have flaws"? by Russ+Nelson · · Score: 2

    Please identify the security holes in qmail.

    There are none.
    -russ

    --
    Don't piss off The Angry Economist