Slashdot Mirror


Interview With Paul Vixie And David Conrad

rwm311 writes: "linuxsecurity.com is running an interview with [Paul Vixie] and [David Conrad] about the ISC and BINDv9. It's a pretty good read. Vixie talks about his days at DEC and his motivation behind BIND while both Vixie and Conrad speak of the future of BIND - features they would like to implement and things that will be going away (such as nslookup)."

  1. Re:Ouch (Off Topic) by mikpos · · Score: 2

    Or Slashdot users could figure out how to use proxy servers. Either way.

  2. The Changes in BIND by cluge · · Score: 2
    Actually, BINDv9 is a complete rewrite. There is no significant code shared between BINDv8 and BINDv9

    This is very good news! The problem that scares me is that bind8 compatibility may not be all there. This means updating a large site to BINDv9 is going to be a problem for many ISPs etc.

    There are still a couple of areas where we're deficient in support of standards, e.g., we don't support using DNSSEC with wildcards and a BIND version 9.0.0 slave does not forward dynamic updates to the master as it should according to the RFCs. Our intent is to fully implement the standards (and/or help revise the standards to make them more useful to the Internet community).

    While waving off other name server implementations (DjbDNS) by saying it doesn't meet current standards, they admit that Bindv9 WON'T meet some of the current standards! In fact it seems that Mr Conrad is in favor of changing some of the standards. Is that to make them more useful, or make them fit Bindv9?

    All in all ANYTHING has to be an improvement over the code of Bindv8. The proof will be after Bindv9 has been "in the wild" for a few months.

    --
    "Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
  3. Re:Go Vixie! by NaughtyEddie · · Score: 2
    Yup, this is what's wrong with Slashdot. You spend time writing a long and possibly interesting post in an effort to put something into the community, then some f*cking idiot moderator puts you down a -1: Offtopic because what you're talking about isn't directly related to the story. Meanwhile, you make some stupid trolling quip elsewhere and get a +1: Funny.

    Friday is Score 2: Troll Day. Join us!

    And if you moderate this down, please email me and tell me exactly what you're trying to prove.

    --
    It's a .88 magnum -- it goes through schools.
    -- Danny Vermin
  4. Re:Of course bind is buggy! by drinkypoo · · Score: 2
    After all these years, BIND still hasn't fulfilled the vision of open-source, first spoken by Eric Stallman Raymond, and later realized by Linux Torvalds.

    Definition of Open Source given in ESR's Jargon File.

    Download Bind 8 Sources

    Finally, the contents of the LICENSE file in the current BIND distribution:

    ## Copyright (c) 1993-2000 by Internet Software Consortium, Inc.
    ##
    ## Permission to use, copy, modify, and distribute this software for any
    ## purpose with or without fee is hereby granted, provided that the above
    ## copyright notice and this permission notice appear in all copies.
    ##
    ## THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
    ## ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
    ## OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
    ## CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
    ## DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
    ## PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
    ## ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
    ## SOFTWARE.

    I didn't bother to C&P their address, which I'm sure is somewhere on their webpage.

    How do the definition and the current BIND license (which I think we can expect to carry over to BIND9) not jibe? In fact, it's not just Open Source, it's Free Software as defined by RMS.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. Re:bind 9 is a buggy piece of SHIT by Shimbo · · Score: 2

    It's almost a complete rewrite and a beta. There comes a point in the life cycle of most large pieces of software where you have to bite the bullet and re-engineer chunks of it. It's almost always a bit painful.

  6. secure replacement for BIND by kaisyain · · Score: 2

    Dan Bernstein (the guy who wrote qmail) has an interesting commentary on struggling to implement a secure replacement for BIND.

    namedroppers

  7. Re:security by MikeBabcock · · Score: 2

    I've never read anything by a security software designer that agrees with you. Sorry. Security, especially in the area of encryption, etc. is not simply an issue of well-written bug-free software (which Bind has definitely never been so far). It's a design decision and plan that has to start before the code is ever written.

    --
    - Michael T. Babcock (Yes, I blog)
  8. Re:Dan's code is Not free software (speech) by stab · · Score: 2

    [root@brick /root]# uname -sr
    OpenBSD 2.8
    [root@brick /root]# cd /usr/ports/net/djbdns/
    [root@brick djbdns]# make install

    Unlimited time? Not so hard I think ..

  9. Re:Security by MikeBabcock · · Score: 2

    Yes, it's compliant in zone transfers. It supposedly even supports IXFRs now (incremental updates). DNSSEC? Nobody else is using it and there are serious questions about its usability in the wild (especially associating it to an existing PKI, or building one). TSIG? Microsoft's version is probably as kind as their version of Kerberos, but they come down on DJB?

    I want a nameserver that doesn't suddenly disappear out from under me for no reason, or that has a memory management policy of 'help! restart me!'.

    Deal with the REAL issues first, add cute features later.

    --
    - Michael T. Babcock (Yes, I blog)
  10. Re:Security by MikeBabcock · · Score: 2

    Since some people don't like clicking links for some reason, here's DJB's comments on DNSSEC (a few of them at least):

    DNSSEC is a project to have a central company, Network Solutions, sign all the .com DNS records. Here's the idea, proposed in 1993:
    • Network Solutions creates and publishes a key.
    • Each *.com creates a key and signs its own DNS records. Yahoo, for example, creates a key and signs the yahoo.com DNS records under that key.
    • Network Solutions signs each *.com key. Yahoo, for example, gives its key to Network Solutions through some secure channel, and Network Solutions signs a document identifying that key as the yahoo.com key.
    • Computers around the Internet are given the Network Solutions key, and begin rejecting DNS records that aren't accompanied by the appropriate signatures.

      However, as of February 2000, Network Solutions simply isn't doing this. There is no Network Solutions key. There are no Network Solutions signatures. There is no secure channel---in fact, no mechanism at all---for Network Solutions to collect *.com keys in the first place.

      DNSSEC is often falsely advertised as a software feature that you can install to protect your computer against DNS forgeries. In fact, installing DNSSEC does nothing to protect you, and it will continue to do nothing for the foreseeable future. I'm not going to bother implementing DNSSEC until I hear a detailed, concrete, credible plan for central DNSSEC deployment.

      Even if DNSSEC is someday put into place, it will continue to allow attacks through Network Solutions itself. What happens if a Network Solutions employee is bribed? Are the Network Solutions computers secure? An attacker who breaks into one critical Network Solutions computer will have control over the entire Internet.

    Taken from http://cr.yp.to/djbdns/forgery.html

    Read the rest of that page for his idea for a quick-fix.

    --
    - Michael T. Babcock (Yes, I blog)
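    The signing chain DJB describes above (registry key certifies each zone key, zone key signs the zone's records, resolvers trust only the registry key), as an added illustration that is not from this thread and is neither BIND nor djbdns code. The actors, seeds and addresses are constructed, and a toy RSA over small primes stands in for the real signature algorithm.

```python
"""Constructed model of the DNSSEC trust chain described above (not BIND, djbdns
or the DNSSEC wire format); toy RSA over small primes is a stand-in, nothing more."""
import hashlib
import math

def next_prime(n):
    while any(n % i == 0 for i in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n

def make_key(seed, e=65537):
    """Toy RSA keypair derived from a hypothetical seed: (public (n, e), private (n, d))."""
    p = next_prime(seed)
    q = next_prime(p + 2)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:      # keep e invertible mod phi(n)
        q = next_prime(q + 2)
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

def build_response(cert_priv, zone, zone_key, name, rdata):
    """What a name server hands back: the record, the zone's public key, the
    registry's signature over that key and the zone's signature over the record."""
    zone_pub, zone_priv = zone_key
    return {"zone": zone, "zone_pub": zone_pub, "name": name, "rdata": rdata,
            "key_sig": sign(cert_priv, f"{zone}|{zone_pub}".encode()),
            "rrsig": sign(zone_priv, f"{name}|{rdata}".encode())}

def validate(anchor_pub, r):
    """A resolver holding one trust anchor (the 'Network Solutions key'): accept
    the record only if the anchor certified the zone key AND that key signed it."""
    if not verify(anchor_pub, f"{r['zone']}|{r['zone_pub']}".encode(), r["key_sig"]):
        return False                                 # zone key never vouched for by the anchor
    return verify(r["zone_pub"], f"{r['name']}|{r['rdata']}".encode(), r["rrsig"])

# Constructed actors: the registry anchor, a legitimate zone, and a forger whose
# key the registry never signed (a forger who controls the anchor is not caught).
NSI_PUB, NSI_PRIV = make_key(10 ** 9)
YAHOO = make_key(2 * 10 ** 9)
ATTACKER = make_key(3 * 10 ** 9)
GENUINE = build_response(NSI_PRIV, "yahoo.com", YAHOO, "www.yahoo.com", "A 192.0.2.10")
FORGED = build_response(ATTACKER[1], "yahoo.com", ATTACKER, "www.yahoo.com", "A 192.0.2.66")
```

A response with a genuine key certificate but an altered record, and a response self-certified by the forger, both fail; the same forged response passes for a resolver whose anchor is the forger's key, which is DJB's point about the registry being the single point of compromise.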
  11. Security by MikeBabcock · · Score: 3

    Their comments about security are quite irritating because they mention things like DNSSEC but don't want to talk about the way BIND is coded. DJBDNS comes up (http://cr.yp.to/djbdns.html) but is brushed off with false claims (it does support transfers, and support for IPv6 is in the works).

    --
    - Michael T. Babcock (Yes, I blog)
    1. Re:security by MSG · · Score: 3

      is it just me, or does the concept of security as a "side effect" seem very frightening?

      Maybe it's just you. Good programmers know that stable, correct code is the cure for 99% of all security problems. The other bit is security problems due to design flaws (such flaws would exist in the RFC, for example).

      If you spend the time required to do something _right_, if you make the code robust and stable, then it will be secure. It IS a side effect of programming for stability.

  12. Amusing quote by Azog · · Score: 5
    David Conrad: I look forward to seeing significantly increased use and interest in developing applications based on the RSA algorithm. Hopefully, the easing of US crypto controls earlier this year doesn't mean that someone has figured out how to factor large primes trivially... :-)
    Er, Mr. Conrad, I can factor large primes trivially...

    Seems like everyone makes this mistake sooner or later!

    (for the confused: he meant "factor products of large primes trivially".)

    --
    Torrey Hoffman (Azog)
    "HTML needs a rant tag" - Alan Cox
  13. security by Phexro · · Score: 5

    on security:

    "...it was an indirect goal. We wanted to produce a rock solid, commercial grade, open source DNS implementation in the tradition of BIND..."

    translation: bind 9 will be just as buggy as the old bind!

    "...and with high compatibility with BIND. One important side effect of all that is security."

    is it just me, or does the concept of security as a "side effect" seem very frightening?

    you'd think that with all the problems in the past with bind, they would have considered security to be a primary goal, not a "side effect".
    --

  14. nslookup by Adam Wiggins · · Score: 3

    The basic sleazeware produced in a drunken fury by a bunch of U C Berkeley grad students was still at the core of BIND.

    Interesting, I didn't expect them to admit to that sort of thing.

    And it's not really that nslookup is going away, at least not the way that I think of it (a command line tool to quickly find an IP address) - they indicate that it was because nslookup currently is closely mapped to the BIND8 API which has been changed all around. I think they want something more abstract which will allow users to get the info they want without being closely tied to the underlying protocol. (Abstraction! Egad!)

    All in all, it sounds like good news.