Slashdot Mirror


Securing DNS From The Roots Up

jeffy124 writes: "This article at ComputerWorld tells the story of how ICANN would like to replace the root DNS systems with secured servers. Lars-Johan Liman, one of the root operators, spoke about the concept at ICANN's annual meeting today. He discussed how the world's current redundant DNS system is vulnerable to DDOS attacks and yet-to-be-discovered root holes in bind that can ultimately undermine the entire Internet by taking away the name-IP mappings that are relied upon by just about everyone."

9 of 354 comments

  1. News flash! by Teancom · Score: 5, Funny

    Bind may be vulnerable to security exploits! Sendmail may *not* be as secure as qmail! Walking through Harlem with $100 bills hanging out of your pockets isn't smart! Sky is blue!

    Some people just never get the news....

  2. Why still running on BIND? by kc8apf · Score: 5, Interesting

    I have yet to find the great reason why everyone uses BIND. I've been working on my own DNS server just for kicks. The protocol itself is trivial. It can be handled so easily, but yet, if you look at BIND's source code, you can't tell what is going on at all. So, why does everyone continue to use it? Or better question, why hasn't someone written a better alternative?

    --
    kc8apf
    1. Re:Why still running on BIND? by fanatic · Score: 5, Interesting

      Already available is djbdns, written by D. J. Bernstein with security as a design goal. In fact, he offers rewards to anyone who can find a vulnerability.

      --
      "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
    2. Re:Why still running on BIND? by DaSyonic · Score: 5, Informative

      djbdns, and other stuff written by him (including qmail), is all under a restrictive license. He essentially prevents any vendor/distribution from releasing it, as any vendor would need to make minor changes, but a vendor can't even change the pathnames to certain files... that's not acceptable.

      Read his license and see for yourself.

      --

      Linux: Because a PC is a terrible thing to waste.
      James Brents
  3. DNS? Ha! by tang · Score: 5, Funny

    Real men surf the net using IP addresses. (And NOT in base 10)

  4. djbdns and opennic by SuperDuG · Score: 5, Interesting

    djbdns states "I offer $500 to the first person to publicly report a verifiable security hole in the latest version of djbdns." ... and no one has claimed the $500 yet.

    Also OpenNIC is an ICANN-independent root system ... why not just use them instead of ICANN?

    --
    Ignore the "p2p is theft" trolls, they're just uninformed
  5. Starting to back it up. by miguel · Score: 5, Funny

    This time I will be prepared.

    I am downloading as we speak all the DNS records on the planet into my /etc/hosts file so I can be immune to the attacks.

    I encourage others to do the same.

  6. DJBDNS doesn't obey many RFCs, not OSS either by dido · Score: 5, Insightful

    You can't do zone transfers using djbdns for one thing. DJB thinks that zone transfers are evil, and has his own method for doing the task (rsync over ssh I believe), but whether they're evil or not is beside the point. Like it or not, zone transfers are a part of the core DNS protocols and any proper successor to BIND must implement them all. Starting a standards war with the IETF is not something I want to have along with a name server I deploy. Let Bernstein write an RFC for publication describing his idiosyncratic methods and get the IETF to ratify it as a core standard if he wants, if he truly thinks his way is the better way. The way he operates reminds me more of the way Microsoft handles standards than anything else.

    Besides, djbdns is also deficient in a far more important way (for me and to a lot of people here on Slashdot anyhow, I hope): it's actually proprietary software with a limited license for gratis use. It's not Free Software or even Open Source, not by any reasonable definition of the term. There is no license along with his programs, and absent a license you have NO RIGHT to share, study, or change Bernstein's code!

    --
    "Give me six lines written by the hand of the most honest man, and I will find something in them to have him hanged."
  7. Want to solve all the BIND security problems??? by evilviper · Score: 5, Funny

    The answer is simple, just ask the author of IPF how he did it...

    Change the BIND license to make it much more restrictive, then sit back as the OpenBSD developers build their own simpler, better, more stable, and much more secure, replacement.

    SSH.
    IPF.
    BIND?

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant