BIND Patches Make Bad Situation Worse
An anonymous reader writes "After .COM and .NET started using a wildcard, the internet community busily started creating patches to various pieces of software to circumvent this. It was said that this was a grave problem to the internet. Several official BIND patches were announced over the next few days. However, it turns out they weren't necessarily too well thought through. Usage of the patch unexpectedly broke at least 7 Top Level Domains, ISC announced 3 weeks later, after users started having problems. The .NAME registry has sent a formal letter to ICANN's Security and Stability Advisory Committee to warn against using the BIND patch, which they will look into in their next meeting. The intention may have been good, but... Stability? Anyone?"
Ok, so I want an authoritative and recursive DNS server. It needs to be able to be distributed via RPMs, and patchable, etc. I really want it to be my vendor of choice who packages and distributes it, but that's more of a social thing.
So ... what do I use?
So I'll use BIND 9 ... and when there's a security problem I hope it's the last. However, this issue doesn't count; this is a minor configuration problem that is all Verisign's fault.
ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B
Verisign is playing a cat and mouse game with the US Dept of Commerce (NTIA) and ICANN.
As I see it, Verisign is building a portfolio of legal positions that it will be using in what I believe is almost certain litigation between Verisign and ICANN, possibly involving the US Department of Commerce.
- Verisign is trying to engender a sufficient number of statements by technical experts that it can convince a judge that there is really a technical debate and that thus the judge ought to stay out of the matter.
- It is trying to come up with enough anecdotal evidence that the internet isn't broken by sitefinder. Of course, those anecdotes are from a point of view, such as that of the typical mom and pop user, that is unlikely to perceive the real damage that has been caused. But we have to remember that most people who use the net, including most judges and lawyers, see the net in that same, technically naive, way.
- It is trying to expose the fact that the US Department of Commerce never articulated, and may not have, any authority to have done what it has done in these areas and that thus it has no authority over Verisign.
- It is trying to use the previous item to undermine ICANN's authority. And ICANN's authority is far from clear: a) the contracts ICANN uses are very, very complicated (and like many complicated things, may be full of holes); b) ICANN's claims of "consensus" are far from broadly established, particularly given ICANN's expulsion of the broad community of internet users from its decision making forums.
- It is trying to establish that if there is any harm to the net, it is not of such an immediate and overwhelming nature that it has to be restrained during any legal proceedings. (Verisign would, of course, reap the financial proceeds of sitefinder during those proceedings - thus giving it a cash flow to finance the litigation. ICANN's pockets are not so deep and it is not in a position to outspend Verisign.)
So, the DNS wildcarding part of sitefinder may be turned off for the moment, but I think that is merely a tactical move on Verisign's part.
The problem is that .com and .net aren't the only TLDs with evil wildcarding brokenness, just the latest and the only one to do so unilaterally without the responsible people discussing and setting policy first, and the patch didn't list quite all the TLDs that have official policies of wildcarding, just most of them. You can update it to add the others to the list, if you want, though that'll only help web browsing on port 80, and will cause you trouble if spammers try to forge mail from the other domains.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
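To make the configuration point in Bill Stewart's comment concrete, here is an added named.conf illustration (it is not from the thread, from ISC's patch, or from any poster). It contrasts the blanket form of the BIND 9 delegation-only feature, which rejects every non-referral answer from every TLD and so breaks any TLD whose servers legitimately return real records, with two narrower forms: the same option with an exclusion list, and the per-zone `type delegation-only` statement scoped to only the zones you actually intend to filter. The `root-delegation-only`, `exclude` and `type delegation-only` keywords exist in BIND 9; the TLD names in the exclusion list are illustrative, and "name" appears there only because the summary says the .NAME registry objected to the patch, which is an assumption about its data rather than something the page states.

```conf
// named.conf fragment: added illustration, not the thread's or ISC's own text.

options {
    // Weak form (commented out): apply delegation-only to every TLD.
    // Any TLD whose servers legitimately answer with non-referral data
    // will have those answers discarded by the resolver, which is the
    // kind of breakage the thread reports for at least 7 TLDs.
    //
    // root-delegation-only;

    // Narrower form: keep the blanket option but exclude TLDs known to
    // serve real records. The list is illustrative and must be maintained
    // by the operator; "name" is an assumption based on the .NAME
    // registry's objection quoted in the summary.
    root-delegation-only exclude { "de"; "lv"; "us"; "museum"; "name"; };
};

// Alternative narrower form: instead of the root-wide option, declare only
// the zones you mean to treat as delegation-only. With this form the
// options-level root-delegation-only line above would be removed, since
// the two approaches overlap.
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
```

Whichever form is used, the operational caveat from the thread stands: the exclusion list (or the set of zones you scope the filter to) is a moving target, and a TLD that starts or stops serving real data at its apex will need the configuration revisited, so it belongs under the same change control as any other resolver policy.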