Slashdot Mirror


BIND Patches Make Bad Situation Worse

An anonymous reader writes "After .COM and .NET started using a wildcard, the internet community busily started creating patches to various pieces of software to circumvent this. It was said that this was a grave problem to the internet. Several official BIND patches were announced over the next few days. However, it turns out they weren't necessarily too well thought through. Usage of the patch unexpectedly broke at least 7 Top Level Domains, ISC announced 3 weeks later, after users started having problems. The .NAME registry has sent a formal letter to ICANN's Security and Stability Advisory Committee to warn against using the BIND patch, which they will look into in their next meeting. The intention may have been good, but... Stability? Anyone?"

2 of 280 comments

  1. Sounds like a good reason to use djbdns instead by ncc74656 · Score: 3, Interesting
    http://cr.yp.to/djbdns.html

    It's nowhere near as difficult to set up as BIND, it's more secure than BIND, and there's a patch available to block Verisign's wildcard lookups. I've been running the patched version at home and at work since shortly after Verisign added the wildcard records and haven't had issues with any DNS queries.

    --
    20 January 2017: the End of an Error.
  2. What problem? by Anonymous Coward · Score: 1, Interesting

    .name suits complain that their wildcard doesn't work anymore with those who installed patched Bind?
    How is it a problem for anyone except them?

    When Verisign turned the wildcard for .com/.net and ISC came up with Bind patches, many admins decided to also block wildcards in about a dozen small TLDs, some of which supported wildcards from day one - they were simply below the radar until Sep 15. Now those TLDs are unhappy because customers have tools to block their idiotic tricks - who cares? - how are they any better than Verislime except they can't quite screw up as many people?

    I am perfectly happy running the patched bind and have no intention of rolling it back - even if sitefinder is out for good, it's a matter of principle - no wildcards on TLDs!

    Vlad