Slashdot Mirror


BIND Patches Make Bad Situation Worse

An anonymous reader writes "After .COM and .NET started using a wildcard, the internet community busily started creating patches to various pieces of software to circumvent this. It was said that this was a grave problem to the internet. Several official BIND patches were announced over the next few days. However, it turns out they weren't necessarily too well thought through. Usage of the patch unexpectedly broke at least 7 Top Level Domains, ISC announced 3 weeks later, after users started having problems. The .NAME registry has sent a formal letter to ICANN's Security and Stability Advisory Committee to warn against using the BIND patch, which they will look into in their next meeting. The intention may have been good, but... Stability? Anyone?"

2 of 280 comments

  1. Overblown by Rafke · · Score: 5, Informative
    This report sounds a bit overblown. A conservative named.conf would only contain:

    zone "com" { type delegation-only; };
    zone "net" { type delegation-only; };

    And that would not have the problems described.
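    For comparison, here is an added example (not from the page, not ISC's own sample, and not Rafke's code) of the three ways the delegation-only behaviour can be written in a BIND 9 named.conf: the broad global switch, the global switch with exclusions, and the conservative per-zone form. The TLDs listed in the exclude clause are illustrative assumptions, not facts taken from the page. Only one options block may exist in a real named.conf, so the broad alternatives are shown commented out and the conservative form is the one left active.

```conf
// Added example: delegation-only configuration alternatives for BIND 9.
// This is not the page's code nor ISC's; the exclude list below is an
// illustrative assumption and must be maintained by whoever deploys it.

// --- Alternative A (broad): every TLD treated as delegation-only ---
// Answers from any top-level zone that carry real records instead of a
// delegation (NS + glue) are discarded and the name resolves as NXDOMAIN.
// A TLD that serves names directly from its own servers breaks here.
//
// options {
//     root-delegation-only;
// };

// --- Alternative B (global switch with carve-outs) ---
// Same behaviour, but TLDs known not to be pure delegation zones are
// excluded.  The names in the list are an assumption for illustration.
//
// options {
//     root-delegation-only exclude { "de"; "lv"; "us"; "museum"; "name"; };
// };

// --- Alternative C (conservative, the form Rafke's comment recommends) ---
// Only the two zones that actually introduced the wildcard are affected;
// no other TLD's behaviour changes.
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
```

    Before reloading, run `named-checkconf` against the file to catch syntax errors such as a duplicated options block; after `rndc reload`, a query for a name that a TLD server answers directly rather than delegating should come back NXDOMAIN under the affected zones and be unchanged everywhere else.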
  2. Re:BIND considered harmful by Nevyn · · Score: 5, Informative
    there is more than one good alternative, including, but not limited to, djbdns.

    Ok, so I want an authoritative and recursive DNS server. It needs to be able to be distributed via rpms, and patchable etc. I really want it to be my vendor of choice who packages and distributes it, but that's more of a social thing.

    So ... what do I use?

    • nsd is written with just as little regard for security as bind ... and isn't a recursive server
    • djbdns has all the legal djb problems and can't be a recursive and authoritative server
    • maradns has already had security problems and fairly major DNS bugs, uses a threaded design and has piles of needed things in the "unimplemented" section of the man page. The string ADT looks suspicious to say the least.
    • dnrd is recursive only
    • dents unmaintained, and never worked well AIUI
    • dnsmasq just does recursive queries
    • dnsproxy is just recursive
    • ens (yaku-ns) is said to be "experimental" by the author
    • pdnsd proxy only, has lots of bugs and uses a threaded design.

    So I'll use bind 9 ... and when there's a security problem I hope it's the last. However this issue doesn't count, this is a minor configuration problem that is all Verisign's fault.

    --
    ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B