This is a discussion on DNS recommendations within the Linux Security forums, part of the System Security and Security Related category.
Tim Haynes <usenet-20041214@stirfried.vegetable.org.uk> wrote:
> Someone recently described bind-9 as a total rewrite; while I'm hazy
> about that, I'm pretty sure I don't remember that many
> security-related updates with it. So maybe people should distinguish
> based on `bind9' rather than just `bind'.

They should, indeed. Telltale signs of membership in Prof. Bernstein's proprietary software fan-club:

1. Professing to be unaware of BIND9 being a completely different codebase from BIND8/BIND4, even while claiming to be an experienced DNS admin.

2. Comparing one's favourite MTA _only_ against sendmail, as if Postfix, Courier-MTA, and Exim4 didn't exist.

BIND9 has some grievous faults -- it's slow, overfeatured, and needlessly monolithic -- but a poor security history isn't among them: Paul Vixie realised that the legacy BIND8 codebase he inherited from sundry long-ago Berkeley grad. students was hopeless spaghetti code and needed to be abandoned over the long term. So, he commissioned Nominum, Inc. to code a replacement solely from the documented, intended behaviour, using no code from the legacy codebase. Thus, BIND9.

It's difficult to believe that the inevitable djbdns advocacy squads _still_ aren't aware of those facts, after innumerable past corrections.

--
This message falsely claims to have been scanned for viruses with F-Secure Anti-Virus for Microsoft Exchange and to have been found clean.
On 2004-12-14, Jem Berkes <jb@users.pc9.org> wrote:
>>> Bind looks like it will do all we need, but we've heard a number of
>>> security concerns with bind.
>>
>> Bind can run as user within a chroot jail with no problems. Adding
>> some kernel patch like grsecurity to limit what processes can do under
>> chroot will give you a fairly good setup to begin with.
>
> While BIND can be locked down to some degree, I am still very suspicious of
> the software. I mean, how many remote root holes do you find in software
> before you just write it off as poorly designed, broken, hopeless?

Bind v9 was a complete re-write of the software and in my experience has been both reliable and secure.

> I don't
> know about recent versions, but past versions used tons of resources.

For my home network, I'm running it on a 5x86/133 with 32MB RAM on NetBSD.

--
-John (john@os2.dhs.org)
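The chroot-plus-unprivileged-user setup quoted above is only worth anything if the running daemon is actually confined that way, so here is a small audit script to check that. This is an added example, not code from the thread or from BIND; it is Linux-specific (it reads /proc/<pid>/root and /proc/<pid>/status), it assumes the daemon's process name is "named" and that `pidof` is available, and it must run as root to read another user's /proc/<pid>/root.

```shell
#!/bin/sh
# Added example: verify that a process is really chrooted and not running as
# uid 0, which is the hardening the quoted post describes for BIND.
# Assumptions: Linux /proc layout; BIND's daemon is called "named";
# pidof (procps/sysvinit) is present.

# Print the effective uid of a pid; fail if the pid is gone or unreadable.
proc_euid() {
    pid=$1
    [ -r "/proc/$pid/status" ] || return 1
    # "Uid:  real  effective  saved  fs" -- field 3 is the effective uid.
    awk '/^Uid:/ { print $3 }' "/proc/$pid/status"
}

# Print the directory the process sees as "/" (empty if unreadable, e.g.
# when auditing another user's process without root).
proc_root() {
    pid=$1
    readlink "/proc/$pid/root" 2>/dev/null
}

# Return 0 only if the pid is both chrooted (its "/" is not the real "/")
# and not running as uid 0; 1 if either check fails; 2 if no such process.
audit_confinement() {
    pid=$1
    root=$(proc_root "$pid") || root=""
    euid=$(proc_euid "$pid") || euid=""
    if [ -z "$euid" ]; then
        echo "pid $pid: no such process"
        return 2
    fi
    ok=0
    if [ -z "$root" ] || [ "$root" = "/" ]; then
        echo "pid $pid: NOT chrooted (root=${root:-unreadable})"
        ok=1
    else
        echo "pid $pid: chrooted to $root"
    fi
    if [ "$euid" = "0" ]; then
        echo "pid $pid: runs as root (euid 0)"
        ok=1
    else
        echo "pid $pid: runs as euid $euid"
    fi
    return $ok
}

# Audit every running "named"; non-zero if any instance is not confined.
audit_named() {
    pids=$(pidof named 2>/dev/null) || { echo "named is not running"; return 2; }
    rc=0
    for p in $pids; do
        audit_confinement "$p" || rc=1
    done
    return $rc
}
```

Run `audit_named` as root on the resolver host; a clean result prints a non-"/" root and a non-zero euid for each named process. Note that a process reports its chroot only from outside the jail, so run the audit from the host, not from inside the chroot.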
Huge <huge@ukmisc.org.uk> wrote:
> Indeed. But that's not what I said. I said that providing you can tolerate
> his attitude. That is a point.

> Authors of Open Source software with attitude problems are a pain to deal
> with. Why make life difficult for yourself?

(Quibble: djbdns isn't open source, though its terms include source availability.)

In fairness: It would be very rare for most users of djbdns and other DJBware to encounter Prof. Bernstein, or have any call to do so.