
Re: Securing bind..

On Monday 31 December 2001 01:29, Michael D. Schleif wrote:

> It is always amazing to me how *intelligent* people try to make their
> point by taking other people's words out of context . . .
> > http://cr.yp.to/djbdns/faq/axfrdns.html#what
I added the URL so that everyone could look it up. The WHOLE text.

I added another quote from that URL:

> Notice, that bind, current or not, has no answers to djb's concerns, as
> expressed in his complete paragraph ;>

"There has been some work on improving the zone-transfer protocol: a NOTIFY 
mechanism that wakes up the slaves (after a delay, and without a failure 
notice when something goes wrong); an experimental IXFR mechanism for 
incremental zone transfers (although the BIND implementation doesn't work for 
zone files modified by hand or by external tools); and several proposed 
security mechanisms, notably TSIG. BIND's May 2001 IXFR and TSIG 
implementations are supposedly free of the bugs that caused crashes, data 
corruption, and root exploits in previous versions of BIND. The BIND company 
occasionally mumbles about imaginary tools to handle new zones and client 
differentiation. By combining all these tools, you can finally approach the 
functionality of a trivial rsync script. Wow."

Wow. May 2001... it is 30.12.2001 now and BIND 9.2.0 is out.


DNS Security
  - DNSSEC (signed zones)
  - TSIG (signed DNS requests)

IP version 6
  - Answers DNS queries on IPv6 sockets
  - IPv6 resource records (A6, DNAME, etc.)
  - Bitstring Labels
  - Experimental IPv6 Resolver Library

DNS Protocol Enhancements
  - IXFR, DDNS, Notify, EDNS0
  - Improved standards conformance
  - One server process can provide multiple "views" of the DNS namespace, e.g.
    an "inside" view to certain clients, and an "outside" view to others.

Multiprocessor Support

Improved Portability Architecture
djb should update his security-concerned pages.
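As an added example (not from this thread and not BIND's own documentation), here is how the features the list above names fit together in a BIND 9 named.conf: TSIG-signed zone transfers, NOTIFY, and an "inside"/"outside" split via views. The key name, zone name and all addresses are constructed placeholders.

```conf
// Added example, not from the thread or from BIND's documentation.
// Primary side (named.conf): every transfer must be TSIG-signed, NOTIFY is
// sent on change, and inside/outside clients see different zone data.
// Key name, zone name and addresses are constructed placeholders.

key "xfer-key" {
    algorithm hmac-sha256;                    // 2001-era BIND had only hmac-md5; use SHA-2 now
    secret "REPLACE_WITH_BASE64_SECRET";      // placeholder; generate with tsig-keygen
};

acl "inside-net" { 192.168.0.0/16; };         // constructed internal range

options {
    directory "/var/named";
    allow-transfer { none; };                 // deny AXFR/IXFR unless a zone opts in
    notify yes;                               // wake secondaries instead of waiting for refresh
};

view "inside" {
    match-clients { inside-net; };            // first matching view wins
    recursion yes;
    zone "example.org" {
        type master;
        file "inside/example.org.zone";       // internal-only records
    };
};

view "outside" {
    match-clients { any; };                   // includes the TSIG-signed secondary
    recursion no;
    zone "example.org" {
        type master;
        file "outside/example.org.zone";      // public records only
        allow-transfer { key xfer-key; };     // unsigned AXFR/IXFR requests are refused
        also-notify { 192.0.2.53; };          // constructed secondary address
    };
};

// Secondary side (its own named.conf): sign every request to the primary
// with the same key; an unsigned request would match the public view but
// still be refused by allow-transfer.
key "xfer-key" { algorithm hmac-sha256; secret "REPLACE_WITH_BASE64_SECRET"; };
zone "example.org" {
    type slave;
    masters { 198.51.100.1 key xfer-key; };   // constructed primary address
    file "slaves/example.org.zone";
};
```

A secondary that sits inside 192.168/16 would match the "inside" view first, where transfers stay denied, so either exclude it there (`!key xfer-key;` ahead of `inside-net;` in match-clients) or give the inside zone its own allow-transfer. After a reload, a plain `dig @primary example.org AXFR` from the secondary's address should be refused while the same query with `-k` and the key file succeeds; that pair of checks is the quickest way to confirm the TSIG requirement is actually enforced.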
