[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Securing bind..

jernej horvat wrote:
> On Monday 31 December 2001 01:29, Michael D. Schleif wrote:
> <...>
> > It is always amazing to me how *intelligent* people try to make their
> > point by taking other people's words out of context . . .
> <...>
> > > http://cr.yp.to/djbdns/faq/axfrdns.html#what
> i added the URL so i that everyone could look it up. the WHOLE text.
> i added another quote from that URL..
> > Notice, that bind, current or not, has no answers to djb's concerns, as
> > expressed in his complete paragraph ;>
> "There has been some work on improving the zone-transfer protocol: a NOTIFY
> mechanism that wakes up the slaves (after a delay, and without a failure
> notice when something goes wrong); an experimental IXFR mechanism for
> incremental zone transfers (although the BIND implementation doesn't work for
> zone files modified by hand or by external tools); and several proposed
> security mechanisms, notably TSIG. BIND's May 2001 IXFR and TSIG
> implementations are supposedly free of the bugs that caused crashes, data
> corruption, and root exploits in previous versions of BIND. The BIND company
> occasionally mumbles about imaginary tools to handle new zones and client
> differentiation. By combining all these tools, you can finally approach the
> functionality of a trivial rsync script. Wow."
> Wow.  May 2001.....it is 30.12.2001 now and BIND 9.2.0 is out.
> http://www.isc.org/products/BIND/bind9.html
> DNS Security
>  DNSSEC (signed zones)
>  TSIG (signed DNS requests)
>  IP version 6
>  Answers DNS queries on IPv6 sockets
> IPv6 resource records (A6, DNAME, etc.)
> Bitstring Labels
> Experimental IPv6 Resolver Library
>  DNS Protocol Enhancements
>  IXFR, DDNS, Notify, EDNS0
> Improved standards conformance
> Views
>  One server process can provide multiple "views" of the DNS namespace, e.g.
> an "inside" view to certain clients, and an "outside" view to others.
>  Multiprocessor Support
> Improved Portability Architecture
> -
> djb should update his security concerned pages.

	improved != resolved

By-the-by, what does ``Improved standards conformance'' mean?  Does it
or does it *not* conform?  Or, is it just a little bit pregnant?

``By combining all these tools, you can finally approach the
functionality of a trivial rsync script. Wow.''

Enough said . . .


Best Regards,

mds resource

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .

Reply to: