Hi,

On Tue, Apr 08, 2003 at 12:14:50PM -0700, Splash Tekalal wrote:

> At 03:17 PM 4/8/2003 +0200, you wrote:
> >Hi,
> >
> >On Tue, Apr 08, 2003 at 01:36:56PM +0200, Stephane Bortzmeyer wrote:
> >
> >> > BIND ( http://www.isc.org/products/BIND/ )
> >>
> >> Why not? The Apache of the DNS servers, feature-rich and very
> >> configurable.
> >
> >Apache is more elegant. The only thing that can equal BIND in terms of
> >bloat, root exploits and general ugliness is perhaps sendmail.
>
> Now, maybe I'm just ignorant, but are there any root exploits on Bind9?
> (specifically 9.x, not anything older.. we know 8.x was unstable =P)

Well, maybe I'm just a bit cynical, but I don't think that any piece of
software can evolve to gain a more inherently secure design.

Frankly, no amount of partial rewrites would make me trust BIND. Even if
it would have been rewritten from scratch, I'd have some trouble
believing that it took them till 2001, but that now, finally, the ISC
understands that you shouldn't trust user input, that you should free
your mallocs, and, most importantly, that you should check if a string
fits before you copy it somewhere.

Some people think C makes these things hard, but I think that you can
only have as much trouble as the ISC's been having with it if you have a
fundamentally broken programming style.

All IMHO, of course.

Cheers,

Emile.

-- 
E-Advies - Emile van Bergen           emile@e-advies.nl
tel. +31 (0)70 3906153           http://www.e-advies.nl