On Mon, Jun 05, 2000 at 07:08:45AM -0400, Michael Stone wrote:
>
> And I still think this is a stupid reason for us to be allowing a
> security problem to sit around--how many people run dns servers on
> machines with dynamic addresses?

i would guess the people running bind on dynamic addresses consist of
the following two groups:

1) people who should not be running bind at all.

2) people who have a special need for such a thing and will be smart
enough to change the configuration to run it as root.

IMO running bind as root is insane, hell running bind at all is
halfway insane... why are we (read all who need to run DNS services)
still using this giant security hole masquerading as a DNS server?
are there no suitable replacements? (i presume dnscache is non-free,
what about dents?)

fwiw, OpenBSD by default installs an audited bind 4 configured to run
non-root in a chroot jail. i presume they don't use bind 8 because it
probably needs to be 110% rewritten to make it secure...

--
Ethan Benson
http://www.alaska.net/~erbenson/