Re: Securing bind..
On Monday 31 December 2001 01:29, Michael D. Schleif wrote:
<...>
> It is always amazing to me how *intelligent* people try to make their
> point by taking other people's words out of context . . .
<...>
> > http://cr.yp.to/djbdns/faq/axfrdns.html#what
I added the URL so that everyone could look it up. The WHOLE text.
I added another quote from that URL..
> Notice, that bind, current or not, has no answers to djb's concerns, as
> expressed in his complete paragraph ;>
"There has been some work on improving the zone-transfer protocol: a NOTIFY
mechanism that wakes up the slaves (after a delay, and without a failure
notice when something goes wrong); an experimental IXFR mechanism for
incremental zone transfers (although the BIND implementation doesn't work for
zone files modified by hand or by external tools); and several proposed
security mechanisms, notably TSIG. BIND's May 2001 IXFR and TSIG
implementations are supposedly free of the bugs that caused crashes, data
corruption, and root exploits in previous versions of BIND. The BIND company
occasionally mumbles about imaginary tools to handle new zones and client
differentiation. By combining all these tools, you can finally approach the
functionality of a trivial rsync script. Wow."
Wow. May 2001..... It is 30.12.2001 now and BIND 9.2.0 is out.
http://www.isc.org/products/BIND/bind9.html
DNS Security
  - DNSSEC (signed zones)
  - TSIG (signed DNS requests)
IP version 6
  - Answers DNS queries on IPv6 sockets
  - IPv6 resource records (A6, DNAME, etc.)
  - Bitstring Labels
  - Experimental IPv6 Resolver Library
DNS Protocol Enhancements
  - IXFR, DDNS, Notify, EDNS0
  - Improved standards conformance
Views
  - One server process can provide multiple "views" of the DNS namespace, e.g.
    an "inside" view to certain clients, and an "outside" view to others.
Multiprocessor Support
Improved Portability Architecture
-
djb should update his security-concerned pages.
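As an added example, not taken from this thread or from ISC's own documentation, here is how the BIND 9 features named in the post (TSIG-signed transfers, NOTIFY, IXFR, views) fit together in named.conf so that a secondary can only pull the zone with the shared key and the public view serves no recursion. The addresses, file paths and key secret are constructed placeholders.

```conf
// ---- primary (198.51.100.1) ----
// Placeholder key: generate the real base64 secret with dnssec-keygen and
// put the SAME key block into the secondary's named.conf.
key "xfer-key" {
    algorithm hmac-md5;
    secret "c29tZS1jb25zdHJ1Y3RlZC1zZWNyZXQ=";   // constructed, not a real key
};

// Sign everything exchanged with the secondary (NOTIFY, AXFR/IXFR).
server 198.51.100.2 {
    keys { "xfer-key"; };
};

view "inside" {
    match-clients { 192.0.2.0/24; localhost; };   // internal clients only
    recursion yes;
    zone "example.com" {
        type master;
        file "inside/example.com.zone";
        allow-transfer { none; };     // internal data never leaves this view
        notify no;
    };
};

view "outside" {
    match-clients { any; };            // everyone else, including the secondary
    recursion no;                      // no open recursion on the public view
    zone "example.com" {
        type master;
        file "outside/example.com.zone";
        // Only requests signed with the key may AXFR/IXFR this zone;
        // an unsigned transfer request from any address is refused.
        allow-transfer { key "xfer-key"; };
        notify yes;                    // wakes the secondary after a reload
    };
};

// ---- secondary (198.51.100.2), same key block as above ----
zone "example.com" {
    type slave;
    file "slave/example.com.zone";
    masters { 198.51.100.1 key "xfer-key"; };   // sign the transfer request
    allow-transfer { none; };          // do not re-serve the zone onward
};
```

With this in place a transfer attempt from the secondary's address but without the key is logged and refused, which is the check to verify after deployment.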