
Re: Securing bind..



jernej horvat wrote:
> 
> On Monday 31 December 2001 01:29, Michael D. Schleif wrote:
> 
> <...>
> > It is always amazing to me how *intelligent* people try to make their
> > point by taking other people's words out of context . . .
> <...>
> > > http://cr.yp.to/djbdns/faq/axfrdns.html#what
> I added the URL so that everyone could look it up. The WHOLE text.
> 
> I added another quote from that URL.
> 
> > Notice, that bind, current or not, has no answers to djb's concerns, as
> > expressed in his complete paragraph ;>
> 
> "There has been some work on improving the zone-transfer protocol: a NOTIFY
> mechanism that wakes up the slaves (after a delay, and without a failure
> notice when something goes wrong); an experimental IXFR mechanism for
> incremental zone transfers (although the BIND implementation doesn't work for
> zone files modified by hand or by external tools); and several proposed
> security mechanisms, notably TSIG. BIND's May 2001 IXFR and TSIG
> implementations are supposedly free of the bugs that caused crashes, data
> corruption, and root exploits in previous versions of BIND. The BIND company
> occasionally mumbles about imaginary tools to handle new zones and client
> differentiation. By combining all these tools, you can finally approach the
> functionality of a trivial rsync script. Wow."
> 
> Wow. May 2001... it is 30.12.2001 now and BIND 9.2.0 is out.
> 
> http://www.isc.org/products/BIND/bind9.html
> 
> DNS Security
>   DNSSEC (signed zones)
>   TSIG (signed DNS requests)
> IP version 6
>   Answers DNS queries on IPv6 sockets
>   IPv6 resource records (A6, DNAME, etc.)
>   Bitstring Labels
>   Experimental IPv6 Resolver Library
> DNS Protocol Enhancements
>   IXFR, DDNS, Notify, EDNS0
>   Improved standards conformance
> Views
>   One server process can provide multiple "views" of the DNS namespace, e.g.
>   an "inside" view to certain clients, and an "outside" view to others.
> Multiprocessor Support
> Improved Portability Architecture
> -
> djb should update his security-concerned pages.

	improved != resolved

By-the-by, what does ``Improved standards conformance'' mean?  Does it
or does it *not* conform?  Or, is it just a little bit pregnant?

``By combining all these tools, you can finally approach the
functionality of a trivial rsync script. Wow.''

Enough said . . .

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .
