Dan,

> This NXT buffer overflow isn't part of some old code that Paul Vixie
> inherited from careless graduate students. It's new code.

Actually, most of the code is derived from a prototype DNSSEC implementation
done by John Gilmore and TIS quite a while back. TIS (sorry, Network
Associates) contributed the revised implementation for the 8.2 release.

> Obviously ISC's auditing is inadequate.

For BINDv8, yes, it obviously was.

> Is ISC going to
> rewrite the client and server in a way that gives us confidence in
> their security?

BIND version 9 is a complete rewrite with an attempt to focus on
compartmentalization and auditability of the code.

Regards,
-drc