On Wednesday, November 20, 2002, at 01:17 PM, Ben Reser wrote:
>> No one said bind doesn't work. What I said was it doesn't work securely. Anyways, have you read bugtraq and the other security lists lately? There are plenty of people pissed at ISC about this. The people who aren't, don't know any better or simply don't care. Also, why isn't switching to djbdns an option? What's stopping you?
>
> What's stopping me is I don't like the way djb does things. Sorry but I don't need to be running another person who's a pain in the ass's software. Theo is enough for me.

Never said one had to use djbdns. I never implied that the world should go and change over to it... My original argument was merely *against* BIND... there are more alternatives than just djbdns. Feel free to pick any of them you like. I can't say anything about them because I haven't tried them... I haven't tried them because djbdns "works for me".

> Sure BIND has had its share of security issues. But I think arguing that someone should use software simply because it hasn't is specious. The amount of security problems is related to the number of users using a piece of software too. Viruses that take advantage of flaws in mutt don't exist because mutt doesn't have a big enough user base to make it worthwhile to write. Not because mutt doesn't (and hasn't) had security flaws.

Again, you misunderstand my intentions. This whole bind vs. djbdns was not brought on by myself. I simply argue against bind... if someone wants to equate that to djbdns advocacy, that's entirely up to them. For all I know, DENTS is better than djbdns... or maradns is better. But I'd put money on the fact that *any* of them are better than bind.

Yes, more security flaws are probably found in bind because more people use it. But, you have to look at the alternate approach as well. Many people look for holes in bind for the pay off (remote access to unauthorized machines, the glory of finding a hole, etc.). Money is involved here as well. Let's not forget that djb rewards those who find security problems with his software. Don't tell me that no one has looked knowing that if they find one, it's payday.

I also put a little stock in the fact that both qmail and djbdns, both by the same author, have pristine security histories, despite this "i'll pay you if you exploit it" guarantee. That makes me feel much more secure than Vixie's multiple holes in bind, holes in dhcpd, holes in vixie-cron. Is there a single piece of software Vixie has authored that *hasn't* had a hole in it? That doesn't provide me with much confidence. The proof is in the pudding... Vixie's coding skills are crap. Insofar as security is concerned, of course.

> Don't confuse the lack of security issues with security. They are very different things. People were saying that Linux was more secure than Windows because there weren't nearly as many vulnerabilities for Linux as for Windows. But this year's vulnerability list for the two tells a different story. What those numbers mean is open for interpretation.

Those numbers are ludicrous. What is Linux? A kernel. What is Windows? A kernel, desktop, browser, etc. Let's compare apples to apples. Compare the number of security holes in the Linux kernel to those included in the Windows kernel. Oh, wait, you have to include the browser and desktop there as well, since they're basically all one and the same.

Journalists don't understand this. You do. I do. 'nuff said.

> On another note. The issues that have come to light recently were errors in the dnssec portion of the implementation. It's not terribly surprising that errors have been made in this new part of the protocol. Considering that djb hasn't bothered to implement this (and crypto enhanced protocols are not trivial to implement) people using this product can't really criticize ISC for having security issues in its implementation of it.

djb hasn't bothered because, IIRC, it isn't finished. I quote a posting from djb himself on slashdot:

"As for DNSSEC, the protocol isn't even finished, let alone required. Basic features are still in flux, and the system won't work without a centralized key-management system that doesn't exist [cr.yp.to]."

And no, it may not be trivial to implement, but good grief... do you trust someone to do something this important that can't even write resolver libs securely?

Here's the whole thread where his comments (multiple comments actually) are posted:

http://developers.slashdot.org/comments.pl?sid=44855&cid=0&pid=0&startat=&threshold=1&mode=netsted&commentsort=0&op=Change

sorry if that wraps.

> Now I understand the disappointment that people have with the way ISC handled this. Perhaps someone should ask Vixie about it. Maybe he has an explanation. Maybe he agrees and is going to do something about it. But all this ranting and raving about how ISC sucks isn't going to do any of us any good.

Disappointment? I think you put too light of a word on that particular situation. If someone is merely disappointed, they should be asking themselves how much security and responsible disclosure means to them.

At any rate, this is turning into a flamewar between bind and djbdns more than anything productive, so I've got one more comment to make and that'll be it for me.

Too much other stuff to do. =)
--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}