On Wed, Nov 20, 2002 at 02:21:19PM -0700, Vincent Danen wrote:

> Never said one had to use djbdns. I never implied that the world
> should go and change over to it... My original argument was merely
> *against* BIND... there are more alternatives than just djbdns. Feel
> free to pick any of them you like. I can't say anything about them
> because I haven't tried them... I haven't tried them because djbdns
> "works for me".

> Again, you misunderstand my intentions. This whole bind vs. djbdns was
> not brought on by myself. I simply argue against bind... if someone
> wants to equate that to djbdns advocacy, that's entirely up to them.
> For all I know, DENTS is better than djbdns... or maradns is better.
> But I'd put money on the fact that *any* of them are better than bind.

That's precisely why your argument is an advocacy of djbdns. Without
having tested any of them, saying that they are better than bind is like
saying that tinydns can't do the job. It's no different. You're making
a blanket statement. As a result, without having tried it, the only piece
of software you can really advocate is djb's.

> Yes, more security flaws are probably found in bind because more people
> use it. But, you have to look at the alternate approach as well. Many
> people look for holes in bind for the pay off (remote access to
> unauthorized machines, the glory of finding a hole, etc.). Money is
> involved here as well. Let's not forget that djb rewards those who
> find security problems with his software. Don't tell me that no one
> has looked knowing that if they find one, it's payday.

I don't know anyone who has the skills to do a security audit of a piece
of software as complex as a DNS server or a mail server that would do it
for just $500. Give me a break, Vincent. Bruce Schneier has called these
awards for bugs a joke. And they are. All it proves is that it wasn't
worth $500 to someone to search for a bug. It doesn't mean that there
isn't one. So if the payday is so appealing, why haven't you done a
security audit on these pieces of software?

> I also put a little stock in the fact that both qmail and djbdns, both
> by the same author, have pristine security histories, despite this
> "i'll pay you if you exploit it" guarantee. That makes me feel much
> more secure than Vixie's multiple holes in bind, holes in dhcpd, holes
> in vixie-cron. Is there a single piece of software Vixie has authored
> that *hasn't* had a hole in it? That doesn't provide me with much
> confidence. The proof is in the pudding... Vixie's coding skills are
> crap. In as far as security is concerned, of course.

Maybe, maybe not. I don't think djb's got enough of a userbase to compare
to Vixie's. ISS and companies like it are constantly auditing Vixie's
code for issues (and $500 doesn't incite ISS to spend time to audit
djb's code; customers paying a lot more than that does). I've never
seen them come out and say they audited qmail or djb and found it safe.
I kinda doubt they have even audited that software. Because auditing
dollars go where feet go. And the feet are with Vixie. So the eyeballs
are with Vixie. And that makes me more comfortable.

But the truth is that every single developer writes security bugs. I
don't believe it is possible to write a 100% secure piece of software.
There will always be unintended consequences of your code.

Now the way this disclosure went down does make me uncomfortable, if it
went down the way you say it did. But I think you're making a lot of
assumptions in this case. And everyone can make mistakes. If ISC turns
this into a habit of how they handle things... then perhaps I'll switch.
But at present I'm not so uncomfortable with it to make me want to
switch. The eyeballs effect offsets that discomfort. And without a
tested, well used piece of software to turn to other than djb's, I don't
have a lot of other compelling choices (I've already explained why I
don't care for djb's software).

> Disappointment? I think you put too light of a word on that particular
> situation. If someone is merely disappointed, they should be asking
> themselves how much security and responsible disclosure means to them.

I'm disappointed. Fact is, you are the only person that I've heard
anything from about this. When openssh pulled their stunt, lots of
people were pissed at them about this. I'll reserve judgement until I'm
presented with all the facts. Since I haven't heard anyone present ISC's
statement of their position, I think it's premature to judge their
motives and methods. Especially since your position is based upon a
number of assumptions about what they did and did not do that you don't
have any way of ascertaining for certain.

-- 
Ben Reser <[EMAIL PROTECTED]>
http://ben.reser.org

"If you're not making any mistakes, you're flat out not trying hard
enough." - Jim Nichols
