> Well, now, hold on there a minute, Ben.... 

If you can hold him back, he is frothing at the bit...

> There is something that has
> been completely missed here. Everyone keeps harping on the "Security
> holes big enough to drive a truck through" in BIND. 

Well, yes it IS a problem, being that it has caused widespread internet
problems in recent history....cache poisoning is a widespread form of
attack that has not fully been addressed in BIND.

> Everyone keeps
> talking about how fixing BIND would require a complete rewrite, and no
> one wants to do that. 

A lot of people want to, but....
DJB wrote a better, smaller, faster, modular replacement, but Ben keeps
nitpicking and spreading non-facts about it, after admitting that he
only read a small subset of the web pages about it.

> Well, BIND *HAS* been completely rewritten. 

And MS Windows has been "completely rewritten"... ergo, it is perfect.

> All of
> the security holes that are being found/announced are for either 4.x or
> 8.2. No one has even mentioned BIND v9, which is a complete rewrite, and
> was designed with security in mind this time around. 

You mean they didn't have security in mind before....?

> I haven't dug too deeply into it, 

obviously...

> but just the fact that it has ipv6 capabilities, IPSec
> interop, NOCONNECT options, etc. etc. etc. 

feature creep != reliability and security!

Adding IPV6 support means they are listening to people crying out about
security problems???

> tells me that someone out
> there is not only listening, but also acting on the various problems.
> None of the security holes that have been announced in the last 6+
> months are in BIND 9. 

There are _hundreds_ of bugs listed in the 9.1.0rc1 CHANGES file.  Many of
these are serious reliability problems.  For
example, "dns_zone_dump() overwrote existing zone files rather than
writing to a temporary file and renaming" means that a temporary power
outage can destroy addresses. Some of the bugs, just like
some of the BIND 8 bugs described on the BIND company's "BIND security" web
page, allow anyone on the Internet to disable BIND with a single packet. It's
just a matter of time before someone sees how one of these BIND 9 bugs
opens up a security hole.

Why should we believe that the 300000 lines
of new code in BIND 9 were written more carefully than the 130000 lines
of new code in BIND 8?

[the above was paraphrased from the djbdns web site (cr.yp.to)]

> A poor history is something to consider when
> choosing, sure. 

My point, exactly. 8 strikes, and you are betting on a home run from #9?

On the list and off the list Ben says both
"this is enough", then flames back.  If you _really_ want to learn about
DNS and djbdns, other than a cursory dismissal, send an email to
[EMAIL PROTECTED] and sign up for that list.  Post your concerns
or criticisms there, where they will be answered by persons much more
knowledgeable than I.

I don't think that you are serious about examining any
software that actually requires you to _learn_ anything - you just
want a support group where you can cry on the shoulders of other BIND (and
sendmail, and wu-ftp, and Windows, and Outlook) users, while justifying
going back to your abusive spouse.

It sounds like some supposed Linux supporters, rather than being
flag carriers for new and better software, are merely geriatric Unix
sysadmins who want to ride on the coattails of the movement, and refuse to
acquaint themselves with new software, spreading FUD when they are
threatened.

How many DNS servers have you evaluated in real-life situations?
MTAs? TCP connection brokers? FTP servers?

I really don't get it - if you are so intent on defending crapware from
the 80's, why aren't you advocating MS DOS 6.22 as the end-all
"innovative" OS..  It is, after all, "compatible". Or is it that you have a
vested interest, i.e., learning curve, in how BIND works, and it is easier
to whine than really read the RFCs and look at alternatives?

BTW: Vixie cron has recently gotten a lot of press for being just as
amateurish and bug-riddled as BIND.  (What WERE these guys smoking back
at Berkeley?) I have just started on porting the OpenBSD cron to Linux, if
anyone is interested (Obviously it cannot be GPL'd, only BSD's).

End of flame - I am out of propane.  I just hope the nurses can wheel Ben
up to his WebTV to check his email this week.

--Pete

PS I am more than willing to discuss these issues, off-list, with other
upright-walking primates.
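The dns_zone_dump() entry quoted above (overwriting the zone file in place instead of writing a temporary file and renaming) is the classic non-atomic update: a crash mid-write leaves a truncated zone. As an added example, not BIND's or djbdns's own code, here is the write-to-temp, fsync, rename pattern in C; the ".tmp.<pid>" suffix, the 4096-byte path buffer and the 0644 mode are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Write `len` bytes to `path` atomically.  The data goes to a temporary
 * file in the same directory (assumed name: <path>.tmp.<pid>), is fsync'd,
 * and is then renamed over the old file.  A power loss leaves either the
 * complete old file or the complete new one, never a partial one.
 * Returns 0 on success, -1 on failure with errno set. */
int atomic_write_file(const char *path, const void *data, size_t len)
{
    char tmp[4096];
    int fd = -1;
    const char *p = data;
    size_t left = len;

    if (snprintf(tmp, sizeof tmp, "%s.tmp.%ld", path, (long)getpid())
            >= (int)sizeof tmp) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* O_EXCL: never silently reuse a leftover temp file from a crash. */
    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    while (left > 0) {                 /* handle short writes */
        ssize_t n = write(fd, p, left);
        if (n < 0) { if (errno == EINTR) continue; goto fail; }
        p += n; left -= (size_t)n;
    }
    if (fsync(fd) < 0) goto fail;      /* data on disk before the rename */
    if (close(fd) < 0) { fd = -1; goto fail; }
    fd = -1;
    if (rename(tmp, path) < 0) goto fail;   /* atomic replacement */
    return 0;
fail:
    if (fd >= 0) close(fd);
    unlink(tmp);                       /* the old file is untouched */
    return -1;
}

/* Read up to `cap` bytes of `path` into buf; returns bytes read or -1. */
long read_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap, f);
    fclose(f);
    return (long)n;
}
```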


**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************