hi
        I hope u find the forwarded message very informative. it's quite big, 
but i thought it would be fair to all if i quoted the entire thing. As u can
see, it was triggered by the BIND vulnerability.

regards
omicron 

--
An optimist sees light at the end of every tunnel.
A pessimist fears it might be of an incoming train.

[EMAIL PROTECTED]      omicron.symonds.net

          C O G I T O    E R G O    S U M
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---------- Forwarded message ----------
Date: Tue, 30 Jan 2001 18:37:26 +0100
From: Gerhard Sittig <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [suse-security] OT? djbdns (was: CERT Advisory CA-2001-02
    Multiple Vulnerabilities in BIND (fwd))

On Tue, Jan 30, 2001 at 08:04 +0100, Stefan Nauber wrote:
> 
> > administration that makes me wish I had bind running.
> > Serving zones, doing transfers, caching -- all's fine, fast
> > and runs on low resources.  What do I miss?
> 
> [ ... ]
> 
> > Maybe it's complicated syntax or resource hogs?
> Complicated syntax with djbdns? Don't know what you are talking
> about :-)

When somebody wants to get it wrong, he can -- no matter how much
effort I put into wording things. :>  The above still was one of
the "things I should miss?" items.  And as I stated:  running
djbdns I miss neither bind's insane syntax nor its resource
consumption.  While both programs would serve my basic needs,
it's just that one of them is more complex and continuously
causes problems I don't need in the first place.  So I decided to
use the lightweight and easy one.  And on top I got a secure and
fast one.

I guess that bind users might have reasons for using this
software, be it simply being used to use it or real need in
special cases.  But speaking for the plain vanilla scenario of
simply serving zones you own while doing transfers from and to
other sites and caching for your LAN / customers I cannot see
*any* valid reason why djbdns should miss something.  It does all
the average admin needs and does so _very_ well.

For those readers interested in making up an opinion of their own
instead of repeating what others say about "lacks, doesn't
suffice" or "it's great, you just don't see" I only can repeat
the suggestion of looking over http://cr.yp.to/ and setting up a
test scenario.  Since this is a security list I expect people to
not believe everything others tell them but to check themselves
to make sure ... :)  Although chances are quite good that people
will be horrified at what they missed all the time and decide to
move to djbdns ASAP, too. :>

Triggered by the thread I went to the above site today and found
the "ad" section with the "ease of use" document quite amusing.
It absolutely covers personal experience.  Take this and visit
the http://www.isc.org/ site to see the list of security problems
in the recent past only.  I don't want to work hard to secure my
machines and then walk in and open them up to the world by
installing a bloated program for an essential service.  The "not
implemented functionality cannot be done wrong" approach is
really convincing.  And anything more than enough is just too
much with regards to security.  When in the need of setting up a
DNS server, I'll always take the more secure one, please!  And
I've yet to see what should push me to using bind.


And BTW I have looked at the dist.html file stating what
distributors are allowed to do.  I fail to see *any* point why
any reasonable distribution should be disallowed.  The foremost
concern DJB states - cited from an ancient local doc - is "It is
not acceptable to have DNScache working differently on different
machines; any variation is a bug."  If that's too hard a
constraint (not satisfied with the fs layout?  want to have
nonfunctional software?  want to have software not working as
designed and advertised?  want to search for and get mad about
deviations between distros / platforms?), you seem to have other
problems.

But I haven't seen SuSE stating "we're not allowed to", it was
just a "personal opinion" (I'm sure Kurt will correct me in case
I'm wrong).  Maybe somebody of the SuSE staff will have a second
look and draw his own conclusions?  The "I'm interested in
hearing about any CDs that include the package" reads like DJB
can very well imagine having his software in a distro ...


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" [EMAIL PROTECTED]
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.



----------------------------------------------
Find out more about this and other Linux India 
mailing lists at http://lists.linux-india.org/