[Cialug] Are you using IPv6?

Nicolai nicolai-cialug at chocolatine.org
Thu Mar 29 21:37:45 CDT 2012


On Thu, Mar 29, 2012 at 06:50:17PM -0500, Jeffrey Ollie wrote:
> It seems to me that BIND is a victim of its popularity - there are a
> lot of security vulnerabilities found because there are more people
> looking for them.

That's one reason.  Another is BIND's design which naturally lends
itself to security holes.  If you do a side by side comparison of BIND's
design and codebase to alternatives, it's no surprise that BIND far
surpasses other DNS software in vulnerabilities.  But more eyes help.
The OpenBSD project is slowly integrating Unbound into base -- maybe as
this process continues some security related patches will find their way
upstream.

> The ISC seems to have a very good record of fixing any problems quickly
> as they are found.

Apart from the scandal a few years ago when the BIND company wanted to
charge money for security patches to organizations willing to pay a
premium.  And then later, for some reason two weeks comes to mind,
release said patches to the public, in effect holding vulnerable users
hostage.  I don't think that meets the legal definition of extortion but
it's the same idea.  Of course the backlash was extremely negative and
they scratched it.  Imagine if Torvalds did that to Linux users -- what
would be your response?  Whether it was implemented or not, that's a
huge red flag.

Or the "Kaminsky bug" which was actually discovered by DJB about a
decade before Kaminsky prompted BIND to add source port randomization.
I suppose a decade late is better than nothing. :-)

ISC does long-term support on its software, though.  That's for sure.
And Vixie's done a huge amount for the Internet.  I like BIND's recent
functionality of a drop-in blacklist, essentially a local RHSBL for DNS,
where you have a large list of domains you've determined are used for
botnets or other badness and you want queries for said domains to fail.
You can do this for a small number of domains with dnscache and Unbound
but it doesn't scale, whereas the BIND solution is apparently intended
to support enormous lists.  It's a great idea and sorely needed.

Nicolai
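Added example, not part of the post above or of BIND's or Unbound's own code: the "drop-in blacklist" Nicolai describes is assumed here to be BIND's response policy zone (RPZ) feature, and the small-list Unbound equivalent is assumed to be a `local-zone ... static` entry per domain. The script takes a constructed sample blocklist (the domain names are made up) and emits both forms, plus the label-wise match rule both apply (a listed domain and everything under it is refused, but a longer name that merely ends in the same characters is not). The origin name `rpz.local`, the SOA/NS placeholders and the function names are this example's own choices.

```python
"""Blocklist -> Unbound local-zone snippet and BIND RPZ zone file.

Added example; not code from the post, BIND or Unbound. Sample data
is constructed and the zone/origin names are assumptions.
"""

# Constructed sample blocklist (made-up names, not real botnet C2 domains).
BLOCKLIST = ["bad.example", "c2.test", "Tracker.Example.NET."]


def normalize(name):
    """Lower-case a domain and strip whitespace and any trailing dot."""
    return name.strip().lower().rstrip(".")


def is_blocked(qname, blocklist):
    """True if qname is a listed domain or a subdomain of one.

    Comparison is done on DNS labels, so 'notbad.example' does not
    match a listing of 'bad.example' the way a plain suffix test would.
    """
    q = normalize(qname).split(".")
    for dom in blocklist:
        d = normalize(dom).split(".")
        if len(q) >= len(d) and q[-len(d):] == d:
            return True
    return False


def unbound_config(blocklist):
    """One 'local-zone <name>. static' line per listed domain.

    A static local zone with no local-data answers NXDOMAIN for the
    zone apex and every name below it. This is the per-domain form the
    post says works for a handful of names but does not scale.
    """
    lines = ["server:"]
    for dom in sorted({normalize(d) for d in blocklist}):
        lines.append(f'    local-zone: "{dom}." static')
    return "\n".join(lines) + "\n"


def rpz_zone(blocklist, origin="rpz.local", serial=1):
    """Response policy zone file for BIND.

    In RPZ, a 'CNAME .' target means "answer NXDOMAIN". Owner names are
    relative to the policy zone's origin, and the wildcard entry is
    needed because '*.bad.example' does not cover 'bad.example' itself.
    The zone is activated with, in named.conf options:
        response-policy { zone "rpz.local"; };
    and declared as an ordinary master zone (allow-query { none; }).
    """
    lines = [
        "$TTL 1h",
        f"$ORIGIN {origin}.",
        f"@ IN SOA localhost. root.localhost. ({serial} 1h 15m 30d 2h)",
        "@ IN NS localhost.",
    ]
    for dom in sorted({normalize(d) for d in blocklist}):
        lines.append(f"{dom} CNAME .")
        lines.append(f"*.{dom} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(unbound_config(BLOCKLIST))
    print(rpz_zone(BLOCKLIST))
    for q in ("www.bad.example", "notbad.example", "host.c2.test"):
        print(q, "->", "NXDOMAIN" if is_blocked(q, BLOCKLIST) else "resolve")
```

The RPZ file is one zone BIND loads and can transfer like any other, which is why it copes with very large lists, whereas the Unbound form grows the main configuration by one stanza per domain. Either way, whoever maintains the list should check it for entries like a bare TLD or a shared hosting domain, since the subdomain match refuses everything beneath them.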

