Return-Path:
Date: 1 Feb 2001 07:29:42 -0000
Message-ID: <20010201072942.22539.qmail@cr.yp.to>
From: "D. J. Bernstein"
To: bugtraq@securityfocus.com
Subject: Time to un-BIND your network!
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

It's interesting that the NXT security disaster and the TSIG security disaster were both introduced as new features in BIND 8.2.

Paul Vixie blames BIND's problems on ``sleazeware produced in a drunken fury by a bunch of U C Berkeley grad students.'' But BIND 4 was only 20000 lines of bad code. BIND 8.2 is 150000 lines of bad code.

BIND 9 is good code, you say? The BIND programmers learned their lesson from these security disasters and rewrote everything from scratch? Let's look at the facts:

   * BIND 9 was funded in August 1998. There was a public statement that ``code drop has been made to funding organizations'' in March 1999. Guess when BIND 8.2 was released? That's right: March 1999.

   * BIND 9 was made available for public testing in February 2000. The official BIND 9.0.0 release was in September 2000. _Hundreds_ of bugs have been discovered in BIND 9 since then. (The list of previously discovered bugs---presumably even more embarrassing---doesn't seem to be publicly available. Gee, what a surprise.)

   * By all accounts, BIND 9 chokes even more often than BIND 8 does. Sample from the bind9-users mailing list last week: two sysadmins at large sites reported that, within a few days, BIND 9.1.0 stopped responding and started burning CPU time.

Bottom line: The Buggy Internet Name Daemon lives on. BIND 9 is 300000 lines of bad code. Does anyone seriously believe that none of BIND 9's bugs can be exploited by attackers? I don't.

But I can relax, because I've been free of my BINDs for the past year; I wrote my own DNS software, djbdns. To learn more:

   http://cr.yp.to/djbdns/ad.html
   http://cr.yp.to/djbdns/faq.html
   http://cr.yp.to/djbdns/install.html

djbdns works for citysearch.com and pobox.com and one site that handles nearly 400000 *.com's; I think it'll work for you too. It's free, it doesn't crash, and it doesn't let attackers take over your machine.

---Dan