Return-Path: <djb-dsn-981012582.22539@cr.yp.to>
Date: 1 Feb 2001 07:29:42 -0000
Message-ID: <20010201072942.22539.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: bugtraq@securityfocus.com
Subject: Time to un-BIND your network!
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

It's interesting that the NXT security disaster and the TSIG security
disaster were both introduced as new features in BIND 8.2.

Paul Vixie blames BIND's problems on ``sleazeware produced in a drunken
fury by a bunch of U C Berkeley grad students.'' But BIND 4 was only
20000 lines of bad code. BIND 8.2 is 150000 lines of bad code.

BIND 9 is good code, you say? The BIND programmers learned their lesson
from these security disasters and rewrote everything from scratch? Let's
look at the facts:

   * BIND 9 was funded in August 1998. There was a public statement that
     ``code drop has been made to funding organizations'' in March 1999.
     Guess when BIND 8.2 was released? That's right: March 1999.

   * BIND 9 was made available for public testing in February 2000. The
     official BIND 9.0.0 release was in September 2000. _Hundreds_ of
     bugs have been discovered in BIND 9 since then. (The list of
     previously discovered bugs---presumably even more embarrassing---
     doesn't seem to be publicly available. Gee, what a surprise.)

   * By all accounts, BIND 9 chokes even more often than BIND 8 does.
     Sample from the bind9-users mailing list last week: two sysadmins
     at large sites reported that, within a few days, BIND 9.1.0 stopped
     responding and started burning CPU time.

Bottom line: The Buggy Internet Name Daemon lives on. BIND 9 is 300000
lines of bad code. Does anyone seriously believe that none of BIND 9's
bugs can be exploited by attackers?

I don't. But I can relax, because I've been free of my BINDs for the
past year; I wrote my own DNS software, djbdns. To learn more:

   http://cr.yp.to/djbdns/ad.html
   http://cr.yp.to/djbdns/faq.html
   http://cr.yp.to/djbdns/install.html

djbdns works for citysearch.com and pobox.com and one site that handles
nearly 400000 *.com's; I think it'll work for you too. It's free, it
doesn't crash, and it doesn't let attackers take over your machine.

---Dan