Date: Sun, 04 Feb 2001 08:14:38 -0700 From: Brett Glass <brett@lariat.org> To: Rahul Siddharthan <rsidd@physics.iisc.ernet.in> Cc: freebsd-chat@FreeBSD.ORG Subject: Re: UNIX-like approach to software and system architecture (Was: D J Bernstein) Message-ID: <4.3.2.7.2.20010204080917.049ecca0@localhost> In-Reply-To: <4.3.2.7.2.20010203110403.048e78e0@localhost> References: <20010203135902.M94275@lpt.ens.fr> <200102022245.PAA15968@usr08.primenet.com> <20010202140505.B91552@dogma.freebsd-uk.eu.org> <200102022245.PAA15968@usr08.primenet.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Interestingly, Theo De Raadt also seems to agree that djb's approach to DNS daemons is more sensible and secure than ISC's. In his own words: >ISC has been building a "one shoe fits all" DNS server, designed for >everything from small servers to root servers with the .com hierarchy on >them. Good security software has well constrained behaviours and small >subcomponents, so that unexpected results are minimized. BIND is not >written that way, and has hundreds of little features. It can be very >difficult to assure the quality of software designed to run in a wide >assortment of ways. None of the BIND implimentations has any of the >basic principles we see in great security software, and when we add in >the uniquitous and mono-cultured nature of it's deployment, the >discovery of a really nasty bug could hit really hard. Say, >I-LOVE-YOU.in-addr.arpa? > >We need more DNS server choices. For the article in which he was quoted, see http://securityportal.com/articles/chargingforsecurity20010201.html --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.7.2.20010204080917.049ecca0>